Well folks, I guess it had to happen. I finally agreed to work on a firewall for someone the other day. In discussions with the customer, everything was fine. Then they introduced the security consultant, hereinafter known as the Security Dweeb.
Now, I may not be the most fun person in the world. After all, I am 50% geek, 50% nerd, and I've got a whole pile of certifications to prove just how dull I am. But security people are just a whole new breed of IT person.
In fact, after careful consideration, I think that lawyers have a new competitor in bottom feeding. Security is all about what might happen. Think about it, and it might happen.
If you are really good at security, hypothetically nothing will happen. Of course, as customers we will never really know if that is because of the security plan, or whether nothing would have just happened anyway.
As a CIO, I am really in a bind here. If I spend money, I have very limited options for measuring the value. If I don't spend money, AND SOMETHING HAPPENS, I am in deep trouble. Alrighty then -- forget that upgrade; let's get the security consultants in.
Now that's just like calling a lawyer to check a contract. After a suitable amount of reading, hmming and hahhing, they will begin to raise issues that might happen. Whereupon everyone takes things far too seriously and paralysis sets in. (How many good ideas are shelved because as soon as the lawyers get involved it's all a bit too hard?) Of course, the lawyer has almost no idea what the contract they are reading is actually about, but that doesn't stop them from making a whole lot of suggestions -- suggestions that normally completely distort the whole purpose of the contract in the first place.
As a technical kind of guy, security is actually kind of fun. So I thought that when I met the Security Dweeb that I would be learning a few things. How wrong I was!
First, we checked all the door locks, the magnetic proximity card system, customer escort procedures, fire protection, tape backup procedures, offsite secure tape backup storage, after hours access to the buildings, riser security and the toilet windows. Second, we were extensively advised about social engineering, after hours access, escort procedures, configuration control, security lock downs, tailgating, ad nauseam.
Then, finally, some questions were asked about the firewall and proposed configuration.
Okay. Now, all those other things are important, but I bought a book last week that told me exactly the same thing. I also did some research on the Certified Information Systems Security Professional (CISSP) certification. This is the current fad in security certification. I reckon that about 15% of that certification is about technology. The rest of it was about earthquakes and floods. "Very useful," I thought to myself.
Just to check the technical capability of the Security Dweeb, I decided to have a bit of a play...
Dr. Network: I have decided to not implement NAT on the firewall.
Security Dweeb: But you must have NAT. It is an added security feature.
Dr. Network: How?
Security Dweeb: Because it hides the inside address.
Dr. Network: And what does that achieve?
Security Dweeb: Then people can't launch an attack on the address of the machine.
Dr. Network: So what? NAT will translate any traffic sent to that address anyway. It doesn't matter what the internal address is, as NAT will translate from the outside address to inside address. If you launch an attack on the outside address, NAT will faithfully send it on to the host.
Security Dweeb: But it does offer some protection, don't you agree?
Dr. Network: No.
Security Dweeb: Why not?
Dr. Network: NAT will translate the outside address to the inside quite well too. That's what it does. It doesn't have anything to do with security. The filtering does the security aspect.
Security Dweeb: But we always use NAT to improve security.
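The exchange above can be played out in code. What follows is an added toy model written for this page, not the column's own: it models a one-to-one static NAT entry for a published server and a simple inbound filter, and shows that the NAT entry forwards whatever arrives at the outside address while only the filter rules decide what gets through. The addresses, the rule set and the assumption that the filter is evaluated on the outside interface before translation are all constructed for the example; real firewall products order NAT and filtering differently.

```python
"""Toy model of a firewall's inbound path: static NAT versus packet filtering.

Illustrative code written for this page, not the column's own. All addresses are
constructed examples from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Static (one-to-one) NAT table: outside address -> inside host. Constructed.
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}

# Inbound filter rules, evaluated top-down on the outside interface before
# translation (an assumption of this model); first match wins, implicit deny
# at the end. Constructed rule set: only HTTPS to the published server is let in.
ALLOW_HTTPS_ONLY = [
    ("permit", "tcp", "203.0.113.10", 443),
]


def translate(pkt):
    """Static NAT: rewrite the outside destination to the mapped inside host.

    Translation is unconditional, which is the column's point: it does not
    look at who is sending or which port they are asking for.
    """
    inside = STATIC_NAT.get(pkt.dst)
    if inside is None:
        return None  # no mapping: there is nothing to deliver to
    return replace(pkt, dst=inside)


def filter_inbound(pkt, rules):
    """Return True if a permit rule matches, else False (implicit deny)."""
    for action, proto, dst, dport in rules:
        if (proto in ("any", pkt.proto)
                and dst in ("any", pkt.dst)
                and dport in ("any", pkt.dport)):
            return action == "permit"
    return False


def forward(pkt, rules=None):
    """Model the inbound path. With rules=None there is no filter and NAT alone
    decides; otherwise the filter runs first and only permitted traffic is
    translated. Returns the packet as delivered inside, or None if dropped."""
    if rules is not None and not filter_inbound(pkt, rules):
        return None  # dropped by the filter
    return translate(pkt)


def demo():
    # Constructed traffic: an unsolicited telnet connection attempt and an
    # HTTPS request, both aimed at the published outside address.
    telnet = Packet(src="198.51.100.7", dst="203.0.113.10", dport=23)
    https = Packet(src="198.51.100.7", dst="203.0.113.10", dport=443)
    return {
        "nat_only_telnet": forward(telnet),
        "nat_only_https": forward(https),
        "filtered_telnet": forward(telnet, ALLOW_HTTPS_ONLY),
        "filtered_https": forward(https, ALLOW_HTTPS_ONLY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        outcome = f"delivered to {result.dst}" if result else "dropped"
        print(f"{name:16} -> {outcome}")
```

With NAT alone, the telnet attempt is translated and delivered to 192.168.1.10 exactly like the HTTPS request; hiding the inside address changed nothing. Add the filter and the telnet attempt is dropped while HTTPS still reaches the server. The one case where the NAT table by itself discards traffic is an outside address with no mapping at all (`translate` returns None), which is the absence of a route to a host, not an access policy.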
Goodness gracious. That sounds an awful lot like a lawyer to me. So the next time you meet a security consultant, make sure you don't listen too hard. You might just find that they are telling you what you already know. If not, go and get a good book.
Just in case you think I'm the only one, check out this article from The Register titled "Security suppliers compared to dodgy car mechanics." (http://www.theregister.co.uk/content/55/24211.html) I'll drink to that!
Then tell the boss to save his money and instead do something that will improve productivity and get the world economy back on track. Dang it, I need a pay rise. Don't pay the bottom feeders.