Sunday, April 05, 2009

firewall-wizards Digest, Vol 36, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PCI DSS & Firewalls (Chris Blask)
2. Re: PCI DSS & Firewalls (Brian Loe)


----------------------------------------------------------------------

Message: 1
Date: Sat, 4 Apr 2009 08:44:12 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: mjr@ranum.com, bam@cisco.com
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <607428.2901.qm@web33803.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


From: Marcus J. Ranum <mjr@ranum.com>, Friday, April 3, 2009 1:14:29 PM

>Bill McGee wrote:
>> Short of a Ranum dictatorship, we really need to
>> recognize that wide-eyed idealism, however well-intentioned, is never a reasonable replacement for dealing with the vagaries of the reality we actually inhabit.
> "Ranum dictatorship"?? You should be so lucky.

All hail our new Ant Overlords!

I see an opportunity for a line of T-Shirts at the very least...

:~)

-chris


------------------------------

Message: 2
Date: Sun, 5 Apr 2009 00:50:06 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904042250o504f6690h179995cd74443a5c@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 3, 2009 at 3:36 PM, Paul Melson <pmelson@gmail.com> wrote:


> At the end of the day, offensive security (scanning, pen-testing, auditing,
> etc.) is testing. And some testing is ALWAYS better than no testing. Show
> me a company that doesn't require testing before moving a system into
> production and I'll show you a company that can afford lots of downtime.

And I'll show you every company I've ever worked for - including the
one that's handling your prescriptions and likely the one handling
your 401k.

Then again, I guess it depends on what you call testing. If it means
"it turns on, given expected input it returns expected output" then
never mind - you're "safe". Otherwise you're living in as big of a make-
believe world as Marcus. And as everyone knows I'm quite the realist!

Then again I'm also the manager who, while trying to get an updated
security program approved by the "IT Steering Committee", removed the
part about certification and accreditation for new systems because,
frankly, if you're our size it's stupid and overly costly. What I
would VERY MUCH LIKE is a "checklist" like the first set of
instructions I got for (well, it's late and I can't remember the
acronym - and it's since been changed anyway - DoD crap)....

I prefer a standard that tells me EXACTLY what it wants as a minimum, and then
my middle management idiot self can busy myself doing BETTER than
that standard...


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 10
************************************************
