Security is mostly perceived as protecting information, and the infrastructure that hosts it, from hackers. That is only partly true. Security addresses the confidentiality, integrity and availability (the CIA triad) of your information and infrastructure, within the context of your business and in a way that is meaningful to it.

Is the CIA triad a meaningful goal to pursue? The answer depends on the company's context. Firstly, the line of business a company is in is the prime driver of its security program (financial institutions are more security savvy than others for a reason). Secondly, whether the company has enough resources (budget, people, etc.) to address security. Most importantly, the security strategy should align with the business strategy. Alignment of strategies by itself does not justify your security investment, though: security should enable the business, or you will have an uphill battle getting your budget approved.

Recently, I heard an IT manager mention that they have a secure perimeter because they have a firewall. This is akin to saying that my house is secure because I have purchased a lock. As an example of the right security mindset, deploying a firewall should address the following concerns:

0. Have you picked the right firewall vendor?

1. How is the firewall configured?

2. How does it fit into the overall security framework?

3. What is the firewall architecture, i.e. where does it sit in the network and what does it segment?

4. Is there a well-defined process to maintain the access list on the firewall?

5. Who administers the firewall? Is there a backup admin?

6. Who monitors the firewall logs?

7. Is there well-defined documentation of the firewall, so that another administrator can take over if the primary administrator is unavailable?

8. Is the firewall being monitored for uptime and performance?

9. Is the firewall itself hardened against known vulnerabilities?

10. What is the process for keeping the firewall software up to date?

I have used the firewall as an example; the same questions apply just as well to an IDS/IPS or any other security product implementation.
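To make the access-list questions above concrete (how the firewall is configured, whether there is a process to maintain the rule list, and whether denied traffic is logged for someone to monitor), here is an added example, not from the original post, of the kind of check a rule-maintenance process could run over an exported rule base. The rule format, the sample rules and the policy it enforces (every rule has an owner and a justification, temporary rules carry an expiry date, no any-any allow, and the list ends with a logged default deny) are assumptions constructed for illustration.

```python
"""Audit a firewall access list for the maintenance problems the checklist
above is meant to surface.

Example code added to this post, not the author's; the rule format, the
sample rules and the policy being enforced are constructed assumptions.
"""
from datetime import date

ANY_NET = "0.0.0.0/0"

# Fixed reference date so the sample output is reproducible (constructed).
AUDIT_DATE = date(2024, 6, 1)

# Constructed sample access list. In practice you would parse an export
# (iptables-save, a vendor 'show access-list', cloud security-group JSON)
# into dicts of this shape first.
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "src": ANY_NET,
     "dst": "10.0.1.10/32", "port": 443, "owner": "web-team",
     "expires": None, "comment": "public HTTPS to web front end"},
    {"id": 20, "action": "allow", "proto": "tcp", "src": "10.0.9.0/24",
     "dst": "10.0.1.20/32", "port": 22, "owner": "vendor-x",
     "expires": date(2023, 1, 31), "comment": "temporary vendor SSH access"},
    {"id": 30, "action": "allow", "proto": "any", "src": ANY_NET,
     "dst": ANY_NET, "port": "any", "owner": None,
     "expires": None, "comment": ""},
    {"id": 40, "action": "allow", "proto": "tcp", "src": "10.0.2.0/24",
     "dst": "10.0.1.30/32", "port": 1433, "owner": None,
     "expires": None, "comment": "app servers to database"},
]

# An explicit, logged deny-everything rule that a well-kept list ends with.
DEFAULT_DENY = {"id": 999, "action": "deny", "proto": "any", "src": ANY_NET,
                "dst": ANY_NET, "port": "any", "owner": "netsec",
                "expires": None, "comment": "default deny, logged", "log": True}


def is_any_any_allow(rule):
    """An allow rule matching any source, any destination and any port."""
    return (rule["action"] == "allow" and rule["src"] == ANY_NET
            and rule["dst"] == ANY_NET and rule["port"] == "any")


def is_logged_default_deny(rule):
    """A deny-everything rule that also logs, so denied traffic is visible."""
    return (rule["action"] == "deny" and rule["src"] == ANY_NET
            and rule["dst"] == ANY_NET and rule["port"] == "any"
            and rule.get("log", False))


def audit_rules(rules, today):
    """Return a list of (rule_id, problem) tuples.

    rule_id is None for findings about the list as a whole.
    """
    findings = []
    for rule in rules:
        rid = rule["id"]
        if is_any_any_allow(rule):
            findings.append((rid, "any-any allow rule defeats the firewall"))
        if not rule.get("owner"):
            findings.append((rid, "no owner: nobody can approve or retire this rule"))
        if not rule.get("comment"):
            findings.append((rid, "no recorded justification for this rule"))
        expires = rule.get("expires")
        if expires is not None and expires < today:
            findings.append((rid, f"expired on {expires.isoformat()} but still active"))
    # List-level check: denied traffic should hit an explicit, logged rule,
    # otherwise there is nothing for the log monitoring question to look at.
    if not rules or not is_logged_default_deny(rules[-1]):
        findings.append((None, "list does not end with a logged default-deny rule"))
    return findings


if __name__ == "__main__":
    for rule_id, problem in audit_rules(SAMPLE_RULES, AUDIT_DATE):
        print(f"rule {rule_id}: {problem}")
```

Run against the constructed list this reports six problems: the expired vendor rule, the unowned and unjustified any-any rule, the unowned database rule, and the missing default deny. Appending DEFAULT_DENY clears only the last finding; the others need a human decision, which is precisely why the checklist asks who owns the access-list process.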

In summary, buying a security product does not buy you security, and a half-baked product implementation does not either. Implementing security products holistically, by addressing a set of valid concerns like the ones above, is the right approach.