Where have all the Security Architects gone?


December 27th, 2005

As Gadi stated, ‘Looking at it from the other side, though, this comes to show some of the ill in our industry. People buying “products” to do security rather than incorporate products in their security strategy and infrastructure.’

He’s dead on the money. I had planned on blogging about this sometime in the next month…but, since he brought it up :) The *art* of architecting secure networks seems to have gone the way of the dodo. Many current security tools seem to fix the SYMPTOM and ignore the CAUSE. The cause of many of our woes is simply poor initial architecture. Period. You don’t need an application firewall if you’ve followed the guidelines for architecting good code. You don’t need an IPS to restrict a given service to X% of your traffic if you have correctly implemented traffic shaping on your edge (or core) router. I could go on and on. Many “security” tools are just “second chance” devices. You’ve incorrectly configured your edge router, or never really had a clue how to configure it in the first place? That’s OK, put our “security device” (a router with a fancy GUI) in front of your servers and try again. Good initial architecture falls under the 80/20 rule: it solves 80% of the problem in 20% (or less) of the time.

!Dmitry