Firewall Wizards mailing list archives
Re: Dark Reading: Firewalls Ready for Evolutionary Shift
From: jseymour () linxnet com (Jim Seymour)
Date: Sat, 1 Dec 2007 10:20:05 -0500 (EST)
"Paul Melson" <pmelson () gmail com> wrote:
[snip]
> Additionally, if you have this problem: Then the user mistakenly checks a box that allows eMule to share its hard drive. "That's very easy to do. Some eMule clients have that as a default," he says. "Now your user's entire computer has opened up your network to share with the Internet. Anyone can execute a search and find files on your network." Buying a new firewall will not save you.

That all depends on how you define "save." If we're not talking laptops [1]; you don't regard random, uncontrolled sharing w/in your "secure" LAN a problem [2]; and the new firewall stops such things, by default, from getting outside your "secure" LAN [3], it will indeed "save" you.

[1] Which opens up a whole new can of worms, discussed here in the past
[2] Where I work it's disallowed, btw.
[3] Ours do

> Taking away local admin rights from your users, however, is a good start. And there's nothing to buy.

[snip]

Sometimes, for whatever reason, that's not possible. And as anybody who's ever herded cats can tell you: Getting engineering departments to behave is a non-trivial exercise. Nonetheless: We do that where we can.

So we do both. I've always called it "defense in depth." I also train my users [4] and we "prohibit" traditionally "unsafe" applications [5], such as IM clients, MS OutLook and MS Explorer.

[4] Contrary to what most here seem to have experienced, I've found end-user training to be relatively effective.
[5] Why in Fluffy's name *anybody* allows ActiveTrojan and executable attachments through their corporate firewalls is, and always has been, completely beyond me.

Allow me to present an example of the possible effectiveness of that last bit.

Several years ago, not long after WinXP was shipping, by default, I reluctantly gave in to my wife's wishes and bought her an MS Windows box for Christmas. The first thing I did, upon installation, was:

. Remove MS Outlook Express from the desktop and menu
. Remove MSN Messenger from the desktop and menu
. Turn off *all* "active" anything in MS Internet Explorer
. Used MS IE to go to mozilla.org, download and install Mozilla
. Remove MS IE from the desktop and menu
. Download and install Pegasus Mail
. "De-installed" file and printer sharing
. Configure the appropriate inbound and outbound deny rules into the router
. Add the necessary content checks to the mailserver

Then I instructed her on (relatively) safe 'net behaviour. *Then* she got to start playing with her Christmas present :). At some point I installed Spybot S&D and showed her how to use and update it.

That computer was used on the 'net regularly for a number of years before one of her correspondents insisted my wife was sending her infected JPEGs. I finally installed AV on it. It came up clean. To make sure, I ran three other AV programs against the entire disk from a TRK CD. Clean as a whistle.

It wasn't a firewall that saved her PC. (Tho perhaps my router rules helped. And the email gateway undoubtedly helped.) It wasn't AV software. (She had none until recently.) It was informed, responsible behaviour and not using risky applications.

Yes, what works in one, isolated, one-on-one case, with an intelligent, well-informed user who *can* exercise discipline, does not necessarily an Effective Corporate Exercise make. But, as I said: I've done much the same at work, and it's helped there, too. So far ;).

Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.linxnet.com/contact/scform.php>.