My background in computers has advanced me to the point of being the
security advisor for finding some sort of solution for our domain. I started
as a Unix system administrator, concurrently became the DNS administrator for
our domain and watched it boom to 10 times its size (over 4000) in less than 2
years. I established the domain's main mail relayer (using sendmail-IDA), and
now I am serving a "detail" for 4 months to the Office of Administration as a
consultant in security.

I got picked for this detail (perhaps a curse?) because I knew some things
about firewalls and Unix security and was the only person with a big enough
mouth to get people aware of our immense vulnerabilities, which is why I am
posting anonymously. After observing our computing environments and reviewing
our organization's objectives, I basically have come to a point where I can't
decide if a firewall is worth it or not. Here's the reason why: The
organization's objective is to "serve the public" and, because of this
objective, a firewall is highly restrictive and could possibly impede our
mission. We are not like a University or a company trying to "protect the
family jewels". However, we don't want to become severely crippled by an
outside attack due to the fact that the organization's objectives are mission
critical and life critical!

I find that Brent Chapman has a pristine theology when it comes to
firewalls with which I fully agree, and if we were just a new network, I
would be setting one up right now. In fact, we do have a new network coming
on line in September and I am fervently trying to get the approval for a
firewall for this net.

Anyway, here are the questions: For a large, well established,
Internet-accessing organization, why can't we source port filter on the Cisco
router connection to the Internet on well known ports on which we should not
be receiving communications (it is going to block some of the novice
hackers following the 'beginners guide to hacking')? Then, for the rest of
the ports which are allowed through and which require users to login, use a
one time password system like SecureID? I know using something like SecureID
requires the trust of your internal user, but that's an internal problem and
a completely different security issue.

The above is what I feel I will need to recommend. In addition to this, I
want to recommend putting up many mini-firewalls within the organization
(probably divided up by network administration), because it is just far too
complicated to try to meet all the Internet accessing needs for all the
facets of this organization's computing community.

Unfortunately for us, security is a hindsight. We have nailed international
hackers with actual convictions with the help of the FBI, but we still are in
dire need of protection. Any enlightenment on this subject will be greatly
appreciated.
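
An added example, not part of the original post or its follow-ups: a small stateless filter simulator that models the two border-router designs the post weighs against each other. The first policy is the post's proposal (let everything through, deny a handful of well-known ports); the second is the default-deny design that firewall builders such as Chapman advocate (permit only the services the site offers to the public, plus return traffic for connections the inside opened, and drop the rest). Both are run over the same constructed packets so the difference shows concretely. The rule fields, the port choices and the sample packets are all assumptions made for the illustration; nothing here is Cisco syntax or the poster's actual configuration.

```python
"""Stateless border-filter simulator (added example; not from the original post).

Models first-match access lists as a border router applies them to inbound
traffic, so two policies can be compared on identical constructed packets:
  DENY_LIST  - the post's proposal: default-permit, a few well-known ports blocked.
  ALLOW_LIST - default-deny: permit only offered services and established replies.
All ports, rules and packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    dport: int              # destination port on the internal host
    new_conn: bool = False  # TCP SYN without ACK: a fresh inbound connection attempt
    desc: str = ""          # human-readable label for the report


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # match only TCP segments that are not a bare SYN


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if this rule applies to the packet (stateless: header fields only)."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and (pkt.proto != "tcp" or pkt.new_conn):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First matching rule decides; otherwise the policy's default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Policy 1 (the post's proposal): everything passes unless explicitly denied.
DENY_LIST = [
    Rule("deny", "tcp", 23),    # telnet: plaintext remote login
    Rule("deny", "tcp", 513),   # rlogin
    Rule("deny", "tcp", 514),   # rsh
    Rule("deny", "udp", 69),    # tftp
    Rule("deny", "any", 111),   # portmapper
]
DENY_LIST_DEFAULT = "permit"

# Policy 2 (default-deny): only the services offered to the public are
# reachable (mail relay, DNS); replies to inside-initiated TCP connections
# pass; everything else inbound is dropped.
ALLOW_LIST = [
    Rule("permit", "tcp", established=True),
    Rule("permit", "tcp", 25),
    Rule("permit", "tcp", 53),
    Rule("permit", "udp", 53),
]
ALLOW_LIST_DEFAULT = "deny"

# Constructed inbound packets, as seen on the router's Internet-facing side.
SAMPLE_INBOUND = [
    Packet("tcp", 25, new_conn=True, desc="remote MTA connecting to the mail relay"),
    Packet("udp", 53, desc="DNS query for a zone the site serves"),
    Packet("tcp", 23, new_conn=True, desc="inbound telnet attempt"),
    Packet("tcp", 6000, new_conn=True, desc="inbound connection to an X11 display"),
    Packet("tcp", 2049, new_conn=True, desc="inbound connection to NFS"),
    Packet("tcp", 40001, desc="reply to a connection an inside host opened"),
]


def compare(packets: List[Packet] = SAMPLE_INBOUND) -> List[Tuple[str, str, str]]:
    """(description, deny-list verdict, allow-list verdict) for each packet."""
    return [
        (p.desc,
         evaluate(DENY_LIST, p, DENY_LIST_DEFAULT),
         evaluate(ALLOW_LIST, p, ALLOW_LIST_DEFAULT))
        for p in packets
    ]


def gaps(packets: List[Packet] = SAMPLE_INBOUND) -> List[str]:
    """Packets the deny list lets in that the default-deny policy would stop."""
    return [d for d, a, b in compare(packets) if a == "permit" and b == "deny"]


if __name__ == "__main__":
    for desc, a, b in compare():
        print(f"{desc:45s} deny-list={a:7s} allow-list={b}")
    print("deny-list gaps:", gaps())
```

Run as a script it prints a verdict per packet under each policy. The two designs agree on the services the site means to offer and on the obvious block (telnet), and they diverge exactly where the post worries: any service nobody thought to put on the deny list (here X11 and NFS) is reachable from the Internet under the first policy and dropped under the second, while the `established` rule still lets replies to inside-initiated connections through. The login services the post wants behind a one-time-password scheme are outside this layer entirely; a router filter only decides which ports are reachable, not who may log in.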
Follow-Ups:
- Re: your mail, From: paul @ hawksbill . sprintmrn . com (Paul Ferguson)