North American Network Operators Group

RE: How to get better security people

  • From: Tim Irwin
  • Date: Fri Mar 29 15:45:35 2002


> What is the right mindset for ISP security.  It seems to be a little
> different from the traditional security mindset found in the corporate
> or military security world.  A lot of sharp people with that background
> try to move into ISP security, but they often have a difficult time
> making the transition.

ISPs are often in the position of having almost a conflict of interest when
compared to enterprises.  The idea of the Internet (and therefore ISPs) is
about openness and the ability to connect to anything, anywhere.
Enterprises must take almost the opposite stance of "deny all that which is
not expressly permitted".

ISPs have many customers and each customer has their own opinion about
security.  How many posts did we have recently asking which providers were
filtering things like port 80 and port 25?  The sad fact is that mucking up
what was intended to be an open network drives away customers and there will
always be someone else down the street waiting to take the customer's money
who won't do it.

I struggle with this myself.  I don't like the idea of having routers with
huge, complicated access lists all over the network.  But I don't like the
idea of being hammered by a DoS attack either.

So, I suggest that the *best* security people are those that can actually
quantify risks vs benefits, and who approach things with an "even keel".
I've talked with companies that think the primary job qualification for
security professionals is that they be obnoxious, ill-tempered, bark at
people for no apparent reason, and write nazi-like policies that stand no
chance of being adhered to.

Bottom line: There is a business to run.  Security people who don't
understand that are worthless in my opinion, no matter how technically savvy
they are.

> But are the students really getting the right training for working in
> a public network such as an ISP?

You can lead a horse to water, but you can't make him drink.  The best forum
for security education is trial by fire.

Tim Irwin, Sr. Network Engineer
Architecture & Engineering, Inc.
e-mail: [email protected]
office: 678.441.7951

"The plain and simple truth is rarely
plain and never simple."  --Oscar Wilde