nanog mailing list archives
RE: How to get better security people
From: "Tim Irwin" <tim () eng bellsouth net>
Date: Fri, 29 Mar 2002 15:39:52 -0500
<snip>
What is the right mindset for ISP security? It seems to be a little different from the traditional security mindset found in the corporate or military security world. A lot of sharp people with that background try to move into ISP security, but they often have a difficult time making the transition.
ISPs are often in the position of having almost a conflict of interest when compared to enterprises. The idea of the Internet (and therefore ISPs) is about openness and the ability to connect to anything, anywhere. Enterprises must take almost the opposite stance of "deny all that which is not expressly permitted". ISPs have many customers and each customer has their own opinion about security. How many posts did we have recently asking which providers were filtering things like port 80 and port 25? The sad fact is that mucking up what was intended to be an open network drives away customers and there will always be someone else down the street waiting to take the customer's money who won't do it.
I struggle with this myself. I don't like the idea of having routers with huge, complicated access lists all over the network. But I don't like the idea of being hammered by a DoS attack either.
So, I suggest that the *best* security people are those that can actually quantify risks vs benefits, and who approach things with an "even keel". I've talked with companies that think the primary job qualification for security professionals is that they be obnoxious, ill-tempered, bark at people for no apparent reason, and write nazi-like policies that stand no chance of being adhered to. Bottom line: There is a business to run. Security people who don't understand that are worthless in my opinion, no matter how technically savvy they are.
But are the students really getting the right training for working in a public network such as an ISP?
You can lead a horse to water, but you can't make him drink. The best forum for security education is trial by fire.
--
Tim Irwin, Sr. Network Engineer
Architecture & Engineering
BellSouth.net, Inc.
e-mail: tim () eng bellsouth net
office: 678.441.7951
"The plain and simple truth is rarely plain and never simple." --Oscar Wilde