-------- From academic-firewalls-owner@net.tamu.edu Sun Jun 2 17:19:00 1996
cc: academic-firewalls@net.tamu.edu
In-Reply-To: <9604318335.AA833555473@ccmail.wnyric.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Sun, 2 Jun 1996 15:52:16 -0600 (MDT)
From: Dave Grisham
To: academic-firewalls@net.tamu.edu
Subject: Re: Re[2]: Kerberos !!

On Fri, 31 May 1996, Adam Pingitore wrote:

> why the FUCK AM I ON THIS GODDAMN LIST.

The daily reading of mundane security matters would not be the same without your pleasant comments, Adam.

-grish

-------- From academic-firewalls-owner@net.tamu.edu Mon Jun 3 13:20:37 1996
Date: Mon, 3 Jun 1996 13:42:23 -0400
From: gary flynn
To: academic-firewalls@net.tamu.edu
Subject: Firewall Policy

If we accept the fact that firewalls are designed around security policies, the question arises "Who makes those policies?". Given the nature of the technology, is it realistic to expect management (or auditors) to make policy regarding TCP port usage, SYN packets, proxy applications, etc? How is this handled elsewhere?

thanks,
gary

-------- From academic-firewalls-owner@net.tamu.edu Tue Jun 4 12:10:05 1996
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199606031742.MAA10025@net.tamu.edu> from "gary flynn" at Jun 3, 96 01:42:23 pm
Organization: NTUA-NOC, National Technical University of Athens, GREECE
X-Disclaimer: My opinions do not necessarily represent those of my employer.
X-Home-Address: 7 Elvetias St., Agia Paraskevi GR15342, Athens, GREECE
X-Home-Phone: +30-1-639-4-638
X-Work-Phone: +30-1-772-1-861
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Date: Tue, 4 Jun 1996 19:45:57 +0300 (EET DST)
From: y.adamopoulos@noc.ntua.gr
Reply-To: y.adamopoulos@noc.ntua.gr
To: academic-firewalls@net.tamu.edu
Subject: Re: Firewall Policy

Q: "Who makes those policies?"
A: The management does.
The staff has to make sure that either the policy can be enforced, or prove that it cannot be enforced.

Q: "How can they decide on technical matters (TCP port usage, etc.) ?"
A: Educate your management. They don't have to (and don't want to) become Unix, NetWare, PC gurus. They just need to know how the wheels roll. If you do that, they can think of policies and you can say "Yes this can be done" and "No, that cannot be done".

--
Yiorgos Adamopoulos adamo@noc.ntua.gr
National Technical University of Athens, NOC

-------- From academic-firewalls-owner@net.tamu.edu Tue Jun 4 12:10:09 1996
X-Mailer: exmh version 1.6.5 12/11/95
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: Your message of "Mon, 03 Jun 96 13:42:23 EDT." <199606031742.MAA10025@net.tamu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mts: smtp
Date: Tue, 04 Jun 96 17:28:12 +0100
From: P.Lister@cranfield.ac.uk
To: academic-firewalls@net.tamu.edu
Subject: Re: Firewall Policy

> If we accept the fact that firewalls are designed around security policies,
> the question arises "Who makes those policies?". Given the nature of
> the technology, is it realistic to expect management (or auditors) to make
> policy regarding TCP port usage, SYN packets, proxy applications, etc? How is
> this handled elsewhere?

We don't have firewalls here though this may change, which is why I read this list. We do, however, have Kerberos, as you may have noticed from previous email, and I'm interested in ways to achieve a reasonable degree of security on our network.

In my experience, senior management want as much security as possible, even if they don't understand what they're talking about - until they themselves perceive a need for a particular service, at which point all worries about security fly out of the window.
Worse, someone like me who raises security objections is perceived as a "jobsworth" who is simply trying to stop them doing what they want (presumably out of spite, laziness or incompetence). The same people who were worrying a few days ago about crackers now tell me that "a policy decision" has been made, with no attempt to consider the feasibility of what is actually required, and that confidential documents are about to start crossing the network.

The approach my colleagues and I are taking is to try to make sure every area of network security ultimately has a responsible person who is responsible for the data or service in question. The idea is that they will sign a piece of paper to say that they understand that, even if they can't handle the technology and delegate the maintenance work to others, the buck stops with them if there's a breach.

