Firewalls: Re: Advice on Firewall Politics

Firewalls
(May 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Advice on Firewall Politics
From:	Adam Shostack <adam @ bwh . harvard . edu>
Date:	Wed, 18 May 94 12:02:32 EDT
To:	mckenney @ smiley . mitre . org (Brian W. McKenney)
Cc:	firewalls @ greatcircle . com
In-reply-to:	<9405181202 . AA25946 @ smiley . mitre . org . sit>; from "Brian W. McKenney" at May 18, 94 8:02 am

| >I'm from a small liberal arts college and I am trying to fight a political
| >battle with a few faculty to implement a firewall at our site.  The
| >computer science faculty at our college believe that security is only a
| >hindrance and that a firewall will hamper their "academic freedom".

| The other thought is that you can make a case that a firewall can save
| money.  Without a firewall, one has to ensure that all of the campus
| computers are secure on a daily basis.  With a firewall, you can reduce
| your zone of risk to the firewall machines.  Security for campus machines
| is still important.  However, without a firewall, the University is relying

	I've been working closely with my alma mater, Simon's Rock,
which is just such a small liberal arts college, on security issues.
There, we expected some threat from the outside, but couldn't justify
the expense of a PC based firewall + administrating it without a
demonstrated outside threat.

	It turns out that the big problem has not been external, but
local.  Quite a few students have attempted to break in.  I strongly
suspect that local attacks will be much more of a problem at small
schools.  Often, there isn't very much worth breaking into from the
point of view of outsiders.  This is the opposite of large, well known
institutions like AT&T or banks, or even MIT, where the target has
interesting stuff on their computers.

	At companies, the employer has control over every employee,
and has a variety of disciplinary actions that they can take, up to
and including firing &/or suing employees who violate their security
policies.  At a school, the institution has much less control over the
students.  Expulsions for hacking are close to unheard of, although I
suspect that some will occur soon.

| I like Marcus' suggestion.  I wonder if this issue has to be raised to a
| higher faculty level (e.g., President), since the potential damage may
| embarrass the University as a whole.  

	I agree that the issues should be raised with the top levels
of the administration, not because of embarrassment, but because the
school should have a clear cut policy directive that comes from the
top, that the administration is willing to stand behind about what to
do with your student hackers when you catch them.

	Again, I think a firewall, while it may be useful, fails to
address the big problem that you will see with a small college, which
is students with too much time on their hands breaking in.


Adam

-- 
Adam Shostack 				       adam @
 bwh .
 harvard .
 edu

Politics.  From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.

References:

Re: Advice on Firewall Politics
From: mckenney @ smiley . mitre . org (Brian W. McKenney)

Indexed By Date	Previous:	Re: how to automatically put files on external ftp server From: Gustavo Vegas <titan!gustavo @ enuucp . eas . asu . edu>
Indexed By Date	Next:	Re: Authentication/Encryption Telnet & Terminal Emulators for PCs? From: reh @ cs . UMD . EDU (Richard Huddleston)
Indexed By Thread	Previous:	Re: Advice on Firewall Politics From: mckenney @ smiley . mitre . org (Brian W. McKenney)
Indexed By Thread	Next:	Re: Advice on Firewall Politics From: "Louis A. Mamakos" <louie @ alter . net>