Re: [fw-wiz] httport 3snf

From: Duncan (drsharpat_private)
Date: Mon Oct 21 2002 - 23:12:24 PDT


"Paul D. Robertson" wrote:

> On Mon, 21 Oct 2002, Ryan M. Ferris wrote:
>
> > Paul:
> >
> > Great Comments! But is this really realistic?:
>
> Well, it's how I administered the HQ and main data center location for a
> ~US$5B corporation, I'm sure it's possible to do.  Given the liberal
> working environment that I had to deal with, I'm sure it's something you
> can do in almost any given organization.
>
> > > If tunneling is (a) against policy, and (b) requires active and considered
> > > engineering to achieve, then the technology has done its part.  After
> > > that, it's a monitoring and enforcement issue, not a firewall issue.  If
> > > you can show active anti-policy malice in achieving the connection- then
> > > it's time to move into the penalty phase.
> >
> > [Bigger question coming...]
> >
> > At what point does monitoring and enforcement become unrealistic? In
>
> I guess that depends on what point the policy is unrealistic, and the
> level of commitment to policy enforcement in general.
>
> If they're against policy, and folks have been educated, and you're in
> such a hostile environment that you have widespread disregard for the
> policy, then it's more than likely time to either switch policies,
> architectures, or jobs.
>
    
Having worked in the Firewall support role at several companies, I need to
vent^H^H^H^H share two experiences that are at difference with the
above.

At a software development firm (Dot Com related), the policy was
written to protect property (both physical and intangible). Abuse of
resources was prohibited.

But if a developer had a need (or made a request) to open FW ports, or gain
IM access, "no" was not acceptable, but rather how fast the request
was completed. As most developers realize, tying a deadline to any
request is the best way around restrictions or "policies".
You may just find yourself on the receiving end of a written reprimand
from your CIO directed at you from the CEO of the company.

Supporting FWs in the corporate offices of a large ISP (now gone),
the policies required business justification for opening additional
ports, and/or relocating segments in front of the firewalls. Note that
as an ISP, we were the daily target of hacking attempts.

The firewall was set to transparently proxy connections for http
(80, 443, 8080) to unlimited destinations. This seemed to work for all
300+ employees. But IT had a problem: they could not download drivers
from HP support. This was a critical problem for them. Their suggestion
(request) was to open the FireWall to allow all (TCP ports >1024)
outbound from their class C to any IP, as they could not provide me
with a list of IPs for HP support.

The suggested workaround appeared simple:
    a: Configure your browser to proxy via the FW IP.
    b: Use dialup; we are an ISP and it's free.

Management was informed of the risks. The director of IT support informed
my director that it didn't sound too risky to him to just open up the ports.
Besides, the IT desktop support people would have to remember to turn on
proxy support when they needed it.

Management felt the added risks were justified versus slowing down desktop
support, since we had not had anyone actually ever break in.

At least in these two companies the policy only went so far as to interfere
with some claimed business need, and we had an exception.

Working for smaller companies (<500 employees), policies are usually
an afterthought, and may have been written by some manager in IT dealing
only with abuse of the desktop itself. I have been at 3 Tech. companies
where each has the following section in their policies:

"XX. Internet usage is only for approved business purposes. Personal use
    (access) is prohibited."

This was in (2) Software (Internet) development and one ISP company's
policies.

On the other hand, having worked in an AeroSpace biggie where there are
more work rules than one can read in a month, policies tended to be
better enforced. Or at least it was much harder for a requester to get
enough management support to force a FireWall change.

How this relates to an educational environment, I can't really say. But
I would hope that policies that enforce behavior/access are enforced with
a network design that is flexible enough to address the differing needs of
administration, undergraduates, graduates, and researchers.
    
Yours,
Duncan Sharp

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    



This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 03:13:53 PDT