Firewall Wizards mailing list archives
RE: Another Newbie with questions
From: Houser David DW <david.houser () zcswilm zeneca com>
Date: Wed, 11 Aug 1999 10:15:30 -0400
Michael - Would suggest that you work with management now to establish the policies re. access - establish who can use it and for what purposes, as well as whatever other parameters are appropriate for your company to have (What protocols are allowed outbound? Is access allowed inbound from the ISP? etc.)

A couple of sites that may help:

http://csrc.nist.gov/isptg/html/
http://www.usenix.org/sage/publications/policies/fr_template.html
http://www.ifac.org/StandardsAndGuidance/InformationTechnology/ManagingSecurityOfInfo.pdf (see Appendix A)

You probably want to establish an acceptable use policy and make it very widely seen in the company, and quite possibly will want each person accessing the Internet to sign off on it. Yes, this adds admin overhead, but you have the position of knowing that everyone who needs it has seen it, and their signature agreeing to abide by it. Makes it very black and white if there is a problem.

Finally, a word of advice. You don't want to be the Internet police. If you try and establish the position of "restricting internet access to only the places we have to go" you're going to have a full-time job setting up ACLs and restricting access, and you'll be making some very subjective calls, all of which will get old very quickly! For your sanity's sake, make sure policies are in place and agreed to, and then suggest a means to enforce (e.g., once a month you'll post "SITES VISITED" on the bulletin board, and at management request will follow through to see who went there. Or weekly, Webtrends/Telemate/whatever will be used to generate a report that gets mailed to management.). Maybe you'll even want an automated control mechanism (Cyberpatrol, Surfwatch, NetNanny, etc), but I'll bet very quickly you'll find out you don't want to be the means of controlling who goes where.

Good luck,
DWH
----------
From: Michael Kelley[SMTP:michaelkelley () home com]
Sent: Tuesday, August 10, 1999 2:39 PM
To: firewall-wizards () nfr net
Subject: Another Newbie with questions

Greetings,

My company is going to have to open an internet connection soon in order to do business with a client. The decision has been made to use a PIX <sp?> firewall. I'm told these are some fairly stout devices and darned near impenetrable.

It's looking more and more like I will be the guy doing the maintenance of the Firewall/Security setup for our company. I don't have much experience, but I'm told that I am the most paranoid person in my department. <heh>

What I'm looking for is personal opinions regarding this device. I understand it has logging capabilities and is configurable (I'm told it's a bitch to configure).

I've been doing my best to get up to speed on the subject of network security. I've been reading "Firewalls and Internet Security" by Cheswick and Bellovin, and "Hacker Proof" by Klander and Renehan. I think I'm beginning to get a glimmer of understanding about the issues I will have to deal with. I'm trying to learn as much as possible so that when I examine log files, I can understand what I'm looking at. I'd also like to know if there are things I should do to help shore up any weaknesses in this type of firewall, if any.

I've already started putting the bug in the ears of the deciding authorities at the office about restricting internet access to only the places we have to go. Since word got out that we will be getting access, the "Gods' Must Be Crazy" syndrome(#1) has hit the office and suddenly, everyone thinks they have a reason to have access to the Internet. I'm making a big deal out of describing how an unwitting user can bring down a virus by grabbing the latest whack-a-mole game. (We use Inoculan, so I'm not really that worried about viri on the network.)

I am of the opinion that if we begin with a drastic, "don't you dare go to Persian Kitty", style of internet policy, it will be somewhat easier to maintain productivity and reduce risks to the network.

#1- The Gods' Must Be Crazy Syndrome: Based on a movie of the same name. When a remote tribe of people receive an empty Coca Cola bottle dropped from a plane flying overhead, they don't know what to do with it. They've never seen one before. But soon, the tribe begins fighting amongst themselves because all of a sudden, _everyone_ needs to use it. The same can be said for Internet access in a company that never had it before.