bloomberg on supermicro: sky is falling

William Herrin bill at
Wed Oct 10 16:35:56 UTC 2018

On Wed, Oct 10, 2018 at 11:25 AM Naslund, Steve <SNaslund at> wrote:
> You are free to disagree all you want with the default deny-all
> policy but it is a DoD 5200.28-STD requirement and NSA
> Orange Book TCSEC requirement.

And yet I got my DoD system ATOed my way earlier this year by
demonstrating to the security controls assessment team that the cost
of default-deny-all exceeded the risk cost of default-allow with IDS
alerts on unexpected traffic.

Because not spending more on a security implementation than the amount
by which it reduces the risk cost, is a CORE SECURITY PRINCIPLE while
default-deny-all is merely a standard policy.

Bill Herrin

William Herrin ................ herrin at  bill at
Dirtside Systems ......... Web: <>

More information about the NANOG mailing list