Newsgroups: comp.protocols.tcp-ip
Path: sparky!uunet!haven.umd.edu!decuac!hussar.dco.dec.com!mjr
From: mjr@hussar.dco.dec.com (Marcus J. Ranum)
Subject: Firewall analogies (was Re: Firewall usage)
Message-ID: <1992Jul31.000543.7421@decuac.dec.com>
Sender: news@decuac.dec.com (USENET News System)
Nntp-Posting-Host: hussar.dco.dec.com
Organization: Digital Equipment Corporation, Washington ULTRIX Resource Center
References: <l7g11bINNlib@pollux.usc.edu> <159hutINN6vl@early-bird.think.com>
Date: Fri, 31 Jul 1992 00:05:43 GMT
Lines: 26

>I think this analogy to a home and rooms is very poor.

I really don't think there *IS* a particularly good analogy.

Part of the problem is that firewalls and their implementation are not merely a technical problem. There is a whole set of "management" issues that usually need to be addressed. There are whole sets of CYA issues that need to be addressed, which don't necessarily improve the security of the network, but definitely improve the network manager's claim to showing diligence in securing the network.

In the consulting work I've done for DEC (setting up firewalls) I've run across various combinations of these issues. Compared to them, the actual details of locking things down tight are real simple. Every time I run into these discussions, I try to come up with an analogy for Internet security - it's pretty hard. Part of the problem is that, unlike a house, you don't always know that you've been robbed; people don't break into your house and steal a *COPY* of your gun collection, and vanish after shaving (or somehow magically cleaning) all the rugs to hide their footprints. This makes the whole thing harder to understand, especially for someone who is not used to modern networked computing. You get strange policies like: "it must be impossible to export data out over the network" - never mind that a fistful of DATs is easier to hide.

mjr.