begin quoting Andrew Lentvorski as of Sun, Nov 18, 2007 at 09:55:11PM -0800:
> Stewart Stremler wrote:
> >Before you set up a firewall, define the acceptable use policy for the
> >network.
>
> Uh, no. That misses the point, nowadays.
>
> Don't set up an outbound firewall that blocks anything, anymore.
I like my outbound firewalls. It's how I know that Firefox calls home to
the mothership, for example. Deny that connection, and Firefox falls
over. This is good to know. Firefox shouldn't call home to the
mothership. Thus.... I don't use Firefox. It breaks my policy.

Bad developers. No biscuit.

> All you do is inconvenience your users and you don't even slow down the
> bad guys (if it ever did).

This is why you have a policy *first*. (Necessary, but not sufficient.)
Granted, it has to be a /reasonable/ policy.

> Right now, my favorite (lack of) security demo is to put Wireshark on a
> net and have the IT folks watch while I install Skype.
>
> It's a beautiful thing.

That might be fun.

Of course, it indicates why you need a policy and a monitoring system,
so that if Skype and friends are disallowed, you can fire the employee
(or take appropriate remedial action).

You can't keep your users from subverting security unless you have a way
to catch 'em and penalize 'em for it. This is just like having keys and
locks on the doors, and users who use duct-tape on the latches so they
don't have to carry their key with 'em.

...

The big problem I have with firewalls is that everyone and their brother
responded to firewalls by tunnelling everything through port 80[1]. So a
simple packet-filtering firewall with non-compliant[2] users no longer
will do the job -- we have to /proxy/ everything of interest through a
DMZ. That's a lot of work. And it'll impact everyone.

----
1. This is primarily the fault of the administrators, who failed to keep
   track of what their users needed to get done, and denied anything
   that would make them do any work. It is secondarily the fault of the
   developers, who kept on writing programs that were insecure,
   dangerous, and shiny.

2. The most dangerous user is a clever user who thinks he's smarter than
   the IT guys, but isn't really. They can be clever enough to bypass
   the security measures, but not smart enough to keep out the bad guys.
--
The externalization of cost from the responsible parties is how security breaks.
Stewart Stremler -- [email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
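The post's two technical points, that a default-deny outbound firewall is useful precisely because its logs tell you which software "calls home", and that port 80/443 can no longer be trusted as "just web" once everything is tunnelled through it so direct web egress has to go through a proxy, are illustrated below with an added example that is not part of the original message. It parses constructed netfilter LOG-target lines (the `EGRESS-DROP` prefix, the hosts and the addresses are all made up for the example) and reports which internal hosts tried to reach the Internet directly instead of through the proxy, and which tried ports that are not web at all.

```python
import re
from collections import Counter

# Constructed sample lines in the format the netfilter LOG target writes to
# syslog. Assumed setup: a gateway "gw" with an egress chain that logs and
# drops outbound packets that did not come from the proxy. None of these
# addresses, hostnames or timestamps come from the original post.
SAMPLE_LOG = """\
Nov 18 22:01:03 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 22:01:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 22:01:09 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=UDP SPT=40001 DPT=12350 LEN=40
Nov 18 22:01:10 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 22:01:12 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2003 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Ports the policy treats as "web", which must go via the proxy rather than
# directly. Anything else is not web traffic at all and is flagged separately.
WEB_PORTS = {80, 443}

# Fields we care about from a LOG line; the rest of the line is ignored.
_LINE_RE = re.compile(
    r"EGRESS-DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one dropped-egress log line, or None if it is not one."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dport": int(m.group("dport")),
    }


def parse_log(text):
    """Parse every matching line of a syslog excerpt into event dicts."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Count blocked attempts per (src, dst, proto, dport)."""
    return Counter((e["src"], e["dst"], e["proto"], e["dport"]) for e in events)


def direct_web_attempts(events):
    """Per internal host, how many times it tried port 80/443 without the proxy.

    These are the 'everything is tunnelled through port 80' cases: the
    packet filter cannot tell a browser from Skype here, which is why the
    post says the web has to be proxied rather than simply allowed.
    """
    return Counter(e["src"] for e in events if e["dport"] in WEB_PORTS)


def non_web_attempts(events):
    """Events on ports that are not web at all: the easy policy violations."""
    return [e for e in events if e["dport"] not in WEB_PORTS]


def report(text):
    """Human-readable summary of what called home and from where."""
    events = parse_log(text)
    lines = ["blocked egress by flow:"]
    for (src, dst, proto, dport), n in summarize(events).most_common():
        lines.append(f"  {src} -> {dst} {proto}/{dport}: {n}")
    lines.append("direct web attempts bypassing the proxy, by host:")
    for src, n in direct_web_attempts(events).most_common():
        lines.append(f"  {src}: {n}")
    lines.append("non-web egress attempts:")
    for e in non_web_attempts(events):
        lines.append(f"  {e['src']} -> {e['dst']} {e['proto']}/{e['dport']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against real gateway logs by feeding the kernel log excerpt to `report()`; the flow summary is what tells you that a particular workstation keeps trying the same destination on 443 (the "calls home" case), while the non-web list is the short list a policy can act on directly.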
