Sunday, July 10, 2005

Tear down what firewall?

A Slashdot comment posted to "Tear Down the Firewall" as "Re:Too smart for their own good":

My suggestion was that if you find yourself slacking with regards to security procedures, you've effectively eliminated the inner wall. If the outer wall is breached, so is the inner one, by virtue of the fact that you're slacking. If the benefits of slacking (with respect to productivity, convenience, etc.) are sufficient, you should just harden the firewall and ditch the internal security processes. If maintaining security is a serious issue, you should do your damn job and implement the security processes. The fact that you have a firewall is no excuse for being sloppy, and sloppiness will bite you in the ass when the firewall fails.

That sounds great, but doesn't reflect the reality in large corporations.

One team runs the big honking edge firewalls, and takes their job seriously. They regularly strengthen the walls, and commission tiger-team testing to verify the belief that the perimeter walls are as secure as they can be for the budget available.

Another team (or six teams, or sixteen teams) runs the various internal networks, servers and desktops. These are the ones who will start slacking off because "we have a firewall", and getting sloppy about locking down the internal devices.

Sure, the perimeter team can rant and rave about how their firewall, great as it is, is not a panacea, and how the internal groups need to take up their share of the load, but this is little more than a CLM (career-limiting move).