Great Circle Associates Firewalls
(July 1994)
 


Subject: RE: FW: FW: NCSC and modern ratings
From: RAS @ cacd1 . cacd . rockwell . com
Date: Fri, 29 Jul 1994 7:55:45 -0500 (CDT)
To: Firewalls @ GreatCircle . COM
Cc: IJB @ saicuk . co . uk, RAS @ cacd1 . cacd . rockwell . com

>>Looks like all the ratings and such aren't helping the military:
>
>        I don't get it.
>
>        On one hand, we have folks demanding to know why they can't
>connect to the Internet and "do everything we want, and with perfect
>security too!"  And on the other hand, we have folks laughing at the
>military when they get broken into.
>
>        Anyone see an inconsistency here?
>
>mjr.
>
>
>No inconsistency, human nature always wants to have the cake and eat it.
>
>Maybe also that most folk don't really understand security. Reading 
>'Firewalls' it seems to me that many are more motivated by the technology 
>than the need to fit it.
>
>What doesn't help the intelligent understanding of the subject is the type of 
>media hype which Chris posted on Firewalls - not his fault, he just read it 
>and passed it on.
>
>The fact is that there is a lot of available technology (much of it appears 
>to be invisible to the Firewall community), and the only way you can be sure 
>you spend funds wisely and hit the balance between access 
>control/restriction and availability is to build and maintain an effective 
>Risk Policy.

I'm involved in an effort to define an effective Risk Policy for our
site.  After reading the 'Firewalls' book, monitoring the firewalls
discussion lists, and reading various white papers, I'd have to agree
that "many are more motivated by the technology than the need to fit
it," or at least tend to write about the technology more. 

We're trying to focus on a requirements analysis before jumping into
product procurement/implementation.  However, most of the technical
literature seems to be targeted to product procurement/implementation
and not requirements analysis.  Are there any examples of an "effective
Risk Policy" out there, or discussions of how network security works
with node security to ensure that a site is not penetrated?  


Bob Schneider

Enterprise Core Network Team       ras @ cacd1 . cacd . rockwell . com
Design Support Engineering         ras @ 131 . 198 . 128 . 108
Rockwell International             ras%27746 . decnet @ consort . rockwell . com
400 Collins Road NE  M/S 106-103   
Cedar Rapids, IA  52498

Voice:  319/395-3863    Comments expressed are strictly my own and are not to
FAX:    319/395-5999    be construed as statements endorsed by my employer.
