Re: Blocking Yahoo Messenger With Firewall??
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/22/05
- Next message: Kutloze Scheefgepoepte: "Re: Kadaitcha Man ~~~~> If it walks like a duck, talks like a duck, looks like a duck ..."
- Previous message: Glass slopper: "Re: Win xp and SATA issue??"
- In reply to: NâCN: "Re: Blocking Yahoo Messenger With Firewall??"
- Next in thread: NâCN: "Re: Blocking Yahoo Messenger With Firewall??"
- Reply: NâCN: "Re: Blocking Yahoo Messenger With Firewall??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Nov 2005 13:57:16 -0600
On Mon, 21 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<9275o11rv3ncj196eapo3eah0ubsae5pqb@4ax.com>, NâCN wrote:
>Could you maybe give me a google type search suggestion to look for
>info from the Feds and states for info on making policies, or any
>other type of good sources that come to mind.
>
>I am in California.
Oh, Je****! California probably has more lawyers per capita than any
state, and that means... Yeah, you REALLY want some policies in place.
As for hints,
Web Results 1 - 10 of about 15,400,000 for California labor relations.
(0.41 seconds)
California Department of Industrial Relations Home Page
First hit. That will get you started. The University of California
also has some good stuff - probably started as class materials.
>We have about 75 computers online on the network, but only about 25 of
>them are users that would be using the Internet.
It's hard to make specifics - you (rightly) can't tell me about your
network setup details any more than I can tell you mine (and I'm also
under an NDA, such that you don't see me mentioning companies or
products). We'll come back to those 25 in a moment. Can the users
get Internet access from those 50? That is, do users have physical
access, or even user accounts on them? Do those 50 need access to the
Internet? I've got two process lines with about 40 systems on each, and
they need to share some data with users on our main networks, but that's
it. The lines are therefore set on a separate subnet, and the routers that
connect them to the main networks don't allow the lines to send/receive
packets from anywhere except the subnet where the authorized users are.
Not only do the lines not have access to the Internet, they don't even
have access to the rest of the company network, never mind unauthorized
subnets locally.
Now, as for your users on those 25, does the world (or even some part of
it) need access to those 25? By this, I mean are they serving anything to
the Internet. No? Firewall prevents incoming access. Yes? They _really_
should be segregated onto a DMZ, so that you can protect the rest of the
internal systems. What kind of access do your 25 need to the world? Are
they grabbing data from some site in China, or Costa Rica, or Costa Mesa?
As part of the business, do they need any access at all? What kind? How
much traffic? How many bucks (which also means time) are you willing to
throw at the problem? Policy (and user training) can often solve the
problem at a lower total cost, and improve productivity. Filtering net
access by IP address can be easiest. For example, do you need access to
Asia/Pacific or Central/South America? If no, then 7 ranges blocked
(58/7, 60/7, 124/6, 200/6, 210/7, 218/7 and 220/6) will block 95%. Need
to block Europe? Six rules block a lot. HOWEVER those are just general
concepts that may or may not do anything. Blocking port number outbound
is another technique. Generally, you look in your logs to see what
traffic exists, and then tailor rules based on that. Pain in the butt,
which is why policy is usually a better choice.
>They hired me because of my computer knowledge along with my scientific
>experience. But it was my computer knowledge that separated me from the
>crowd. Then after awhile I was in charge of the network.
Oh, fun. Well, TCP/IP has been around for twenty plus years, and the base
concepts haven't changed that much. Of course, what was acceptable from
a security standpoint in 1985 would horrify a modern net-admin, but it's
still building on the basic operation of computers by humans.
>I am getting my certs now.
Certification may or may not be a good deal. If it's learning by rote
some manufacturer's training scheme (Cisco, Microsoft, Novell, what-ever),
these tend to be next to useless. They present material needed to pass
a test, but it may be irrelevant, misleading, or down-right wrong. I
took a Novell class, where we were taught that the old thick Ethernet
used RG-8 or RG-11 50 Ohm coax. This was wrong on two points - RG-11 is
75 Ohm, and the Ethernet specifications require plenum rated cable (the
jacket material prohibits those specific cables). The Microsoft classes
had similar gaffes - a few that were even more blatant.
>Thanks again... and google suggestions for policy ideas??
Hopefully, my response (and Ken Ward's suggestion of SANS) will point
you in the right directions.
Old guy
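A worked example of the "look in your logs to see what traffic exists, and then tailor rules" step from the post above. This is added here and is not part of the original post or anything Moe Trin wrote. It takes the seven CIDR ranges exactly as the post lists them, expanded to full notation, counts which of them outbound destinations in a firewall log actually fall into, and emits candidate drop rules only for ranges that saw traffic. The log format, the addresses in the sample lines and the iptables rule syntax are assumptions for illustration; the ranges are the 2005-era regional allocations as the poster stated them, not a current map.

```python
"""Audit outbound firewall-log destinations against the CIDR ranges the
post lists, then emit candidate rules only for ranges that see traffic.

Added example; the log lines and the iptables syntax are assumptions,
not anything from the original post.
"""
import ipaddress
import re
from collections import Counter

# The seven ranges from the post, written out in full CIDR notation.
# They are the 2005-era allocations as the poster stated them.
REGION_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("58.0.0.0/7", "60.0.0.0/7", "124.0.0.0/6", "200.0.0.0/6",
                 "210.0.0.0/7", "218.0.0.0/7", "220.0.0.0/6")
]

# Constructed sample log, one outbound connection per line (not real data).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation
# ranges; 59.42.17.8 is a made-up address inside the post's 58/7 block.
SAMPLE_LOG = """\
Nov 21 09:14:02 fw kernel: OUT src=10.1.5.23 dst=203.0.113.45 proto=tcp dport=80
Nov 21 09:14:05 fw kernel: OUT src=10.1.5.23 dst=198.51.100.7 proto=tcp dport=443
Nov 21 09:15:11 fw kernel: OUT src=10.1.5.40 dst=59.42.17.8 proto=tcp dport=5050
Nov 21 09:16:30 fw kernel: OUT src=10.1.5.12 dst=192.0.2.200 proto=udp dport=53
Nov 21 09:17:02 fw kernel: OUT src=10.1.5.23 dst=203.0.113.45 proto=tcp dport=80
this line is garbage and must be skipped
"""

# Assumed log layout: key=value fields for source, destination, proto, port.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) or None for lines that don't parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]),
                m["proto"], int(m["dport"]))
    except ValueError:  # malformed address: treat as unparseable
        return None


def matching_block(addr):
    """CIDR string of the first listed block containing addr, else None."""
    for net in REGION_BLOCKS:
        if addr in net:
            return str(net)
    return None


def summarize(log_text):
    """Count outbound destinations per listed block; 'unlisted' otherwise."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[matching_block(rec[1]) or "unlisted"] += 1
    return dict(counts)


def render_rules(summary, chain="OUTPUT"):
    """One DROP rule per listed block that appeared in the log.

    iptables syntax is an assumption; adapt to whatever firewall is in use.
    """
    return [f"iptables -A {chain} -d {cidr} -j DROP"
            for cidr in sorted(summary) if cidr != "unlisted"]


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for cidr, n in sorted(result.items()):
        print(f"{cidr:>16}: {n}")
    print("\n".join(render_rules(result)))
```

Only blocks that actually show up in the log become rules, which is the point of the post's advice: a blanket list of regional ranges may do nothing for a given site, whereas rules derived from observed traffic are easy to justify and to revisit when the log changes.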