On Wed, Oct 10, 2018 at 1:53 PM Naslund, Steve <SNaslund@medline.com> wrote:
Mr Herrin, you are asking us to believe one or all of the following:
1. You believe that it is good security policy to NOT have a default DENY ALL policy in place on firewalls for DoD and Intelligence systems handling sensitive data.
Steve, I believe it's a good idea for every security control to trace to first principles not just as conceived but as implemented. Default-deny-all is not a first principle. It often traces. Often is not always. Treating often as always is the sort of lazy error that leads users to work around non-sensible security implementations, demolishing the security they would have provided.
2. You managed to convince DoD personnel of that fact and actually got them to approve an Authorization to Operate such a system based on cost savings.
You mischaracterize it as "cost savings" but that's essentially correct. I spent six months going through the 1100 controls they laid on me and where I thought a control would be destructive I provided a thorough analysis of the anticipated mission impact for both the control as written and the proposed alternate mitigation. The impact is far more than a dollar sign. Make it hard to use and you sap the system's utility to the mission. Make it hard to manage and you increase the probability of error, decreasing the system availability. And so on. Won some of the arguments. Lost others. Built a better system with happier users for the effort. You can believe that or not as you choose.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>