Some thoughts on this...


>    Date: Tue, 12 Dec 2000 22:38:37 -0800
>    From: "Stephen Gutknecht (firewalls)" <[EMAIL PROTECTED]>
> Subject: Undesired outbound data "leaking" - the next frontier?
> ....
> Solutions I can see off the top of my head:
>
>   1)  Allow only outbound traffic to pre-authorized destinations and keep a
> list of only those allowable destinations on your firewall.  Using "net
> nanny" (censoring) type technology for security purposes.

I could do this now, but if I did so, my entire life would be spent managing
this list...  My compromise is to leave HTTP, HTTPS and the streaming media
ports open to everywhere, FTP only via our proxy, and all other ports/IPs
restricted inbound AND outbound.

>   2)  Develop a list of "safe client pc programs" and some type of scanning
> technology to detect "undesired" programs.
>

I can kind of do this now (the list part, with NT), but the amount of time spent
establishing which executables are allowed and which aren't, locking things down
to the point that my end users can't change things to run the newest widget that
they downloaded and brought in from home while still being able to do the work
they need to do, and the lost productivity from the inevitable side effect of
restricting something that you didn't intend to... it's just not going to
happen.  Our operating environment changes daily - I could never keep up with it
- it would take me two years to roll out a new platform.

>
> ...
>   Stephen Gutknecht
>   Renton, Washington
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>

"Personal Firewalls aren't Safe"

My real concern in the "Personal Firewalls" issue has to do solely with
Symantec's response to the issue as reported by ZDNet, i.e. "We were recently
made aware of this, and we are looking into this as we speak".

This is eerily reminiscent of the "embedded worms can't be detected via
Symantec's NAV for MS Exchange scanner" and the "attachments can be delivered
before scanning" issues for me, and further causes me to doubt the credibility
of the companies who are writing the software packages that I trust the security
and integrity of my company's systems to.  It doesn't take a rocket scientist to
realize that with the embedded code support in the extensions to HTML supported
by Exchange clients, the message itself can contain the virus/worm - nor does it
take a rocket scientist to realize that if the call to your scanner happens
after the message and attachment are placed in the mailbox, the attachment
might be downloaded before it gets scanned.

Likewise, it doesn't take a rocket scientist to realize that the name of the
file can be changed.  So having to have these fundamental flaws in architecture
pointed out to them before they begin to concern themselves with addressing them
severely damages their credibility at a very fundamental level for me.

The core of the problem for me is that I purchase these packages, install them,
and am granted a comfort level based on a belief that the software works as I
have been led to expect and that I and my company are secure, only to find that
the barn door is not only wide open - but has been left wide open at that.
(NAV-MSE I mean more than the PFs - allowing my users to determine themselves
what applications can communicate on the Internet seems stupidity bordering on
foolhardiness, when I have to confront some of them regarding running Napster Music
Servers on my work machines - and have others that after 3 years still ask me
twice weekly how to get a full screen DOS box.)

{shrug} Dunno exactly what to do about it... I can't write the software instead.

Guy Skaggs
Director of Technology
Martingale Asset Management

