An interesting topic indeed.

I'd say the first step is a security policy. If you don't have one,
you need one (this is my standing battle cry).
Make the definition of the security policy the battle ground for
this issue. The security policy should describe what resources need
protecting, against what threats, and mandate requirements (possibly
including firewalls) that follow logically from the resources and
threats.

But that's just setting a sound structure for the debate; it doesn't
actually address your question.

If you've described resources that need protecting, and threats they
need protecting against, and the manager still doesn't buy into your
proposed solution, then either you need a more flexible solution
(e.g. protect critical servers with a different, tighter policy from
the one you inflict on desktop clients --- which may also require
protecting them _against_ the vulnerable desktops) or else they're
ignoring the problem. In that latter case what I like doing is
demonstrating the problem. Come up with a clear threat, fantasize a
plausible attacker, describe the scenario in detail, then offer to
demonstrate the practicality and effects of the attack by running
it (with prior agreement, at a scheduled time). If they insist on
continuing to ignore the threat, and refuse to let you demonstrate
it, then back off. Carry out these negotiations in email and keep
file copies, and then when they get burgled you can document that
the manager deliberately chose to let it happen.

If that last bit (let 'em hang) is unacceptable to you, your choices
reduce to trying to go over the head of the recalcitrant manager, or
finding another job.

-Bennett