>>>>> "Bill" == Bill Stout <bill .
Bill> Earlier postings about having an IS person manage security
Bill> policies without being fully educated about firewalls or
Bill> security issues may actually have a point.
Certainly. This is pretty easy to see in a large environment, where
there is a company with many departments all using the services of the
Internet gateway. It isn't really necessary for everyone on staff to
understand the details about IOS, Solaris, NT, Gauntlet, Firewall-1
and whatever other components you've got in the environment. (My
earlier rants are rooted in the belief that each organization should
have *someone* around whom they trust and who *does* understand each
component in detail, even if it's an outside consultant who can be
trusted.)
The day-to-day administration of firewalls seems to be something that
should happen much the way that network management is done now. It
would be nice to have sophisticated tools that could collect feedback
from each of the components to let the administration staff know
what's going on, where it's happening, etc., which will allow them to
do things like plan for capacity, keep lots of data around that can
provide the ability for quantitative analysis of what's going on. (How
much mail is being routed, what's the utilization of various
components, etc.) Security alarms can easily be tied into such a
system, so that if a machine behind an ACL-enabled router gets a poke
where it shouldn't, for example, it can scream to the system that
there's reason to believe a router has been compromised.
Of course, the question still remains: to what degree should people
doing day to day administration of the systems understand the
implications of various configuration changes?
Bill> I think the only way to handle coming internet applications or
Bill> intra-company applications over the internet is to make
Bill> firewalls departmental, with a 'Netview' type application for
Bill> central management and delegation control. Microsoft introduced
Bill> remote management for webservers (Internet Service Manager) and
Bill> probably will also introduce similar (non-HTML) tools for their
Bill> proxy servers and future firewalls.
Is this to say that there is some sort of corporate-run Internet
gateway that basically gets a fast, dirty connection from the
Internet, to which other parts of the business can connect their
                 |  big fat pipe to the Internet
                <R> access router
      ___________|___________   100mbit ethernet or something (untrusted)
     |           |           |  "access LAN"
    <R>         <R>         <R>
     |           |           |
   dept-a      dept-b      dept-c   dept-a, dept-b, dept-c are all different
     |           |           |      departments within the company, each with
                                    their own firewall that protects them from
                                    that 100mbit "access LAN"
There are some questions to be answered in this kind of departmentally
controlled environment. Is there any sort of connectivity among
dept-a, dept-b, and dept-c? If so, does it only take place across the
untrusted access LAN, or are there connections from behind the dept-a
firewall to someplace behind the dept-b firewall? If so, the more
secure of the two departments is now reducing its guard to the
security level of the weaker (since stuff could be interjected into
the weak LAN, and a connection then made from the weak LAN into the
strong one). (Maybe ... depends on some things about how stuff is set
up between the two.)
Hmm ... lots of questions come to mind...
Is physical site security dictated by department? Typically not. If
there is any special department-specific security, it's usually in
the form of *additional* security, rather than *reduced* security. Why
would we do the same with firewalls then?
Matt Curtin cmcurtin @
com Megasoft, Inc Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
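The alarm Matt describes above (a machine behind an ACL-enabled router "gets a poke where it shouldn't", so the router itself is suspect) can be checked mechanically: replay the connections actually observed on the inside against the ACL the router is supposed to be enforcing, and anything the ACL would have denied is evidence the router's configuration has been changed or bypassed. The following is an added example, not code from the original post or from any product named in it; the ACL syntax, the log format, the addresses and the log lines are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL for the router in front of dept-a (inside net 10.1.0.0/16).
# Syntax is a simplified "action proto src dst [dport]" in evaluation order,
# with an implicit deny at the end, as on a Cisco-style access list.
ACL_LINES = [
    "permit tcp any 10.1.5.7/32 25    # mail relay",
    "permit tcp any 10.1.5.8/32 80    # web server",
    "deny   ip  any any",
]

# Constructed connection records as seen *inside* the router, e.g. from the
# dept-a firewall's own logs: "timestamp proto src dst dport".
LOG_LINES = [
    "1997-06-12T10:03:11 tcp 192.0.2.44   10.1.5.7  25",
    "1997-06-12T10:03:15 tcp 192.0.2.44   10.1.5.8  80",
    "1997-06-12T10:04:02 tcp 198.51.100.9 10.1.5.7  23",   # telnet to the relay
    "1997-06-12T10:04:40 udp 198.51.100.9 10.1.9.20 161",  # SNMP to an inside host
]


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "ip" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None matches any destination port


@dataclass(frozen=True)
class Conn:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' becomes 0.0.0.0/0; host addresses are accepted with or without /32."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(line: str) -> Rule:
    parts = line.split("#", 1)[0].split()      # drop trailing comment
    action, proto, src, dst = parts[:4]
    dport = int(parts[4]) if len(parts) > 4 and parts[4] != "any" else None
    return Rule(action, proto, _net(src), _net(dst), dport)


def parse_conn(line: str) -> Conn:
    ts, proto, src, dst, dport = line.split("#", 1)[0].split()
    return Conn(ts, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.proto in ("any", "ip", conn.proto)
            and conn.src in rule.src
            and conn.dst in rule.dst
            and (rule.dport is None or rule.dport == conn.dport))


def acl_decision(rules: List[Rule], conn: Conn) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return "deny"


def find_acl_violations(rules: List[Rule], conns: List[Conn]) -> List[Conn]:
    """Connections that reached the inside although the ACL should have dropped them.

    Each one is a reason to believe the router is no longer enforcing its ACL,
    whether through a bad config change or an outright compromise."""
    return [c for c in conns if acl_decision(rules, c) == "deny"]


def alarms(acl_lines: List[str], log_lines: List[str]) -> List[str]:
    rules = [parse_rule(l) for l in acl_lines]
    conns = [parse_conn(l) for l in log_lines]
    return [f"{c.ts} ALARM router ACL bypassed: {c.proto} {c.src} -> {c.dst}:{c.dport}"
            for c in find_acl_violations(rules, conns)]


if __name__ == "__main__":
    for line in alarms(ACL_LINES, LOG_LINES):
        print(line)
```

The check is only as good as the copy of the ACL it is given, so the rules should come from the configuration of record (the one the trusted person who understands the router signed off on), not from the running router, which is exactly the component under suspicion when an alarm fires.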