Security Basics mailing list archives

Re: Allowing access to social networking... securely?


From: Patrick J Kobly <patrick () kobly com>
Date: Fri, 22 May 2009 13:17:51 -0600

krymson () gmail com wrote:
> I'm not trying to jump down your throat, but I do have to pull out some points. :)
>
> 1- If we evaluated security based on whether it can be bypassed, we'd not be implementing much of what we have now,
> and certainly we'd never allow the use of Windows or Macs. We really have to look at what it improves, and I can tell
> you that my web filter technology greatly improves my bandwidth situation, the desktop guys with troubleshooting end
> user systems, and the number of silly things eating resources on desktops. Yes, there are people who will spend time
> and know how to get around protections, but there are many people who get blocked once and accept it.

I think the OP's point was far subtler than you give credit for.  He
wasn't arguing "this can be bypassed, so it doesn't give us anything
anyway."  He seems to have been arguing that blocking introduces a new
risk vector that didn't previously exist (or was negligible) - the
bypass mechanism.  This vector was negligible before blocking, because
your users had no reason to use it.

The OP's suggested risk vector - malware-infested proxy sites - isn't even
the worst one introduced.  I've seen places where blocking has induced
users to use bypass mechanisms including:

- Separate dialup connections
- USB Wifi piggy-backing on nearby offices' signals
- SSH tunneling
- VPN connections out to a machine acting as a proxy (home PC for example)
- GoToMyPC or equivalent to a machine acting as a proxy

Are there technical controls to prohibit these?  Yes, but do you really
want to get into an arms race with your users?  Effectively, you've
created a hostile in your trusted network.  Does the risk introduced by
these bypass mechanisms outweigh the benefits in bandwidth usage,
troubleshooting and "silly things eating resources on desktops"?  I
don't know...  Depends on your user base (How likely are they to use
these mechanisms? How likely are they to do so in a more secure manner?)

> 3) I have yet to really hear or see that employees are held accountable even for things like lost laptops with silly
> data on them. Let alone holding them responsible for a bad link they clicked. Sad, but too often true. :(

I have seen reasonable accountability imposed.  It's a balance between
administrative controls and technical controls...

PK
-- 
Patrick Kobly, CISSP


Attachment: signature.asc
Description: OpenPGP digital signature
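The reply above says technical controls for the listed bypass mechanisms exist without showing one. The following is an added example, not code from the thread or from either poster: a small egress-log triage script that flags the network-visible bypasses from the list (SSH tunnels, VPNs out to a home PC, and long-lived high-volume flows of the kind a remote-proxy or GoToMyPC-style session produces). The key=value log format, the sample log lines, the internal network ranges, the SSH allow list, the VPN port set and the duration/volume thresholds are all assumptions constructed for the example.

```python
"""Flag egress flows that look like web-filter bypass tunnels.

Added example; the log format, sample lines, allow list and thresholds are
constructed assumptions, not a real product's output or a real policy.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample lines in an assumed key=value firewall/flow-log format.
SAMPLE_LOG = """\
ts=2009-05-22T13:01:00 src=10.1.4.22 dst=203.0.113.10 dport=443 proto=tcp dur=12 bytes=48211
ts=2009-05-22T13:02:10 src=10.1.4.22 dst=198.51.100.7 dport=22 proto=tcp dur=5400 bytes=91234567
ts=2009-05-22T13:03:05 src=10.1.4.31 dst=192.0.2.44 dport=1194 proto=udp dur=3600 bytes=20480000
ts=2009-05-22T13:04:00 src=10.1.4.40 dst=203.0.113.50 dport=22 proto=tcp dur=30 bytes=4096
ts=2009-05-22T13:05:00 src=10.1.4.55 dst=198.51.100.9 dport=8200 proto=tcp dur=7200 bytes=150000000
"""

# Assumed corporate ranges; flows that stay inside them are not egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: the one external host staff are allowed to ssh to.
SSH_ALLOWLIST = {"203.0.113.50"}
# Assumed: common VPN ports (IKE, OpenVPN, PPTP, IPsec NAT-T).
VPN_PORTS = {500, 1194, 1723, 4500}
LONG_SESSION_SECS = 3600          # assumed threshold: an hour or longer
HIGH_VOLUME_BYTES = 50_000_000    # assumed threshold: 50 MB or more

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reasons: Tuple[str, ...]


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict with numeric fields typed."""
    rec = dict(KV_RE.findall(line))
    for key in ("dport", "dur", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: dict) -> Tuple[str, ...]:
    """Return the bypass indicators that apply to one flow (empty if none)."""
    if is_internal(rec["dst"]):
        return ()
    reasons = []
    # SSH to anything not on the allow list: classic -D/-L tunnel setup.
    if rec["dport"] == 22 and rec["dst"] not in SSH_ALLOWLIST:
        reasons.append("ssh_to_unapproved_host")
    # VPN ports outbound: a tunnel to a home box or commercial VPN.
    if rec["dport"] in VPN_PORTS:
        reasons.append("vpn_port")
    # Long and heavy flow on any port: proxying the browsing through it.
    if rec["dur"] >= LONG_SESSION_SECS and rec["bytes"] >= HIGH_VOLUME_BYTES:
        reasons.append("long_high_volume_flow")
    return tuple(reasons)


def scan(log_text: str) -> List[Finding]:
    """Scan a whole log and return one Finding per suspicious flow."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["src"], rec["dst"], rec["dport"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}  {', '.join(f.reasons)}")
```

Two caveats that match the thread's argument. First, the port-based checks only catch the lazy version of each bypass; a user who moves sshd or OpenVPN to 443 is invisible to them, which is exactly the arms race the reply warns about, and only the duration/volume heuristic still has a chance. Second, the first two items on the list (a separate dialup line, a USB Wi-Fi adapter on a neighbour's signal) never cross the perimeter at all, so no egress log will show them; those need host-level controls, and the script makes no claim about them.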
