RE: Another Newbie with questions

[Houser David DW <david.houser () zcswilm zeneca com>]

Michael - 

Would suggest that you work with management now to establish the policies
re. access - establish who can use it and for what purposes, as well as
whatever other parameters are appropriate for your company to have (What
protocols are allowed outbound?  Is access allowed inbound from the ISP?
etc.)        A couple of sites that may help:

    http://csrc.nist.gov/isptg/html/
    http://www.usenix.org/sage/publications/policies/fr_template.html
 
http://www.ifac.org/StandardsAndGuidance/InformationTechnology/ManagingSecur
ityOfInfo.pdf    (see Appendix A)


You probably want to establish an acceptable use policy and make it very
widely seen in the company, and quite possibly will want each person
accessing the Internet to sign off on it.  Yes, this adds admin overhead,
but you have the position of knowing that everyone who needs it has seen it,
and their signature agreeing to abide by it.   Makes it very black and white
if there is a problem.

Finally, a word of advice.  You don't want to be the Internet police.   If
you try and establish the position of  "restricting internet access to only
the places we have to go"  you're going to have a fulltime job setting up
ACLs and restricting access, and you'll be making some very subjective
calls, all of which will get old very quickly!   For your sanity's sake,
make sure policies are in place and agreed to, and then suggest a means to
enforce (e.g., once a month you'll post "SITES VISITED" on the bulletin
board, and at management request will follow through to see who went there.
Or weekly, Webtrends/Telemate/whatever will be used to generate a report
that gets mailed to management.).   Maybe you'll even want an automated
control mechanism (Cyberpatrol, Surfwatch, NetNanny, etc), but I'll bet very
quickly you'll find out you don't want to be the means of controlling who
goes where.

Good luck,
DWH

> ----------
> From:         Michael Kelley[SMTP:michaelkelley () home com]
> Sent:         Tuesday, August 10, 1999 2:39 PM
> To:   firewall-wizards () nfr net
> Subject:      Another Newbie with questions
>
>
>  Greetings,
>
>  My company is going to have to open a internet connection soon in order
> to do business with a client. 
>  The decision has been made to use a PIX <sp?> firewall. I'm told these
> are some fairly stout devices and darned near impenetrable.
>
>  It's looking more and more like I will be the guy doing the
> maintainance of the Firewall/Security setup for our company . I don't
> have much experience, but I'm told that I am the most paranoid person in
> my department. <heh>
>
>  I'm looking for is personal opinions regarding this device. I
> understand it has logging capabilities and is configurable (I'm told
> it's a bitch to configure). I've been doing my best to get up to speed
> on the subject of network security. I've been reading "Firewalls and
> Internet Security" by Cheswick and Bellovin, and "Hacker Proof" by
> Klander and Renehan. I think I'm beginning to get a glimmer of
> understanding about the issues I will have to deal with. I'm trying to
> learn as much as possible so that when I examine log files, I can
> understand what I'm looking at.
>  I'd also like to know if there are things I should do to help shore up
> any weaknesses in this type firewall if any. 
>
>
>  I've already started putting the bug in the ears of the deciding
> authorities at the office about restricting internet access to only the
> places we have to go. Since word got out that we will be getting access,
> the "Gods' Must Be Crazy" syndrome(#1) has hit the office and suddenly,
> everyone thinks they have a reason to have access to the Internet.
>  I'm making a big deal out of describing how an unwitting user can bring
> down a virus by grabbing the latest whack-a-mole game. (We use Inoculan,
> so I'm not really that worried about viri on the network.) I am of the
> opinion that if we begin with a drastic, "don't you dare go to Persian
> Kitty", style of internet policy, it will be somewhat easier to maintain
> productivity and reduce risks to the network. 
>
> #1- The Gods' Must Be Crazy Syndrome: Based on a movie of the same name.
> When a remote tribe of people recieve an empty Coca Cola bottle dropped
> from a plane flying overhead, they don't know what to do with it.
> They've never seen one before. But soon, the tribe begins fighting
> amongst themselves because all of a sudden, _everyone_ needs to use it. 
>  The same can be said for Internet access in a company that never had it
> before.