
Re: [FW-1] [fw-1] Instant Messenger bypass FW-1


  • To: [email protected]
  • Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
  • From: Steve McNutt <[email protected]>
  • Date: Thu, 13 Jun 2002 14:33:10 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcITBdxoYnEgrbjjRS+Q9j4H3po0pAAAF0IA
  • Thread-topic: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1

Last year I did a network assessment for one of the larger companies in
the United States, and I was shocked to find that company-wide, users
could do whatever they wanted with their desktops and servers.  Yes,
users ordered their own servers.  IT had no budget of its own.  This
company was literally flushing millions of dollars down the drain every
year because the corporate culture would not allow for anything else.
Get this, the reason we were there was because the brass was looking for
ways to cut IT staff and changes to the IT funding model were off the
table.  We ended up telling them the truth and it was not a pleasant
experience.

On the other hand I've seen shops with 500 desktops that were tightly
managed and only needed 1 pc technician per 250 computers.

In my own experience, size or even technical capability doesn't really
have much to do with it.  It's more a matter of how the top brass wants
to run the company.

Of course, tightly controlled desktops might be a good idea in some
organizations and a bad one in others.  It depends.  Each company is
like a snowflake and no two are exactly alike.

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, June 13, 2002 12:06 PM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1

Veering slightly off topic...

On the flip side, I have also worked at a couple of sub-100 person
companies where a relationship similar to what you describe was *almost*
in place. In organizations like this you can say things like "we should
implement this in order to achieve stability and security" without
getting an answer back like "I don't see why I have to give up X...".
People understand and see the big picture.

-----Original Message-----
From: Joe Pampel [mailto:[email protected]]
Sent: Thursday, June 13, 2002 6:33 AM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1


one view of the world...

Our environment is very demanding (Wall St) and so we have taken great
pains to create a stable build for our workstations. They run for months
w/o a reboot which I'm very happy about.. From the POV of keeping the
machines "flat" as well as security everyone knows not to DL anything.
The net result of this is that our staff works efficiently and without
the frustration of machine instability and reboots.

If folks want/need something extra on their desktops that will help them
out, they can always come and ask. There is no reason IMHO for end users
to be installing stuff ad hoc on their workstations. They need to
understand that. Everyone here does, and it's not a "control freak" or
"keep them down" thing.. it's simply letting each group of people do the
best job they can and trusting one another. Everyone is cool about it. I
don't know if it would hold up at a big firm (we're small, <100) but
explaining what's up to everyone rather than just putting in draconian
rules and sending out a memo stating "because I said so".. has worked
well.

Bottom line for me is that the box belongs to the firm, with everything
on it. Part of my job is deciding what goes on it. I am paid for my
"expertise" (such as it is!) in assessing what products will work well
together, be secure, and most importantly - solve our business problem.
I use a lot of end user input/feedback to determine the last bit so it
is as participative as possible.

I don't play with the accounting rules or dabble in marketing..  Why
would someone without the expertise need to alter a machine that our IT
dept has spec'd and built, and potentially put others in the firm at
risk?


>>> James Edwards <[email protected]> 06/12/02 04:38PM >>>
We are in the process of changing operating systems on all our PCs and I
am going to seriously attempt to just block my users from installing
software on their PCs.  The theory being of course that if they can't
install anything, they can't put IM clients or any of the other various
and sundry useless, time wasting, PC eating garbage they are so fond of.
I just wonder if anyone else has managed this and how effective it has
been.

Jim Edwards

-----Original Message-----
From: Rocky Stefano [mailto:[email protected]]
Sent: Wednesday, June 12, 2002 9:43 AM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1


This has long been a known problem. It's not a vulnerability with any
firewall. There are several methods available to stop IM's from getting
out of your network.

-----Original Message-----
From: A, Kaustubh [mailto:[email protected]]
Sent: June 12, 2002 9:05 AM
To: [email protected]
Subject: [FW-1] [fw-1] Instant Messenger bypass FW-1


Folks,

I came to know about an article of Gartner saying that there are some IM
bypassing Firewall by scanning open ports. Has anybody tested this CP
FW-1 NG? I am afraid if this is a problem with FW-1!!!


Firewall Bypass Technology

AOL's Instant Messenger has a uniquely slippery client that is designed
to bypass firewall port blocking technology, making the product easy to
configure from behind a firewall. For example, the AOL client will use
any available port, scanning even those reserved for domain naming
system (DNS) lookup. This technology enables unsophisticated users to
sneak past a firewall with relative ease, effectively establishing
breaches in the corporate firewall.




Kaustubh A.
Technical Consultant
HP Services
------------------------------------------------------------------------
101-105 Enterprise Center, CTS#55 Off Neharu Road,
Vile Parle (East) Mumbai 400099.
*+91 (0) 22.616.7331 *GSM:*:   [email protected]
URL:  http://www.ho.com/in
------------------------------------------------------------------------

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.