Re: [fw-wiz] httport 3snf

From: Duncan <>
To: "Paul D. Robertson" <>
Date: Tue Oct 22 05:51:20 2002

"Paul D. Robertson" wrote:

> On Mon, 21 Oct 2002, Ryan M. Ferris wrote:
> > Paul:
> >
> > Great Comments! But is this really realistic?:
> Well, it's how I administered the HQ and main data center location for a
> ~US$5B corporation, I'm sure it's possible to do. Given the liberal
> working environment that I had to deal with, I'm sure it's something you
> can do in almost any given organization.
> > > If tunneling is (a) against policy, and (b) requires active and considered
> > > engineering to achieve, then the technology has done its part. After
> > > that, it's a monitoring and enforcement issue, not a firewall issue. If
> > > you can show active anti-policy malice in achieving the connection- then
> > > it's time to move into the penalty phase.
> >
> > [Bigger question coming...]
> >
> > At what point does monitoring and enforcement become unrealistic? In
> I guess that depends on what point the policy is unrealistic, and the
> level of commitment to policy enforcement in general.
> If they're against policy, and folks have been educated, and you're in
> such a hostile environment that you have widespread disregard for the
> policy, then it's more than likely time to either switch policies,
> architectures, or jobs.

    Having worked in the Firewall support role at several companies, I need to
    vent^H^H^H^H share two experiences that are at difference with the

    At a software development firm (Dot Com related), the policy was
    written to protect property (both physical and intangible). Abuse of
    resources was prohibited.

    But if a developer had a need (or made a request) to open FW ports, or gain
    IM access, "no" was not acceptable, but rather how fast the request
    was completed. As most developers realize, tying a deadline to any
    request is the best way around restrictions or "policies".
    You may just find yourself on the receiving end of a written reprimand
    from your CIO directed at you from the CEO of the company.

    Supporting FW's in the corporate offices of a large ISP (now gone),
    the policies required business justification for opening additional
    ports, and/or relocating segments in front of the firewalls. Note that
    as an ISP, we were the daily target of hacking attempts.

    The firewall was set to transparently proxy connections for http
    (80,443,8080) to unlimited destinations. This seemed to work for all
    300+ employees. But IT had a problem: they could not download drivers
    from HP support. This was a critical problem for them. Their suggestion
    (request) was to open the FireWall to allow all (TCP ports >1024)
    outbound from their class C to any IP, as they could not provide me
    with a list of IPs for HP support.

    The suggested workaround appeared simple:
        a: Configure your browser to proxy via the FW IP.
        b: Use dialup; we are an ISP and it's free.

    Management was informed of the risks. The director of IT support informed
    my director that it didn't sound too risky to him to just open up the ports.
    Besides, the IT desktop support people would have to remember to turn on
    proxy support when they needed it.

    Management felt the added risks were justified versus slowing down desktop
    support, since we had not had anyone actually ever break in.

    At least in these two companies the policy only went so far as to interfere
    with some claimed business need, and we had an exception.

    Working for smaller companies (<500 employees), policies are usually
    an afterthought, and may have been written by some manager in IT dealing
    only with abuse of the desktop itself. I have been at 3 Tech. companies
    where each has the following section in their policies:

    "XX. Internet usage is only for approved business purposes. Personal use
        (access) is prohibited."

    This was in two Software (Internet) development companies and one ISP company.

    On the other hand, having worked in an AeroSpace biggie where there are
    more work rules than one can read in a month, policies tended to be
    better enforced. Or at least it was much harder for a requester to get
    enough management support to force a FireWall change.

    How this relates to an educational environment, I can't really say. But
    I would hope that policies that enforce behavior/access are enforced with
    a network design that is flexible enough to address the differing needs of
    undergraduates, graduates, and researchers.

Duncan Sharp
