Firewall Wizards mailing list archives

Re: Dark Reading: Firewalls Ready for Evolutionary Shift


From: jseymour () linxnet com (Jim Seymour)
Date: Sat, 1 Dec 2007 10:20:05 -0500 (EST)


"Paul Melson" <pmelson () gmail com> wrote:

> [snip]
>
> Additionally, if you have this problem:
>
> Then the user mistakenly checks a box that allows eMule to share its hard
> drive. "That's very easy to do. Some eMule clients have that as a default,"
> he says. "Now your user's entire computer has opened up your network to
> share with the Internet. Anyone can execute a search and find files on your
> network."
>
> Buying a new firewall will not save you.

That all depends on how you define "save."  If we're not talking
laptops [1]; you don't regard random, uncontrolled sharing w/in your
"secure" LAN a problem [2]; and the new firewall stops such things, by
default, from getting outside your "secure" LAN [3], it will indeed
"save" you.

[1] Which opens up a whole new can of worms, discussed here in
    the past
[2] Where I work it's disallowed, btw.
[3] Ours do

> Taking away local admin rights
> from your users, however, is a good start.  And there's nothing to buy.
> [snip]

Sometimes, for whatever reason, that's not possible.  And as anybody
who's ever herded cats can tell you: Getting engineering departments to
behave is a non-trivial exercise.  Nonetheless: We do that where we
can.

So we do both.  I've always called it "defense in depth."

I also train my users [4] and we "prohibit" traditionally "unsafe"
applications [5], such as IM clients, MS Outlook and MS Explorer.

[4] Contrary to what most here seem to have experienced, I've found
    end-user training to be relatively effective.
[5] Why in Fluffy's name *anybody* allows ActiveTrojan and
    executable attachments through their corporate firewalls is,
    and always has been, completely beyond me.

Allow me to present an example of the possible effectiveness of that
last bit.  Several years ago, not long after WinXP was shipping, by
default, I reluctantly gave in to my wife's wishes and bought her an MS
Windows box for Christmas.  The first thing I did, upon installation,
was:

    . Remove MS Outlook Express from the desktop and menu
    . Remove MSN Messenger from the desktop and menu
    . Turn off *all* "active" anything in MS Internet Explorer
    . Use MS IE to go to mozilla.org, download and install Mozilla
    . Remove MS IE from the desktop and menu
    . Download and install Pegasus Mail
    . "De-install" file and printer sharing
    . Configure the appropriate inbound and outbound deny rules
      into the router
    . Add the necessary content checks to the mailserver

Then I instructed her on (relatively) safe 'net behaviour.  *Then* she
got to start playing with her Christmas present :).

At some point I installed Spybot S&D and showed her how to use and
update it.

That computer was used on the 'net regularly for a number of years
before one of her correspondents insisted my wife was sending her
infected JPEGs.  I finally installed AV on it.  It came up clean.  To
make sure, I ran three other AV programs against the entire disk from a
TRK CD.  Clean as a whistle.

It wasn't a firewall that saved her PC.  (Tho perhaps my router rules
helped.  And the email gateway undoubtedly helped.)  It wasn't AV
software.  (She had none until recently.)  It was informed, responsible
behaviour and not using risky applications.

Yes, what works in one, isolated, one-on-one case, with an intelligent,
well-informed user who *can* exercise discipline, does not necessarily
an Effective Corporate Exercise make.  But, as I said: I've done much
the same at work, and it's helped there, too.  So far ;).

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
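As an added illustration of the "content checks to the mailserver" step and of footnote [5] (example code written for this archive page, not from the post, the list, or any product), a small Python MIME filter that flags executable attachments by declared extension and by the file's leading bytes, so the check does not depend on the filename alone. The message it scans is constructed inline.

```python
"""Mail-gateway content check: flag executable attachments.

Added example, not from the original post. Walks a MIME message and
reports parts that are executables, judged both by the declared
filename extension and by the payload's leading bytes, so a binary
with a misleading name is still caught. Sample message built inline.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when double-clicked (partial list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif",
                         ".bat", ".cmd", ".vbs", ".js"}
# Leading bytes of common executable containers (PE and ELF).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def is_executable_part(part) -> bool:
    """True if a non-multipart MIME part looks like an executable."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(EXECUTABLE_MAGIC)


def check_message(raw: bytes) -> list:
    """Return filenames of parts that should cause the gateway to reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_executable_part(part):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def build_sample() -> bytes:
    """Constructed test message: one harmless JPEG, one PE behind a .pdf name."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0JFIF", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(b"MZ\x90\x00padding", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample()))  # ['invoice.pdf']
```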