Firewall Wizards mailing list archives
Re: Another Newbie with questions
From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 11 Aug 1999 14:23:53 -0500
At 02:39 PM 8/10/99 -0400, Michael Kelley wrote:
> The decision has been made to use a PIX <sp?> firewall. I'm told these are some fairly stout devices and darned near impenetrable.
No firewall is impenetrable. Since I'm a competitor I'll skip further comments.
> It's looking more and more like I will be the guy doing the maintenance of the Firewall/Security setup for our company. I don't have much experience, but I'm told that I am the most paranoid person in my department. <heh>
Try to be systematic in your paranoia. Look at what your company needs to achieve as an enterprise and deal with the really big risks. Don't sweat the small stuff. You'll just give yourself an ulcer and senior management won't back you up. You need to establish an Internet usage policy that describes how the company will be using the Internet. If general Web browsing and e-mail will be available to anyone, you want to have statements about "acceptable use" of those capabilities, unless all the users are senior managers (in which case it's probably unenforceable).
> What I'm looking for is personal opinions regarding this device. I understand it has logging capabilities
Logging will probably play an important part in enforcing your Internet usage policy. People are more likely to behave if their behavior is recorded.
> and is configurable (I'm told it's a bitch to configure).
It all depends on what you're making it do. Paranoia is harder to configure than permissiveness for just about any firewall.
> I'd also like to know if there are things I should do to help shore up any weaknesses in this type of firewall, if any.
It goes back to what really threatens your company. The best way to shore it up is to keep tabs on your traffic patterns and what the box is doing. Changes in behavior will indicate trouble unless you're being hit by a real expert (would they hit you? why?).
> I've already started putting the bug in the ears of the deciding authorities at the office about restricting internet access to only the places we have to go. Since word got out that we will be getting access, the "Gods Must Be Crazy" syndrome(#1) has hit the office and suddenly everyone thinks they have a reason to have access to the Internet.
If you're only using the Internet connection to talk to a single business partner, then it might be practical to configure the firewall to only talk with that partner. On the other hand, lots of companies provide Internet access to employees for business purposes and perceive this as a real benefit to getting work done. Don't be surprised at the level of interest being generated. If some users at your site are going to use the public Web, then there's no practical way to establish which sites they can visit ahead of time. You can't possibly anticipate all the places that someone might want to visit on the 'Net even if the person focuses entirely on legitimate business activities. The closest you can come would be a Net classification and filtering product like SmartFilter that can track and optionally block the types of sites people visit. We've managed to make SmartFilter do a number of cool things which I've talked about in earlier messages on this list.
> I am of the opinion that if we begin with a drastic, "don't you dare go to Persian Kitty" style of internet policy, it will be somewhat easier to maintain productivity and reduce risks to the network.
One approach that has worked in other places is to identify the general types of behaviors that won't be allowed (i.e. traffic whose contents might "produce a hostile work environment" and/or non-business related). Then use your firewall logs to look for site names that sound inappropriate. Many organizations can keep a lid on misbehavior just by letting people know that they're being watched. Keep the policy SHORT. The longer the policy document, the less likely people will read or follow it. Write a half page -- what it's for, what it shouldn't be used for, and a warning that usage will be monitored. If Official Company Policies must be lengthy legal things, be sure the essentials fit on a half page and the Official Policy simply amplifies the half page.

Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/
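The two log-review habits Rick recommends above (watching for site names that match the usage policy, and watching for changes in a host's traffic pattern) as an added example that is not part of the original message or of any firewall product. The log format, addresses, host names and policy keywords are all constructed for illustration.

```python
"""Review constructed firewall logs for policy hits and behaviour changes."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample log (hypothetical format: date src_ip dst_host bytes);
# it does not reproduce any real firewall's logging syntax.
SAMPLE_LOG = """\
1999-08-09 10.1.1.5 www.partner.example 12000
1999-08-09 10.1.1.7 mail.example.net 3000
1999-08-09 10.1.1.5 www.partner.example 8000
1999-08-10 10.1.1.5 www.partner.example 11000
1999-08-10 10.1.1.7 news.example.org 5000
1999-08-10 10.1.1.7 mail.example.net 2500
1999-08-11 10.1.1.5 www.partner.example 9000
1999-08-11 10.1.1.7 warez-downloads.example 900000
1999-08-11 10.1.1.7 jobsearch.example 40000
1999-08-11 10.1.1.7 mail.example.net 3000
1999-08-11 10.1.1.7 news.example.org 6000
"""

def parse_log(text):
    """Turn each line into (date, src, host, bytes); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        records.append((parts[0], parts[1], parts[2], int(parts[3])))
    return records

def flag_sites(records, keywords):
    """Destination names that match any policy keyword (case-insensitive)."""
    return sorted({h for _, _, h, _ in records
                   if any(k in h.lower() for k in keywords)})

def behaviour_changes(records, day, factor=3.0):
    """Source hosts whose byte volume on `day` exceeds `factor` times their
    mean daily volume over earlier days. A host with no earlier history is
    flagged too, since there is no baseline to compare it against."""
    per_day = defaultdict(Counter)
    for d, src, _, nbytes in records:
        per_day[d][src] += nbytes
    history = [d for d in per_day if d < day]
    flagged = {}
    for src, today in per_day.get(day, {}).items():
        past = [per_day[d][src] for d in history]
        base = mean(past) if past else 0
        if base == 0 or today > factor * base:
            flagged[src] = (today, base)
    return flagged
```

Run against real logs, the interesting output is not the single flagged host but the trend: a host whose volume keeps drifting upward week over week is the "change in behavior" Rick describes.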