RE: [FW1] somewhat off topic-opening outgoing high ports
-----Original Message-----
From: Volker Tanger [mailto:[email protected]]
Sent: Thursday, February 01, 2001 12:11 PM
To: Darrin Johansen
Cc: [email protected]
Subject: Re: [FW1] somewhat off topic-opening outgoing high ports
Thanks for the comments Volker.
Greetings!
Darrin Johansen schrieb:
> The security team at my company is coming under increasing pressure to
> start opening all sorts of outgoing port numbers and protocols every
> time a project manager decides to use a piece of software that needs
> internet access. This is becoming a real problem for us, and I would
> imagine it is for many people? A lot of this software is
> client/server that has been 'adapted' for use over the internet etc
Who is responsible for IT security in your company - that will have to
be a suit, not a techy?
THAT is the person that has to give his/her okay. He should be at least
somewhere near CEO level as he is organizationally responsible for all
security (read: keeping his head on his shoulders - or not). Make
legally sure that either the IT-Security-Chief's or the PM's head will
be rolling in case of problems.
>> The above is somewhat undefined, which is obviously the cause of all of the problems.
>> I am in the process of creating the above infrastructure, but it is
>> difficult to change a company's culture overnight :-)
If there is any protocol to go in or out, request a formal security
audit and risk analysis of the proposed application (you have a
formalized change request procedure, don't you?!!). Let the project manager
sign a responsibility/liability waiver where he accepts all risks and
liabilities (regardless of cause) that come from the application going in
or out.
>> "formalized change request procedure" this caused some confusion when I
>> asked on my first day here. I am writing it now, but I need to keep the
>> wolves at bay for a few months. Or maybe accept that opening outgoing
>> on any port is not such a bad thing? It's one of those subjects that you
>> can tailor your opinion to suit your objectives I think? :-)
About tunneling it via HTTP: most protocols do not tunnel via real HTTP
but only with TCP/80. If you enforce the usage of a proxy or
proxy-firewall (Raptor, Gauntlet etc.) or activate the FW-1 security
servers (create an "empty" HTTP resource and use that) most "tunneled"
protocols won't be able to pass through the gateway.
>> We use Cacheflow boxes inside the FW, and so the fw only accepts tcp/80
>> from them.
>> Nothing else is able to 'access/pass through' the fw directly which
>> is the way we would like it to continue etc
Ah, and if some PM _insists_ on using tcp/80 for his protocol, he will
have to sign the waiver mentioned above - where he assumes all
responsibilities and liabilities that come from (mis)use of port 80.
Someone downloaded a "greetings".EXE from the web that destroyed data? No
problem - here's the PM that allowed tcp/80... ;-)
>> Yip, all obvious stuff. Just not in every company.
>> See comment about company culture above :-)
>> I really need some technical reasons to throw back whilst I get
>> the policies in place. Battle them with techno speak sort of thing.
>> I have said "Trojans" till I'm blue in the face, but need case studies
>> of hacks and the like to show actual examples of companies losing
>> money (the language they speak) else it's all just techno speak to them etc
Thanks for the comments and kind offer
Cheers, dj
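As an added illustration of the point Volker makes about TCP/80 versus real HTTP (example code written for this archive page, not code from the thread, from Check Point FW-1, Raptor or Gauntlet): the kind of application-layer check a proxy or "security server" applies to the first bytes of a connection on port 80 before it relays anything. A plain port-80 packet filter passes every sample below; a gateway that insists on a well-formed HTTP/1.x request lets only the first two through. The sample payloads, the permitted-method list and the reason strings are constructed assumptions for the demonstration.

```python
import re

# Constructed sample payloads: the opening bytes a gateway would see on TCP/80.
SAMPLES = {
    "browser_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "http10_get": b"GET / HTTP/1.0\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_5.3\r\n",          # SSH banner squeezed onto port 80
    "binary_tunnel": b"\x16\x03\x01\x00\xa5\x01\x00",  # raw binary handshake, not HTTP
    "fake_http_no_host": b"GET / HTTP/1.1\r\n\r\n",    # HTTP/1.1 without the mandatory Host
    "weird_method": b"FOO / HTTP/1.1\r\nHost: a\r\n\r\n",
}

# Assumed gateway policy: only these methods are relayed.
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}

# Request-line and header-line shapes from HTTP/1.x (token SP target SP version).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9!#$%&'*+.^_|~-]+:[^\r\n]*$")


def classify_port80_payload(payload: bytes) -> str:
    """Return 'http' for a well-formed HTTP/1.x request head, else a short reason."""
    head, terminator, _body = payload.partition(b"\r\n\r\n")
    if not terminator:
        # Real HTTP always terminates the header block; raw tunnels and
        # foreign protocol banners usually never send one.
        return "no-header-terminator"
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return "malformed-request-line"
    method, _target, version = match.groups()
    if method not in ALLOWED_METHODS:
        return "method-not-allowed"
    headers = {}
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return "malformed-header"
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if version == b"1.1" and b"host" not in headers:
        return "missing-host"
    return "http"


def gateway_relays(payload: bytes) -> bool:
    """Decision a protocol-enforcing proxy makes: relay only genuine HTTP."""
    return classify_port80_payload(payload) == "http"


def evaluate_samples(samples=SAMPLES) -> dict:
    """Classify every constructed sample; handy for eyeballing the policy."""
    return {name: classify_port80_payload(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} -> {verdict:24s} relay={gateway_relays(SAMPLES[name])}")
```

A production proxy goes further (body-length handling, CONNECT policy, response validation), but the first-bytes check alone is what defeats the "it's on port 80, so it must be web traffic" argument: anything that is not speaking HTTP never gets past the gateway, regardless of which port the vendor chose.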