Firewall Wizards mailing list archives
RE: Another Newbie with questions
From: sean.kelly () lanston com
Date: Fri, 13 Aug 1999 14:28:16 -0400
From: Rick Smith [mailto:rick_smith () securecomputing com]

> At 02:39 PM 8/10/99 -0400, Michael Kelley wrote:
> > It's looking more and more like I will be the guy doing the maintenance of the Firewall/Security setup for our company. I don't have much experience, but I'm told that I am the most paranoid person in my department. <heh>
>
> Try to be systematic in your paranoia. Look at what your company needs to achieve as an enterprise and deal with the really big risks. Don't sweat the small stuff. You'll just give yourself an ulcer and senior management won't back you up.

As you say, I think a mixture of paranoia and pragmatism is probably the best. I think we all agree that the only impenetrable security is a sledgehammer, so there has to be some acceptance that someone WILL or COULD get in, no matter how well a system is secured. If you turn your network into Fort Knox and then settle back and assume you're safe, you're only doing half your job. Intrusion detection, etc. is the other half (as well as not having a breakdown when an intrusion is detected).

> You need to establish an Internet usage policy that describes how the company will be using the Internet. If general Web browsing and e-mail will be available to anyone, you want to have statements about "acceptable use" of those capabilities, unless all the users are senior managers (in which case it's probably unenforceable).

Policies are generally unenforceable beyond a certain point; the issue is to have the policy in place for legal purposes more than anything else.

> > I'm looking for is personal opinions regarding this device. I understand it has logging capabilities
>
> Logging will probably play an important part in enforcing your Internet usage policy. People are more likely to behave if their behavior is recorded.

Agreed. And make that logging known, perhaps coupled with a disclaimer that the logging isn't specifically to be big-brother so they don't flip out. People in my office tend to forget their email, etc. is logged and it becomes an issue every now and then.

> > I've already started putting the bug in the ears of the deciding authorities at the office about restricting internet access to only the places we have to go. Since word got out that we will be getting access, the "Gods' Must Be Crazy" syndrome(#1) has hit the office and suddenly, everyone thinks they have a reason to have access to the Internet.
>
> If you're only using the Internet connection to talk to a single business partner, then it might be practical to configure the firewall to only talk with that partner. On the other hand, lots of companies provide Internet access to employees for business purposes and perceive this as a real benefit to getting work done. Don't be surprised at the level of interest being generated.

If you plan on restricting web access, expect to be fielding a lot of questions about why a user can't get to some website for some business purpose. This mailing list is a fairly obvious example of an internet facility that has business application, not to mention the associated security websites. The post I'm quoting mentioned filtering applications. I've never used them myself but I would agree that they're probably the most reasonable method of restricting web access from all to some.

[other good stuff snipped]

Sean