Mr Herrin, you are asking us to believe one or all of the following : 1. You believe that it is good security policy to NOT have a default DENY ALL policy in place on firewalls for DoD and Intelligence systems handling sensitive data. 2. You managed to convince DoD personnel of that fact and actually got them to approve an Authorization to Operate such a system based on cost savings. 3. You are just trolling to start a discussion. The reason I asked what system it is would be to question the authorities at DoD on who and why this was approved. If you don't want to disclose that then you are either trolling or don't want anyone to look into it. It won't be hard to determine if you actually had any government contracts since that is public data. There are very few systems whose EXISTENCE is actually classified, but you were the one that cited it as an example supporting your policy. If you cannot name the system then it doesn't support your argument very well does it. Completely unverifiable. In any case I believe the smart people here on NANOG can accept or reject your security advice based on the factors above. I'm done talking about this one. Steven Naslund
Want to tell us what system this is?
Yes, I want to give you explicit information about a government system in this public forum and you should encourage me to do so. I thought you said you had some skill in the security field?
Regards, Bill Herrin