"Paul D. Robertson" wrote:
> On Mon, 21 Oct 2002, Ryan M. Ferris wrote:
>
> > Paul:
> >
> > Great Comments! But is this really realistic?:
>
> Well, it's how I administered the HQ and main data center location for a
> ~US$5B corporation, I'm sure it's possible to do. Given the liberal
> working environment that I had to deal with, I'm sure it's something you
> can do in almost any given organization.
>
> > > If tunneling is (a) against policy, and (b) requires active and considered
> > > engineering to achieve, then the technology has done its part. After
> > > that, it's a monitoring and enforcement issue, not a firewall issue. If
> > > you can show active anti-policy malice in achieving the connection- then
> > > it's time to move into the penalty phase.
> >
> > [Bigger question coming...]
> >
> > At what point does monitoring and enforcement become unrealistic? In
>
> I guess that depends on what point the policy is unrealistic, and the
> level of commitment to policy enforcement in general.
>
> If they're against policy, and folks have been educated, and you're in
> such a hostile environment that you have widespread disregard for the
> policy, then it's more than likely time to either switch policies,
> architectures, or jobs.
>

Having worked in the firewall support role at several companies, I need to vent^H^H^H^H share two experiences that are at difference with the above.

At a software development firm (Dot Com related) the policy was written to protect property (both physical and intangible). Abuse of resources was prohibited. But if a developer had a need (or made a request) to open FW ports, or gain IM access, "no" was not acceptable, but rather how fast the request was completed. As most developers realize, tying a deadline to any request is the best way around restrictions or "policies". You may just find yourself on the receiving end of a written reprimand from your CIO directed at you from the CEO of the company.

Supporting FWs in the corporate offices of a large ISP (now gone), the policies required business justification for opening additional ports, and/or relocating segments in front of the firewalls. Note that as an ISP, we were the daily target of hacking attempts.

The firewall was set to transparently proxy connections for http (80, 443, 8080) to unlimited destinations. This seemed to work for all 300+ employees. But IT had a problem: they could not download drivers from HP support. This was a critical problem for them. Their suggestion (request) was to open the firewall to allow all TCP ports >1024 outbound from their class C to any IP, as they could not provide me with a list of IPs for HP support. The suggested workaround appeared simple:

a: Configure your browser to proxy via the FW ip.
b: Use dialup, we are an ISP and it's free.

Management was informed of the risks. The director of IT support informed my director that it didn't sound too risky to him to just open up the ports. Besides, the IT desktop support people would have to remember to turn on proxy support when they needed it. Management felt the added risks were justified versus slowing down desktop support, since we had not had anyone actually ever break in.

At least in these two companies the policy only went so far as to interfere with some claimed business need, and we had an exception.

Working for smaller companies (<500 employees) policies are usually an afterthought, and may have been written by some manager in IT dealing only with abuse of the desktop itself. I have been at 3 tech companies where each has the following section in their policies:

"XX. Internet usage is only for approved business purposes. Personal use (access) is prohibited."

This was in (2) Software (Internet) development and one ISP company policies. On the other hand, having worked in an AeroSpace biggie where there are more work rules than one can read in a month, policies tended to be better enforced. Or at least it was much harder for a requester to get enough management support to force a firewall change.

How this relates to an educational environment, I can't really say. But I would hope that policies that enforce behavior/access are enforced with a network design that is flexible enough to address the differing needs of administration, undergraduates, graduates, and researchers.

Yours,
Duncan Sharp

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
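The ISP anecdote above contrasts two outbound policies: a transparent proxy limited to 80/443/8080, and the requested "all TCP ports >1024 from our class C to any IP" rule. The following Python is an added example, not code from Duncan Sharp's message or from the firewall-wizards list; it models both rule sets plus the "business justification" middle ground (an exception scoped to a destination list) and evaluates a constructed set of outbound connection attempts to show how much extra egress the blanket rule permits. The 192.0.2.0/24 source network, the destination addresses, and the justified-destination list are all assumed placeholders.

```python
"""Compare outbound firewall policies from the firewall-wizards post.

Added example, not from the original message. Port numbers 80/443/8080 and
the ">1024 from a class C to any IP" request come from the post; the
networks, hosts and sample connections below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List

# Assumed stand-in for "their class C" (RFC 5737 documentation range).
INTERNAL_NET = ip_network("192.0.2.0/24")

# Hypothetical destinations that a business justification would name
# (the post says IT could not supply such a list; this is what it would look like).
JUSTIFIED_DESTS = {ip_network("198.51.100.0/24")}


@dataclass(frozen=True)
class Conn:
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination TCP port


def proxy_policy(c: Conn) -> bool:
    """Original stance: only the HTTP-family ports, handled by the transparent proxy."""
    return ip_address(c.src) in INTERNAL_NET and c.dport in (80, 443, 8080)


def open_high_ports_policy(c: Conn) -> bool:
    """Requested change: any TCP port above 1024 from the class C to any IP."""
    return ip_address(c.src) in INTERNAL_NET and c.dport > 1024


def justified_exception_policy(c: Conn) -> bool:
    """Proxy policy plus a scoped exception: high ports only to justified destinations."""
    if proxy_policy(c):
        return True
    to_justified = any(ip_address(c.dst) in net for net in JUSTIFIED_DESTS)
    return ip_address(c.src) in INTERNAL_NET and c.dport > 1024 and to_justified


def evaluate(policy: Callable[[Conn], bool], conns: List[Conn]) -> List[Conn]:
    """Return the connections a policy would allow."""
    return [c for c in conns if policy(c)]


def exposure_delta(conns: List[Conn]) -> List[Conn]:
    """Connections the blanket >1024 rule allows that the proxy rule does not."""
    return [c for c in conns if open_high_ports_policy(c) and not proxy_policy(c)]


# Constructed sample of outbound connection attempts.
SAMPLE = [
    Conn("192.0.2.10", "198.51.100.5", 80),    # plain web via proxy
    Conn("192.0.2.10", "198.51.100.5", 443),   # HTTPS via proxy
    Conn("192.0.2.10", "198.51.100.5", 8080),  # alt-HTTP via proxy
    Conn("192.0.2.10", "198.51.100.5", 8443),  # vendor site on a non-standard port
    Conn("192.0.2.11", "203.0.113.9", 6667),   # IRC-style port to an arbitrary host
    Conn("192.0.2.11", "203.0.113.9", 5190),   # IM client port to an arbitrary host
    Conn("192.0.2.12", "203.0.113.9", 22),     # SSH: below 1024, both rules deny
    Conn("10.0.0.7", "203.0.113.9", 4444),     # source outside the class C: all deny
]


def summarize(conns: List[Conn]) -> dict:
    """Count of allowed connections under each policy, for a quick comparison."""
    return {
        "proxy_only": len(evaluate(proxy_policy, conns)),
        "open_high_ports": len(evaluate(open_high_ports_policy, conns)),
        "justified_exception": len(evaluate(justified_exception_policy, conns)),
        "extra_egress_from_blanket_rule": len(exposure_delta(conns)),
    }


if __name__ == "__main__":
    for name, count in summarize(SAMPLE).items():
        print(f"{name}: {count}")
    for c in exposure_delta(SAMPLE):
        print(f"  blanket rule additionally permits {c.src} -> {c.dst}:{c.dport}")
```

The point the numbers make is the one the post's author raised with management: the blanket rule does not just fix the HP-driver problem (the 8443 case); it also lets every host in the class C reach any high port on any address, while a destination-scoped exception fixes the stated need without that side effect.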
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 03:13:53 PDT