Some years ago, nbm tried valiantly to explain what a firewall was to our class of I.S. III students. A few people got it, but it seems that about half the class learned only that firewalls were magic because they did security things and you needed them.
I guess I haven't spent enough time around I.S. graduates recently, because this conversation with a high-priced database consultant really got to me:
Consultant: What ports should I use for this? The developers will need to access the database from their PCs via these ports.
Me: Well, the port numbers don't really matter as long as we make the right holes in the firewall. What encryption protocol will this be using?
Consultant: No, I'm pretty sure there's no encryption.
Me: Will the developers need to log in?
Consultant: No.
Me: Um... can you tunnel it over SSH?
Consultant: I think so, but I've never done it before. Normally we just firewall the developers.
(slightly paraphrased)
So basically the database server exposes its databases on certain ports for the developers to access without authentication or encryption. [Cue all sorts of red lights in my head.] But apparently that would be OK because of the firewall... it must be magic.
It doesn't matter how much the consultant knows about how the database server works -- if he understands so little about security, he's a real danger to the information in the database.
Hopefully he'll learn how to do SSH tunnelling and set that up.
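For anyone in the consultant's position, here is what "tunnel it over SSH" looks like in practice. This is an added example, not something from the original post or from the consultant's setup. It assumes the database server (called `dbhost` here) also runs sshd, that the database listens on TCP 5432 (as PostgreSQL does; for that product the relevant setting is `listen_addresses = 'localhost'`), and that each developer has an account `dev` with an SSH key. The ssh command is built and printed rather than run, and the two socket listings are constructed `ss -ltn` output, so the script runs offline:

```shell
#!/bin/sh
# Added example (not from the original post): replace "firewall the developers"
# with an SSH local port forward plus a loopback-only database listener.
# Assumed names: dbhost, port 5432, developer account "dev".

# Build the developer-side command. Connections to 127.0.0.1:$1 on the developer's PC
# travel inside the SSH session and emerge on dbhost as connections to 127.0.0.1:$2,
# so the database never has to listen on a routable interface and the developer
# authenticates with an SSH key instead of "no login".
#   $1 local port, $2 remote (database) port, $3 ssh user, $4 ssh host
tunnel_cmd() {
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' "$1" "$2" "$3" "$4"
}

# Audit the server side. Given a port and the text of `ss -ltn` (or `netstat -ltn`),
# return 0 when every listener on that port is bound to loopback only, 1 when any
# listener on it is reachable from another address (0.0.0.0, *, [::], a LAN IP).
# Field 4 is the local address in both ss and netstat output; anything without a
# ":port" suffix (headers, other ports) is skipped.
#   $1 port, $2 listing text
db_listener_is_loopback_only() {
  printf '%s\n' "$2" | awk -v p="$1" '
    {
      addr = $4
      n = split(addr, parts, ":")
      if (n < 2 || parts[n] != p) next
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      if (host != "127.0.0.1" && host != "[::1]") exposed = 1
    }
    END { if (exposed) exit 1; exit 0 }'
}

# Constructed sample listings (not captured from a real server).
# Before: the database answers on every interface; the firewall is the only control.
EXPOSED_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# After: the database answers on loopback only; developers reach it through sshd on 22.
HARDENED_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::1]:5432          [::]:*
LISTEN 0      128    [::]:22             [::]:*'

# Stand-alone demonstration.
echo "Developer runs:  $(tunnel_cmd 15432 5432 dev dbhost)"
echo "then points the database client at 127.0.0.1:15432."
if db_listener_is_loopback_only 5432 "$EXPOSED_LISTING"; then
  echo "before: 5432 loopback-only"
else
  echo "before: 5432 exposed on a routable address (relying on the firewall)"
fi
if db_listener_is_loopback_only 5432 "$HARDENED_LISTING"; then
  echo "after:  5432 loopback-only, reachable only through the SSH tunnel"
else
  echo "after:  5432 still exposed"
fi
```

The audit function is the check worth keeping around: the tunnel on its own changes nothing if the database is still bound to 0.0.0.0, because the firewall hole the consultant asked for would then be the only thing between an unauthenticated, unencrypted listener and whoever can reach it. SSH port 22 is deliberately allowed to be exposed in the hardened listing; that is the one service that is supposed to face the developers.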