Firewall Wizards mailing list archives

RE: Another Newbie with questions


From: sean.kelly () lanston com
Date: Fri, 13 Aug 1999 14:28:16 -0400

From: Rick Smith [mailto:rick_smith () securecomputing com]

At 02:39 PM 8/10/99 -0400, Michael Kelley wrote:

It's looking more and more like I will be the guy doing the
maintenance of the Firewall/Security setup for our company. I don't
have much experience, but I'm told that I am the most paranoid person in
my department. <heh>

Try to be systematic in your paranoia. Look at what your company needs to
achieve as an enterprise and deal with the really big risks. Don't sweat
the small stuff. You'll just give yourself an ulcer and senior management
won't back you up.

As you say, I think a mixture of paranoia and pragmatism is probably the
best.  I think we all agree that the only impenetrable security is a
sledgehammer, so there has to be some acceptance that someone WILL or COULD
get in, no matter how well a system is secured.  If you turn your network
into Fort Knox and then settle back and assume you're safe, you're only doing
half your job.  Intrusion detection, etc. is the other half (as well as not
having a breakdown when an intrusion is detected).

You need to establish an Internet usage policy that describes how the
company will be using the Internet. If general Web browsing and e-mail will
be available to anyone, you want to have statements about "acceptable use"
of those capabilities, unless all the users are senior managers (in which
case it's probably unenforceable).

Policies are generally unenforceable beyond a certain point; the issue is to
have the policy in place for legal purposes more than anything else.

I'm looking for is personal opinions regarding this device. I
understand it has logging capabilities 

Logging will probably play an important part in enforcing your Internet
usage policy. People are more likely to behave if their behavior is recorded.

Agreed.  And make that logging known, perhaps coupled with a disclaimer that
the logging isn't specifically to be big-brother so they don't flip out.
People in my office tend to forget their email, etc. is logged and it
becomes an issue every now and then.

I've already started putting the bug in the ears of the deciding
authorities at the office about restricting internet access to only the
places we have to go. Since word got out that we will be getting access,
the "Gods' Must Be Crazy" syndrome(#1) has hit the office and suddenly,
everyone thinks they have a reason to have access to the Internet.

If you're only using the Internet connection to talk to a single business
partner, then it might be practical to configure the firewall to only talk
with that partner. On the other hand, lots of companies provide Internet
access to employees for business purposes and perceive this as a real
benefit to getting work done. Don't be surprised at the level of interest
being generated.

If you plan on restricting web access, expect to be fielding a lot of
questions about why a user can't get to some website for some business
purpose.  This mailing list is a fairly obvious example of an internet
facility that has business application, not to mention the associated
security websites.  The post I'm quoting mentioned filtering applications.
I've never used them myself but I would agree that they're probably the most
reasonable method of restricting web access from all to some.

[other good stuff snipped]


Sean


