The Promise and Peril of Palladium
Tim Mullen, 2003-03-17

Whether Microsoft's ambitious project is a security solution or a Trojan horse depends much on the company's intentions.

The Promise and Peril of Palladium 2003-03-17
Joseph Finley
The Promise and Peril of Palladium 2003-03-18
blacklight (1 replies)
If roads to hell could be paved with good intentions, then we have the potential to build a couple of super highways here. However, technology has always been a double-edged sword. On the plus side, the NSA might be very interested in the Palladium concept even if confidence in the trustworthiness of the sponsoring company (Microsoft) is rather limp. One motto of Open Source should be: "ALWAYS look a gift horse in the mouth!"

We could act like little children (or immature adults who act like little children) and collectively go back and forth about whether Windows 2000 or Linux is more secure without listening to each other. It is becoming more and more apparent to me that network security is a matter of defense in depth - routers, firewalls, switches with implemented VLAN capabilities, proxy servers - and defense in layers - physical (cabling, wireless, modems), data link (encapsulations supported), network (protocols supported), transport (ports open, access filter lists), applications (user and group rights, file system access rights, application software configuration). A good defense is a systematic defense, which does require a degree of discipline and consistency. Within that context, we may be doing a disservice to ourselves by focusing solely on OS security which is really a small although important link in the chain of network security - OS security becomes vital when it is neglected, of course.

It is also becoming more apparent to me that the demands of genuine security are more than the average network or system administrator can handle, if average is taken to mean overburdened and overworked.

It is quite clear to me that medium and large size businesses need full-time security professionals in the sense that a full-time security professional is more effective than four or five sys admins who share the security duties, but definitely have many other fish to fry. I'd say a medium to large business that lacks even one full-time security professional is asking for it.

Am I making sense?


Link to this comment: http://www.securityfocus.com/comments/columns/148/18741#18741
The Promise and Peril of Palladium 2003-03-23
Anonymous (1 replies)







 

Copyright 2009, SecurityFocus