You misunderstood me if you though I was saying the key to this problem is
to throw money at it. You can spend a load of cash and accomplish nothing.
In fact, you can do far worse damage this way by giving you a false sense of
security than if you did nothing at all. There is a right way to view
security and a wrong way. If you let a couple fast talking sales people
sell you their "kitchen sink" solution without the full understanding on
your part as to what you've just purchased, or the understanding on how to
install and maintain the product, then you don't belong in your company's
security group and should look for a new line of work. I think we can all
think of security installations or practices we've seen in the past that we
can find fault in, or ones that are so bad they need to fire the security
staff and reevaluate the entire infrastructure. The point I was making in
my original email was that you need to understand your network. This
includes the users and how they interact. You can spend $0 in the way of
new hardware and instead work to change the bad habits of users on the
network and be in a much more secure position months from now. By
understanding your network and the security risks associated in each
element, as well as the options available to closing (or mitigating) those
security risks, you will find yourself in a better position to spend
allocated funds more wisely. You'll never be able to make a network hacker
proof, but you can work to mitigate risk to varying degree. Here is where
the money comes in. How wisely you spend is up to you.
Mike Braun