Firewall Wizards mailing list archives

Re: HTTP in practice

From: Bennett Todd <bet () rahul net>
Date: Wed, 24 Sep 1997 10:32:35 -0700

On Wed, Sep 24, 1997 at 02:43:26AM -0400, Greg Haverkamp wrote:

[...] assuming that most firewall administrators can't get away with not
allowing https access to the outside (which seems a fair assumption to me),
[...]


It's certainly a fair and reasonable assumption, given a target audience. Like
most assumptions about internet use in general and security in particular,
it's easy to find exceptions:-).

Specifically, in at least one industry, you can expect that protocols which
cannot be secured with available technology --- like https, like downloading
active content, like interactive services that depend on the ability to open
connections to the end user with proprietary protocols --- will be rejected;
the firewall admin explains the risks to senior management, who compare those
risks with business benefits and decide it's too expensive. Of course this
depends on good management, but then good security _always_ depends on good
management.

And of course the above picture --- and all-out ban on new fun stuff --- is
an oversimplification, not the whole story unless you're talking about a
pretty small firm; a larger company can decide that they want to play with
problematic protocols and set up a less-secure net to support such play. But
production users from their production workstations don't play with those
risky toys. In fact, I've set up a playpen for toying with Java on the cheap;
just hang a sacrificial box in its own leg of the DMZ, screened from
everything except the internet and an SSH tunnel from the firewall, and
configure that box so it doesn't listen on any port except with SSH.

But back to target audiences and security policies....

I've worked in Wall St. firms, and sometimes it takes a very clear
presentation to convince people that a security problem is Real, not being
blown out of proportion, but then giving clear presentations of the technical
facts is an important part of the job of a security admin.

For my part, I'm not worried about it; I can explain the tradeoffs to the
decision makers, and they can set the official policy; if I should ever get
into a situation where I seriously believe the decision is badly wrong and
dangerous to the firm, and I can't get it changed, then I can't do my job
there anymore, so it's time to vote with my feet. Hasn't happened yet in my
15-odd years working in the computer admin biz.

-Bennett

Current thread:

HTTP in practice Greg Haverkamp (Sep 22)
- Re: HTTP in practice Marcus J. Ranum (Sep 22)
  - Re: HTTP in practice Greg Haverkamp (Sep 23)
    - Re: HTTP in practice Marcus J. Ranum (Sep 23)
    - Re: HTTP in practice Greg Haverkamp (Sep 24)
    - Re: HTTP in practice Bennett Todd (Sep 24)
    - Re: HTTP in practice Paul D. Robertson (Sep 29)
    - Re: HTTP in practice Joe Klemmer (Sep 26)
- Re: HTTP in practice Justin Mason (Sep 23)
- Re: HTTP in practice Bennett Todd (Sep 23)
- <Possible follow-ups>
- Re: HTTP in practice Anton J Aylward (Sep 24)