Firewall Wizards mailing list archives
Re: httport 3snf
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 21 Oct 2002 20:17:31 -0400 (EDT)
On Mon, 21 Oct 2002, Ryan M. Ferris wrote:
> Paul: Great Comments! But is this really realistic?:

Well, it's how I administered the HQ and main data center location for a ~US$5B corporation, so I'm sure it's possible to do. Given the liberal working environment that I had to deal with, I'm sure it's something you can do in almost any given organization.

> > If tunneling is (a) against policy, and (b) requires active and considered engineering to achieve, then the technology has done its part. After that, it's a monitoring and enforcement issue, not a firewall issue. If you can show active anti-policy malice in achieving the connection- then it's time to move into the penalty phase.
>
> [Bigger question coming...] At what point does monitoring and enforcement become unrealistic? In

I guess that depends on what point the policy is unrealistic, and the level of commitment to policy enforcement in general. If they're against policy, and folks have been educated, and you're in such a hostile environment that you have widespread disregard for the policy, then it's more than likely time to either switch policies, architectures, or jobs.

> Robert's case, he could be the network administrator of thousands of individually configured Windows laptops running some kind of tunneling. It

Ah, but once again, those laptops needn't be on the same segments as "critical" systems. Let's face it, the myth of IT-configured systems in the corporate world disappeared years ago for all but a few hold-outs.

> could end up as pervasive as napster. Isn't the penalty phase really just reserved for very criminal cases?! I have worked at some pretty big places.

No, administrative penalties are an appropriate thing. That may be as small as "temporarily losing legitimate access" or a letter of reprimand for the first offense. Subsequent offenses should of course escalate in punishment. Heck, if we don't teach the kids that in school, they're sure gonna find out about it in the real world.

> My experience was always that you would have to do something really bad to reach "penalty phase" - a hand slap usually at most. If you had ten users doing something against policy, you didn't get ten "penalty phases", you got a meeting with your boss to help provide alternate functionality so there were no desktop users "against policy".

I've always held a very tight line on acceptable usage. It's sometimes put me at odds with business growth, and in those cases, I've forced those who "needed" special circumstances to decouple from my core infrastructure and pay for the infrastructure to support their risky behaviour- you'd be surprised how many "critical" daily activities become non-critical when someone has to pay for them, or when someone has to get off their rear end and go to another machine to do them.

> For example, if AIM and ICQ were bad, I can imagine a mandate to provide secure messaging or else the masses might riot. It is true the security

There's "unacceptable at all" and there's "unacceptable on this segment"- both of which are supportable with policy, enforcement and corrective action. It hasn't been more than a month since someone on this very list was trying to get around such a policy (and probably unsuccessfully too.)

> groups had more power to slap hands than us network/desktop administrators types - but we usually took more "user heat" for reduced functionality.

Whilst I've had users who've been, well, let's just call it "upset" at my security policies- I've always articulated *why* something was against policy (though usually not at the user level, but at executive management who had to agree with the risk assessment to make the policy enforceable.) When I left my last company, I was personally *very* taken aback by the genuine regret expressed by those who had been most suppressed by my policies. Not only did they understand my concerns, they articulated why it had been a good thing to have someone in the security position who wouldn't cave in to local politics. I firmly believe that a large part of that was in the fact that I never made exceptions, not for CEOs, Exec VPs, and most importantly not for myself or my friends. I had extremely good support from my CIO and at least all the way up to the Vice Chairman, as well as from the folks in the General Counsel's office. Network and systems support staff would often ask for my assistance in helping to lock down a rogue group or user when their local politics wouldn't allow them to do so. For that to work, you have to have strong policy and strong policy enforcement. Exceptions, cries of "that's impossible to do" and "popularity" have to be discarded.

There are quite a lot of solutions that can "fix" this situation or more importantly combinations of solutions, including DNS interception, filtering, VPN software, IDS, authenticating proxies, firewalls, education, training, policies, contracts, etc. School's an ideal time to introduce the user population to real life- heck, you can bill it as "real world computing environments" in the handbook! Brokerage firms are legally required to monitor "public wire traffic" and the law doesn't allow them leeway in regards to privacy or difficulty. K-12s may wish to enforce "chat" blocking to counter a potential abduction threat, colleges may wish to block P2P sharing to limit litigious content owners, etc.

Personally, I'd make all the potential users take a computer ethics and acceptable usage class before I'd wire up their rooms or let them authenticate to the network (quite a few years ago, there was a story in Linux Journal about a college using floppy disks and PKI to enable computer usage; I'm sure it'd be relatively easy to cook up something like that with, say, IPSec gateways, "cafe/airport" style SSL servers, or something like that.) This is not an unsolvable problem, and it may be that something as radical as a curriculum change to add an ethics course would both enhance dialog and produce some downstream social positives. Heck, in a school you could start with articles in the school paper and even invite dialog on an interactive forum. I've heard of at least one major college that requires MAC address registration prior to connection to their network. I doubt they have massive revolt or major issues because they've thought the problem through and made their architecture fit their solution. This is not an unsolvable problem by any stretch.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment
                             TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards