My .02 worth of time..
Steve K brings up some very good points on auditing but auditing should
also entail the groups that are responsible for different pieces of the
security solution in place. As Joe points out, there are lots of people
who want to implement or have a piece of control but miss the big picture
type of thing. They want to solve their business need and not address the
bigger concerns within a particular environment. We want a web server that
does the following blah, or our customers want to be able to do some sort
of commerce type of thing. So those business units read the current trendy
type magazines, they get some high power type person to approve it, and
whoosh it is in. What happened to consulting with the architecture type
people or security staff? Nope, not necessary... Only when something
happens do the architecture type people or support people need to get
involved. Now you have a mishmash of things in place. Now, how do you go
about conducting an audit then?? The tools that external and internal
auditors use will not matter; it is the process and documentation, the so
called IMPORTANT business need, that actually needs to be addressed at the high
level before solving the pieces. Logically mapping out their solution is
where the true audits should really start. True analysis starts at the
business model layer and then works its way down to the details of what
hardware, software, etc. is in place to support the solution. Utilizing
commercial, shareware or freeware tools only gives a piece of the puzzle,
and not the reasoning why things were done..
Addressing the other points Joe J raises:
Not having those processes properly documented, having the right set of
people doing the right type of things, testing the solutions out in a lab,
and some sort of management that is somewhat knowledgeable of the risks
and the technology and is willing to back his/her people is also part of who
gets control of the firewall at your place.
At 08:42 PM 11/22/97 -0500, Steve Kruse wrote:
>You have a good point in that Audits should be conducted by a 'separate'
>organization, be that internal or external. The problem of doing security
>is that after some period of time of looking at something, you tend not to
>see what is in front of you. You begin looking for all kinds of abstract
>and weird attacks and you miss something really blatantly stupid you should
>have seen. An independent audit will often times catch things like that.
>If the audit is performed by someone who takes a completely objective look
>at the net and the IT structure, it will be more thorough (or at least
>likely to find weaknesses) than someone who has lived with it day in and
>day out. Crimes are often solved long after the original investigation is
>put in the unsolved bin because some new investigator, who wasn't an
>intimate part of it from the beginning, took a fresh look at it. The clue
>to solving it was right there in front all the time, it just was
>overlooked. Audits can fall under the same trapping.
>Whether to use an inside or outside auditor...now THERE's a question for
>some debate!! And what tools do I (or the auditor) use? Commercial?
>Freeware? Does the tool FIT the network I'm testing? Plenty of questions
>to ask BEFORE doing it, too. How often? Daily? Weekly? After every change
>control? Monthly? Do we test policy AS WELL AS network hardware and
>software? Perimeter testing only? So many questions...so few "one size
>fits all" answers.
>At 03:11 PM 11/22/97 -0500, Joseph Judge wrote:
>>I'm a bit of an old fart on this ... I must interject:
>>- it is a good idea to have separate controls
>>(weigh that along with the need for consistent and
>>But, I like to see auditing (at least) performed by a
>>separate group. Not one-stop-bribe-shop in the
>>"Joe Judge firewall planner, builder, admin, audit"
>>Of course, I work at a big $$ place -- so I tend to
>>see more risk that would lead to this separation.
>>** but the auditors should audit against criteria that
>>the owners build against, agreed on ahead of time **
>>Let's not have this "surprisingly changed requirement
>>of the month audit" under the guise of "we're just
>>raising the bar on what we are doing" (when they
>>mean that they want to impose stricter requirements
>>that they don't have to deal with the outcome)
>> -- joe
>>From: Paquette, Trevor[SMTP:TrevorPaquette @
>>Sent: Friday, November 21, 1997 11:33 AM
>>To: 'youngr @
>>com'; Firewalls @
>>Subject: RE: Who Gets Control of the Firewall At Your Place?
>>You're not the only one who has had to battle this battle.
>>What it boils down to is the following:
>>Which group is willing to take FULL RESPONSIBILITY for
>>the security, administration and auditing of the
>>Firewall. This is not a thing that you can take lightly.
>>That group is going to be on the hook if anything goes wrong.
>><lots of other good stuff deleted>
>* Steve Kruse Milkyway Networks *
>* Network Sales Support 1342 E. Vine St. #224 *
>* Kissimmee, FL 34744 *
>* http://www.milkyway.com skruse @