Firewall Wizards mailing list archives

Re: Another Newbie with questions


From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 11 Aug 1999 14:23:53 -0500

At 02:39 PM 8/10/99 -0400, Michael Kelley wrote:

> The decision has been made to use a PIX <sp?> firewall. I'm told these
> are some fairly stout devices and darned near impenetrable.

No firewall is impenetrable. Since I'm a competitor I'll skip further
comments.

> It's looking more and more like I will be the guy doing the
> maintenance of the Firewall/Security setup for our company. I don't
> have much experience, but I'm told that I am the most paranoid person in
> my department. <heh>

Try to be systematic in your paranoia. Look at what your company needs to
achieve as an enterprise and deal with the really big risks. Don't sweat
the small stuff. You'll just give yourself an ulcer and senior management
won't back you up.

You need to establish an Internet usage policy that describes how the
company will be using the Internet. If general Web browsing and e-mail will
be available to anyone, you want to have statements about "acceptable use"
of those capabilities, unless all the users are senior managers (in which
case it's probably unenforceable).

> What I'm looking for is personal opinions regarding this device. I
> understand it has logging capabilities

Logging will probably play an important part in enforcing your Internet
usage policy. People are more likely to behave if their behavior is recorded.

> and is configurable (I'm told it's a bitch to configure).

It all depends on what you're making it do. Paranoia is harder to configure
than permissiveness for just about any firewall.

> I'd also like to know if there are things I should do to help shore up
> any weaknesses in this type firewall if any.

It goes back to what really threatens your company. The best way to shore
it up is to keep tabs on your traffic patterns and what the box is doing.
Changes in behavior will indicate trouble unless you're being hit by a real
expert (would they hit you? why?).

> I've already started putting the bug in the ears of the deciding
> authorities at the office about restricting internet access to only the
> places we have to go. Since word got out that we will be getting access,
> the "Gods' Must Be Crazy" syndrome(#1) has hit the office and suddenly,
> everyone thinks they have a reason to have access to the Internet.

If you're only using the Internet connection to talk to a single business
partner, then it might be practical to configure the firewall to only talk
with that partner. On the other hand, lots of companies provide Internet
access to employees for business purposes and perceive this as a real
benefit to getting work done. Don't be surprised at the level of interest
being generated.

If some users at your site are going to use the public Web, then there's no
practical way to establish which sites they can visit ahead of time. You
can't possibly anticipate all the places that someone might want to visit
on the 'Net even if the person focuses entirely on legitimate business
activities.

The closest you can come would be a Net classification and filtering
product like SmartFilter that can track and optionally block the types of
sites people visit. We've managed to make SmartFilter do a number of cool
things which I've talked about in earlier messages on this list.

> I am of the
> opinion that if we begin with a drastic, "don't you dare go to Persian
> Kitty", style of internet policy, it will be somewhat easier to maintain
> productivity and reduce risks to the network.

One approach that has worked in other places is to identify the general
types of behaviors that won't be allowed (i.e. traffic whose contents might
"produce a hostile work environment" and/or non-business related). Then use
your firewall logs to look for site names that sound inappropriate. Many
organizations can keep a lid on misbehavior just by letting people know
that they're being watched.

Keep the policy SHORT. The longer the policy document, the less likely
people will read or follow it. Write a half page -- what it's for, what it
shouldn't be used for, and a warning that usage will be monitored. If
Official Company Policies must be lengthy legal things, be sure the
essentials fit on a half page and the Official Policy simply amplifies the
half page.



Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/


