Re: Newsgroup filtering with host server software



Moe Trin wrote, On 29/12/07 17:37:
On Fri, 28 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
<7kdg45xs1v.ln2@xxxxxxxxxxxxxxxxxxxxxxx>, Flash Gordon wrote:

Moe Trin wrote, On 28/12/07 19:58:

<snip>

- we're an R&D facility, so we're rather tightly controlled. We
basically don't allow "visiting computers"

BIG signs at all of the entrances warning about that - and the visitor
access agreement that has to be signed (and witnessed) before entry is
granted specifically prohibits visiting computers. People _should_ be
aware, though we manage to have 2 or 3 visitors a year that think it
doesn't apply to them.

Personally I always ask *before* connecting my notebook (personal or company) into another company's network. Not only does it save me getting a bollocking but it is only the polite thing to do. In my office though I am one of the people to be asked, so I give myself permission ;-)

Actually, I was given permission to hook my personal notebook into the company network before I had anything to do with our IT department.

<snip>

This is where Blackberries and 3G cards come in useful. Then although
you cannot plug into the customer's network you can still get at your
email.

Doesn't do much good in our buildings - heck, even cell-phones don't
work inside (joy of joys).

Where I used to work the rule was that you were not allowed to have a mobile switched on in the office (security) so I don't know if they would have worked. One place I visited you were not allowed to take a mobile on-site, not even if it was switched off!

We tend to frown on web access - especially for mail.
My attitude is that the email has already passed unencrypted through
the internet before it hit my inbox.

Don't see all that much external mail, but the internal mail outnumbers
it by many orders of magnitude.

For some in our company external email outnumbers internal. For almost everyone in our company external email is more likely to be sensitive.

But the main objection is that nearly
all of the mail is plain text

Plain text email works extremely well in a webmail portal :-)

(we don't run windoze anywhere in this
division, and my understanding is that it's limited to a few boxes in
corporate accounting and marketing - neither function located on this
side of the country). Hypertext offers us nothing in mails. (The other
advantage - no-one is mailing PowerPoint presentations back and forth.)

I agree that hypertext in email is bad, and so are large attachments.

So if a customer allows me to plug into their network and allows web access but not the other email protocols we use or VPN, it is useful for
me to have web access to email.

That sounds reasonable - we're restricted here due to _the possibility_
that the mail may be deemed sensitive, so everything gets encrypted.

Well, if something could be deemed sufficiently sensitive I would agree that only company machines should be able to access it; after all, any other machine could log it even if it was encrypted in transit.

My company is not large, but all IT in it is underfunded.

I have NEVER known an IT department that was overfunded, and most of
them today have to fight to get the budgets they really need.

Agreed.

<snip>

We (when I was not involved in our IT infrastructure) have had machines "owned" and spewing out spam before.

We're a lot better off because we're a *nix shop (mal-ware is much less
common)

I'm in the *nix part of our shop (says the only person in the company with a company MSDN subscription). Some development (I've slowly been getting one of our applications to use some sensible security where I have been rewriting them), some consultancy (for which I believe I should understand enough about security not to make a fool of myself), some work on our internal systems (the *nix boxes) and various other things.

So my personal notebook runs Linux (which helps make it safe) and my company notebook runs Vista (so I hit problems *before* customers), but none of my Windows machines over the years have ever had a virus as far as I know, and the AV SW is only triggered when I *deliberately* trigger it (in known safe ways).

and because our users rarely have (let alone use) elevated
(root, like administrator) privilege. Don't have permission to install
anything on the system. Most of my wife's facility has been changed
over as well. There was some resistance, mainly due to "it's different".

Well, late last year I suggested we lock down the machines (currently everyone has Admin access on their Windows machines). We shall see what happens. However, since then we have already had a couple of incidents which we would not have had with locked down machines.

Now outbound port 25 is blocked except for our outbound mail server.

There are a slew of other ports used by proprietary mail services and
most of them don't see the light of the Internet day, but you may also
want to be blocking 587/tcp (RFC4409).

Thanks, I will get that done.

Our auditors (internal, and those from customers) won't allow that.
Yes, some companies have more stringent requirements than others.

The combination of an R&D facility and occasional government contracts
can take all of the joy out of things.

I used to work in the defence industry so I know all about *that* sort of security.

Personally I am trying to push my company slowly into making things more secure, but as I am the only one who seems to have any real concept of security or risk (and I am *not* an expert) it is slow going.

Practical UNIX and Internet Security, Third Edition
By Simson Garfinkel, Gene Spafford, Alan Schwartz
February 2003, ISBN 0-596-00323-4, 984 pages, $54.95 USD
This edition of Practical Unix & Internet Security provides detailed
coverage of today's increasingly important security and networking
issues. Focusing on the four most popular Unix variants today--Solaris,
Mac OS...

Thanks.

I'm NOT suggesting that you _buy_ this (as it's mainly *nix), but the
network and basic security concepts still apply.

I may well try and get my company to buy a copy. We *do* use Linux a lot including for hosted services that we provide.

See if you can find a
copy in a library (here, there is a thing called an "inter-library loan",
where "your" library has arrangements with others in the area, allowing
them to obtain books for you from those libraries - VERY handy).

We have something similar here in the UK.

You
may want to look around http://www.oreilly.com, as they also have a
number of books on the windoze end of things as well.

I'm sure there are. However, currently I'm taking the attitude that Windows is Somebody Else's Problem. Apart from stirring up trouble on the Windows side by pointing out problems, that is.
--
Flash Gordon
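The thread's point about blocking outbound 25/tcp and 587/tcp for everything except the designated mail server is also a useful detection rule: any other internal host attempting SMTP egress is a candidate "owned" box spewing spam. The following is an added example (not code from either poster) that scans constructed netfilter-style log lines for such attempts; the log format, the mail server address 10.0.0.25 and the sample hosts are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an illustrative netfilter-style format
# (assumption: not taken from the thread). 10.0.0.25 is the legitimate
# outbound mail server; the other hosts should never talk SMTP directly.
SAMPLE_LOG = """\
Dec 29 10:01:02 gw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.10 PROTO=TCP SPT=44120 DPT=25
Dec 29 10:01:05 gw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.71 DST=198.51.100.5 PROTO=TCP SPT=50123 DPT=25
Dec 29 10:01:06 gw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.71 DST=198.51.100.6 PROTO=TCP SPT=50124 DPT=25
Dec 29 10:01:07 gw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.71 DST=198.51.100.7 PROTO=TCP SPT=50125 DPT=587
Dec 29 10:01:09 gw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.0.0.71 DST=198.51.100.8 PROTO=TCP SPT=50126 DPT=443
Dec 29 10:01:11 gw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=192.0.2.9 PROTO=TCP SPT=33001 DPT=587
"""

MAIL_SERVER = "10.0.0.25"  # assumed: the only host permitted to send mail out
SMTP_PORTS = {25, 587}     # 25 = SMTP relay, 587 = message submission (RFC 4409)

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

def find_unexpected_smtp(log_text, mail_server=MAIL_SERVER):
    """Return {src: [(dst, port), ...]} for every internal host other than
    the mail server that attempted an outbound connection to 25 or 587."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP connection log line
        port = int(m.group("dpt"))
        if port in SMTP_PORTS and m.group("src") != mail_server:
            hits[m.group("src")].append((m.group("dst"), port))
    return dict(hits)

if __name__ == "__main__":
    for src, conns in find_unexpected_smtp(SAMPLE_LOG).items():
        print(f"{src}: {len(conns)} unexpected SMTP attempt(s) -> {conns}")
```

A host that shows up here repeatedly, especially with many distinct destinations, is the kind of machine the thread describes as already "owned"; the egress block stops the spam leaving, and the log line tells you which box to go and clean.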