Re: [fw-wiz] httport 3snf

From: Paul Robertson (proberts@patriot.net)
Date: 10/21/02


From: Paul Robertson <proberts@patriot.net>
To: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
Date: Mon Oct 21 18:16:00 2002

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

> I think some of the suggestions here are useful, but I don't think the scope
> of the problem is being broadly examined.
>
> Desktop policies on many college campuses are more difficult to implement
> than in corporate environments - more users and much, much less staff.

This isn't all that uncommon in the corporate environment either- and add
profitable business units to the mix and it's about a wash in a ~$3B or so
company and above, or in large counties.

> Usually the campus requires their 10 - 30 K user population to provide their
> own laptop and just enables a dorm room port on request. Of course many

This is, of course, the main issue- but then putting dorm networks behind
the same firewall as the other campus networks is probably not the best
architecture, nor is enforcing the same policies.

> other policies are available, but for a typical campus environment assume
> that a user can and will have root/admin access on two boxes - on both sides
> of the firewall.

Just like providing VPN access in a corporate environment, acceptable use
policies for home users using corporate equipment need to cover acceptable
use, and there needs to be enough monitoring to ensure compliance.

> The SSL proxy sounds like an excellent idea but not all these firewalls
> evasion utilities required SSL/Connect.

If tunneling is (a) against policy, and (b) requires active and considered
engineering to achieve, then the technology has done its part. After
that, it's a monitoring and enforcement issue, not a firewall issue. If
you can show active anti-policy malice in achieving the connection- then
it's time to move into the penalty phase.

> Are there application layer routers that can deny all SSL except for MAC
> addresses or IPs on an approved ACL? I know this could be a nightmare to

IP address filtering is trivial, as is VLAN to MAC filtering, so each part
of this is implementable, but ID/password stuff is probably a more
manageable implementation- proxies are your friend.

> enforce, but I think we may be getting to the point where networks only
> approve certain IP addresses for SSL/connect??.

When I admined a large network, I approved only certain *destination*
sites for SSL access, and it required authentication through an SSL proxy
as well. It was easier to limit the destinations than the sources, though
I could have done both (things like benefits programs made client-side
locks difficult.)

> Check out some of the other tools that are being used for firewall evasion
> across college campuses. I think you will find Robert's problem is more
> strategic than it appears:

It's not much different than a large corporate environment, the issues and
tools and policy issues are mostly equivalent, only the occurrence of abuse
is higher, and that has a lot to do with the support that policies get in
colleges versus corporations.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
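The destination-restricted, authenticated SSL proxy Paul describes above, written out as a Squid configuration fragment. This is an added example, not Paul's actual setup or anything from the thread; the auth helper path and the approved domain names are assumptions/placeholders.

```squid
# Added example (not from the thread): Squid allows CONNECT (SSL) only to an
# approved destination list, and only for users who authenticate to the proxy.
# Assumptions: basic auth against an htpasswd-style file, helper path as shipped
# by common distributions, placeholder destination domains.

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Campus proxy
auth_param basic credentialsttl 2 hours

acl authed proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Approved SSL destinations (placeholders; the benefits sites would go here)
acl ssl_dst_ok dstdomain .benefits.example.com .bank.example.net

# CONNECT to anything other than 443 is refused outright
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports

# SSL only to approved destinations, and only after authentication;
# every other CONNECT is denied and logged
http_access allow CONNECT ssl_dst_ok authed
http_access deny CONNECT

# Plain HTTP still requires a login so the access log carries a username
http_access allow authed
http_access deny all

# The log is what makes the "monitoring and enforcement" side possible:
# each line records user, client address, method and destination
access_log /var/log/squid/access.log squid
```

Denied CONNECT attempts to non-approved destinations show up in access.log as TCP_DENIED entries with the authenticated username, which is the evidence a policy review would start from.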


