Re: How safe for firewall rule using 127.0.0.0/8
From: Triffid (triffid_at_nebula.net)
Date: Fri, 28 Oct 2005 00:19:35 -0400
Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <9jU7f.email@example.com!nnrp1.uunet.ca>, Somebody. wrote:
>>"Moe Trin" <firstname.lastname@example.org> wrote
>>>At work, the solution is quite simple - no VPNs period. I know what
>>>my "normal" network traffic looks like, and when I see something out
>>>of the ordinary, I investigate.
>>For this example, your "no vpns policy" would have to include blocking
>>443. Are you prepared to do that?
> No, we have written policy in place - the results of violating it are
> well known to the users and harsh. We don't have a problem with this, as
> our users are not stupid. But let me point you back at the last sentence
> above - and tell you to use a packet sniffer (any - even something like
> ethereal) and notice the difference between Alice checking her bank
> balance (which is prohibited here, but less likely to trigger disciplinary
> action), and Bob using a tunnel for surfing pr0n or mailing the company
> secrets to a competitor.
>>nothing on the network core or perimeter can detect/stop this activity in
>>any useful way. It looks like very ordinary https traffic.
> Then perhaps you need experience and more training.
>>All it takes is a single click "OK" and a few prompts that most people are
>>used to sailing through.
> Train your users. See that your users are not operating as a privileged
> user - if you can't get their applications to run without needing that,
> get someone who can. Do not use known broken applications because they are
> included in the desktop or what-ever, and it's the only thing your users
> are capable of running. (Back in the early 1980s, my wife was using a
> spread-sheet as a word processor, database tool, and who knows what else in
> addition to its primary use as a spread-sheet, because that was the only
> thing her company thought to buy - but then, it was one of 2 PCs in a 40
> person accounting department. Let me assure you that things changed over
> time when they started noting massive productivity gains, even given that
> an IBM PC-XT was a _substantial_ chunk of coin at the time.)
>>Lots of people can be tricked into installing that, very easily,
>>thinking it's something else. I agree, untrained users, etc etc.
> Why are your users visiting such sites? It is required as part of their
> job? (If so, I'd start by asking to disqualify those vendors.)
> It just so happens that the most frequently used vector to date is that of
> user stupidity (why is it that we laugh at the cartoon animal who falls for
> the "stand here and press this button" gag, but so many of us seem content
> to "click here and be amazed"?) (Alun Jones in c.s.f)
> [Remember that one Alun?]
> Social Engineering - Because there is no patch for human stupidity.
> Uncrackable computers are already available. It's uncrackable users that
> are in short supply.
> Really - training makes a HUGE difference.
>>So you have this user that installs something he shouldn't -- how
>>often does that happen? Pretty often.
> Very infrequently - for six reasons.
> 1. We've trained our users.
> 2. Corporate policy prohibits personal use of company computers, and not
> many business sites are so stupid as to pull stunts.
> 3. We're not running windoze, never mind Outlook or Internet Exploiter.
> 4. Our users use an appropriate tool other than some crappy browser because
> it's the only piece of software they can (sorta) use.
> 5. Our users do not have root (admin) privileges.
> 6. Our user home directories are network mounted from a file server, and
> most are mounted 'noexec' meaning you can't even create a shell script
> (the *nix equivalent of a batch file) - never mind install shit.
Must be nice.
Around here, the *products* run on windoze, and upper management loves
to say "we eat our own dog food". (Yes, the predictable misquote is
When management won't support policies such as you espouse, one
frequently has little choice but to resort to stoop'n'scoop mode.
Security is PPPT. One might debate the P ordering, but T is indisputably
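Moe Trin's point 6 above (network-mounted home directories with 'noexec') is the one technical control in the thread that can be checked mechanically. The script below is an added example, not code from either poster: it audits a mount table in /proc/mounts format and lists home-directory mounts that lack noexec. The mount table and the hostname "fileserver" are constructed for offline use; on a live host you would feed it the contents of /proc/mounts.

```shell
# Constructed sample mount table (format of /proc/mounts:
# "device mountpoint fstype options dump pass"). bob's home is missing noexec.
SAMPLE_MOUNTS='fileserver:/export/home/alice /home/alice nfs rw,nosuid,nodev,noexec,hard 0 0
fileserver:/export/home/bob /home/bob nfs rw,nosuid,nodev,hard 0 0
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home/carol /home/carol nfs rw,noexec 0 0'

# home_mounts_without_noexec MOUNT_TABLE [PREFIX]
# Prints one mountpoint per line for every entry at or under PREFIX
# (default /home) whose option list does not contain "noexec".
# Exit status 0 when every matching mount has noexec, 1 otherwise.
home_mounts_without_noexec() {
    printf '%s\n' "$1" | awk -v prefix="${2:-/home}" '
        # $2 is the mountpoint, $4 the comma-separated option list
        index($2, prefix "/") == 1 || $2 == prefix {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
            if (!found) { print $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Usage on the constructed table; on a real host: "$(cat /proc/mounts)".
home_mounts_without_noexec "$SAMPLE_MOUNTS" \
    || echo "the home mounts listed above are missing noexec"
```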