Firewall Wizards mailing list archives

Re: httport 3snf


From: Paul Robertson <proberts () patriot net>
Date: Mon, 21 Oct 2002 18:23:21 -0400 (EDT)

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

> I think some of the suggestions here are useful, but I don't think the scope
> of the problem is being broadly examined.

> Desktop policies on many college campuses are more difficult to implement
> than in corporate environments - more users and much, much less staff.

This isn't all that uncommon in the corporate environment either- and add 
profitable business units to the mix and it's about a wash in a ~$3B or so 
company and above, or in large counties.

> Usually the campus requires their 10 - 30 K user population to provide their
> own laptop and just enables a dorm room port on request. Of course many

This, is of course the main issue- but then putting dorm networks behind 
the same firewall as the other campus networks is probably not the best 
architecture, nor is enforcing the same policies.

> other policies are available, but for a typical campus environment assume
> that a user can and will have root/admin access on two boxes - on both sides
> of the firewall.

Just like providing VPN access in a corporate environment, acceptable use 
policies for home users using corporate equipment need to cover acceptable 
use, and there needs to be enough monitoring to ensure compliance.  

> The SSL proxy sounds like an excellent idea but not all these firewall
> evasion utilities required SSL/Connect.

If tunneling is (a) against policy, and (b) requires active and considered 
engineering to achieve, then the technology has done its part.  After 
that, it's a monitoring and enforcement issue, not a firewall issue.  If 
you can show active anti-policy malice in achieving the connection- then 
it's time to move into the penalty phase.

> Are there application layer routers that can deny all SSL except for MAC
> addresses or IPs on an approved ACL? I know this could be a nightmare to

IP address filtering is trivial, as is VLAN to MAC filtering, so each part 
of this is implementable, but ID/password stuff is probably a more 
manageable implementation- proxies are your friend.

> enforce, but I think we may be getting to the point where networks only
> approve certain IP addresses for SSL/connect??.

When I admined a large network, I approved only certain *destination* 
sites for SSL access, and it required authentication through an SSL proxy 
as well.  It was easier to limit the destinations than the sources, though 
I could have done both (things like benefits programs made client-side 
locks difficult.)

> Check out some of the other tools that are being used for firewall evasion
> across college campuses. I think you will find Robert's problem is more
> strategic than it appears:

It's not much different than a large corporate environment, the issues and 
tools and policy issues are mostly equivalent, only the occurrence of abuse 
is higher, and that has a lot to do with the support that policies get in 
colleges versus corporations.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
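The control Paul describes above (an SSL proxy that only permits CONNECT to an approved list of destination sites, and only for authenticated users, with the decisions logged so enforcement can follow) can be sketched as a policy check. The following is an added example written for this archive page, not code from the thread or from any proxy product; the approved-destination list, the user database, the credentials and the sample requests are all constructed placeholders.

```python
"""Toy CONNECT policy check: authenticated users, approved destinations only.

This is an illustration of the approach discussed in the thread, not any
real proxy's code. Everything below (hosts, users, passwords) is constructed.
"""
import base64
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist of destination hosts permitted for SSL/CONNECT,
# the "approve only certain *destination* sites" part of the approach.
APPROVED_DESTINATIONS: Set[str] = {"benefits.example.com", "bank.example.com"}

# Constructed user database with placeholder credentials (hypothetical).
VALID_USERS: Dict[str, str] = {"alice": "correct-horse"}

# Audit trail of every decision, the raw material for the monitoring and
# enforcement step the thread says has to follow the technical control.
AUDIT_LOG: List[Tuple[Optional[str], str, int, str]] = []


def parse_connect(request: bytes) -> Tuple[str, int, Dict[str, str]]:
    """Parse the request line and headers of an HTTP CONNECT request.

    Returns (host, port, headers) with header names lower-cased; raises
    ValueError for anything that is not a well-formed CONNECT request.
    """
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "strict")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return host.lower(), int(port), headers


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name from a valid Basic Proxy-Authorization header, else None."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = VALID_USERS.get(user, "")
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if sep and expected and hmac.compare_digest(expected.encode(), password.encode()):
        return user
    return None


def decide(request: bytes) -> str:
    """Apply the policy and return the HTTP status the proxy would answer with."""
    try:
        host, port, headers = parse_connect(request)
    except ValueError:
        return "400 Bad Request"
    user = authenticate(headers)
    if user is None:
        status = "407 Proxy Authentication Required"
    elif port != 443 or host not in APPROVED_DESTINATIONS:
        # Authenticated, but either a non-approved site or a non-SSL port:
        # exactly the tunnelling case the thread is about, so log and refuse.
        status = "403 Forbidden"
    else:
        status = "200 Connection Established"
    AUDIT_LOG.append((user, host, port, status))
    return status


def basic_auth_header(user: str, password: str) -> str:
    """Build a Basic Proxy-Authorization value (helper for constructing samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_connect(host: str, port: int, auth: Optional[str] = None) -> bytes:
    """Construct a sample CONNECT request (not captured traffic)."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if auth:
        lines.append(f"Proxy-Authorization: {auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    cred = basic_auth_header("alice", "correct-horse")
    for req in (build_connect("benefits.example.com", 443, cred),
                build_connect("benefits.example.com", 443),
                build_connect("tunnel.example.net", 443, cred),
                build_connect("bank.example.com", 22, cred)):
        print(req.split(b"\r\n")[0].decode(), "->", decide(req))
    print("audit entries:", len(AUDIT_LOG))
```

The point of the example is the shape of the control, not the parser: the destination list is small and fixed, every CONNECT is tied to an authenticated user, and the denials are recorded, which is what turns "someone tried to tunnel" into something that can be handled as a policy matter rather than a firewall-rule matter.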

