Thus spake Frank Willoughby:
> Good heavens, folks. If I can make 2 small recommendations.
> 1) Even if you are sure that your firewall is secure, have someone
> who is competent in the field do a security checkout of your
> firewall. I can't emphasize this enough. This should only
> cost $2-3K (tops), and will help you avoid the "Oooooopppsss"
> factor. Small price to pay for some peace of mind.
> 2) Never, ever, outsource any part of your Information Security
> (including managing the firewall). Here's a couple of reasons
I can't reconcile those 2 bits.
Well, I could if I said that testing of the implementation of the
security policy wasn't part of Information Security. But I really
don't want to do that.
> o How will you determine if the rules are secure - particularly if
> you aren't allowed to touch the firewall?
How would you determine if the rules were secure if you did it
yourself? Only if you were competent. Ditto for the consultant.
Trust them in accordance with your assessment of their competence.
(FWIW, I _know_ there are bad firewall consultants out there. There
are bad carpenters, too. Doesn't mean I'm building my house all by my
#> Mike Shaver (shaver @ com) Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap! <#
#> When the going gets tough, the tough give cryptic error messages. <#
#> "We believe in rough consensus and running code." <#