Firewall Wizards mailing list archives

RE: Small company question was Re: Firewall administration.


From: Eric <bealls () ix netcom com>
Date: Fri, 10 Oct 1997 16:20:21 -0700

Agreed, most small companies can get along pretty well with a template that 
says: "deny all except mail and web services".  While the answers to Mark's 
questions may seem obvious, I still think it is very important to ask them 
from a due diligence standpoint.  A mechanism then needs to be in place to 
review, approve, and add services on week 2 when the employees ask why they 
can't access certain web pages or buy stuff, do ftp, irc, etc.  Having gone 
through the comprehensive (and seemingly unimportant) set of questions 
upfront with the IS manager (and company management?), methods of 
addressing these issues can be addressed in a (hopefully) easier fashion.

Mark Teicher wrote:
[...] What should a small company do? [...]
Usually what I start off with is what the company would like to do, as in:
      Ask some of the basic questions:
              Why does the company want to be on the Internet?
              What are the potential issues related to being on the Internet?
              How does this affect our business model?
              How does it change the business model with the Internet?

<snip>

I just couldn't see spending time on the above part; that was really 
simple.
Like everybody these days, they wanted email and www access from their
desktops. A bit of additional questioning showed that they didn't want
anything else. I gave a couple of leading questions ``wanna be able to buy
things with secure web access --- use your credit card over the web to buy
tickets or whatever''? "No", said he, so he doesn't need a crypto tunnel
through his firewall. ``Wanna restrict what machines can send you active
content (applets)?'' "Sure, as long as I can easily update the list". Sounds
right to me.


