Convincing Management of Network Security Issues?
"I went up the chain and explained the problem to my boss. He was horrified. He took it to his boss (who also happens to be in charge of said Network Engineer). The result was less-than-spectacular. My boss' boss came out, with The Engineer in tow, who after fiddling with things for a while, proclaimed everything to be 'locked down,' and then they left. What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation. But in the process, she'd managed to convince our collective higher-ups that the problem wasn't as big as we (read: the lowly, know-nothing software developers) had made it out to be, and now nobody wants to hear a word about it. In other words, they have NO firewall at all, and we've been unable to convince them that this is a Bad Thing(tm).
Since The Engineer and her boss have always tended to be reactive rather than proactive, I logged onto Steve Gibson's Leak Test from an admin workstation and showed them the results. Unfortunately, this 'parlor trick' failed to generate much in the way of enthusiasm. So what I'm looking for are (mostly) non-destructive suggestions to alert them to the dangers of their network configuration. Short of posting their IPs in a #skript_kiddie_channel and daring them to trash everything, how should I bring it to their attention in a, shall we say, meaningful way?"
Do these others using the network belong to the company? They sound like they can be trusted. Have you tried talking to the MCSE guy himself? It might be easier to convince him than the higher-ups. As long as the system is working fine I don't think the higher-ups would be worried, so going after the admin guy is the best bet. I'm an admin and I've taken advice from other workers on more than one occasion.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
You've told them about what you think is a problem, they think otherwise, they are responsible -> Don't do anything. Stepping on their toes will get you in trouble, plus there isn't anything legal you could do to provide further proof that there is a problem anyway. You would have to be in a position where you could avoid working "below" the folks whom you are going to make look bad, in the future, either by moving up the ladder, getting them fired, or by leaving the company. If you are not in that position: It's not your job to secure the network - don't do it.