Great Circle Associates Firewalls
(June 1996)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Pilot Network Services
From: manderse @ (Mike Andersen)
Date: Thu, 20 Jun 1996 14:55:31 -0400
To: proberts @ clark .
Cc: Firewalls @ GreatCircle . COM

On Thu, 20 Jun 1996  roberts @
 clark .
 net wrote:
>It also depends a great deal on your resources, and those of the
>outsourcing company.  Most large companies outsource phyiscal security, as
>was pointed out.  That's because they don't have the resources, or core
>competancy to do it themselves.  Does that mean that the physical security
>of their sites is worse than if they did it themselves?  Sometimes yes,
>sometimes no.

Well one phyiscal security guard would have a hard time stealing a significant 
amount of a firms assets (enought to chapter11 them).
But one data security person could (depends on your business).

>If you can't get a firm commitment of service, then you're looking at the
>wrong type of firms.  What happens if *you* get multiple break-ins and ...

We looked at IBM, EDS and some others.  That fact is the liabilities from a 
system outage were so great none of the firms would accept them in a contract 
that wasn't very much more expensive then keeping it in house.

Multiple break-ins - Drop Internet connection and have SA's cleanup mess.

>I'd say the same is true of most company's IT departments.  Face it, in
>almost all non-software or outsourcing vendor locations, you're an

Duh! (sorry, your flame was on too high)

>Who audits the security group?

Our audit group and periodically outside audits.

>I have outsourced almost all of my firewall development (That means the
>code writing bits, NOT the installation or security policies).

Hope they stripped the kernel and are running a minimum of processes. Not to 
mention secured mail, have routers filtering on both sides of your firewall, 
etc. Plz respond to this item offline, not that the forum's not safe place :)

>We've all seen how much concern OS vendors tend to put into security
>during their design and development phases.  I don't see many people
>ranting that they should get their own OS design group,

Never suggested that, I even think it good to get a mature firewall product from 
a firm that's been in the business 5 years or so (so long as you keep up on 

BTW - I was a consultant for 10 years - good money.  An _indepentant_ consultant
      is just as depentant as an employee on the firm that's paying him, he'd
      also like to use you as a reference.  A consultant firm is less so; they   
      have multiple clients for both cash flow and references (not that they     
      want to hurt their reps(I've seen it)).
Plz don't want to waste any more forum bandwidth - take another shot if you like 
but from then if necessary let's continue offline.  I've seen these threads go 
on far too long in the past.  Let's just lurk for tech tid bits ;^)

PS: Send over the guy who'll work for $8.95/hr - Cheers - Mike

Indexed By Date Previous: Authentication with gauntlets
From: mark @ seismo . CSS . GOV (Mark Le Vea)
Next: split-brain DNS
From: "Marcus J. Ranum" <mjr @ clark . net>
Indexed By Thread Previous: Re: Pilot Network Services
From: "Paul D. Robertson" <proberts @ clark . net>
Next: Re: Pilot Network Services
From: Frank Willoughby <frankw @ in . net>

Search Internet Search