> Given the sensitive nature of the environment, is the above set-up
> enough?
>
It can always be "enough", but depending on what you let
in and out it may be more or less secure.
> Should Java and ActiveX be allowed past the proxy? If not, can they
> be automatically removed? Just disabling it on the client is not good
> enough.
>
I probably would err on the side of caution and not allow them
(yes, it can be done in a proxy). *HOWEVER* you must remember that
there are other ways of accomplishing the same thing (to get the user
to run something on their machine). Stopping all of these is very
difficult. You will incur some risk, so part of this will also be
training the users. Why would I try to leave a malicious ActiveX
program and wait for your user to stumble across it if I can simply
e-mail them what I want them to run? There is always risk for anything
more than the 2-inch air gap firewall, so the question then is whether
a small risk is worth whatever benefit the company gains from an
internet connection, bearing in mind that the internet is certainly
not the only way for your data to be exposed.
>
> One of my main fears is that allowing the connection without some
> of the more "problematic" features will cause a problem later as
> employees start to look and demand things like pushed data etc.
>
This is why before you put up a firewall you need to know
exactly what it is supposed to do. This means you need a properly
designed security policy, along with a procedure for the periodic
review of the same. It needs to clearly state what is and is not
permitted. If you do this first, you have said, and gotten approval
for, how the world works, and assuming you have a reasonable manager,
the only way the world changes is subject to changing the policy. It
isn't a case of "The users want this so I have to do it". It's a case
of "The users would like this, so when we review the security policy
we will see if there is a reasonable way to accommodate it." I prefer
to have the review policy and timeframe spelled out; that way you
don't become a "crisis-driven automaton" being forced to review and
change every time someone has a favorite new piece of stupidity.
-Bob
--
Bob Beck                                Obtuse Systems Corporation
beck@obtuse.com                         http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.
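Bob's "yes, it can be done in a proxy" is the one implementation detail in the message, so here is an added example of that filtering step. It is not code from the original post or from Obtuse Systems. It assumes the proxy has already parsed the HTTP response and hands the filter the decoded text/html body as a string (HTTP parsing and decompression are outside the example); the function and class names are this example's own. The filter drops the elements that carry Java and ActiveX (`<applet>`, `<object>`, `<embed>`) together with everything nested inside them, so the `<param>` children and any fallback markup go with them, and re-emits the rest of the page byte-for-byte.

```python
"""Strip Java applets and ActiveX controls from HTML passing through a proxy.

Added example, not code from the original message or from Obtuse Systems.
Assumption: the proxy supplies the decoded text/html body as a str; how the
HTTP response is parsed or decompressed is outside this example.
"""
from html.parser import HTMLParser

# Elements that carry Java or ActiveX content. <object> is the ActiveX
# vehicle (CLASSID="clsid:..."), <applet> the Java one, and <embed> can
# load either through a plugin. Their whole subtree is dropped.
ACTIVE_ELEMENTS = {"applet", "object", "embed"}

# Void elements never get an end tag, so they must not affect nesting depth.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class ActiveContentStripper(HTMLParser):
    """Re-emit the HTML verbatim except for the active-content elements."""

    def __init__(self):
        # convert_charrefs=False so entities like &amp; pass through unchanged.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.depth = 0      # > 0 while inside a dropped element
        self.removed = 0    # number of active-content elements stripped

    def _emit(self, text):
        if self.depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.removed += 1
            if tag not in VOID_ELEMENTS:
                self.depth += 1     # drop everything until the matching end tag
            return
        # get_starttag_text() returns the tag exactly as it appeared.
        self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.removed += 1       # self-closing form, e.g. <embed ... />
            return
        self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            if tag not in VOID_ELEMENTS and self.depth:
                self.depth -= 1
            return
        self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")

    def handle_pi(self, data):
        self._emit(f"<?{data}>")


def strip_active_content(html):
    """Return (filtered_html, number_of_active_elements_removed).

    An <object> or <applet> that is never closed drops the rest of the page:
    the filter fails closed rather than letting the control through.
    """
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


def filter_body(content_type, body):
    """Proxy hook: filter text/html bodies, pass every other type untouched."""
    if content_type.split(";")[0].strip().lower() == "text/html":
        return strip_active_content(body)
    return body, 0


# Constructed sample page for demonstration; the CLASSID is a dummy value.
SAMPLE_PAGE = (
    '<html><body><p>Quarterly &amp; annual figures</p>'
    '<OBJECT CLASSID="clsid:00000000-0000-0000-0000-000000000000" width=1>'
    '<PARAM NAME="src" VALUE="x.cab"><p>fallback text</p></OBJECT>'
    '<applet code="Foo.class">no java</applet>'
    '<embed src="a.swf"><br><img src="logo.gif"></body></html>'
)

if __name__ == "__main__":
    cleaned, count = filter_body("text/html; charset=iso-8859-1", SAMPLE_PAGE)
    print(count, "element(s) removed")
    print(cleaned)
```

The filter only sees what is declared as text/html, so a server that mislabels its content type, or wraps the page in a container the proxy does not unpack, gets past it; and, as the reply above says, it does nothing about a control that arrives as an e-mail attachment instead of a web page. It is one layer in the policy, not the policy.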