At 11:52 AM 09/28/2001 +0200, Walker Andrew wrote: >I read up about SSL as a protocol and about public key encryption, but I'm >still undecided. I have no help from the firms Internet policy to guide me >so I'm looking for advise regarding how one would go about allowing it by a >rule on FW1, if there are any security risks to be aware of, and also if >anyone has any guidelines or experience of internet policies that deal with >this kind of Internet usage from within the firm.
From a technological standpoint, all you need to do to permit this is open the https port, which I believe is 443, for outgoing connections. As for security risks, there aren't any specific to SSL web traffic, that I know of. On the individual level (the user), there is a big difference in security between http and https, but from an overall corporate network perspective, it's basically all just web traffic. There's always the risk of the user downloading some sort of trojan or virus or whatnot, but this risk is no larger than with standard web traffic. In fact, it is probably smaller given the cost and effort required to set up an SSL web server properly (e.g., purchase valid keys and certificates, install and perhaps licence the SSL software, etc). The major decision here, not surprisingly, is one of corporate policy, not technical policy. SSL traffic, on the whole, is more likely to be 'legitimate' use than non-SSL traffic. That is, you will find most SSL traffic being used for internet banking, online shopping, etc. (Of course, you also find it on most adult sites). So the decision comes down to wether or not you want your employees using the web for personal reasons during the day. If you already have an established web-use policy, then it should apply as-is to secure web-use. If you don't have an established web-use policy, then you probably will need input from several higher-ups to create one. Smaller companies I have worked for had basically no usage policy apart from "don't do anything illegal on our equipment." I know of other companies that completely block all traffic except for web traffic, which is all shunted through restrictive and logging proxy servers. Most companies are probably somewhere in between. My own personal opinion is that it's much better to enforce web policy on a management level than a technical level. That is, not to have the firewall and proxy servers enforcing a 'no use' rule, but rather, simply have an established internet usage policy that is enforced by management on a case by case basis. This works out well for my current company, though YMMV. I feel this approach is more flexible, as it allows those who have a (somewhat) legitimate need to access the internet (our developers for support, out MIS department for patches and updates, our accountants for financial news, the CEO for whatever he wants, etc), to do so without intervention from the network administrators.. It's also easier to get an exception from your immediate supervisor than to implement a change to the firewall ruleset. --K
