Re: [fw-wiz] httport 3snf

From: Ryan M. Ferris (rferris@rmfdevelopment.com)
Date: 10/21/02


From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
To: "Paul Robertson" <proberts@patriot.net>
Date: Mon Oct 21 19:59:02 2002

Paul:

Great Comments! But is this really realistic?:

> If tunneling is (a) against policy, and (b) requires active and considered
> engineering to achieve, then the technology has done its part. After
> that, it's a monitoring and enforcement issue, not a firewall issue. If
> you can show active anti-policy malice in achieving the connection- then
> it's time to move into the penalty phase.

[Bigger question coming...]

At what point does monitoring and enforcement become unrealistic? In
Robert's case, he could be the network administrator of thousands of
individually configured Windows laptops running some kind of tunneling. It
could end up as pervasive as Napster. Isn't the penalty phase really just
reserved for very criminal cases?! I have worked at some pretty big places.
My experience was always that you would have to do something really bad to
reach "penalty phase" - a hand slap usually at most. If you had ten users
doing something against policy, you didn't get ten "penalty phases", you got
a meeting with your boss to help provide alternate functionality so there
were no desktop users "against policy".

For example, if AIM and ICQ were bad, I can imagine a mandate to provide
secure messaging or else the masses might riot. It is true the security
groups had more power to slap hands than us network/desktop administrator
types - but we usually took more "user heat" for reduced functionality.

Ryan