Registered
Internet/Network Security?
So...I'm a Network Security Professional by trade.
It is my job to make sure that data is protected. I go to great lengths to research proposed projects to be sure that they can be implemented without unneeded compromise to the security of that data with consideration to the usability of the application. I've been wondering what others view as necessary security in their line of work for computer networks. It seems the harder I try the more push back I get and quite simply I'm just doing my job - which is in essence to be a bit of a devil's advocate. When it's all said and done there are times when I just throw up my hands and say "if you can get it past the lawyers it's fine by me." Granted - I understand that security in networks comes at the cost of usability but I do try to work with the application developers to ensure that they don't lose sight of their security requirements or their usability requirements. I've got an application developer that is riding me like a big wheel to get his application out to production when he hasn't complied with half of the security requirements to go to deployment. He's behind schedule and blaming security (me) because he hasn't met the requirements. This is clear to my boss but not to his boss apparently. Anyway - that's my question - in your daily business and personal life what part does internet security play?
__________________
-The Mikester I heart Boobies
Registered
I spend a fair amount of time arguing with my head tech guy over network issues. He wants to wall off everything from everybody. I want things as easy/open as possible. So we have a multi-tier, multi zone network. Some machines are put behind Fort Knox (mostly the office personnel), the servers are in another area with certain port restrictions, and others (like my desktop which serves as a testing server for some things, and my developer's dev boxes) are in "the gutter" with unfettered outside access. He wanted to require VPN to get into Fort Knox and I said no...I refuse to use VPN....figure out another way.
This is always a balancing act. But we are an academic institution, not a business with super sensitive data. And in fact, we *want* people using parts of our network and applications. By putting security in place that raises the bar for engagement, we shoot ourselves in the foot.
Registered
The data I have to worry about has to be protected by law. We have to meet certain requirements - basically those requirements amount to a good defense in court.
"Did we meet reasonable expectations of protecting the data or not?"
__________________
-The Mikester I heart Boobies
Registered
I'm implementing an exhaustive, multi-platform security checklist to be utilized by architects early on in the project lifecycle. Might as well get the security considerations in as early as possible.
Have you asked applications/systems "owners" to do a security assessment and compliance plan on existing systems? Talk about a tough sell.
__________________
Warren & Ron, may you rest in Peace.
Registered
Mikester,
Are you protecting internal data from being sent outside your network via email or DB inquiries from the outside?
__________________
Warren & Ron, may you rest in Peace.
Registered
Join Date: Nov 2003
Location: West of Seattle
Posts: 4,718
Quote:
Or maybe I've misunderstood the whole thing, and my answer is only applicable to military-types.
Dan
__________________
'86 911 (RIP March '05) '17 Subaru CrossTrek '99 911 (Adopt an unloved 996 from your local shelter today!)
Registered
We have systems set up so that employees can access data via the internet.
It's really a nightmare in my mind as under normal circumstances I would insist that this happen via VPN but I can't do that here. We're an educational institution as well and we're trying to provide certain confidential data ONLY to those who require it via web based applications. Those web based applications access the databases through firewalls and DMZs and such and those servers housing the applications as well as the data have published security plans (that I'm having trouble getting project leaders to implement as a rule). They see it as an impedance on the usability of their application. Their users are screaming for the app - I'm insisting on the security before deployment and doing my damnedest to help them get there without doing it for them. I'm so frustrated that someone who develops an application doesn't take the time to understand how that application actually works or when secured doesn't work because they couldn't tell me that it did one thing or another. On a completely different project we have a contractor who is developing the application - an extremely important application. 10 months into the project and 2 months before the functional test they published a need for a shared NFS mount point. Well...we don't allow NFS on "secured" systems (which we informed them in the original RFP) because of a number of reasons - mainly it has a poorly implemented authentication. Also we like to limit the number of services running on a "secured" server to as few as needed - if we can find a way around using something that is undesirable like NFS then we do. We had a meeting with these guys discussing the need for NFS and came to the conclusion that we could eliminate the need with other basic UNIX functions that didn't pose any risk or real effort in implementation. They still won't get on board with it and no matter what they still insist that they need the NFS mount.
They are now behind schedule and frustrated when in fact it was their own mistakes that led them here. We have never made any implications to make them think we would do an NFS share especially if we could get away easily with not doing it. Even the database vendor has insisted that the NFS share is the worst possible means to their desired ends. It's very frustrating (venting).
__________________
-The Mikester I heart Boobies
Registered
Quote:
Two log entries that the boss attributed to him so when he came up for review with the head of the dept my Bro brought that log and referenced those entries - clearing his record and securing his good name.
__________________
-The Mikester I heart Boobies
Registered
Join Date: Nov 2003
Location: West of Seattle
Posts: 4,718
I used to do some computer work -- writing software for database front ends and what-not, nothing terribly serious. I discovered that I couldn't handle those wacky customers. Often almost computer illiterate, with vague yet grandiose ideas for what a piece of software ought to do, without recognizing that each feature adds massive layers of complexity. Worse, features added late in the game cost a lot more than features added at design-time, a fact often lost on customers. (sigh) Yeah, I was an example in how not to engineer software.
So I can relate to your above rant. People who simply use computers (or anything else for that matter) without understanding what they're doing cause the most amazing headaches for those who have to clean up behind them. Aargh. I wish I could be more help in your security problem, but I confess to being horribly out of date on network security.
Dan
__________________
'86 911 (RIP March '05) '17 Subaru CrossTrek '99 911 (Adopt an unloved 996 from your local shelter today!)