Re: [fw-wiz] What challenges are security admins facing?

ark_at_eltex.net
Date: 05/28/03

  • Next message: Frank Knobbe: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
    To: Paul Robertson <proberts@patriot.net>
    Date: Wed, 28 May 2003 20:53:27 +0400
    

    nuqneH

    On Wed, May 28, 2003 at 12:33:44PM -0400, Paul Robertson wrote:

    > > network usage policy. People DO use computers at their workplace for
    > > personal needs and it's OKAY. There are some cases when it is not
    >
    > Sometimes it's okay, and sometimes it's not- that's highly dependent on
    > what that personal usage is (playing pirated copyrighted content would not
    > be ok in most places, nor would browsing porn sites, and certainly handing
    > out administrative accounts for your friends to use would be frowned
    > upon.)

    Sure. These restrictions seem reasonable in most places. But restricting
    access by limiting it to a pre-defined set of "work-related" sites
    actually encouraged users to do dirty tricks in almost 90% of
    companies I've seen it in.
    >
    > > Enforcing a fascist set of restrictions just makes users extremely
    > > creative to avoid it. Keeping restrictions reasonable makes it possible
    >
    > Getting rid of the creative ones tends to work like natural selection.

    And sometimes it works the wrong way. The remaining ones hide well and
    cause more trouble finally ;-). Many companies that try to enforce
    restrictive policies simply do not have enough resources to track down
    violations. If they had a less restrictive policy, they could.
    (Talking now with a girl that works for one of those. She is not
    allowed to use email at work, thus she spent some WORKING time to
    find a way around it. I doubt it is what they want.)

    >
    > [snip]
    >
    > > gets fscked really bad - but to make things work this way the administrator
    > > should allow him to do it if it is really innocent. Otherwise he
    >
    > How does the admin know if it's "really innocent?"

    Maintaining the list, if the thing is not on the list he should suggest
    something of close functionality.

    >
    > > Another problem is, again, management. Ever seen a big boss that
    > > says "i need this videoconferencing software working today from my
    > > desktop, so please poke a hole in firewall to make it work - it
    > > is IMPORTANT! no, we do not have time for security analysis, we need
    > > it NOW! No, i do not want to do it from dedicated notebook machine".
    > > The point is obvious. Why design and implement a
    > > crafty security policy just to have it ruined this way?
    >
    > My standard answer of "No." worked for everyone from the person in the
    > mail room to the CEO of a multibillion dollar company when I was running
    > firewalls daily. Perhaps this too is part of the responsibility?

    Yes.

                                         _ _ _ _ _ _ _
     {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
     (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
     [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

