Firewall Wizards mailing list archives
Re: Highlighting Security Issues
From: Victor Williams <vbwilliams () neb rr com>
Date: Mon, 02 Aug 2004 01:05:36 -0500
More thoughts just on technology...
> There's enough interesting things to this that I don't think there's a good basis for too strong an opinion either way, though the whistleblower's actions seem at least a little ill-advised...
> http://www.decaturdaily.com/decaturdaily/news/040629/job.shtml

When does a firewall just "crash"? Someone explain that to me...
> The more interesting question there is how many folks who might have to ever monitor a system have invested in acquiring and testing the software they'd use to do it? Grabbing a Trojan off the Internet and installing it (especially a binary) seems like the *stupidest* path one could take in this situation. But I really didn't want to just push my analysis out there, I think it's worth some discussion in this community.
VNC anyone? Dameware? In Dameware, you can push installs of software to other machines without the end user knowing...and then you can display what's onscreen--again, without the end user knowing. It works on any Windows OS after 95. It contains no spyware, no malware, no trojans, etc., etc. You can download a fully functional 30-day eval, or you can purchase one license for between $30 and $100 depending on the license you get. Just about ANY retail software that doesn't modify the Windows LOCAL_MACHINE registry settings can be pushed and installed without rebooting the machine in question, with no interaction at the console.
> Yet, something must provide the motivation for change for the better; somehow organizations need to find a way to channel such energy toward the organizational goal, rather than lose valuable talent or even a chance to improve the organization...
Group policy and ghost imaging. You get a stable image of an OS, give a user read/execute access, and write access only to specified directories (C:\Documents and Settings\%username%), and you cease to have a misuse problem that would require you to single out a single user for monitoring. At the network level, you could monitor the network destinations and payload of ALL transmissions leaving and coming into the network. If you've done your work on the workstation(s) in question, there's no app abuse. This should be true from the CEO to the mailroom clerk. The only change should be the apps dedicated to certain departments--this then becomes just a granularity-of-policy issue...only PCs in the accounting department get the accounting software, only the mailroom gets the UPS and FedEx software, etc., etc.
> I don't think the commercial world is all that different, unless someone *cares* enough to do good policy creation and enforcement. That's one of the reasons that I'd prefer to see people channel such energy, rather than letting it go off on tangents, no matter how just the cause.
I guess that's what I was trying to get across before. If this is an NT 4 or later system, why don't system and group policies apply (not written organization policies)? It would seem to me you could curb someone's app use pretty quickly if they didn't have administrative access to their workstation and you were deploying NT policies correctly. When deployed correctly, all workstations of a domain should inherit them...this is not new technology, and it's pretty effective when done correctly.
> I've always thought such things were stupid. They get in the way of many legitimate sites, and put you into a "if I can get at it, then it's ok" sort of mode. Better to summarize sites surfed and have the employee sign the reports, like larger companies do with phone logs. I also get the stupid bounce messages from lots of e-mail content filters, which are the logical extension, and I know lots of people miss otherwise important messages because of some phrase, tool name, or slightly off remark.
How does restricting stock-trading sites get in the way of legitimate sites if you're talking about a gov't agency? I can see how this would be true if you work at Ameritrade...but a gov't agency?
I have had experience with SurfControl. You flat-out deny casino sites, adult sites, stock-trading, and you log everything else...you never get locked out of sites you need access to with a well thought-out implementation plan and ruleset.
You then keep the logs for 12 months. If an issue arises, you can go back 1 year from that date and look up anyone in the company working anywhere in that year time period--it's all logged by NT or AD username/machine name/IP address. You are then NOT discriminating...you are just logging everything and everyone. When everyone falls under the same umbrella, no one can complain about being singled out and discriminated against.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
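As an added example (not code from this thread, and not SurfControl's real log format; the usernames, hosts, IPs and categories below are constructed), this is the retention-and-review logic the logging approach above implies: parse filter logs keyed by NT/AD username, machine name and IP, apply the 12-month lookback, and produce the per-user summary an employee could be asked to sign, with every user treated identically.

```python
# Added example: web-filter log review with a 12-month retention window.
# Log format is constructed: timestamp|username|machine|ip|host|category|action
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2004-07-30T09:12:01|DOMAIN\\jdoe|WS-ACCT-07|10.1.4.23|quotes.example-broker.test|stock-trading|denied
2004-07-30T09:13:44|DOMAIN\\jdoe|WS-ACCT-07|10.1.4.23|www.example-news.test|news|allowed
2004-07-31T14:02:10|DOMAIN\\msmith|WS-MAIL-02|10.1.9.8|tracking.example-ups.test|shipping|allowed
2003-06-15T11:00:00|DOMAIN\\jdoe|WS-ACCT-07|10.1.4.23|www.example-casino.test|casino|denied
2004-08-01T16:45:09|DOMAIN\\jdoe|WS-ACCT-07|10.1.4.23|www.example-news.test|news|allowed
"""

DENIED_CATEGORIES = {"casino", "adult", "stock-trading"}  # flat-out denied
RETENTION = timedelta(days=365)                            # keep logs 12 months


def parse_log(text):
    """Parse constructed log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 7:
            continue
        ts, user, machine, ip, host, category, action = fields
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "machine": machine, "ip": ip, "host": host,
                        "category": category, "action": action})
    return records


def within_retention(records, now_iso):
    """Keep only records inside the 12-month lookback from 'now_iso' (YYYY-MM-DD)."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in records if now - RETENTION <= r["ts"] <= now]


def user_summary(records, user):
    """Per-user sign-off report: request count, denied-category hits,
    hosts visited, and the machine/IP pairs the activity came from."""
    hits = [r for r in records if r["user"] == user]
    hosts = Counter(r["host"] for r in hits)
    blocked = sum(1 for r in hits if r["category"] in DENIED_CATEGORIES)
    machines = sorted({(r["machine"], r["ip"]) for r in hits})
    return {"requests": len(hits), "blocked": blocked,
            "hosts": dict(hosts), "machines": machines}
```

The same summary function runs for every username in the logs, which is what makes the "nobody is singled out" argument above hold in practice.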