Firewall Wizards mailing list archives

Re: Fw: What challenges are security admins facing?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 29 May 2003 10:32:01 -0400 (EDT)


        [SNIP]

I think 2 areas that are completely overlooked are web servers and remote 
users. For the web servers, I've looked at web application firewalls such 
as Sanctum and Kavado. The industry is still relatively new, but I think 
the demand for these products will decline as web servers mature.


For these 'open' access systems, I still prefer, when possible, to do the
old hardened systems that run their own firewall of some sort and an IDS
or two <Tripwire, which many liken to an IDS, while I still prefer to think
of it as an AV type of product and file integrity checker, and snort or
some such to warn if unnatural traffic patterns emerge to/from the
system>.  And if possible a screening router and firewall in front of that
if I want to feel extra warm and fuzzy about the deployment.  Of course,
it is often the case that for one reason or another, something less than
this is forced into production mode, and sign-offs from those demanding
less and immediate pull the responsibility from my realm of constant
concern...

As for remote users, there has been discussion about personal distributed 
firewalls. We've had 2 major viruses hit us because of remote users. In 
this area, my favorite is Sygate. 


We've grown to like Sygate for home users as it is fairly intuitive and
simple to set up and maintain even for those challenged users.  But, the
biggest issue with the VPN for remotes and homers is that they tend to be
dropped into place and then considered majik that is just plain drop and
use -=safe=-.  Little if any training tends to accompany such rollouts,
and it's amazing how often little or no monitoring of these connections
tends to be maintained after everything is 'working'.  Not every person
that wishes to work from home perhaps should be so allowed.  And for those
for whom it is really deemed a necessity, training about at least the
basics of what are safe and unsafe actions for a user should be given
prior to the rollout and perhaps at least once a year thereafter.  It's
been interesting from time to time to 'test' the ability of a home VPN
user to do the right thing when sent a virus or trojan via an e-mail
that has all the trappings of a spoofed sending address and such.  I've
actually seen users drive home after such training, and infest their
system moments after firing up their VPN and reading mail from work or
home... So, are these folks in need of retraining already, and a cluebat
to the back of the head, or have they proven an inability to adapt and
learn?

Of course, considering how many admins tend to view those acronyms
consisting of three or four letters <i.e. VPN, ssh, etc> as majik bullets,
drop and deploy and forget, this is not too shocking.  And perhaps it's
considered bad of me to occasionally 'test' those users I deploy and
maintain for, but better I test them and find out how well the training
was absorbed than someone else test them and get into our network, yes?

Little in this area seems to have changed in the past 10 years, only some
of the names have changed <smile>.  'Twas a good topic, for this very
reason I think.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
