Firewall Wizards mailing list archives

RE: "firewalls are obsolete" rant


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 30 Jan 2006 10:54:31 -0500

Subject: RE: [fw-wiz] "firewalls are obsolete" rant


He actually has what sounds like a reasonable, work-related reason for
wanting to access a technically-related IRC network/channel.  I told him
if he wanted to use a Unix/Linux client approved by I.T., we could discuss
it.  But no client/desktop systems, particularly those from a Certain
Large Software Company, and *certainly* no client/desktop systems over
which the end-user has admin rights.

We just went down this road last year.  It was not pretty.  But, this is an
excellent example for those list readers who are ivory tower consultant
types that think the infosec tail should wag the money-making dog. ;-)
Business "needs" will trump security standards, forcing security
practitioners to build controls for those exceptions.  

Being honest, if I had it to do over again, I would've fought harder to keep
it out.  What we came up with* mitigates the threat of bots and other
unauthorized clients getting back to an irc server outside our network, but
we wasted lots of time and energy to get there, all so a handful of people
didn't have to use e-mail to collaborate.  And since I can audit the
conversations that take place, I also know how much it's used.  We're still
"upside-down" on the value proposition that was used to argue for it.

PaulM

* Happy to talk about this off-list if you're still in need of ideas.

