Unless you're working for an extremely small company, it's not a good
idea to just install software and configure on the fly.  (This thread started
with a request for security policy examples.)

The main purpose of a firewall is to enforce policy [No, I won't get into
THAT argument.  :) ] which includes protecting network assets.  If your
practice is "wide-open", you still need a written policy from your
employer stating such.  With any firewall, you should start with
"deny everything" and move towards what "corporate" is comfortable
with, even if it is "no restrictions".

I can only imagine one case where an ISP would need a firewall: to protect
its internal network where the billing records and logs are kept.  (I'm
probably wrong as I've never worked that side of the house.) (Why
have a firewall if the security policy is "no restrictions"?)  In this
case, it would not be up to the firewall administrator to set the policy.  It
would most definitely be a corporate policy about who is allowed to connect
through the firewall (in either direction).

Anyone who works in the network security field without
a written job description and a written security policy (especially those
getting paid in the high 5-figures+) is in a dangerous position.  (Okay,
that's IMHO...)

When installing the initial firewall, it is "good practice" to have:

    1) a written security policy (you need this to configure the firewall and the
    proxies) (the firewall admin. usually has this)

    2) a written contingency plan (this should at least set your day-to-day
    operating procedures if not what to do in case of fire/flood/crime/etc.) (it
    also can determine what equipment you should have on "standby") (the firewall
    admin. and/or department head usually has this)

    3) a written "acceptable usage agreement" (ISPs call this "Terms of Service")
    Unless an employee (or an ISP's user) has agreed to "acceptable usage",
    your employer will find it very difficult to terminate that person for
    hacking/viewing porn on company time/etc. etc. etc.  (HR/CR usually keep
    these on record)

All three of the above should be reviewed periodically and kept up-to-date.
An organization and its network change over time (sometimes rapidly).  Its
written policies (and business plan?) should change with it.

Politics will always conflict with security when use of your network is
involved.  It's good to have that written policy on hand when someone else's
department head comes to you and wants a "hole in the firewall" so that
he can run ICQ at his desk.  It allows you to say "No."  It helps keep your
company from being sued when things go wrong and it helps you avoid
some of the nastier company politics.  (The larger the company that you
work for, the greater the likelihood of politics defining or conflicting with
how you operate.)

Buy/Beg/Borrow/"Find" a copy of the "Unix System Administration
Handbook".  Read chapter 32.  It's entitled "Policy and Politics" and
gives examples of some of the things that you will run into as a systems
admin./firewall admin.

Okay, I'm off the soap box,
Tim Kramer


Bennett Todd wrote:

> 1999-09-24-08:37:56 Tim Kramer:
> > The safest security policy to start with is: "deny everything".  Then
> > don't add anything until you get "corporate" approval (in writing).
>
> Tim has a reasonable stance for some settings. In other places, other policies
> are appropriate. Examples would include isps and other dotcoms, where
> wide-open internet access is the essential working asset, and the data isn't
> nearly as important to protect.
>
> -Bennett
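As an added illustration (not code from the original post or its author) of the practice described above, starting from "deny everything", adding only exceptions that have written corporate approval, and reviewing the policy periodically, the script below audits a firewall ruleset against a written policy. The rule and policy formats, the approval reference ids, and the chat-client port are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass
class Rule:
    """One firewall rule; every 'allow' should trace back to a written approval."""
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp" or "udp"
    port: int
    approval: Optional[str] = None  # reference to the written approval, if any


@dataclass
class Policy:
    """The written security policy the firewall is meant to enforce."""
    default_action: str             # the post's starting point: "deny"
    approvals: Set[str]             # references "corporate" has signed off on
    last_reviewed: date
    review_interval_days: int = 180


def audit(rules: List[Rule], policy: Policy, today: date) -> List[str]:
    """Return findings where the ruleset has drifted from the written policy."""
    findings = []
    if policy.default_action != "deny":
        findings.append("default action is not deny")
    for r in rules:
        if r.action == "allow" and r.approval not in policy.approvals:
            findings.append(f"allow {r.proto}/{r.port} has no written approval")
    if (today - policy.last_reviewed).days > policy.review_interval_days:
        findings.append("policy review is overdue")
    return findings


# Constructed sample: two approved services plus an unapproved "hole in the
# firewall" for a desktop chat client (approval ids and port are illustrative).
SAMPLE_POLICY = Policy("deny", {"CHANGE-0001", "CHANGE-0002"}, date(1999, 1, 15))
SAMPLE_RULES = [
    Rule("allow", "tcp", 25, "CHANGE-0001"),   # mail relay, approved in writing
    Rule("allow", "tcp", 80, "CHANGE-0002"),   # web proxy, approved in writing
    Rule("allow", "tcp", 5190, None),          # chat client, no written approval
    Rule("deny", "tcp", 0),                    # catch-all, matches the default
]


def run_sample(today: date = date(1999, 9, 24)) -> List[str]:
    """Audit the constructed sample as of the date of the original thread."""
    return audit(SAMPLE_RULES, SAMPLE_POLICY, today)
```

Run as of the thread's date, the audit flags the unapproved chat-client rule and the overdue policy review; an audit dated on the last review day reports only the unapproved rule.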
