Firewall Wizards mailing list archives
Re: HTTP in practice
From: Bennett Todd <bet () rahul net>
Date: Wed, 24 Sep 1997 10:32:35 -0700
On Wed, Sep 24, 1997 at 02:43:26AM -0400, Greg Haverkamp wrote:
> [...] assuming that most firewall administrators can't get away with not allowing https access to the outside (which seems a fair assumption to me), [...]
It's certainly a fair and reasonable assumption, given a target audience. Like most assumptions about internet use in general and security in particular, it's easy to find exceptions :-). Specifically, in at least one industry, you can expect that protocols which cannot be secured with available technology --- like https, like downloading active content, like interactive services that depend on the ability to open connections to the end user with proprietary protocols --- will be rejected; the firewall admin explains the risks to senior management, who compare those risks with business benefits and decide it's too expensive. Of course this depends on good management, but then good security _always_ depends on good management.

And of course the above picture --- an all-out ban on new fun stuff --- is an oversimplification, not the whole story unless you're talking about a pretty small firm; a larger company can decide that they want to play with problematic protocols and set up a less-secure net to support such play. But production users from their production workstations don't play with those risky toys. In fact, I've set up a playpen for toying with Java on the cheap; just hang a sacrificial box in its own leg of the DMZ, screened from everything except the internet and an SSH tunnel from the firewall, and configure that box so it doesn't listen on any port except with SSH.

But back to target audiences and security policies.... I've worked in Wall St. firms, and sometimes it takes a very clear presentation to convince people that a security problem is Real, not being blown out of proportion, but then giving clear presentations of the technical facts is an important part of the job of a security admin.
For my part, I'm not worried about it; I can explain the tradeoffs to the decision makers, and they can set the official policy; if I should ever get into a situation where I seriously believe the decision is badly wrong and dangerous to the firm, and I can't get it changed, then I can't do my job there anymore, so it's time to vote with my feet. Hasn't happened yet in my 15-odd years working in the computer admin biz.

-Bennett
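A host-side check in the spirit of the sacrificial playpen box described above, added here as an example and not part of Bennett's post: it parses `ss -Hltn` style output and flags any TCP listener other than SSH on port 22. The `ss` lines below are constructed samples so the script runs offline; the allow-list port and the `check_sample` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a sacrificial
# playpen box listens on nothing but SSH. Reads `ss -Hltn` style lines
# (State Recv-Q Send-Q Local:Port Peer:Port) from stdin; the samples below
# are constructed so the script runs without a live host.

# audit_listeners "22 ..."  < ss_output
# Prints every listener whose port is not on the space-separated allow-list.
# Returns 0 when only allowed ports are open, 1 otherwise.
audit_listeners() {
    allowed=" $1 "
    bad=0
    while read -r state recvq sendq laddr peer rest; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}            # "0.0.0.0:22", "[::]:22" and "*:22" all yield 22
        case "$allowed" in
            *" $port "*) ;;          # on the allow-list
            *) echo "unexpected listener: $laddr ($state)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed samples: a clean box, and one where a web server and an MTA crept in.
SAMPLE_CLEAN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'
SAMPLE_DIRTY='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*'

# Returns the audit verdict for a sample as an exit status. On a live box the
# same logic is simply:   ss -Hltn | audit_listeners "22"
check_sample() {
    printf '%s\n' "$1" | audit_listeners "22"
}

check_sample "$SAMPLE_CLEAN" && echo "clean box: only SSH listening"
check_sample "$SAMPLE_DIRTY" || echo "playpen box has drifted from policy"
```

Run it from cron on the playpen host and page someone when it returns non-zero; a box that is supposed to be unreachable except over SSH should never grow new listeners quietly.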