Firewall Wizards mailing list archives
Re: Security Policy methodologies
From: Ted Doty <ted () iss net>
Date: Fri, 02 Jan 1998 09:59:01 -0500
At 10:23 AM 12/31/97 -0600, Rick Smith wrote:
At 6:55 PM -0600 12/29/97, Bret Watson wrote:
I'm seeking information on any methodologies for developing Security Policies.
[snip]
I think there was a paper by some folks at Hanscom AFB on this at ACSAC in '96. The basic approach was to identify the types of network traffic currently present, justify all that traffic, and then configure the firewall to support that traffic. First, they ran a firewall with no filtering enabled but with all logging enabled in order to identify all traffic passing through their point of presence. Then they systematically accounted for all traffic they could.
[snip]
Then they configured the firewall to support exactly the traffic required. In a few cases they couldn't track down the users of some obscure things, so they just disabled them. Naturally, a few protocols were not detected during their analysis phase and had to be added later. Personally, I don't think this is a way to achieve recognizable security objectives.
Actually, this is a reasonable approach to take given the state of our knowledge of the problem. If you look at the physical security realm, there is a wealth of information that managers can use to plan (i.e. set policies): local crime rates, the length of time required to penetrate a chain link fence/drywall/cinder block wall, the deterrent value of visible security guards or vault systems, etc. These exist in the network arena only as anecdotes or hunches. As a result, it is terribly difficult to establish a measurable baseline risk level that the organization can hang its hat on. This leads to really strange situations like the actual security posture significantly *exceeding* the stated security goal, because the goal was poorly specified and the administrators decided to do their job right, anyway. Until there is a better body of collected (and published) evidence on network attack that can be used to establish norms of security practice, the approach that Hanscom took is likely to be about as good as we can get.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
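The "log everything, account for it, then permit exactly that" procedure quoted above, worked through as an added example (not code from the thread or from Hanscom): the log format, the sample lines, the justification table and the rule syntax are all constructed for illustration; the point is that observed-but-unjustified flows are disabled, and a final logged deny catches whatever the analysis phase missed.

```python
from collections import Counter

# Constructed output of a firewall run with no filtering but full logging
# (hypothetical "proto src dst dport action" format, not a real product's format).
SAMPLE_LOG = """\
tcp 10.1.2.3 192.0.2.10 25 permit
tcp 10.1.2.4 192.0.2.10 25 permit
tcp 10.1.2.5 198.51.100.7 80 permit
tcp 10.1.2.5 198.51.100.8 80 permit
udp 10.1.2.9 192.0.2.53 53 permit
tcp 10.1.7.1 203.0.113.4 6000 permit
tcp 10.1.2.5 198.51.100.9 443 permit
"""

# Justifications collected from the owners of each service (constructed).
# Anything observed that is absent here is the "obscure stuff" nobody could
# account for, and is disabled rather than permitted.
JUSTIFIED = {
    ("tcp", 25): "mail relay",
    ("tcp", 80): "web browsing",
    ("tcp", 443): "web browsing",
    ("udp", 53): "DNS resolution",
}

def inventory(log_text):
    """Count observed flows by (proto, dport) from the logging-only phase."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at them
        proto, _src, _dst, dport, _action = fields
        counts[(proto, int(dport))] += 1
    return counts

def build_policy(observed, justified):
    """Return (allow_rules, disabled): permit only justified flows, list the rest."""
    allow, disabled = [], []
    for (proto, port), n in sorted(observed.items()):
        if (proto, port) in justified:
            allow.append(f"permit {proto} any any eq {port}  "
                         f"# {justified[(proto, port)]}; {n} flows observed")
        else:
            disabled.append((proto, port, n))  # seen, never justified: drop it
    # Keep logging on the default deny so protocols missed in the analysis
    # phase show up later and can be added deliberately.
    allow.append("deny ip any any log  # catch what the analysis phase missed")
    return allow, disabled
```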