Firewall Wizards mailing list archives
Re: httport 3snf
From: Paul Robertson <proberts () patriot net>
Date: Mon, 21 Oct 2002 18:23:21 -0400 (EDT)
On Mon, 21 Oct 2002, Ryan M. Ferris wrote:
> I think some of the suggestions here are useful, but I don't think the scope of the problem is being broadly examined. Desktop policies on many college campuses are more difficult to implement than in corporate environments - more users and much, much less staff.

This isn't all that uncommon in the corporate environment either, and add profitable business units to the mix and it's about a wash in a ~$3B or so company and above, or in large counties.

> Usually the campus requires their 10 - 30 K user population to provide their own laptop and just enables a dorm room port on request. Of course many

This is, of course, the main issue, but then putting dorm networks behind the same firewall as the other campus networks is probably not the best architecture, nor is enforcing the same policies.

> other policies are available, but for a typical campus environment assume that a user can and will have root/admin access on two boxes - on both sides of the firewall.

Just like providing VPN access in a corporate environment, acceptable use policies for home users using corporate equipment need to cover acceptable use, and there needs to be enough monitoring to ensure compliance.

> The SSL proxy sounds like an excellent idea, but not all these firewall evasion utilities require SSL/CONNECT.

If tunneling is (a) against policy, and (b) requires active and considered engineering to achieve, then the technology has done its part. After that, it's a monitoring and enforcement issue, not a firewall issue. If you can show active anti-policy malice in achieving the connection, then it's time to move into the penalty phase.

> Are there application layer routers that can deny all SSL except for MAC addresses or IPs on an approved ACL? I know this could be a nightmare to

IP address filtering is trivial, as is VLAN to MAC filtering, so each part of this is implementable, but ID/password stuff is probably a more manageable implementation; proxies are your friend.

> enforce, but I think we may be getting to the point where networks only approve certain IP addresses for SSL/connect?

When I admined a large network, I approved only certain *destination* sites for SSL access, and it required authentication through an SSL proxy as well. It was easier to limit the destinations than the sources, though I could have done both (things like benefits programs made client-side locks difficult.)

> Check out some of the other tools that are being used for firewall evasion across college campuses. I think you will find Robert's problem is more strategic than it appears:
It's not much different than a large corporate environment: the issues, tools and policy issues are mostly equivalent, only the occurrence of abuse is higher, and that has a lot to do with the support that policies get in colleges versus corporations.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson           "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment
                            TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
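The monitoring side of the approach described in this message (approved destinations only, authentication through the proxy), as an added example that is not part of the original thread: a small Python audit that reads Squid-style proxy access.log lines and flags CONNECT tunnels that carry no proxy authentication, go to a destination outside the approved list, or target a port other than 443. The log lines, hostnames, users and addresses are constructed for the example.

```python
"""Audit proxy CONNECT tunnels against a destination allowlist plus auth policy."""
import re

# Constructed sample lines in Squid native access.log layout
# (timestamp elapsed client action/status bytes method url user hierarchy type).
SAMPLE_LOG = """\
1035225600.123    812 10.1.4.22 TCP_TUNNEL/200 9120 CONNECT benefits.example.edu:443 jdoe DIRECT/203.0.113.10 -
1035225601.456     40 10.1.4.22 TCP_TUNNEL/200 4301 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1035225602.789    120 10.1.4.37 TCP_TUNNEL/200 1200 CONNECT relay.example.net:8080 rferris DIRECT/192.0.2.9 -
1035225603.000    300 10.1.4.37 TCP_MISS/200 5120 GET http://www.example.edu/ rferris DIRECT/192.0.2.20 text/html
"""

# Hypothetical allowlist of destination hosts permitted for SSL tunnels.
APPROVED_TLS_DESTINATIONS = {"benefits.example.edu", "mail.example.edu"}

# Squid native log: ten whitespace-separated fields.
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def audit_connects(log_text, approved=APPROVED_TLS_DESTINATIONS):
    """Return (client, destination, reasons) for every CONNECT that violates policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        client, method, url, user = m.group(3), m.group(6), m.group(7), m.group(8)
        if method != "CONNECT":
            continue  # only tunnels are subject to the destination allowlist
        host, _, port = url.rpartition(":")
        reasons = []
        if user == "-":
            reasons.append("no proxy authentication")
        if host not in approved:
            reasons.append("destination not on approved list")
        if port != "443":
            reasons.append(f"tunnel to non-TLS port {port}")
        if reasons:
            findings.append((client, url, reasons))
    return findings


if __name__ == "__main__":
    for client, dest, reasons in audit_connects(SAMPLE_LOG):
        print(f"{client} -> {dest}: {', '.join(reasons)}")
```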