On Wed, 24 Jan 2001, Frederick M Avolio wrote:

> I sometimes teach classes, so I am interested in knowing why you are 
> blocking it. What are you concerned about? Also, does the corporate 
> security policy or acceptable use policy address it?

I was always concerned about any client that did peer-to-peer
communications between untrusted hosts (both internally and externally.)

I'm sure that a very good case for productivity loss could be made, though
the old arguments about technology and social behaviour still apply.  I'm
sure that in some instances information leakage concerns might apply, and
potentially "public wire monitoring" stuff at brokerage houses (blocking
is sometimes a better alternative than monitoring and reporting.)

ObBOFH:  Because the lusers want to use it.  A lot.

For AIM, I'd blackhole the machines it tries to contact; finding those out
is simply an exercise in putting a Win* box out on the DMZ (assuming you
blackhole at the border) and running the client while checking on each
connect.  I doubt it'll take too long to get it all out.  It also might be
possible to make yourself authoritative for aol.com and just pass queries
for machines you need to allow and MX records through.  That's always fun
because you can point the users at 127.0.0.1 or even an internal server
that doesn't communicate externally (or, if the protocol allows, a server
that responds with "This is against policy, cease and desist!")

Finally, there was a (French?) tool for intercepting and FINing TCP
connections on the local network that might be worth digging for.  Profile
AIM and I'm pretty sure you could shut it down on the local wire.  Don't
forget to prep the help desk first.

FWIW, I'm a big fan of principle of least privilege.  My policy always
said what was allowed and explicitly disallowed everything else.  Default
deny stances are the easiest to do if you're conservative and concerned
about new things and policy changes (try distribution of new policies to a
few tens of thousands of employees regularly and you'll probably
understand, especially if they're mostly at business units with their own 
local policy coverage and turf issues.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
