Greetings,

I would like to ask for the expertise of this list regarding a matter of 
selective blocking of traffic from inside a company to the 
Internet.  Specific tools that we have or will soon have in place are 
Checkpoint Firewall-1, Checkpoint Meta-IP for internal DNS (and user to 
machine association via LDAP database), and a new tool called the 
R-2000/XStop site blocking appliance from Logon Data.

Our highest level officers have decided on a stated policy course that is 
at odds with what many of the departments think is effective business 
practice (I tend to agree simply from a network management business 
case).  I work at a company that has a large number of field offices 
staffed by customer service agents and other hourly-paid service personnel 
with very specific job tasks that require localized application access, and 
we have four large call centers that also require specific application 
access.  Our CEO has declared that we will provide Internet access for 
everyone, but this makes life very difficult at the call centers and 
customer service counters where the managers want the employees to be doing 
their work rather than surfing the net.

Selective firewall blocking based on subnets will not work, 
unfortunately.  The remote sites have too many exceptions (this manager 
needs full access, that supervisor, etc...) and the rule housekeeping would 
be a huge problem.

Using the Meta-IP product we will soon be able to associate a user with a 
given (DHCP addressed) workstation for the duration of their login session 
and store the resulting data in an LDAP database.  Supposedly Checkpoint 
have integrated the ability of FW-1 to query this LDAP database to allow us 
selective permissions through the firewall based on user names and/or NT 
permission groups.  Unfortunately, our firewall VAR has no experience with 
doing this sort of thing, and in fact it seems that few in business today 
are doing such selective blocking of Internet access (with most it seems to 
be an all or nothing proposition).

Would anyone in this audience care to propose or discuss any models of 
selective blocking other than that provided by Checkpoint?  Has anyone 
specifically validated the Checkpoint model of selective blocking in 
practice, and if so what were the hard spots, if any?

I'm open to all ideas and I hope that this question initiates a discussion 
thread on this list.  I've inherited this selective blocking mess and your 
contributions to my knowledge base are very much appreciated.


Cheers.
Rob

           Take chances, Get messy, Make mistakes.  (Miss Frizzle)
                    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                     Rob Scott, mailto:[EMAIL PROTECTED]
        Langley, Washington on Whidbey Island (a suburb with a moat)

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
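The user-to-address model the post asks about, as an added example that is not code from the original post, from Checkpoint FW-1 or from Meta-IP: a login/logout directory (a dict standing in for the LDAP database) maps a DHCP-assigned address to the user logged in on it, and the egress decision consults that mapping plus NT-style group membership instead of per-subnet rules. It also shows the hard spot such a model has to handle: a stale address-to-user binding after logoff, a lost logout event, or an over-long session lets the next holder of the address inherit the previous user's access. All users, groups, hosts, addresses and events are constructed for the example.

```python
"""Identity-aware egress filtering model (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed group membership (stands in for NT groups stored in LDAP).
USER_GROUPS = {
    "alice": {"call-center-agents"},
    "bob":   {"call-center-agents", "call-center-supervisors"},
    "carol": {"field-office-managers"},
}
# Hypothetical policy: everyone may reach the business applications;
# only these groups may browse the Internet at large.
APP_HOSTS = {"crm.example.internal", "billing.example.internal"}
FULL_INTERNET_GROUPS = {"call-center-supervisors", "field-office-managers"}


@dataclass
class Session:
    user: str
    ip: str
    mac: str                 # workstation that actually holds the lease
    logged_in_at: int        # seconds; constructed timestamps
    logged_out_at: Optional[int] = None


class IdentityDirectory:
    """Address -> session map fed by login/logout events (LDAP stand-in)."""

    def __init__(self, max_age: int = 8 * 3600):
        self.by_ip: Dict[str, Session] = {}
        self.max_age = max_age   # a session older than a shift is suspect

    def login(self, user: str, ip: str, mac: str, at: int) -> None:
        self.by_ip[ip] = Session(user, ip, mac, at)

    def logout(self, ip: str, at: int) -> None:
        if ip in self.by_ip:
            self.by_ip[ip].logged_out_at = at

    def naive_user_for(self, ip: str) -> Optional[str]:
        """Whoever was last seen on the address; the unsafe version."""
        s = self.by_ip.get(ip)
        return s.user if s else None

    def user_for(self, ip: str, mac: str, now: int) -> Optional[str]:
        """Only trust the binding while it is demonstrably current."""
        s = self.by_ip.get(ip)
        if s is None or s.logged_out_at is not None:
            return None                      # nobody logged in, or logged off
        if now - s.logged_in_at > self.max_age:
            return None                      # session outlived a lease/shift
        if mac != s.mac:
            return None                      # address re-issued to another box
        return s.user


def decide(d: IdentityDirectory, ip: str, mac: str, dest: str, now: int,
           strict: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason) for one outbound connection."""
    if dest in APP_HOSTS:
        return "allow", "business application host"
    user = d.user_for(ip, mac, now) if strict else d.naive_user_for(ip)
    if user is None:
        return "deny", "no current authenticated user on source address"
    allowed = USER_GROUPS.get(user, set()) & FULL_INTERNET_GROUPS
    if allowed:
        return "allow", f"{user} is in {sorted(allowed)}"
    return "deny", f"{user} has application-only access"


def run_demo() -> Dict[str, str]:
    """Constructed timeline; returns verdict per scenario."""
    d = IdentityDirectory()
    d.login("alice", "10.1.1.20", "00:aa", at=0)
    d.login("bob",   "10.1.1.21", "00:bb", at=0)
    d.login("carol", "10.1.1.30", "00:cc", at=0)
    r = {}
    r["agent to web"] = decide(d, "10.1.1.20", "00:aa", "www.example.com", 100)[0]
    r["agent to CRM"] = decide(d, "10.1.1.20", "00:aa", "crm.example.internal", 100)[0]
    r["supervisor to web"] = decide(d, "10.1.1.21", "00:bb", "www.example.com", 100)[0]
    # bob logs off; DHCP hands 10.1.1.21 to workstation 00:dd before its
    # user has logged in. Naive lookup still answers "bob".
    d.logout("10.1.1.21", at=300)
    r["reused addr, naive"] = decide(d, "10.1.1.21", "00:dd", "www.example.com", 400, strict=False)[0]
    r["reused addr, strict"] = decide(d, "10.1.1.21", "00:dd", "www.example.com", 400)[0]
    # carol's logout event was lost; the address moved to workstation 00:ee.
    r["lost logout, naive"] = decide(d, "10.1.1.30", "00:ee", "www.example.com", 500, strict=False)[0]
    r["lost logout, strict"] = decide(d, "10.1.1.30", "00:ee", "www.example.com", 500)[0]
    # same workstation, but the session is older than a shift.
    r["expired session"] = decide(d, "10.1.1.30", "00:cc", "www.example.com", 8 * 3600 + 1)[0]
    return r


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:22s} {verdict}")
```

The exception problem the post describes (this manager needs full access, that supervisor) becomes a group membership change rather than a firewall rule change, which is the point of the model; the price is that the firewall's answer is only as good as the freshness of the address-to-user binding, so logout events, lease changes and session age all need to feed the lookup.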