> Marcus J. Ranum writes:
> > Really, one shouldn't be connected in the first place without
> > having already done all that stuff. You only run into the problem of
> > having users complaining that things have changed if you did it wrong
> > the first time.
Greg Woods writes:
> I am not trying to start a flame war here, just pointing out that
> you can also get into the problem of having to force users to accept
> changes due to circumstances completely beyond your control, such
> as, the net has changed a lot since we first hooked up. And therefore,
> discussing how to break changes to users is an appropriate subject
> for potential firewall administrators to discuss and the fact that
> it is necessary to discuss it does not necessarily indicate poor planning
> or incompetence on the part of those administrators.

No matter what you do to your firewall, it will never be perfect.
There are always going to be things that will need to get changed as
more and newer threats/bugs show up. My personal tack on the
matter of changes has been to notify my users that a problem
exists, and that my change is being made to solve a problem.
If users don't like it, then they need to accept the risks, or
convince their management to accept the risks.
Usually telling a manager that they will have to allocate X users
for Y hours, with Z hours of overtime to repair the damage usually
solves that problem. (Or... promising to quit if the @#$% hits the
fan because of their poor decisions after you informed them of the
right thing to do.)