Re: [fw-wiz] httport 3snf

From: Paul D. Robertson
Date: 10/21/02

From: "Paul D. Robertson"
To: "Ryan M. Ferris"
Date: Mon Oct 21 20:00:03 2002

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

> Paul:
> Great Comments! But is this really realistic?:

Well, it's how I administered the HQ and main data center location for a
~US$5B corporation, I'm sure it's possible to do. Given the liberal
working environment that I had to deal with, I'm sure it's something you
can do in almost any given organization.

> > If tunneling is (a) against policy, and (b) requires active and considered
> > engineering to achieve, then the technology has done its part. After
> > that, it's a monitoring and enforcement issue, not a firewall issue. If
> > you can show active anti-policy malice in achieving the connection- then
> > it's time to move into the penalty phase.
> [Bigger question coming...]
> At what point does monitoring and enforcement become unrealistic? In

I guess that depends on what point the policy is unrealistic, and the
level of commitment to policy enforcement in general.

If they're against policy, and folks have been educated, and you're in
such a hostile environment that you have widespread disregard for the
policy, then it's more than likely time to either switch policies,
architectures, or jobs.

> Robert's case, he could be the network administrator of thousands of
> individually configured Windows laptops running some kind of tunneling. It

Ah, but once again, those laptops needn't be on the same segments as
"critical" systems. Let's face it, the myth of IT-configured systems in
the corporate world disappeared years ago for all but a few hold-outs.

> could end up as pervasive as napster. Isn't the penalty phase really just
> reserved for very criminal cases?! I have worked at some pretty big places.

No, administrative penalties are an appropriate thing. That may be as
small as "temporarily losing legitimate access" or a letter of reprimand
for the first offense. Subsequent offenses should of course escalate in
punishment. Heck, if we don't teach the kids that in school, they're sure
gonna find out about it in the real world.

> My experience was always that you would have to do something really bad to
> reach "penalty phase" - a hand slap usually at most. If you had ten users
> doing something against policy, you didn't get ten "penalty phases", you got
> a meeting with your boss to help provide alternate functionality so there
> were no desktop users "against policy".

I've always held a very tight line on acceptable usage. It's sometimes
put me at odds with business growth, and in those cases, I've forced those
who "needed" special circumstances to decouple from my core infrastructure
and pay for the infrastructure to support their risky behaviour- you'd be
surprised how many "critical" daily activities become non-critical when
someone has to pay for them, or when someone has to get off their rear end
and go to another machine to do them.

> For example, if AIM and ICQ were bad, I can imagine a mandate to provide
> secure messaging or else the masses might riot. It is true the security

There's "unacceptable at all" and there's "unacceptable on this segment"-
both of which are supportable with policy, enforcement and corrective
action. It hasn't been more than a month since someone on this very list
was trying to get around such a policy (and probably unsuccessfully too.)

> groups had more power to slap hands than us network/desktop administrators
> types - but we usually took more "user heat" for reduced functionality.

Whilst I've had users who've been well, let's just call it "upset" at my
security policies- I've always articulated *why* something was against
policy (though usually not at the user level, but at executive management
who had to agree with the risk assessment to make the policy enforceable.)

When I left my last company, I was personally *very* taken aback by the
genuine regret expressed by those who had been most suppressed by my
policies. Not only did they understand my concerns, they articulated why
it had been a good thing to have someone in the security position who
wouldn't cave in to local politics.

I firmly believe that a large part of that was in the fact that I never
made exceptions, not for CEOs, Exec VPs, and most importantly not for
myself or my friends. I had extremely good support from my CIO and at
least all way up to the Vice Chairman, as well as from the folks in the
General Counsel's office. Network and systems support staff would often
ask for my assistance in helping to lock down a rogue group or user when
their local politics wouldn't allow them to do so. For that to work, you
have to have strong policy and strong policy enforcement. Exceptions,
cries of "that's impossible to do" and "popularity" have to be discarded.

There are quite a lot of solutions that can "fix" this situation or more
importantly combinations of solutions, including DNS interception,
filtering, VPN software, IDS, authenticating proxies, firewalls,
education, training, policies, contracts, etc. School's an ideal time to
introduce the user population to real life- heck you can bill it as "real
world computing environments" in the handbook!

Brokerage firms are legally required to monitor "public wire traffic" and
the law doesn't allow them leeway in regards to privacy or difficulty.
K-12s may wish to enforce "chat" blocking to counter a potential abduction
threat, colleges may wish to block P2P sharing to limit litigious content
owners, etc.

Personally, I'd make all the potential users take a computer ethics and
acceptable usage class before I'd wire up their rooms or let them
authenticate to the network (quite a few years ago, there was a story in
Linux Journal about a college using floppy disks and PKI to enable
computer usage). I'm sure it'd be relatively easy to cook up something like
that with say IPSec gateways, "cafe/airport" style SSL servers, or
something like that.

This is not an unsolvable problem, and it may be that something as radical
as a curriculum change to add an ethics course would both enhance dialog
and produce some downstream social positives.

Heck, in a school you could start with articles in the school paper and
even invite dialog on an interactive forum.

I've heard of at least one major college that requires MAC address
registration prior to connection to their network. I doubt they have
massive revolt or major issues because they've thought the problem through
and made their architecture fit their solution.

This is not an unsolvable problem by any stretch.

Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation