bloomberg on supermicro: sky is falling

William Herrin bill at herrin.us
Wed Oct 10 18:19:05 UTC 2018


On Wed, Oct 10, 2018 at 1:53 PM Naslund, Steve <SNaslund at medline.com> wrote:
> Mr Herrin, you are asking us to believe one or all of the following:
>
> 1.  You believe that it is good security policy to NOT
> have a default DENY ALL policy in place on firewalls
> for DoD and Intelligence systems handling sensitive data.

Steve,

I believe it's a good idea for every security control to trace to
first principles not just as conceived but as implemented.
Default-deny-all is not a first principle. It often traces. Often is
not always. Treating often as always is the sort of lazy error that
leads users to work around non-sensible security implementations,
demolishing the security they would have provided.


> 2.  You managed to convince DoD personnel of that fact
> and actually got them to approve an Authorization to
> Operate such a system based on cost savings.

You mischaracterize it as "cost savings" but that's essentially
correct. I spent six months going through the 1100 controls they laid
on me and where I thought a control would be destructive I provided a
thorough analysis of the anticipated mission impact for both the
control as written and the proposed alternate mitigation. The impact
is far more than a dollar sign. Make it hard to use and you sap the
system's utility to the mission. Make it hard to manage and you
increase the probability of error, decreasing the system availability.
And so on.

Won some of the arguments. Lost others. Built a better system with
happier users for the effort. You can believe that or not as you
choose.

Regards,
Bill Herrin


-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
