Firewall Wizards mailing list archives
Re: Firewalling at the domain users level instead of network level
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 19 Jul 2004 20:56:02 -0400 (EDT)
On Mon, 19 Jul 2004, Chuck Swiger wrote:

[snip what I agree with...]

> The second concern is a matter of policy: why do you want your firewall to
> treat users differently? If it's a bad idea for person A to do some type of
> network connection, why should it be OK for person B to do so?

There are a multitude of reasons, including Person B being more clued than Person A. We don't tout the "Principle of equal privilege." Principle of least privilege works for people, applications and systems.

> If you restrict things so that only the services which you trust all
> users to do are permitted, your security is likely to be much improved
> compared to a policy based on an ever-growing pile of per-user rules and
> exceptions.

If you let one user have the Administrator password, why not all of them!?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards