Firewall Wizards mailing list archives
Re: What challenges are security admins facing?
From: Paul Robertson <proberts () patriot net>
Date: Wed, 28 May 2003 12:33:44 -0400 (EDT)
On Wed, 28 May 2003 ark () eltex net wrote:
Being a bit offtopic on firewall security audit discussion, i'd like to remember a paper i wrote on security management problems. Unfortunately the paper is in Russian thus having no value for the mailing list subscribers, but i can recite key point here: the major problem is responsibility and serious gap between de jure and de facto computers and network usage policy. People DO use computers at their workplace for personal needs and its OKAY. There are some cases when it is not
Sometimes it's okay, and sometimes it's not- that's highly dependent on what that personal usage is (playing pirated copyrighted content would not be ok in most places, nor would browsing porn sites, and certainly handing out administrative accounts for your friends to use would be frowned upon.)
Enforcing a fascist set of restrictions just makes users extremely creative to avoid it. Keeping restrictions reasonable makes it possible
Getting rid of the creative ones tends to work like natural selection. [snip]
gets fscked really bad - but to make things work this way the administrator should allow him to do it if it is really innocent. Otherwise he
How does the admin kno wif it's "really innocent?"
Another problem is, again, management. Ever seen a big boss that says "i need this videoconferencing software working today from my desktop, so please poke a hole in firewall to make it work - it is IMPORTANT! no, we do not have time for security analisys, we need it NOW! No, i do not want to do it from dedicated notebook machine". The point is obvious. Why designing and implementing crafty security policy just to have it ruined this way?
My standard answer of "No." worked for everyone from the person in the mail room to the CEO of a multibillion dollar company when I was running firewalls daily. Perhaps this too is part of the responsibility? Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- What challenges are security admins facing? Paul Ammann (May 27)
- Re: What challenges are security admins facing? Paul Robertson (May 27)
- Re: What challenges are security admins facing? R. DuFresne (May 27)
- Re: What challenges are security admins facing? ark (May 28)
- Re: What challenges are security admins facing? Paul Robertson (May 28)
- Re: What challenges are security admins facing? ark (May 28)
- Re: What challenges are security admins facing? Paul Robertson (May 27)
- RE: What challenges are security admins facing? Ben Nagy (May 27)
- Re: What challenges are security admins facing? R. DuFresne (May 27)
- <Possible follow-ups>
- Fw: What challenges are security admins facing? Paul Ammann (May 29)
- Re: Fw: What challenges are security admins facing? R. DuFresne (May 29)