On Sun, 9 Jan 2000, Roger Marquis wrote:
> In light of these policies/CYAs is there a business case for
> filtering ICQ IP addresses?
If you're trying to fight backwards, you'll never get anywhere useful.
The default policy for most businesses should be that all traffic is
disallowed first, then there needs to be a specific business case to open
it up at all. That case should start with specific sites, and only go to
the general "any site" with sufficient business justification *and* a
security model that allows that justification to override security
concerns.
I've yet to meet a business case for ICQ that held up and wasn't better
solved by e-mail or a Web application on a trusted server housed on the
local DMZ.
A firewall's protection mechanism is based on what it blocks, not on what
it allows through. The more you let through, the more useless it
becomes. If you're already allowing HTTP or SMTP, then try to find
applications that work over those protocols (without tunneling if
possible.)
If you're going to take the stance that everything is allowed unless it's
proven bad, the first trojan in the door will kill your security
enforcement mechanism pretty soundly.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
