Re: Security and Audit Policy

["Paul D. Robertson" <paul () compuwar net>]

On Sun, 7 Nov 2004, Servie Platon wrote:

> 1. Enabled Firewall rules on the network and with
> Win32 clients;

Enabling firewall rules without a solid security policy and management
buy-in of that policy is putting the cart before the horse.  How do you
know what rules to put on the firewall?

> 2. Installed Anti Virus Software for the network and
> enabled
> automatic updates;
> 3. Enforced User Permissions for most users; (dilemma)
> 4. Disabled M$ Outlook and IE and replaced these with
> Mozilla
> Thunderbird and Firefox.

Did the security policy discuss client issues?

> Problems:
>
> 1. I don't know how to keep track of their browsing
> patterns,

I generally like to force browsing through a proxy, and use the proxy logs
to track behavior.  I also like to block streaming audio, P2P and whatever
else I can there, at the firewall and in the local internal caching
nameserver (I don't like clients resolving directly in any circumstance.)

> some users have intermediate to advanced browsing
> skills which
> they can conceal where they have visited such as maybe
> porn
> sites and the like. How do I prove my suspiscion and
> stop them

Firewall logs?  Usage policies?  On-system logging?

> from doing this? I am afraid that by doing so, our
> network may
> be trojaned or may have been infected with spyware or
> may be a
> zombie now?

Easy enough to figure out, watch the traffic in and out of the network for
Trojan activity.  That's why firewall rules are important, lots of zombies
use IRC out- few businesses have a case for IRC.

> 2. I wanted to enforce strict user permissions, but my
> dilemma
> would be, bosses or managers take it against me or
> anyone
> restricting on what they could or not do on their
> machine. To
> make a concrete example, I could do an audit policy
> for all
> users with less rights to install programs and the
> like but some
> of them, listen to radio, download .exe files or
> shareware
> without my knowledge.

This is why you must have a security policy, and management must buy-in to
that policy.  I've only so far seen one good business case for listening
to the radio over the network (I still denied it.)  Perhaps in this case,
QoS is a better method of enforcing some of the policy.

> If I enforce this restrictive permissions, they get
> back on me.
> If I don't, I am afraid the network is considerably
> slows down
> and I think, some machines may be a compromised
> already unless
> the bandwidth is being used up by the users. How do I
> catch them
> accessing forbidden sites and how do I stop them from
> doing such
> and how do I make them with less capacity without them
> getting
> furious?

For the first, monitoring is key. logs, sniffing, or whatever works.  For
the second, you need to make a business case for security and have buy-in.

> 3. Though, I have setup and installed Mozilla
> Thunderbird and
> Firefox in each client PCs, most of them still use M$
> Outlook
> and IE. How do I justify and convince them not to use
> this
> because of security loopholes and problems? Some are
> so used to
> Outlook and IE that they don't want change.

This is often a religious issue, so the security policy should have a
policy about client properties and what is or isn't acceptable.

> Any suggestions, on how to make it less of a burden to
> administer this network of 12 clients would be
> appreciated.

Tiny organizations are the most difficult to get buy-in for, since they're
generally less formal than large ones when it comes to policy and process.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards