1998-02-20-07:22:27 Anton J Aylward:
>[ lengthy quote below ]
> Have I been adequately reductionist and closed the loop?
Not really. I tried editing your statement down to a reasonable length,
to capture the essence, but failed; you did a good job of making it hard
to compress, if nothing else.
But the problem is, you failed to close the loop because you didn't
indicate what use there is to a CISSP for answering the question ``is
a person competent to audit computer security in general or firewalls
in particular?''. In fact, the more you talk about it, the clearer it
seems that it has no use or bearing at all; that a person who has a
CISSP may well know about paper shredders and door locks, but there's
no evidence they know about network protocols, computer authentication
tools, how the pieces need to be put together to enforce a security
policy, and how to test to make sure they're really there. In fact,
a detailed knowledge of security guards and management strategies and
so forth doesn't even constitute a sufficient foundation to audit a
computer security policy, much less its implementation; if the policy
isn't a good fit for available technologies and the risks they incur,
then it will likely provide inadequate protection, or be unaffordable to
implement, or both.
So does the CISSP in fact do anything to help ensure that its holders
are sufficiently knowledgeable to assist in computer security policy
design, implementation, or audit? Or is it of more interest to night
shift guys with nightsticks and radios who wear funny caps, and to
has-been mainframe admins trying to weasel some bucks out of the
> >I can see the interest and use for these things, to other people in
> >other parts of our organization. Out of curiosity, why are you jumping
> >up and down screaming about how wonderful the CISSP is on the firewalls
> >mailing list? Sounds like there's a nebulous connection at best between
> >the job the CISSP does and the job a firewall admin is going to be
> Let me see, the term 'firewall' is the vernacular for a Perimeter
> Protection Policy Enforcement Mechanism, [...] A policy is a set of
> business decisions that, collectively, determines an organization's
> posture towards security. [...] Who defines policy? I think it should
> be a business decision, based on the responsibility, [...]
> These are the same policies that put locks on the doors, [...]
> Firewalls, which is the label on this list, are one of the tools
> for enforcing those policies. Unless you have the policies,
> how you configure the firewall is arbitrary, since there is no
> requirement as to how it should be configured. If there are
> policies, the configuration should be verified to ensure that
> it does in fact enforce those policies.
> Normal security practice involves separation of duties.
> Rather like in software development, the guy who writes the
> code isn't the guy who tests it. The guy who verifies the
> configuration of the firewall - but isn't to alter it - is called
> the auditor.
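The auditor's task as the quoted post describes it, checking that the firewall configuration really enforces the written policy rather than trusting the admin's word, is shown below as an added example; it is not code from this thread or from any product mentioned in it. It assumes a simplified ruleset model (ordered rules, first match wins, a default action when nothing matches) and expresses the policy as a list of flows with the action the policy requires. The ruleset, addresses and policy statements are constructed for illustration. It also goes one step past the text by flagging rules that an earlier, broader rule makes unreachable, which is the usual way a deny that "should" be there quietly stops working.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical, simplified firewall rule model (assumption, not any vendor's format):
# rules are evaluated in order, the first match decides, no match -> default action.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port

def _matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    if ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(ruleset: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: int, default: str = "deny") -> str:
    """Return the action the configuration takes for one flow (first match wins)."""
    for rule in ruleset:
        if _matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action
    return default

# One policy statement, written as a concrete flow plus the action the policy requires.
@dataclass(frozen=True)
class PolicyCheck:
    statement: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    expected: str

def audit_policy(ruleset: List[Rule], policy: List[PolicyCheck],
                 default: str = "deny") -> List[str]:
    """Compare what the configuration does against what the policy says it must do."""
    findings = []
    for check in policy:
        actual = evaluate(ruleset, check.src_ip, check.dst_ip, check.proto, check.dport, default)
        if actual != check.expected:
            findings.append(f"{check.statement}: policy requires {check.expected}, "
                            f"configuration gives {actual}")
    return findings

def shadowed_rules(ruleset: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers all their traffic."""
    shadowed = []
    for i, later in enumerate(ruleset):
        for earlier in ruleset[:i]:
            covers_net = (ip_network(later.src).subnet_of(ip_network(earlier.src))
                          and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))
            covers_proto = earlier.proto in ("any", later.proto)
            covers_port = earlier.dport is None or earlier.dport == later.dport
            if covers_net and covers_proto and covers_port:
                shadowed.append(later.name)
                break
    return shadowed

# Constructed sample configuration: the broad "LAN may go anywhere" rule sits above the
# specific deny for the database, so the deny is present in the config but never fires.
RULESET = [
    Rule("allow-dns-out",   "allow", "10.0.0.0/8",    "0.0.0.0/0",     "udp", 53),
    Rule("allow-lan-any",   "allow", "10.1.0.0/16",   "0.0.0.0/0",     "any", None),
    Rule("deny-lan-to-db",  "deny",  "10.1.0.0/16",   "192.0.2.10/32", "tcp", 3306),
    Rule("allow-app-to-db", "allow", "192.0.2.5/32",  "192.0.2.10/32", "tcp", 3306),
    Rule("allow-web-in",    "allow", "0.0.0.0/0",     "192.0.2.5/32",  "tcp", 443),
]

# Constructed policy statements the ruleset is supposed to enforce.
POLICY = [
    PolicyCheck("Internet may reach the web tier on 443", "198.51.100.7", "192.0.2.5", "tcp", 443, "allow"),
    PolicyCheck("App tier may reach the database", "192.0.2.5", "192.0.2.10", "tcp", 3306, "allow"),
    PolicyCheck("Workstations must not reach the database directly", "10.1.20.4", "192.0.2.10", "tcp", 3306, "deny"),
    PolicyCheck("Internet must not reach the database", "198.51.100.7", "192.0.2.10", "tcp", 3306, "deny"),
]

if __name__ == "__main__":
    for finding in audit_policy(RULESET, POLICY):
        print("POLICY VIOLATION:", finding)
    for name in shadowed_rules(RULESET):
        print("UNREACHABLE RULE:", name)
```

Run as-is it reports one policy violation (workstations can reach the database because "allow-lan-any" matches first) and one unreachable rule ("deny-lan-to-db"). The point of structuring it this way is the one the post makes: the policy is written by whoever owns the business decision, the ruleset by whoever administers the box, and the check is a third thing that neither of them edits.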