NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] [fw-1] Instant Messenger bypass FW-1



Veering slightly off topic...

Joe, I think your approach makes sense, and I try to implement it wherever
*I* go.  However, I find that the ability to use this approach varies with
the intellectual sophistication of the user base, which in turn varies
substantially based on industry and company size (or, roughly translated,
what kind of jobs are folks doing, what brain power does it demand, and how
many folks are there).

I worked at a sub-100 person company that thought the computer was their
personal property and that the "computer guy's" job was to come running
through the building whenever they got frustrated with something, like not
knowing how to underline something in MS Word, and it was als the "computer
guy's" job to write macros because there were too many mouse moves and
clicks to make that underline happen.  No, I'm not kidding.  Needless to say
talking about anything security-related to anyone at that firm was an
exercise in futility, not to mention job suicide.

On the flip side, I have also worked at a couple of sub-100 person companies
where a relationship similar to what you describe was *almost* in place.  In
organizations like this you can say things like "we should implement this in
order to achieve stability and security" without getting an answer back like
"I don't see why I have to give up X...".  People understand and see the big
picture.

So anyway, there's another view of the world... Steering back to on-topic
now... In the good places, you can talk about IM and alternative systems.
In the bad places, you get "you have no business telling/changing/yadda and
I need/want AIM and it works for me."

Ack :)

-----Original Message-----
From: Joe Pampel [mailto:[email protected]]
Sent: Thursday, June 13, 2002 6:33 AM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1


one view of the world...

Our environment is very demanding (Wall St) and so we have taken great pains
to create a stable build for our workstations. They run for months w/o a
reboot which I'm very happy about.. From the POV of keeping the machines
"flat" as well as security everyone knows not to DL anything. The net result
of this is that our staff works efficiently and without the frustration of
machine instability and reboots.

If folks want/need something extra on their desktops that will help them
out, they can always come and ask. There is no reason IMHO for end users to
be installing stuff ad hoc on their workstations. They need to understand
that. Everyone here does, and it's not a "control freak" or "keep them down"
thing.. it's simply letting each group of people do the best job they can
and trusting one another. Everyone is cool about it. I don't know if it
would hold up at a big firm (we're small, <100) but explaining what's up to
everyone rather than just putting in dracronian rules and sending out a memo
stating "because I said so".. has worked well.

Bottom line for me is that the box belongs to the firm, with everything on
it. Part of my job is deciding what goes on it. I am paid for my "expertise"
(such as it is!) in assessing what products will work well together, be
secure, and most importantly - solve our business problem. I use a lot of
end user input/feedback to determine the last bit so it is as participative
as possible.

I don't play with the accounting rules or dabble in marketing..  Why would
someone without the expertise need to alter a machine that our IT dept has
spec'd and built, and potentially put others in the firm at risk?


>>> James Edwards <[email protected]> 06/12/02 04:38PM >>>
We are in the process of changing operating systems on all our PCs and I am
going to seriously attempt to just block my users from installing software
on their PCs.  The theory being of course that if they can't install
anything, they can't put IM clients or any of the other various and sundry
useless, time wasting, PC eating garbage they are so fond of.  I just wonder
if anyone else has managed this and how effective it has been.

Jim Edwards

-----Original Message-----
From: Rocky Stefano [mailto:[email protected]]
Sent: Wednesday, June 12, 2002 9:43 AM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1


This has long been a known problem. Its not a vulnerability with any
firewall. There are several methods available to stop IM's from getting out
of your network.

-----Original Message-----
From: A, Kaustubh [mailto:[email protected]]
Sent: June 12, 2002 9:05 AM
To: [email protected]
Subject: [FW-1] [fw-1] Instant Messenger bypass FW-1


Folks,

I came to know about an article of Gartner saying that their are some IM
bypassing Firewall by scanning open ports. Has anybody tested this CP FW-1
NG? I am afraid if this is a problem with FW-1!!!


 Firewall Bypass Technology


 AOL's Instant Messenger has a uniquely slippery client that is  designed to
bypass firewall port blocking technology, making the  product easy to
configure from behind a firewall. For example, the  AOL client will use any
available port, scanning even those reserved  for domain naming system (DNS)
lookup. This technology enables  unsophisticated users to sneak past a
firewall with relative ease,  effectively establishing breaches in the
corporate firewall.




Kaustubh A.
Technical Consultant
HP Services
----------------------------------------------------------------------------
-------
101-105 Enterprise Center, CTS#55 Off Neharu Road,
Vile Parle (East) Mumbai 400099.
*+91 (0) 22.616.7331 *GSM:*:   [email protected]
URL:  http://www.ho.com/in
----------------------------------------------------------------------------
-------

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


**********************************************************************
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.