Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: George Capehart <capegeo () opengroup org>
Date: Tue, 30 May 2006 09:38:20 -0400
Jim Seymour wrote:
> "Marcus J. Ranum" <mjr () ranum com> wrote:
> <snip>
> > This notion that security is a matter of degree is accurate in the large but inaccurate in the small. Unfortunately, we're all dealing with the small.
>
> I must be Sith, as well. I figure it's either secure [*] or it's not.
When I first read mjr's message, I nodded at the comment and kept on reading. After having read the rest of this thread, I think that I agree but I also disagree with both statements. I might be splitting hairs, but here goes:

WRT the notion that security is a matter of degree, yes it is, but when viewed from the risk management perspective. In the Best Possible World (TM), the selection of security controls / choices that are made when designing the security architecture are based on risk assessments and an organization's risk tolerance. To this extent, "security" /can/ be viewed as relative or a matter of degree from the perspective of the analyst and designer. However, I would argue that from the perspective of the risk manager, a system /can/ be determined to be "secure" or not. That's what the Certification and Accreditation process is all about. The risk management process decides what threats it wants to manage and how it wants to manage them. The architects design into the system a set of controls that provide the degree of control that the risk management process requires. The system is then tested to determine whether the controls that are in place do what they need to do. If they do, then, as far as the risk management process is concerned, the system is "secure."

I guess that what I'm saying is that I'd like to spin things a bit WRT mjr's comment and say: "Yes, security is a matter of degree, but at both the macro /and/ the micro level." Yes, at the level of the decisions taken by the risk management process (what threats to manage and how to manage them), but also at the level of, say, firewall rules. After all, some organization may be willing to allow incoming traffic on TCP 139.

WRT Jim Seymour's comment, I'd like to add a caveat. A system /can/ be defined as "secure" iff the controls that are in place are shown to provide the level of protection and function that were required by the risk management process.
So the upshot of this for me is that rather than talking about "security" and "secure," I'd rather think about it in terms of being "secure enough." If the controls that are in place meet the requirements of the risk management process, the system is secure enough.

Hope this made sense. I've only had one cup of coffee this morning and my blood caffeine level is still a bit low. /g