Great Circle Associates Firewalls
(June 1996)


Subject: Re: CIFS - To Firewall or not to Firewall ?
From: Frank Willoughby <frankw @ in . net>
Date: Mon, 24 Jun 96 12:55:04 -0400
To: firewalls @ GreatCircle . com
Cc: Ian Johnstone-Bryden <ianj-b @ dial . pipex . com>

At 04:02 PM 6/24/96 GMT, Ian Johnstone-Bryden had some good things
to say.  I would like to add a few thoughts to his mail.

>> The question is, do you let it through your firewall when your
>> CEO asks for it ?

>The risk management answer has to be that you only permit that which can
>be permitted under the requirements of the risk policy. Anything which is
>outside those requirements has to be held or rejected until such time as
>someone decides that the rules have changed.
>The reality unfortunately is that the people controlling the gateways are
>often a fair way down the corporate structure from the CEO (and often less
>exalted beings) and depend on a pay check to feed the family.
>It's a tough call.

Do the following:

1) Explain the risks (gently) to the executive management - in terms 
    that they can understand.  If possible, quote an independent source
    (preferably from a book, etc).  This helps to make the issue 
    less personal (us vs. them) and helps boost your credibility
    at the same time.

2) Make your recommendation - in writing, cc: several people (your 
    manager, the ISO (Information Security Officer), the CFO, CIO, 
    etc.).  Save the letter (you might need it).

3) Suggest alternative methods which help management to achieve 
    their business goals while doing so in a secure manner.  Ask
    the question "What problem are you trying to solve?"

4) Get someone from upper management to sign off on the risk.  In
    theory, this gets you out of the loop (noose) should things go
    wrong.  Be aware that this is no guarantee that your job will
    remain secure (but it helps).

5) You might want to talk to the CFO privately.  Generally, they
    are able to make security a high priority & can sell it better 
    to the CEO & other executives.

6) Keep your resume on file (at home) & up-to-date.  Make sure you
    have networked enough so that if it becomes necessary for you
    to jump ship that you have a place to swim to.

>Do you stick on principle? The CEO may not like it when you say he is 
>wrong and you may get fired or life becomes so bad that you leave.

I stick to my principles.  I call things like I see them & try to 
be as diplomatic as possible.  From my experience, many CEOs have
a problem with too many "yes"-men.  They would much prefer to have
you tell them (politely & tactfully):

 o  what the real issues are
 o  what the choices are
 o  which choice you recommend
 o  why you recommend that choice.

Feed them the facts.  Let them make the decision.  It also helps 
(a lot) if you have established a high degree of competence before 
being confronted with the above situation.

>OTOH if you give way and your system gets shredded, the boss who was such 
>a moron not to let you do your job right is not going to accept any part 
>of the blame and you could find your head on a pike outside the front 

Agreed.  Hence the CYA (Cover Yourself Always) memo mentioned earlier.

>So maybe the call is between pain today, or extreme pain later. You should
>know your own CEO and your personal needs, but if you don't, the right thing
>to do is attempt to do your job right, which is observing the policy.
>Ain't life a bitch?

*I* don't think so.  I think life is grand and offers many opportunities
to grow.  Challenges are just part of the process.  Three quotes:

 "If you see a man on the top of a mountain, remember - he didn't fall there".
        - Paul Dunn

  "A ship in a harbor is safe - but that isn't what ships are built for."
        - Grace Hopper

   "Behold the turtle who makes progress only when he sticks his neck out"
        - anonymous

If you are put in a difficult situation like this *always* choose the 
right & let the consequences follow.  Perhaps in the short-term things 
may look a little bleak, but in the long run, it *always* pays to do 
the right thing.  NEVER compromise on your principles.  I have been
in situations many times where I have had to make tough calls and 
haven't compromised on my principles.  It is not always easy to do
the right thing, but it is worth it.  

Not compromising on your principles does *not* mean you dig your heels 
in the sand and try to block business.  The compromising of principles
is primarily an ethics issue - not a security issue.  Also, if business 
is proposing something unethical, or completely insane, figure out your 
options and plot your heading from there.

It is also very important to remember that business runs the company 
 - *not* security.  Work with them to try to design a solution which 
is secure & helps them achieve their goals.  

>Ian J-B.

Best Regards,

Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800     FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist
