Firewall Wizards mailing list archives

Re: httport 3snf


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 21 Oct 2002 20:17:31 -0400 (EDT)

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

> Paul:

> Great Comments! But is this really realistic?:

Well, it's how I administered the HQ and main data center location for a 
~US$5B corporation, I'm sure it's possible to do.  Given the liberal 
working environment that I had to deal with, I'm sure it's something you 
can do in almost any given organization.

If tunneling is (a) against policy, and (b) requires active and considered
engineering to achieve, then the technology has done its part.  After
that, it's a monitoring and enforcement issue, not a firewall issue.  If
you can show active anti-policy malice in achieving the connection- then
it's time to move into the penalty phase.

[Bigger question coming...]

> At what point does monitoring and enforcement become unrealistic? In

I guess that depends on what point the policy is unrealistic, and the 
level of commitment to policy enforcement in general.

If they're against policy, and folks have been educated, and you're in 
such a hostile environment that you have widespread disregard for the 
policy, then it's more than likely time to either switch policies, 
architectures, or jobs.

> Robert's case, he could be the network administrator of thousands of
> individually configured Windows laptops running some kind of tunneling. It

Ah, but once again, those laptops needn't be on the same segments as 
"critical" systems.  Let's face it, the myth of IT-configured systems in 
the corporate world disappeared years ago for all but a few hold-outs.

> could end up as pervasive as napster. Isn't the penalty phase really just
> reserved for very criminal cases?! I have worked at some pretty big places.

No, administrative penalties are an appropriate thing.  That may be as 
small as "temporarily losing legitimate access" or a letter of reprimand 
for the first offense.  Subsequent offenses should of course escalate in 
punishment.  Heck, if we don't teach the kids that in school, they're sure 
gonna find out about it in the real world.

> My experience was always that you would have to do something really bad to
> reach "penalty phase" - a hand slap usually at most. If you had ten users
> doing something against policy, you didn't get ten "penalty phases", you got
> a meeting with your boss to help provide alternate functionality so there
> were no desktop users "against policy".

I've always held a very tight line on acceptable usage.  It's sometimes 
put me at odds with business growth, and in those cases, I've forced those 
who "needed" special circumstances to decouple from my core infrastructure 
and pay for the infrastructure to support their risky behaviour- you'd be 
surprised how many "critical" daily activities become non-critical when 
someone has to pay for them, or when someone has to get off their rear end 
and go to another machine to do them.

> For example, if AIM and ICQ were bad, I can imagine a mandate to provide
> secure messaging or else the masses might riot.  It is true the security

There's "unacceptable at all" and there's "unacceptable on this segment"- 
both of which are supportable with policy, enforcement and corrective 
action.  It hasn't been more than a month since someone on this very list 
was trying to get around such a policy (and probably unsuccessfully too.)

> groups had more power to slap hands than us network/desktop administrators
> types - but we usually took more "user heat" for reduced functionality.

Whilst I've had users who've been well, let's just call it "upset" at my 
security policies- I've always articulated *why* something was against 
policy (though usually not at the user level, but at executive management 
who had to agree with the risk assessment to make the policy enforceable.)

When I left my last company, I was personally *very* taken aback by the 
genuine regret expressed by those who had been most suppressed by my 
policies.  Not only did they understand my concerns, they articulated why 
it had been a good thing to have someone in the security position who 
wouldn't cave in to local politics.  

I firmly believe that a large part of that was in the fact that I never 
made exceptions, not for CEOs, Exec VPs, and most importantly not for 
myself or my friends.  I had extremely good support from my CIO and at 
least all way up to the Vice Chairman, as well as from the folks in the 
General Counsel's office.  Network and systems support staff would often 
ask for my assistance in helping to lock down a rogue group or user when 
their local politics wouldn't allow them to do so.  For that to work, you 
have to have strong policy and strong policy enforcement.  Exceptions, 
cries of "that's impossible to do" and "popularity" have to be discarded. 

There are quite a lot of solutions that can "fix" this situation or more 
importantly combinations of solutions, including DNS interception, 
filtering, VPN software, IDS, authenticating proxies, firewalls, 
education, training, policies, contracts, etc.  School's an ideal time to 
introduce the user population to real life- heck you can bill it as "real 
world computing environments" in the handbook!

Brokerage firms are legally required to monitor "public wire traffic" and 
the law doesn't allow them leeway in regards to privacy or difficulty.  
K-12s may wish to enforce "chat" blocking to counter a potential abduction 
threat, colleges may wish to block P2P sharing to limit litigious content 
owners, etc.

Personally, I'd make all the potential users take a computer ethics and 
acceptable usage class before I'd wire up their rooms or let them 
authenticate to the network (quite a few years ago, there was a story in 
Linux Journal about a college using floppy disks and PKI to enable 
computer usage; I'm sure it'd be relatively easy to cook up something like 
that with, say, IPSec gateways, "cafe/airport" style SSL servers, or 
something like that).

This is not an unsolvable problem, and it may be that something as radical 
as a curriculum change to add an ethics course would both enhance dialog 
and produce some downstream social positives.  

Heck, in a school you could start with articles in the school paper and 
even invite dialog on an interactive forum.

I've heard of at least one major college that requires MAC address 
registration prior to connection to their network.  I doubt they have 
massive revolt or major issues because they've thought the problem through 
and made their architecture fit their solution.

This is not an unsolvable problem by any stretch.

Paul 
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

