Firewall Wizards mailing list archives
Re: What challenges are security admins facing?
From: ark () eltex net
Date: Wed, 28 May 2003 18:55:59 +0400
Being a bit offtopic on firewall security audit discussion, i'd like to remember a paper i wrote on security management problems. Unfortunately the paper is in Russian thus having no value for the mailing list subscribers, but i can recite key point here: the major problem is responsibility and serious gap between de jure and de facto computers and network usage policy. People DO use computers at their workplace for personal needs and its OKAY. There are some cases when it is not acceptable, say, processing critical data. That means instead of declining the problem in whole (this should not happen, but.. everyone including senior management does it) and focusing on "wide-range" technical countermeasures like installing antivirus software everywhere to avoid _personal_ responsibility, we should CONTROL the situation. That means it is necessary to face the fact and, if we want an employee not to play games and surf the web from computer that is connected directly to sanctum sanctorum he just needs _another_ computer on his desk or maybe a public one somewhere in the office. Enforcing a fascist set of restrictions just makes users extremely creative to avoid it. Keeping restrictions reasonable makes it possible to control remaining and vital ones really strict. That means, say, if user installs an unauthorized piece of software on his computer without consulting the administrator he is guilty as hell and gets fscked really bad - but to make things work this way the administrator should allow him to do it if it is really innocent. Otherwise he just will not tell. If user gets a trojan by email and clicks on it and gets 0wned, then 1) user should be fscked for doing it and 2) the administrator should be fscked for allowing authomatic attachment execution on users workstation. And it is the matter of personal responsibility, not insurance or antivirus software. In most cases managers are just coward morons. Thay prefer things to look good until shit happens instead of preventing it. Another problem is, again, management. Ever seen a big boss that says "i need this videoconferencing software working today from my desktop, so please poke a hole in firewall to make it work - it is IMPORTANT! no, we do not have time for security analisys, we need it NOW! No, i do not want to do it from dedicated notebook machine". The point is obvious. Why designing and implementing crafty security policy just to have it ruined this way? On Tue, May 27, 2003 at 09:22:55AM -0400, Paul Robertson wrote:
On Mon, 26 May 2003, Paul Ammann wrote:Hi I've working on the firewall security audit at my company, and I've been getting exposure to many different areas that I normally wouldn't. I work with the Check Point firewalls. I'm curious as to what people challenges security admin are facing.Change control is always a big issue. So are things like password managment, backups, ruleset validation, physical cabling verification, and potentially important things like log analysis and the legal aspects of such (for instance, do you regularly review logs, or only when "something bad happens- the answer could change the defensibility of using that analysis in court, are your logs set up to be reported on, and will that ensure the business record exemption for evidentiary submission...) [At this point, you should be asking yourself "Why hasn't Legal been involved in our audits before?" and probably thinking "They might want specific things documented that aren't, and that's a bigger stick than I currently have...]I'm talking things you might not normally take into consideration. For example, lack of communication or documentation, inaccurrate network drawings of firewall locations, no formal change control procedure, tracking temporary firewall rules, limiting access to firewall policies and log information, or my favorite, no procedure for when an employee has left the company or change job functions.If you're doing user-ids, think about automatically expiring ones which haven't been used for some period of time. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- What challenges are security admins facing? Paul Ammann (May 27)
- Re: What challenges are security admins facing? Paul Robertson (May 27)
- Re: What challenges are security admins facing? R. DuFresne (May 27)
- Re: What challenges are security admins facing? ark (May 28)
- Re: What challenges are security admins facing? Paul Robertson (May 28)
- Re: What challenges are security admins facing? ark (May 28)
- Re: What challenges are security admins facing? Paul Robertson (May 27)
- RE: What challenges are security admins facing? Ben Nagy (May 27)
- Re: What challenges are security admins facing? R. DuFresne (May 27)
- <Possible follow-ups>
- Fw: What challenges are security admins facing? Paul Ammann (May 29)
- Re: Fw: What challenges are security admins facing? R. DuFresne (May 29)