Re: Newsgroup filtering with host server software
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Sat, 29 Dec 2007 11:37:34 -0600
On Fri, 28 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
<7kdg45xs1v.ln2@xxxxxxxxxxxxxxxxxxxxxxx>, Flash Gordon wrote:
Moe Trin wrote, On 28/12/07 19:58:
[hole poke through firewall]
Depends
Yes. Where I used to work there was no option of *any* access from the
outside. If you were not in the office you had no access to email.
Here, it's not so much lack of access as
- we're an R&D facility, so we're rather tightly controlled. We
basically don't allow "visiting computers"
BIG signs at all of the entrances warning about that - and the visitor
access agreement that has to be signed (and witnessed) before entry is
granted specifically prohibits visiting computers. People _should_ be
aware, though we manage to have 2 or 3 visitors a year that think it
doesn't apply to them.
though we do have several computers scattered about that are
isolated from our network that can be used by visitors (and
employees for non-business activities).
Some of our customers are like that as well.
We had a problem back in the 1980s - minor lawsuit over viewable
pr0n, and another division in California got dragged through the
barbed wire for it. In ~1990, corporate came down with the no
visiting computers edict, and wouldn't you know the first person
we nailed was the CEO who was visiting our facility a week after
signing the policy, and the bulletins announcing it.
This is where Blackberries and 3G cards come in useful. Then although
you cannot plug in to the customers network you can still get at your
email.
Doesn't do much good in our buildings - heck, even cell-phones don't
work inside (joy of joys).
We tend to frown on web access - especially for mail.
My attitude is that the email has already passed unencrypted through
the internet before it hit my inbox.
Don't see all that much external mail, but the internal mail outnumbers
it by many orders of magnitude. But the main objection is that nearly
all of the mail is plain text (we don't run windoze anywhere in this
division, and my understanding is that it's limited to a few boxes in
corporate accounting and marketing - neither function located on this
side of the country). Hypertext offers us nothing in mails. (The other
advantage - no-one is mailing PowerPoint presentations back and forth.)
So if a customer allows me to plug in to their network and allows web
access but not the other email protocols we use or VPN it is useful for
me to have web access to email.
That sounds reasonable - we're restricted here due to _the possibility_
that the mail may be deemed sensitive, so everything gets encrypted.
My company is not large, but all IT in it is underfunded.
I have NEVER known an IT department that was overfunded, and most of
them today have to fight to get the budgets they really need.
One of the users got owned, and through lack of security setups, the
company's network became an open spam relay and mail-drop. That was
Painful.
to put it mildly.
We (when I was not involved in our IT infrastructure) have had
machines "owned" and spewing out spam before.
We're a lot better off because we're a *nix shop (mal-ware is much less
common) and because our users rarely have (let alone use) elevated
(root, like administrator) privilege. Don't have permission to install
anything on the system. Most of my wife's facility has been changed
over as well. There was some resistance, mainly due to "it's different".
Now outbound port 25 is blocked except for our outbound mail server.
There are a slew of other ports used by proprietary mail services and
most of them don't see the light of the Internet day, but you may also
want to be blocking 587/tcp (RFC4409).
Our auditors (internal, and those from customers) won't allow that.
Yes, some companies have more stringent requirements than others.
The combination of a R&D facility and occasional government contracts
can take all of the joy out of things.
Personally I am trying to push my company slowly in to making things
more secure, but as I am the only one who seems to have any real concept
of security or risk (and I am *not* an expert) it is slow going.
Practical UNIX and Internet Security, Third Edition
By Simson Garfinkel, Gene Spafford, Alan Schwartz
February 2003 ISBN 0-596-00323-4 984 pages $54.95 USD
This edition of Practical Unix & Internet Security provides detailed
coverage of today's increasingly important security and networking
issues. Focusing on the four most popular Unix variants today--Solaris,
Mac OS...
I'm NOT suggesting that you _buy_ this (as it's mainly *nix,) but the
network and basic security concepts still apply. See if you can find a
copy in a library (here, there is a thing called an "inter-library loan",
where "your" library has arrangements with others in the area, allowing
them to obtain books for you from those libraries - VERY handy). You
may want to look around http://www.oreilly.com, as they also have a
number of books on the windoze end of things as well.
Old guy
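
Added example, not part of the original post: a check that the egress policy discussed in the thread (outbound 25/tcp, and 587/tcp, allowed only from the outbound mail server) is actually holding, run over firewall logs. The address plan, the mail server address and the netfilter-style log lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumed values, not from the post: address plan, mail server and log format.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = ipaddress.ip_address("10.0.0.25")
MAIL_PORTS = {25, 587}  # SMTP and mail submission (RFC 4409)

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed netfilter-style log lines for forwarded connections.
SAMPLE_LOG = """\
Dec 29 11:02:10 fw kernel: OUT=eth1 SRC=10.0.0.25 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=25
Dec 29 11:02:14 fw kernel: OUT=eth1 SRC=10.0.3.17 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=25
Dec 29 11:02:15 fw kernel: OUT=eth1 SRC=10.0.3.17 DST=203.0.113.9 PROTO=TCP SPT=51240 DPT=587
Dec 29 11:02:20 fw kernel: OUT=eth0 SRC=10.0.4.2 DST=10.0.0.25 PROTO=TCP SPT=33010 DPT=25
Dec 29 11:02:31 fw kernel: OUT=eth1 SRC=10.0.4.2 DST=192.0.2.80 PROTO=TCP SPT=33011 DPT=80
Dec 29 11:02:40 fw kernel: OUT=eth1 SRC=10.0.5.9 DST=192.0.2.53 PROTO=UDP SPT=5353 DPT=25
Dec 29 11:02:44 fw kernel: OUT=eth1 SRC=not-an-ip DST=192.0.2.10 PROTO=TCP SPT=1 DPT=25
"""

def find_violations(log_text):
    """Return (src, dst, port) for internal hosts, other than the mail
    server, that sent TCP mail traffic to an address outside the network."""
    violations = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= f.keys():
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            port = int(f["DPT"])
        except ValueError:
            continue  # malformed line: skip rather than guess
        if port not in MAIL_PORTS or src == MAIL_SERVER:
            continue
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            violations.append((str(src), str(dst), port))
    return violations

def offenders(log_text):
    """Group violations by source host: {host: sorted list of mail ports}."""
    hosts = {}
    for src, _dst, port in find_violations(log_text):
        hosts.setdefault(src, set()).add(port)
    return {h: sorted(p) for h, p in hosts.items()}

if __name__ == "__main__":
    for host, ports in offenders(SAMPLE_LOG).items():
        print(f"{host}: direct outbound mail traffic on ports {ports}")
```

Any host this reports is either misconfigured or, as in the incident described in the thread, a candidate for having been taken over and used to send spam.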