A few well chosen metaphors are useful as well; my current favourite is with the brakes of a car: no matter how well designed and maintained they may be, it is ultimately up to the driver to drive safely. That doesn't just mean pressing the brake pedal at the right time, it means limiting one's speed as appropriate to the road, weather and conduct of other drivers. Occasionally one must decide that the conditions are too bad to drive at all, regardless of how much one wishes to.
Peter Lister
Computer Centre, Cranfield University
Cranfield, Bedfordshire MK43 0AL UK
Email: p.lister@cranfield.ac.uk
Voice: +44 1234 754200 ext 2828
Fax: +44 1234 751814
--- Unfortunately, science isn't about happiness; it's about truth ---

-------- From academic-firewalls-owner@net.tamu.edu Wed Jun 5 00:16:46 1996
Encoding: 37 TEXT, 47 UUENCODE
X-Mailer: Microsoft Mail V3.0
X-MS-Attachment: WINMAIL.DAT 1824 00-00-1980 00:00
Date: Wed, 05 Jun 96 14:09:00 PDT
From: "Schmidt, Bill, ASQB-OSS"
To: academic-firewalls@net.tamu.edu
Subject: RE: Firewall Policy

Management may enforce the policy, but I'd hesitate to say that they make it. Management and personnel that are familiar with network hardware, operating systems, protocols, etc. need to work together to create the policy. Experienced users (and gurus) are key in creating the policy. If the policy is too lax, it won't be effective. If the policy is too stringent, users will find ways to bypass it and render it ineffective. The policy needs to be a "living" policy, be flexible to changes, and sometimes even allow temporary (momentary) controlled openings in the firewall.

----------
From: academic-firewalls-owner[SMTP:academic-firewalls-owner@net.tamu.edu]
Sent: Tuesday, June 04, 1996 7:45 PM
To: academic-firewalls
Cc: academic-firewalls
Subject: Re: Firewall Policy

Q: "Who makes those policies?"
A: The management does. The staff has to make sure that either the policy can be enforced, or prove that it cannot be enforced.

Q: "How can they decide on technical matters (TCP port usage, etc.) ?"
A: Educate your management. They don't have to (and don't want to) become Unix, NetWare, PC gurus. They just need to know how the wheels roll.
If you do that, they can think of policies and you can say "Yes this can be done" and "No, that cannot be done".

--
Yiorgos Adamopoulos adamo@noc.ntua.gr
National Technical University of Athens, NOC

The following binary file has been uuencoded to ensure successful transmission. Use UUDECODE to extract.

-------- From academic-firewalls-owner@net.tamu.edu Wed Jun 5 12:21:01 1996
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Date: Wed, 5 Jun 1996 11:34:00 -0500
From: "Davidson, Clyde"
To:
academic-firewalls@net.tamu.edu
Subject: RE: Firewall Policy

Why, the Data Security Coordinator makes the policies. Well, I do here anyway. It is important that any organization have an Information Security Officer who is the key management for all security. I do come from a technical and networking background and that can be helpful. However, the key to doing this job right is to communicate with everyone. It is my job to know security and what it takes to make our data secure. I don't have to know all the technology. I do have to be able to communicate with the people who do know the technology. Together we make the system policies and the organization policies. OK, the writing and setting of policy is mine. The implementation is the systems administrators'.

Clyde Davidson
Data Security Coordinator
Northwestern Memorial Hospital (teaching hospital of Northwestern University)

----------
From: gary flynn
To: academic-firewalls
Subject: Firewall Policy
Date: Monday, June 03, 1996 7:35PM

If we accept the fact that firewalls are designed around security policies, the question arises "Who makes those policies?". Given the nature of the technology, is it realistic to expect management (or auditors) to make policy regarding TCP port usage, SYN packets, proxy applications, etc? How is this handled elsewhere?

thanks,
gary

-------- From academic-firewalls-owner@net.tamu.edu Wed Jun 5 12:41:06 1996
Encoding: 34 TEXT, 41 UUENCODE
X-Mailer: Microsoft Mail V3.0
X-MS-Attachment: WINMAIL.DAT 1572 00-00-1980 00:00
Date: Wed, 05 Jun 96 08:20:00 PDT
From: "Schmidt, Bill, ASQB-OSS"
To: academic-firewalls@net.tamu.edu
Subject: RE: Firewall Policy

