Re: [fw-wiz] What challenges are security admins facing?
ark_at_eltex.net
Date: 05/28/03
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] help in firewall"
- In reply to: Paul Robertson: "Re: [fw-wiz] What challenges are security admins facing?"
- Next in thread: Paul Robertson: "Re: [fw-wiz] What challenges are security admins facing?"
- Reply: Paul Robertson: "Re: [fw-wiz] What challenges are security admins facing?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Paul Robertson <proberts@patriot.net> Date: Wed, 28 May 2003 18:55:59 +0400
Being a bit off-topic for the firewall security audit discussion, I'd like
to recall a paper I wrote on security management problems. Unfortunately
the paper is in Russian and thus has no value for the mailing list
subscribers, but I can recite the key point here: the major problem is
responsibility and a serious gap between de jure and de facto computer and
network usage policy. People DO use computers at their workplace for
personal needs, and that's OKAY. There are some cases when it is not
acceptable, say, processing critical data. That means instead of
denying the problem as a whole (this should not happen, but... everyone
including senior management does it) and focusing on "wide-range"
technical countermeasures like installing antivirus software everywhere
to avoid _personal_ responsibility, we should CONTROL the situation.
That means it is necessary to face the fact and, if we want an
employee not to play games and surf the web from a computer that is
connected directly to the sanctum sanctorum, he just needs _another_
computer on his desk, or maybe a public one somewhere in the office.
Enforcing a fascist set of restrictions just makes users extremely
creative in avoiding it. Keeping restrictions reasonable makes it possible
to control the remaining, vital ones really strictly. That means, say,
if a user installs an unauthorized piece of software on his computer
without consulting the administrator, he is guilty as hell and
gets fscked really bad - but to make things work this way the administrator
should allow him to do it if it is really innocent. Otherwise he
just will not tell. If a user gets a trojan by email, clicks on it
and gets 0wned, then 1) the user should be fscked for doing it and 2)
the administrator should be fscked for allowing automatic
attachment execution on users' workstations. And it is a matter of
personal responsibility, not insurance or antivirus software.
In most cases managers are just cowardly morons. They prefer things
to look good until *** happens instead of preventing it.
Another problem is, again, management. Ever seen a big boss that
says "I need this videoconferencing software working today from my
desktop, so please poke a hole in the firewall to make it work - it
is IMPORTANT! No, we do not have time for security analysis, we need
it NOW! No, I do not want to do it from a dedicated notebook machine"?
The point is obvious. Why design and implement a
crafty security policy just to have it ruined this way?
On Tue, May 27, 2003 at 09:22:55AM -0400, Paul Robertson wrote:
> On Mon, 26 May 2003, Paul Ammann wrote:
>
> > Hi
> >
> > I've been working on the firewall security audit at my company, and I've been
> > getting exposure to many different areas that I normally wouldn't. I work
> > with the Check Point firewalls. I'm curious as to what challenges
> > security admins are facing.
>
> Change control is always a big issue.
>
> So are things like password management, backups, ruleset validation,
> physical cabling verification, and potentially important things like log
> analysis and the legal aspects of such (for instance, do you regularly
> review logs, or only when "something bad happens" - the answer could change
> the defensibility of using that analysis in court, are your logs set up to
> be reported on, and will that ensure the business record exemption for
> evidentiary submission...) [At this point, you should be asking yourself
> "Why hasn't Legal been involved in our audits before?" and probably
> thinking "They might want specific things documented that aren't, and
> that's a bigger stick than I currently have..."]
>
> > I'm talking about things you might not normally take into consideration. For
> > example, lack of communication or documentation, inaccurate network
> > drawings of firewall locations, no formal change control procedure,
> > tracking temporary firewall rules, limiting access to firewall policies
> > and log information, or my favorite, no procedure for when an employee has
> > left the company or changed job functions.
>
> If you're doing user-ids, think about automatically expiring ones which
> haven't been used for some period of time.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> proberts@patriot.net which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
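Paul Robertson's suggestion in the quoted reply, automatically expiring user IDs that have not been used for some period, is one of the few items in this thread that reduces to a mechanical check. The block below is an added example and is not code from the thread or from any of the posters. The last-login table is constructed inline (a real run would feed it from lastlog, a directory, or the firewall's own user database); the 60-day threshold and the choice to treat never-used accounts as stale are assumptions to adjust to local policy; the usermod flags are the standard shadow-utils ones.

```python
"""Flag user accounts idle longer than a policy threshold (added example).

The input format here is a constructed 'user YYYY-MM-DD' list with the
literal word 'never' for accounts that have no recorded login.
"""
from datetime import date, timedelta

# Constructed sample input, not real data: one account per line.
SAMPLE_LAST_LOGIN_LINES = """
# user   last-login
alice    2003-05-27
bob      2003-02-01
carol    never
dave     2003-04-30
"""


def parse_last_login(text):
    """Parse the constructed 'user last-login' format into a dict.

    Returns {username: date or None}; None means no login was ever recorded.
    Blank lines and '#' comments are skipped.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, when = line.split()
        table[user] = None if when == "never" else date.fromisoformat(when)
    return table


def stale_accounts(last_login, today, max_idle_days=60, never_used_is_stale=True):
    """Return the sorted usernames idle for more than max_idle_days.

    An account with no recorded login is reported as stale by default
    (assumption): a created-but-unused account is exactly the kind that can
    be taken over without anyone noticing, so it should not get a free pass
    just because it has no last-login date to compare against.
    """
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for user, last in last_login.items():
        if last is None:
            if never_used_is_stale:
                stale.append(user)
        elif last < cutoff:
            stale.append(user)
    return sorted(stale)


def disable_commands(users):
    """Build the shell commands an admin reviews before running them.

    'usermod --lock' disables password login; '--expiredate 1970-01-02'
    expires the account outright, so key-based or other non-password
    logins are refused as well. Commands are returned, not executed, so
    the list can go through change control first.
    """
    return [f"usermod --lock --expiredate 1970-01-02 {u}" for u in users]


if __name__ == "__main__":
    table = parse_last_login(SAMPLE_LAST_LOGIN_LINES)
    for cmd in disable_commands(stale_accounts(table, date(2003, 5, 28))):
        print(cmd)
```

Run as a cron job, the script should only emit the command list (or a ticket) rather than apply it; the same change-control argument Paul makes for firewall rules applies to account lockouts, and a review step also catches the service account that legitimately logs in twice a year.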