Firewall Wizards mailing list archives

Re: httport 3snf


From: Paul Robertson <proberts () patriot net>
Date: Tue, 22 Oct 2002 11:05:16 -0400 (EDT)

On Tue, 22 Oct 2002, Robert E. Martin wrote:

> Boy, I didn't think I'd be opening a can of worms here. I gotta hand it

It's not really a can of worms, just a soapbox that some of us like a lot, 
and also a place where people who haven't had management support have felt 
the pain- both ends of that perspective can help- experience matters, both 
good *and* bad.  I think it's important that people think about failure 
modes, not just of software, but also of implementation and even political 
layer things.

> to you all, there is a lot going on here that I have thought of without 
> the fancy degree and years of Unix experience. AUP here is strong but 

/me looks around- no fancy degrees here!  Heck, the only certification I 
have is one I helped write the test for...  I have been doing this for a 
while though.

> maybe this will put things into perspective:
> 
> This is a military school for 8-12 graders. The key here is discipline. 

Certainly that makes banning messaging protocols an easier political sell-
the high-profile abduction cases can be good political ammunition.  You 
may want to check the archives, locate the .ca.us district that was 
mentioned earlier on the list and ask what they're doing.

The discipline thing is also an interesting vector.  I'd once again 
recommend considering trying to do some sort of "Computer Ethics" class 
for newbies to the school.  It wouldn't be all that difficult to come up 
with a one or two day class that would give the school a reason to be 
administratively proud of your policy.  If you can win that- you'll get 
staff and administrative support like you wouldn't believe.  Take and hold 
the moral high ground and it's a heck of a lot harder for people to move 
you out of the picture.

Most military schools have codes of behaviour, it shouldn't be too 
difficult to codify a computer code of ethics, responsibilities and 
behaviour.  I'd push for making them sign a hard copy like a contract, and 
for having the parents do the same.  When they get caught, bring the paper 
in to the interview, and point out where they were told it was wrong, and 
ask them to explain the delta between their actions and the expectation 
they'd live up to their side.  That could make for some interesting 
listening.

> Most of the kids here are on some sort of chemical to keep them on the 
> ground. (doggie downers) As you all are aware of, some of the "users" 
> come in with enough knowledge to be dangerous so I get a lot of ...."so 
> how does the network work".....types of pre-adolescent questions. And 
> then there is always one guy who thinks he is above all this and has GOT 
> to hack the network. That is what we have here. Here are a couple of 
> snippets I found applicable during this thread:

We get that in the commercial world too.  Generally, the thing we don't 
have to deal with in droves is the self-owned machine issue.

> ----No, administrative penalties are an appropriate thing.  That may be as 
> small as "temporarily losing legitimate access" or a letter of reprimand 
> for the first offense.  Subsequent offenses should of course escalate in 
> punishment.  *Heck, if we don't teach the kids that in school, they're sure 
> gonna find out about it in the real world.*


> This is the main reason I have got to solve this somehow. If I send the
> message to these types of kids that they CAN get away with hacking a
> network, you all in bigger business have guys like me to thank for the
> problems that arise in the future. Our network for the cadets is on its
> own subnet from the admin so security is good. Making changes to the
> infrastructure of the network is in the works and all of the content of
> this and other discussions dealing with network security and AUP will
> play a major role in the redesign. Thanks to everyone for your input.

Every school admin we convert helps _everyone_on_the_Internet_.  If you 
have questions off-list, feel free to throw them my way as well.  If 
you're part of the solution, you're not part of the problem :)

Personally, I'd think long and hard about creating an ethics class that 
offenders had to attend before they got their access back.  You might 
manage to convert one or two, and at least you'd have a "why can't Johnny 
do his research" stick for the first level of parent complaints.

Treat it like bad driving, there's a parallel that many of them may 
understand.

> ----*For example, if AIM and ICQ were bad, I can imagine a mandate to provide*
> *secure messaging or else the masses might riot.*  It is true the security
> groups had more power to slap hands than us network/desktop administrator
> types - but we usually took more "user heat" for reduced functionality.

> The masses might riot. Hummmmm. I can imagine that a riot over AIM or 
> its equal could most likely escalate to a grating whine but not a riot. 
> This was the whole reason this came up to begin with. I stopped all chat 
> programs here due to abuse. The cadets would use this to communicate 
> plans to _really_ riot within the school, talking more to their 
> girlfriends and friends and lewd content when they did use the

Did you just block it without any communication?  Sometimes that creates 
an adversarial relationship.  Find the most virulent offenders and have the 
"you need to understand" talk with them.  Acquaint them with the rules, 
the consequences and the law.  Communicate policy changes, give rationale, 
and give a place for feedback (getting feedback doesn't mean you have to 
change your position, and may indicate some of the hard cases early on.)

> application. So I stopped it. The whining was unbelievable. Then the 
> hacking started. Now the chat programs are working again. Crap!!! Coming 
> into the school the AUP is clear.....Chat programs are forbidden. Now I 
> am at the "dealing with the parents" stage. Billy can't do his homework 
> because he doesn't have his computer in his room anymore......Well, you 
> should tell him the AIM is not allowed.......The parent I believe was 
> the one who gave him this application to begin with. Let's not get into 
> the modems in the rooms....

Wesley had an interesting point a while back about MS Proxy being able to 
block executables by name- putting one of those behind the firewall may offer 
enough of a deterrent that you'll stop the casual offenders.  Otherwise, 
things like personal firewalls with what's normally an enterprise-type 
policy might help- if the school gets the license, I can't see where the 
wiggle room is all that great.

> ----When I was the evil firewall BOFH in a large stupid company, your friends 
> wouldn't have gotten SSH out of my firewall.

> Ok. I believe you. Did you also have web based e-mail accounts and if 
> you did, how was authentication taking place without 443 open? There 

We didn't do Web-mail, mostly because I wanted more layers of separation 
between the users and the Internet than that would have allowed- and we 
had well north of 30,000 e-mail users spread all over the place. 

Nonetheless, our mail servers were inside the firewall, so it wasn't 
much of an issue.  If it had needed to be outside for external access 
(nightmare situation) then it would have been an allowed destination for 
all users.

Please note that I didn't do port-based firewalling for general user 
applications, I required an application layer gateway between any user's 
machine and anything outside my perimeter unless I'd been given say in 
the design and use of it and approved a different solution.

> are plans to change the e-mail accounts here to something more web 
> based. There are a slew of mail applications out there that look and 
> feel a lot like hotmail and yahoo mail. Outlook has a great web based 
> app that costs more and really does a nice job. Who invented AOL anyway

I wouldn't enable OWA on my closest competitor's network ;)

> and why are the masses so caught up in it??? I think it's the Pied Piper 
> syndrome. That will be the next issue with the parents. "Why can't Billy 
> use his AOL mail????" I am interested in hearing about the kind of 
> firewall you used and how it was set up.

Mostly I had internal DNS on a machine I controlled, which talked to an 
external DNS I controlled which talked to the root servers.  I had a 
Postfix SMTP server with a wildcard MX that handed the mail that wasn't 
destined to me off to the downstream MS stuff, and an HTTP proxy server 
capable of blocking active content, doing outbound FTP, and HTTPS.  From 
there on out it was just a matter of permissions.  I had a couple of 
different packet filtering implementations between the proxy and the 
external routers (one commercial product and IPFilter) and then filtering 
set up on the external routers.  There was a screening router between the 
internal network and the proxy server as well.  The only thing tunneled 
that would get through was HTTP tunneled traffic, which I could either 
allow or try to block by URL, site, or if I wanted to write code, content 
inspection.  These days, I'd probably do snort rules, produce a report and 
go thwap violators (but I generally enjoy the thwapping bit.)

> I really appreciate all the discussion as I am a 3 year newbie to the 
> industry. I have learned a lot and there still is a lot to learn. Again, 
> this discussion started by asking you all how I can stop traffic 
> generated by software that tunnels out the firewall. The message is 
> clear, NOT MUCH. I have sniffed packets, blocked ports, stopped services 
> and almost made a mess out of the ipchains rules in our firewall. There 
> is no smoke yet, but there is fire to re-think the network security 
> implementation here. This is great stuff. Keep going.

You can't let it be an escalation game of "what tunnel works?"  You 
*must* be able to correct the behaviour of the offenders.  After a while, 
and it really shouldn't take too long, lots of people will hate you, and 
you'll be left with the real hard cases, who'll need the formal 
disciplinary processes that the school can bring to bear.  They're 
offenders, treat them like offenders- restrict their access, isolate them, 
and try to rehabilitate them.

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
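As an added example (not code from Paul's message, nor from any product he names), the "produce a report and go thwap violators" step from his architecture description can be approximated over the proxy's own access log rather than with snort. The script below assumes a Squid-style native access.log layout (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type); the log lines, user names and IP addresses are constructed for illustration and the thresholds are assumptions to tune locally. It flags CONNECT requests to ports other than 443, CONNECT or binary fetches aimed at bare IP addresses instead of hostnames, and tunnels that stay open or move far more data than a normal HTTPS session, then groups the hits per authenticated user so the report can go to whoever runs the disciplinary process.

```python
"""Per-user report of likely HTTP-tunnel use, built from proxy access logs.

Added example; assumes a Squid-style native access.log line:
  <epoch> <elapsed_ms> <client_ip> <result>/<status> <bytes> <method> <url> <user> <hier>/<peer> <type>
All sample data below is constructed, not taken from any real log.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample: one normal page fetch, one normal HTTPS CONNECT, two
# suspicious CONNECT sessions, and a binary fetch from a bare IP over plain HTTP.
SAMPLE_LOG = """\
1035300000.123   1200 10.1.2.10 TCP_MISS/200 18344 GET http://www.example.edu/library/index.html cadet_a DIRECT/192.0.2.10 text/html
1035300005.456 3600000 10.1.2.11 TCP_TUNNEL/200 5242880 CONNECT 198.51.100.7:8080 cadet_b DIRECT/198.51.100.7 -
1035300010.789    900 10.1.2.10 TCP_TUNNEL/200 41234 CONNECT mail.example.org:443 cadet_a DIRECT/203.0.113.5 -
1035300020.000 7200000 10.1.2.11 TCP_TUNNEL/200 92000000 CONNECT 198.51.100.7:443 cadet_b DIRECT/198.51.100.7 -
1035300030.000    300 10.1.2.12 TCP_MISS/200 2048 GET http://203.0.113.99/cgi-bin/tunnel?x=1 cadet_c DIRECT/203.0.113.99 application/octet-stream
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Assumed thresholds: a CONNECT open for 10+ minutes or carrying 50+ MiB
# is far outside what an ordinary HTTPS page load looks like.
LONG_TUNNEL_MS = 10 * 60 * 1000
BIG_TUNNEL_BYTES = 50 * 1024 * 1024


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_raw_ip(host):
    """True when the destination is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dest_host_port(rec):
    """Return (host, port). CONNECT targets are host:port; other methods carry a URL.
    IPv4/hostnames only; bracketed IPv6 targets are not handled here."""
    if rec["method"] == "CONNECT":
        host, sep, port = rec["url"].rpartition(":")
        if not sep:
            return rec["url"], 443
        return host, int(port) if port.isdigit() else 443
    m = re.match(r"^[a-z]+://([^/:]+)(?::(\d+))?", rec["url"])
    if not m:
        return rec["url"], 80
    return m.group(1), int(m.group(2) or 80)


def indicators(rec):
    """List the tunnel indicators a single request trips (empty list = looks normal)."""
    host, port = dest_host_port(rec)
    flags = []
    if rec["method"] == "CONNECT":
        if port != 443:
            flags.append(f"CONNECT to non-HTTPS port {port}")
        if is_raw_ip(host):
            flags.append("CONNECT to bare IP address")
        if rec["elapsed"] >= LONG_TUNNEL_MS or rec["bytes"] >= BIG_TUNNEL_BYTES:
            flags.append("long-lived or high-volume tunnel")
    elif is_raw_ip(host) and rec["ctype"] == "application/octet-stream":
        flags.append("binary payload fetched from bare IP over plain HTTP")
    return flags


def build_report(log_text):
    """Group flagged requests by user: {user: [(url, [flags...]), ...]}."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = indicators(rec)
        if flags:
            report[rec["user"]].append((rec["url"], flags))
    return dict(report)


def format_report(report):
    """Render the grouped report as plain text, one user per section."""
    out = []
    for user in sorted(report):
        out.append(f"{user}: {len(report[user])} suspicious request(s)")
        for url, flags in report[user]:
            out.append(f"  {url}: " + "; ".join(flags))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_LOG)))
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents. The per-user grouping matters more than any single indicator: one odd CONNECT is noise, but the same account opening hour-long tunnels to the same bare IP on two different ports is the pattern worth a conversation.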