Firewall Wizards mailing list archives

Re: httport 3snf


From: Duncan <drsharp () pacbell net>
Date: Mon, 21 Oct 2002 23:12:24 -0700

"Paul D. Robertson" wrote:

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

Paul:

Great Comments! But is this really realistic?:

Well, it's how I administered the HQ and main data center location for a
~US$5B corporation, I'm sure it's possible to do.  Given the liberal
working environment that I had to deal with, I'm sure it's something you
can do in almost any given organization.

If tunneling is (a) against policy, and (b) requires active and considered
engineering to achieve, then the technology has done its part.  After
that, it's a monitoring and enforcement issue, not a firewall issue.  If
you can show active anti-policy malice in achieving the connection- then
it's time to move into the penalty phase.

[Bigger question coming...]

At what point does monitoring and enforcement become unrealistic? In

I guess that depends on what point the policy is unrealistic, and the
level of commitment to policy enforcement in general.

If they're against policy, and folks have been educated, and you're in
such a hostile environment that you have widespread disregard for the
policy, then it's more than likely time to either switch policies,
architectures, or jobs.


    Having worked in the Firewall support role at several companies, I need to
    vent^H^H^H^H share two experiences that are at difference with the
    above.

    At a software development firm (dot-com related), the policy was
    written to protect property (both physical and intangible). Abuse of
    resources was prohibited.

    But if a developer had a need (or made a request) to open FW ports, or gain
    IM access, "no" was not acceptable; the only question was how fast the request
    was completed. As most developers realize, tying a deadline to any
    request is the best way around restrictions or "policies".
    You may just find yourself on the receiving end of a written reprimand
    from your CIO directed at you from the CEO of the company.

    Supporting FWs in the corporate offices of a large ISP (now gone),
    the policies required business justification for opening additional
    ports and/or relocating segments in front of the firewalls. Note that
    as an ISP, we were the daily target of hacking attempts.

    The firewall was set to transparently proxy connections for http
    (80, 443, 8080) to unlimited destinations. This seemed to work for all
    300+ employees. But IT had a problem: they could not download drivers
    from HP support. This was a critical problem for them. Their suggestion
    (request) was to open the firewall to allow all (TCP ports >1024)
    outbound from their class C to any IP, as they could not provide me
    with a list of IPs for HP support.

    The suggested workaround appeared simple:
        a: Configure your browser to proxy via the FW IP.
        b: Use dialup; we are an ISP and it's free.

    Management was informed of the risks. The director of IT support informed
    my director that it didn't sound too risky to him to just open up the ports.
    Besides, the IT desktop support people would have to remember to turn on
    proxy support when they needed it.

    Management felt the added risks were justified versus slowing down desktop
    support, since no one had ever actually broken in.

    At least in these two companies the policy only went so far as to interfere
    with some claimed business need, and then we had an exception.

    Working for smaller companies (<500 employees), policies are usually
    an afterthought, and may have been written by some manager in IT dealing
    only with abuse of the desktop itself. I have been at 3 tech companies
    where each has the following section in their policies:

    "XX. Internet usage is only for approved business purposes. Personal use
        (access) is prohibited."

    This was in the policies of two software (Internet) development companies
    and one ISP.

    On the other hand, having worked in an aerospace biggie where there are
    more work rules than one can read in a month, policies tended to be
    better enforced. Or at least it was much harder for a requester to get
    enough management support to force a firewall change.

    How this relates to an educational environment, I can't really say. But I would
    hope that policies that enforce behavior/access are enforced with a network
    design that is flexible enough to address the differing needs of administration,
    undergraduates, graduates, and researchers.

Yours,
Duncan Sharp

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
