Firewall Wizards mailing list archives

Re: What challenges are security admins facing?

From: ark () eltex net
Date: Wed, 28 May 2003 20:53:27 +0400

nuqneH

On Wed, May 28, 2003 at 12:33:44PM -0400, Paul Robertson wrote:

network usage policy. People DO use computers at their workplace for
personal needs and its OKAY. There are some cases when it is not


Sometimes it's okay, and sometimes it's not- that's highly dependent on 
what that personal usage is (playing pirated copyrighted content would not 
be ok in most places, nor would browsing porn sites, and certainly handing 
out administrative accounts for your friends to use would be frowned 
upon.)


Sure. These restrictions seem reasonable in most places. But restricting
access by limiting it to pre-defined set of "work-related" sites
actually encouraged users to do dirty tricks in almost 90% of
companies i've seen it in.

Enforcing a fascist set of restrictions just makes users extremely
creative to avoid it. Keeping restrictions reasonable makes it possible


Getting rid of the creative ones tends to work like natural selection.


And sometimes it works the wrong way. The remaining ones hide well and
cause more trouble finally ;-). Many comanies that try to enforce
restrictive policies simply do not have enough resources to track down
violations. If they had policy less restrictive, they could.
(talking now with a girl that works for one of those. she is not
allowed to use email at work, thus she spent some WORKING time to
find a way around it. i doubt it is what they want)


[snip]

gets fscked really bad - but to make things work this way the administrator
should allow him to do it if it is really innocent. Otherwise he


How does the admin kno wif it's "really innocent?"


Maintaining the list,if the thing is not on the list he should suggest
something of close functionality..

Another problem is, again, management. Ever seen a big boss that
says "i need this videoconferencing software working today from my
desktop, so please poke a hole in firewall to make it work - it
is IMPORTANT! no, we do not have time for security analisys, we need
it NOW! No, i do not want to do it from dedicated notebook machine". 
The point is obvious. Why designing and implementing
crafty security policy just to have it ruined this way?


My standard answer of "No." worked for everyone from the person in the 
mail room to the CEO of a multibillion dollar company when I was running 
firewalls daily.  Perhaps this too is part of the responsibility?


Yes.

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

What challenges are security admins facing? Paul Ammann (May 27)
- Re: What challenges are security admins facing? Paul Robertson (May 27)
  - Re: What challenges are security admins facing? R. DuFresne (May 27)
  - Re: What challenges are security admins facing? ark (May 28)
    - Re: What challenges are security admins facing? Paul Robertson (May 28)
    - Re: What challenges are security admins facing? ark (May 28)
- RE: What challenges are security admins facing? Ben Nagy (May 27)
- Re: What challenges are security admins facing? R. DuFresne (May 27)
- <Possible follow-ups>
- Fw: What challenges are security admins facing? Paul Ammann (May 29)
  - Re: Fw: What challenges are security admins facing? R. DuFresne (May 29)