Your reply sounds good for a beginner like me.  Thanks a lot.

Rgds
Radhakrishnan
Systems Executive
India

-----Original Message-----
From: Tim Kramer [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 25, 1999 1:48 AM
To: Bennett Todd
Cc: Michael Cunningham; [EMAIL PROTECTED]
Subject: Re: security policy examples


Unless you're working for an extremely small company, it's not a good
idea to just install software and configure on the fly.  (This thread started
with a request for security policy examples.)

The main purpose of a firewall is to enforce policy [No, I won't get into
THAT argument.  :) ] which includes protecting network assets.  If your
practice is "wide-open", you still need a written policy from your
employer stating such.  With any firewall, you should start with
"deny everything" and move towards what "corporate" is comfortable
with, even if it is "no restrictions".

I can only imagine one case where an ISP would need a firewall: to protect
its internal network where the billing records and logs are kept.  (I'm
probably wrong as I've never worked that side of the house.)  (Why
have a firewall if the security policy is "no restrictions"?)  In this
case, it would not be up to the firewall administrator to set the policy.  It
would most definitely be a corporate policy about who is allowed to connect
through the firewall (in either direction).

Anyone who works in the network security field without
a written job description and a written security policy (especially those
getting paid in the high 5-figures+) is in a dangerous position.  (Okay,
that's IMHO...)

When installing the initial firewall, it is "good practice" to have:
    1) a written security policy (you need this to configure the firewall and the
    proxies) (the firewall admin. usually has this)

    2) a written contingency plan (this should at least set your day-to-day
    operating procedures, if not what to do in case of fire/flood/crime/etc.) (it
    also can determine what equipment you should have on "standby") (the firewall
    admin. and/or department head usually has this)

    3) a written "acceptable usage agreement" (ISPs call this "Terms of Service").
    Unless an employee (or an ISP's user) has agreed to "acceptable usage",
    your employer will find it very difficult to terminate that person for hacking/
    viewing porn on company time/etc. etc. etc.  (HR/CR usually keep these on
    record)

All three of the above should be reviewed periodically and kept up-to-date.
An organization and its network change over time (sometimes rapidly).  Its
written policies (and business plan?) should change with it.

Politics will always conflict with security when use of your network is
involved.  It's good to have that written policy on hand when someone else's
department head comes to you and wants a "hole in the firewall" so that
he can run ICQ at his desk.  It allows you to say "No."  It helps keep your
company from being sued when things go wrong and it helps you avoid
some of the nastier company politics.  (The larger the company that you
work for, the greater the likelihood of politics defining or conflicting with
how you operate.)

Buy/Beg/Borrow/"Find" a copy of the "Unix System Administration
Handbook".  Read chapter 32.  It's entitled "Policy and Politics" and
gives examples of some of the things that you will run into as a systems
admin./firewall admin.

Okay, I'm off the soap box,
Tim Kramer


Bennett Todd wrote:

> 1999-09-24-08:37:56 Tim Kramer:
> > The safest security policy to start with is: "deny everything".  Then
> > don't add anything until you get "corporate" approval (in writing).
>
> Tim has a reasonable stance for some settings.  In other places, other policies
> are appropriate.  Examples would include ISPs and other dotcoms, where
> wide-open internet access is the essential working asset, and the data isn't
> nearly as important to protect.
>
> -Bennett

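As an added illustration of the "deny everything, then add only what corporate has approved in writing" stance argued in the thread (this is not code from the thread or any of its participants), the script below turns a written allow-list into a default-deny firewall ruleset and refuses to build one if any line lacks an approval reference, which is the ICQ "hole in the firewall" request from above. It assumes a Linux host running nftables, a tool the 1999 thread predates; the policy-file layout, the addresses and the SEC-nnnn approval references are constructed for the example.

```python
"""Default-deny nftables ruleset generated from a written allow-list."""
import ipaddress


class PolicyError(ValueError):
    """Raised when the allow-list cannot be turned into a loadable ruleset."""


# Constructed sample policy (addresses and SEC-nnnn references are invented).
# The last line is the ICQ request with no written approval: it must be refused.
POLICY = """\
# direction, proto, port, source, destination, approval
in,  tcp, 22,   10.0.5.0/24, 10.0.1.10, SEC-0012
in,  tcp, 443,  0.0.0.0/0,   10.0.1.20, SEC-0015
out, udp, 53,   10.0.1.0/24, 10.0.0.53, SEC-0003
out, tcp, 5190, 10.0.1.0/24, 0.0.0.0/0,
"""


def parse_policy(text):
    """Return (accepted rules, rejected line descriptions) for the allow-list."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            rejected.append(f"line {lineno}: expected 6 fields: {line}")
            continue
        direction, proto, port, src, dst, approval = fields
        try:
            if direction not in ("in", "out"):
                raise ValueError(f"bad direction {direction!r}")
            if proto not in ("tcp", "udp"):
                raise ValueError(f"bad protocol {proto!r}")
            port = int(port)
            if not 0 < port < 65536:
                raise ValueError(f"port {port} out of range")
            src_net = ipaddress.ip_network(src, strict=False)  # validates CIDR
            dst_net = ipaddress.ip_network(dst, strict=False)
            if not approval:
                raise ValueError("no written approval reference")
        except ValueError as exc:
            rejected.append(f"line {lineno}: {exc}: {line}")
            continue
        accepted.append({"direction": direction, "proto": proto, "port": port,
                         "src": src_net, "dst": dst_net, "approval": approval})
    return accepted, rejected


def _match(rule):
    """Build the nft match expression; a /0 network matches everything, so omit it."""
    parts = []
    if rule["src"].prefixlen:
        parts.append(f"ip saddr {rule['src']}")
    if rule["dst"].prefixlen:
        parts.append(f"ip daddr {rule['dst']}")
    parts.append(f"{rule['proto']} dport {rule['port']}")
    return " ".join(parts)


def render_nftables(rules):
    """Emit an nft ruleset: every chain drops by default, approved rules accept."""
    by_dir = {"in": [], "out": []}
    for rule in rules:
        # The approval reference travels with the rule so an audit can trace it.
        by_dir[rule["direction"]].append(
            f'        {_match(rule)} accept comment "{rule["approval"]}"')
    lines = ["table inet filter {",
             "    chain input {",
             "        type filter hook input priority 0; policy drop;",
             "        iif lo accept",
             "        ct state established,related accept",
             "        ct state invalid drop",
             *by_dir["in"],
             "    }",
             "    chain forward {",
             "        type filter hook forward priority 0; policy drop;",
             "    }",
             "    chain output {",
             "        type filter hook output priority 0; policy drop;",
             "        oif lo accept",
             "        ct state established,related accept",
             *by_dir["out"],
             "    }",
             "}"]
    return "\n".join(lines) + "\n"


def build_ruleset(text):
    """Parse and render, refusing to produce anything if any line was rejected."""
    rules, rejected = parse_policy(text)
    if rejected:
        raise PolicyError("refusing to build ruleset:\n  " + "\n  ".join(rejected))
    return render_nftables(rules)
```

Running `build_ruleset(POLICY)` raises `PolicyError` naming the unapproved ICQ line, so nothing gets loaded; `render_nftables(parse_policy(POLICY)[0])` shows what the approved subset would load as, and the output is meant to be fed to `nft -f` only after the whole file passes. Every chain carries `policy drop`, so an approved exception has to be written down before it can exist on the box.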
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]