Firewall Wizards mailing list archives
Re: Security and Audit Policy
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 27 Nov 2004 08:09:45 -0500 (EST)
On Sun, 7 Nov 2004, Servie Platon wrote:
> 1. Enabled Firewall rules on the network and with Win32 clients;
Enabling firewall rules without a solid security policy and management buy-in of that policy is putting the cart before the horse. How do you know what rules to put on the firewall?
> 2. Installed Anti Virus Software for the network and enabled automatic updates;
> 3. Enforced User Permissions for most users; (dilemma)
> 4. Disabled M$ Outlook and IE and replaced these with Mozilla Thunderbird and Firefox.
Did the security policy discuss client issues?
> Problems:
> 1. I don't know how to keep track of their browsing patterns,
I generally like to force browsing through a proxy, and use the proxy logs to track behavior. I also like to block streaming audio, P2P and whatever else I can there, at the firewall and in the local internal caching nameserver (I don't like clients resolving directly in any circumstance.)
> some users have intermediate to advanced browsing skills which they can conceal where they have visited such as maybe porn sites and the like. How do I prove my suspicion and stop them
Firewall logs? Usage policies? On-system logging?
> from doing this? I am afraid that by doing so, our network may be trojaned or may have been infected with spyware or may be a zombie now?
Easy enough to figure out, watch the traffic in and out of the network for Trojan activity. That's why firewall rules are important, lots of zombies use IRC out- few businesses have a case for IRC.
> 2. I wanted to enforce strict user permissions, but my dilemma would be, bosses or managers take it against me or anyone restricting on what they could or not do on their machine. To make a concrete example, I could do an audit policy for all users with less rights to install programs and the like but some of them, listen to radio, download .exe files or shareware without my knowledge.
This is why you must have a security policy, and management must buy-in to that policy. I've only so far seen one good business case for listening to the radio over the network (I still denied it.) Perhaps in this case, QoS is a better method of enforcing some of the policy.
> If I enforce these restrictive permissions, they get back at me. If I don't, I am afraid the network considerably slows down and I think some machines may be compromised already unless the bandwidth is being used up by the users. How do I catch them accessing forbidden sites and how do I stop them from doing such and how do I make them with less capacity without them getting furious?
For the first, monitoring is key. Logs, sniffing, or whatever works. For the second, you need to make a business case for security and have buy-in.
> 3. Though I have set up and installed Mozilla Thunderbird and Firefox on each client PC, most of them still use M$ Outlook and IE. How do I justify and convince them not to use this because of security loopholes and problems? Some are so used to Outlook and IE that they don't want change.
This is often a religious issue, so the security policy should have a policy about client properties and what is or isn't acceptable.
> Any suggestions on how to make it less of a burden to administer this network of 12 clients would be appreciated.
Tiny organizations are the most difficult to get buy-in for, since they're generally less formal than large ones when it comes to policy and process.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net   which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
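Added example (not part of the original message): one way to do the firewall-log monitoring described in the reply above, flagging internal hosts that make outbound IRC connections, resolve DNS directly instead of through the internal caching nameserver, or browse without going through the proxy. The log format, addresses and port list are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addresses and ports for this example (not from the original post).
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
PROXY = "192.168.1.2"      # only host allowed outbound web access
RESOLVER = "192.168.1.3"   # internal caching nameserver
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # commonly used IRC ports

# Constructed sample log, format: time action proto src:sport dst:dport
SAMPLE_LOG = """\
09:01:12 ALLOW tcp 192.168.1.2:40112 203.0.113.10:80
09:01:15 ALLOW udp 192.168.1.3:53001 198.51.100.53:53
09:02:40 ALLOW tcp 192.168.1.17:49822 203.0.113.77:6667
09:02:41 ALLOW tcp 192.168.1.17:49823 203.0.113.77:6667
09:03:05 DENY udp 192.168.1.21:51000 198.51.100.53:53
09:04:19 ALLOW tcp 192.168.1.14:50210 203.0.113.10:443
09:05:00 ALLOW tcp 203.0.113.99:33000 192.168.1.5:25
not a log line
"""

def classify(src, proto, dport):
    """Return the policy finding for one outbound flow, or None if expected."""
    if proto == "tcp" and dport in IRC_PORTS:
        return "irc-outbound"      # few businesses have a case for IRC
    if dport == 53 and src != RESOLVER:
        return "direct-dns"        # client resolving directly
    if proto == "tcp" and dport in (80, 443) and src != PROXY:
        return "proxy-bypass"      # browsing that skipped the proxy
    return None

def audit(log_text):
    """Map each internal host to {finding: count}; DENY lines count as attempts."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        try:
            _, _, proto, src_ep, dst_ep = line.split()
            src, dst = src_ep.rsplit(":", 1)[0], dst_ep.rsplit(":", 1)[0]
            dport = int(dst_ep.rsplit(":", 1)[1])
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except (ValueError, IndexError):
            continue  # skip malformed lines
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue  # only outbound flows are of interest
        finding = classify(src, proto, dport)
        if finding:
            findings[src][finding] += 1
    return {host: dict(counts) for host, counts in findings.items()}
```

Calling `audit(SAMPLE_LOG)` returns the per-host findings; denied attempts are counted as well, since a blocked IRC or DNS attempt still points at a machine worth inspecting.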