On Tue, 22 Oct 2002, Robert E. Martin wrote:

> Boy, I didn't think I'd be opening a can of worms here. I gotta hand it

It's not really a can of worms, just a soapbox that some of us like a lot, and also a place where people who haven't had management support have felt the pain- both ends of that perspective can help- experience matters, both good *and* bad. I think it's important that people think about failure modes, not just of software, but also of implementation and even political layer things.

> to you all, there is a lot going on here that I have thought of without
> the fancy degree and years of Unix experience. AUP here is strong but

/me looks around- no fancy degrees here! Heck, the only certification I have is one I helped write the test for... I have been doing this for a while though.

> maybe this will put things into perspective:
>
> This is a military school for 8-12 graders. The key here is discipline.

Certainly that makes banning messaging protocols an easier political sell- the high-profile abduction cases can be good political ammunition. You may want to check the archives, locate the .ca.us district that was mentioned earlier on the list and ask what they're doing.

The discipline thing is also an interesting vector. I'd once again recommend considering trying to do some sort of "Computer Ethics" class for newbies to the school. It wouldn't be all that difficult to come up with a one or two day class that would give the school a reason to be administratively proud of your policy. If you can win that, you'll get staff and administrative support like you wouldn't believe. Take and hold the moral high ground and it's a heck of a lot harder for people to move you out of the picture. Most military schools have codes of behaviour; it shouldn't be too difficult to codify a computer code of ethics, responsibilities and behaviour. I'd push for making them sign a hard copy like a contract, and for having the parents do the same.

When they get caught, bring the paper in to the interview, point out where they were told it was wrong, and ask them to explain the delta between their actions and the expectation they'd live up to their side. That could make for some interesting listening.

> Most of the kids here are on some sort of chemical to keep them on the
> ground (doggie downers). As you all are aware, some of the "users"
> come in with enough knowledge to be dangerous, so I get a lot of "so
> how does the network work" types of pre-adolescent questions. And
> then there is always one guy who thinks he is above all this and has GOT
> to hack the network. That is what we have here. Here are a couple of
> snippets I found applicable during this thread:

We get that in the commercial world too. Generally, the thing we don't have to deal with in droves is the self-owned machine issue.

> ----No, administrative penalties are an appropriate thing. That may be as
> small as "temporarily losing legitimate access" or a letter of reprimand
> for the first offense. Subsequent offenses should of course escalate in
> punishment. *Heck, if we don't teach the kids that in school, they're sure
> gonna find out about it in the real world.*
>
> This is the main reason I have got to solve this somehow. If I send the
> message to these types of kids that they CAN get away with hacking a
> network, you all in bigger business have guys like me to thank for the
> problems that arise in the future. Our network for the cadets is on its
> own subnet from the admin so security is good. Making changes to the
> infrastructure of the network is in the works and all of the content of
> this and other discussions dealing with network security and AUP will
> play a major role in the redesign. Thanks to everyone for your input.

Every school admin we convert helps _everyone_on_the_Internet_. If you have questions off-list, feel free to throw them my way as well. If you're part of the solution, you're not part of the problem :)

Personally, I'd think long and hard about creating an ethics class that offenders had to attend before they got their access back. You might manage to convert one or two, and at least you'd have a "why can't Johnny do his research" stick for the first level of parent complaints. Treat it like bad driving; there's a parallel that many of them may understand.

> ----*For example, if AIM and ICQ were bad, I can imagine a mandate to provide
> secure messaging or else the masses might riot.* It is true the security
> groups had more power to slap hands than us network/desktop administrator
> types - but we usually took more "user heat" for reduced functionality.
>
> The masses might riot. Hummmmm. I can imagine that a riot over AIM or
> its equal could most likely escalate to a grating whine but not a riot.
> This was the whole reason this came up to begin with. I stopped all chat
> programs here due to abuse. The cadets would use this to communicate
> plans to _really_ riot within the school, talking more to their
> girlfriends and friends and lewd content when they did use the

Did you just block it without any communication? Sometimes that creates an adversarial relationship. Find the most virulent offenders and have the "you need to understand" talk with them. Acquaint them with the rules, the consequences and the law. Communicate policy changes, give rationale, and give a place for feedback (getting feedback doesn't mean you have to change your position, and may indicate some of the hard cases early on.)

> application. So I stopped it. The whining was unbelievable. Then the
> hacking started. Now the chat programs are working again. Crap!!! Coming
> into the school the AUP is clear.....Chat programs are forbidden. Now I
> am at the "dealing with the parents" stage. Billy can't do his homework
> because he doesn't have his computer in his room anymore......Well, you
> should tell him the AIM is not allowed.......The parent I believe was
> the one who gave him this application to begin with. Let's not get into
> the modems in the rooms....

Wesley had an interesting point a while back about MS Proxy being able to block executables by name- putting one of those behind the firewall may offer enough of a deterrent that you'll stop the casual offenders. Otherwise, things like personal firewalls with what's normally an enterprise-type policy might help- if the school gets the license, I can't see where the wiggle room is all that great.

> ----When I was the evil firewall BOFH in a large stupid company, your friends
> wouldn't have gotten SSH out of my firewall.
>
> Ok. I believe you. Did you also have web based e-mail accounts and if
> you did, how was authentication taking place without 443 open? There

We didn't do Web-mail, mostly because I wanted more layers of separation between the users and the Internet than that would have allowed- and we had well north of 30,000 e-mail users spread all over the place. Nonetheless, our mail servers were inside the firewall, so it wasn't much of an issue. If it had needed to be outside for external access (nightmare situation) then it would have been an allowed destination for all users. Please note that I didn't do port-based firewalling for general user applications; I required an application layer gateway between any user's machine and anything outside my perimeter unless I'd been given say in the design and use of it and approved a different solution.

> are plans to change the e-mail accounts here to something more web
> based. There are a slew of mail applications out there that look and
> feel a lot like hotmail and yahoo mail. Outlook has a great web based
> app that costs more and really does a nice job.

I wouldn't enable OWA on my closest competitor's network ;)

> Who invented AOL anyway
> and why are the masses so caught up in it??? I think it's the Pied Piper
> syndrome. That will be the next issue with the parents. "Why can't Billy
> use his AOL mail????" I am interested in hearing about the kind of
> firewall you used and how it was set up.

Mostly I had internal DNS on a machine I controlled, which talked to an external DNS I controlled, which talked to the root servers. I had a Postfix SMTP server with a wildcard MX that handed the mail that wasn't destined to me off to the downstream MS stuff, and an HTTP proxy server capable of blocking active content, doing outbound FTP, and HTTPS. From there on out it was just a matter of permissions. I had a couple of different packet filtering implementations between the proxy and the external routers (one commercial product and IPFilter) and then filtering set up on the external routers. There was a screening router between the internal network and the proxy server as well. The only thing tunneled that would get through was HTTP tunneled traffic, which I could either allow or try to block by URL, site, or, if I wanted to write code, content inspection. These days, I'd probably do snort rules, produce a report and go thwap violators (but I generally enjoy the thwapping bit.)

> I really appreciate all the discussion as I am a 3 year newbie to the
> industry. I have learned a lot and there still is a lot to learn. Again,
> this discussion started by asking you all how I can stop traffic
> generated by software that tunnels out the firewall. The message is
> clear, NOT MUCH. I have sniffed packets, blocked ports, stopped services
> and almost made a mess out of the ipchains rules in our firewall. There
> is no smoke yet, but there is fire to re-think the network security
> implementation here.

This is great stuff. Keep going. You can't let it be an escalation game of "what tunnel works?" You *must* be able to correct the behaviour of the offenders. After a while, and it really shouldn't take too long, lots of people will hate you, and you'll be left with the real hard cases, who'll need the formal disciplinary processes that the school can bring to bear. They're offenders, treat them like offenders- restrict their access, isolate them, and try to rehabilitate them.

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private    Director of Risk Assessment
                        TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
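Paul's point that port-based filtering is not enough, that an application layer gateway should sit between every user machine and the outside, and that HTTP-tunneled traffic then has to be caught by URL, site or content inspection and reported, can be shown in code. The Python below is an added example written for this archive page; it is not code from the post, the list, or any product mentioned in it. The host blocklist, the client addresses and the sample first-packets are constructed. It performs the first check an ALG on the HTTP port makes: the first bytes from a client must form a well-formed HTTP request line (an SSH banner or a binary chat-protocol frame aimed at port 80 is refused), a CONNECT tunnel is allowed only to a permitted port and never to a blocklisted host, and denials are tallied per client so a report of violators can be produced.

```python
"""Added example: first-packet checks of the kind an HTTP application layer
gateway applies, plus a per-client tally of denials for reporting.
Blocklist, addresses and payloads are constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass

# Request line per RFC 2616: METHOD SP Request-URI SP HTTP-Version CRLF.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT"}
# Only TLS may be tunneled with CONNECT; 5190 (the AIM/ICQ default) is not here.
ALLOWED_CONNECT_PORTS = {443}
# Hypothetical blocklist: hostnames the site policy forbids (chat services).
BLOCKED_HOST_SUFFIXES = ("chat.example.net",)


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "deny"
    reason: str


def _host_blocked(host: bytes) -> bool:
    h = host.decode("ascii", "replace").lower().strip()
    return any(h == s or h.endswith("." + s) for s in BLOCKED_HOST_SUFFIXES)


def inspect_first_bytes(payload: bytes) -> Verdict:
    """Decide whether a client's first bytes on the HTTP port may proceed."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # SSH banners, OSCAR/FLAP-style frames and other non-HTTP traffic
        # pointed at port 80 fail here; a port filter alone would pass them.
        return Verdict("deny", "not an HTTP request line")
    method, target = m.group(1), m.group(2)
    if method not in HTTP_METHODS:
        return Verdict("deny", f"unknown method {method!r}")
    if method == b"CONNECT":
        host, sep, port = target.rpartition(b":")
        if not sep or not port.isdigit():
            return Verdict("deny", "malformed CONNECT target")
        if int(port) not in ALLOWED_CONNECT_PORTS:
            return Verdict("deny", f"CONNECT to port {int(port)} not allowed")
        if _host_blocked(host):
            return Verdict("deny", "CONNECT to blocked host")
        return Verdict("allow", "CONNECT to permitted port")
    hm = HOST_HEADER.search(payload)
    if not hm:
        return Verdict("deny", "no Host header")
    if _host_blocked(hm.group(1)):
        return Verdict("deny", "blocked host")
    return Verdict("allow", "well-formed HTTP request")


# Constructed sample first-packets: (client address, bytes seen by the proxy).
SAMPLE_FLOWS = [
    ("10.1.1.20", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.1.1.20", b"CONNECT secure.example.com:443 HTTP/1.0\r\n\r\n"),
    ("10.1.1.31", b"SSH-2.0-OpenSSH_3.4\r\n"),                      # SSH on port 80
    ("10.1.1.31", b"CONNECT chat.example.net:5190 HTTP/1.0\r\n\r\n"),
    ("10.1.1.42", b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),     # binary frame
    ("10.1.1.42", b"GET /login HTTP/1.1\r\nHost: login.chat.example.net\r\n\r\n"),
]


def violators(flows):
    """Count denied first-packets per client: the 'produce a report' step."""
    counts = Counter()
    for src, payload in flows:
        if inspect_first_bytes(payload).action == "deny":
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, payload in SAMPLE_FLOWS:
        v = inspect_first_bytes(payload)
        print(f"{src:<12} {v.action:<5} {v.reason}")
    print("violators:", violators(SAMPLE_FLOWS))
```

The caveat is the one in the post: this refuses clients that do not speak HTTP to the proxy and tunnels to disallowed ports or hosts, but a client that wraps its chat traffic in well-formed HTTP requests to a permitted host passes the check. That is exactly the HTTP-tunneled traffic the post says can only be blocked by URL, site, or content inspection, or caught afterwards with IDS rules and a report.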
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 08:14:39 PDT