On Mon, 21 Oct 2002, Ryan M. Ferris wrote: > Paul: > > Great Comments! But is this really realistic?: > > > If tunneling is (a) against policy, and (b) requires active and considered > > engineering to achieve, then the technology has done its part. After > > that, it's a monitoring and enforcement issue, not a firewall issue. If > > you can show active anti-policy malice in achieving the connection- then > > it's time to move into the penalty phase. > > [Bigger question coming...] > > At what point does monitoring and enforcement become unrealistic? In > Robert's case, he could be the network administrator of thousands of > individually configured Windows laptops running some kind of tunneling. It > could end up as pervasive as napster. Isn't the penalty phase really just > reserved for very criminal cases?! I have worked at some pretty big places. > My experience was always that you would have to do something really bad to > reach "penalty phase" - a hand slap usually at most. If you had ten users > doing something against policy, you didn't get ten "penalty phases", you got > a meeting with your boss to help provide alternate functionality so there > were no deskptops users "against policy". > > For example, if AIM and ICQ were bad, I can imagine a mandate to provide > secure messaging or else the masses might riot. It is true the security > groups had more power to slap hands than us network/desktop administrators > types - but we usually took more "user heat" for reduced functionality. Don't limit your thinking and discussion of "against policy" to merely AIM and the various IM toys. There was a recent thread on a few other related lists, vuln-dev being one, about the DCMA(BAD TM), but there to deal with>, and the P2P toys that allow trading in copywrited material. Some of those P2P networks are actively monitored to an extent, and violators as well as their hosting sites <ISP's and even universities> are sent nasty grams from the copywrite holders warning them of committing offenses and fiscal liability. The AUP here is the universities friend here, as well as the network admins best buddy in dealing with these infrations that might well dig into campus pockets for negligence. Additionally, 75+% of the DDOS attacks we've looked into have been launched via compromised uni systems, oftem sitting in the student dorm residences and lounges, but, still on the university backbone. Paul's mention of specialised firewalls/IDS' to enforce policies, contain, and monitor these subnetworks is great advice. You need this to keep the students out of areas of the campus networkk they should not be playing in anyways, a seperation of zones of authority if you will, afterall there has been alot of mention of students altering thier academic status in various institutions of learning, so some seperation is madatory anyways, just take it a step further and deem the renets as internal DMZ's. I'd additionally advise that the AUP be backed up by a minimal use policy, requiring proper anti-virus and perhaps personal firewall software as an additional et of protections. Of course, your other wories are going to be in the wireless realm these days and folks providing access freely to those not intended for the campus networks. SECURITY WIRE DIGEST, VOL. 4, NO. 76, OCTOBER 10, 2002 *UNIVERSITY BANS WINDOWS NT/2000 Citing security reasons, the University of California at Santa Barbara (UCSB) has banned the use of Microsoft Windows NT/2000 on its residential network, ResNet. In a posting on the ResNet site, UCSB officials blame the OSes for "hundreds of major problems on UCSB's residential network during the 2001-2 academic year," including exploited vulnerabilities, denial-of-service attacks, port scanning, and infections by Code Red and Nimda. UCSB recommends that ResNet users switch to Windows XP Home. http://www.resnet.ucsb.edu/information/win2k.html Thanks, Ron DuFresne -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizardsat_private http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 03:08:43 PDT