SunSoft offers a FREE guide "How to Develop a Network Security Policy". Simply call 1-800-786-7638 and press prompt "1". Of course they would also like to sell you their Solstice FireWall-1 Firewall! No, I don't work for Sun!
Bill

----------
From: academic-firewalls-owner[SMTP:academic-firewalls-owner@net.tamu.edu]
Sent: Tuesday, June 04, 1996 7:45 PM
To: academic-firewalls
Cc: academic-firewalls
Subject: Re: Firewall Policy

Q: "Who makes those policies?"
A: The management does. The staff has to make sure that either the policy can be enforced, or prove that it cannot be enforced.

Q: "How can they decide on technical matters (TCP port usage, etc.) ?"
A: Educate your management. They don't have to (and don't want to) become Unix, NetWare, PC gurus. They just need to know how the wheels roll. If you do that, they can think of policies and you can say "Yes this can be done" and "No, that cannot be done".

--
Yiorgos Adamopoulos adamo@noc.ntua.gr
National Technical University of Athens, NOC

The following binary file has been uuencoded to ensure successful transmission. Use UUDECODE to extract.

-------- From academic-firewalls-owner@net.tamu.edu Thu Jun 6 11:40:32 1996
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Thu, 6 Jun 1996 11:14:21 -0500
From: "Bruhn, Mark S."
To: academic-firewalls@net.tamu.edu
Subject: RE: Firewall Policy

Clyde, you said that you make policy, then you said that you communicate with a lot of other technical people and you together establish the system and organization policies. If I understand this correctly, I don't see how this can work. Technical people alone setting all system policy is interesting, but technologists setting organizational policy is (frankly) unbelievable.

In our academic computing role, we are here to support learning and research, and we coordinate academic computing with (primarily) an academic advisory committee, and often with individual faculty members or schools. Most funding for this environment comes from student technology fees and campus academic accounts. A lot of times, the faculty come to us with grant money in hand from IBM or Dec or Apple or somewhere. So, they have leverage for that reason, along with the fact that they are our customers! We make recommendations as to operating systems, system sizing, software, access control, quotas, etc.
That is, we give them as much information as we can, and try to make them understand the circumstances and possibilities and reasonings. In the systems arena, if we do a decent job, they most-times defer to our information and experience and tell us to go forth. They generally tell us what software they need also.

However, when it comes to security and access control, they must be convinced that the risk and proposed "barrier" outweighs the inconvenience that the solution may cause. They're into the open-and-free-exchange-of-ideas mode of operation, as they certainly should be.

In our business or administrative computing role, we do most of the systems decision making within the computing department, though that is changing as well, with the advent of "subject-area only servers". However, in the security and access control arena, we have a Committee on Institutional Data (Deans, Directors, VPs, Audit Director) and a Committee of Data Stewards (delegates of the CID for each subject area). We make recommendations to these two groups, and if we do a good job, then they agree most-times with what we recommend (policies and technical protections). However, they also know that one of their options is to agree to accept the risk of a certain situation.

So, I say to these data managers "this thing is happening or this is the situation. It appears to be of (high)(medium)(low) risk because of these circumstances, and we suggest (doing these things)." They can say "thanks -- that does appear to be a bad deal, please go ahead and implement those solutions", or they can say "thanks, and we know the risk, but we don't want to implement that barrier".

Our internal audit department, who has members on these groups, also is of great benefit getting these folks to intelligently consider things, because their reports go to the Board of Trustees, and of course these data managers know that.

This has worked thus far.

Mark.
***********************************************************************
Mark Bruhn
Senior Manager, Information and Systems Services
Information Security Officer
University Computing Services
Indiana University
mbruhn@indiana.edu
812-855-0326
http://www.indiana.edu/~issg/issg.html

>----------
>From: Davidson, Clyde[SMTP:CDAVIDSO@IS.NMH.NMH.ORG]
>Sent: Wednesday, June 05, 1996 11:34 AM
>To: academic-firewalls@net.tamu.edu
>Subject: RE: Firewall Policy
>
>
>Why, the Data Security Coordinator makes the policies. Well, I do here
>anyway. It is important that any organization have an Information Security
>Officer who is the key management for all security. I do come from a
>technical and networking background and that can be helpful. However, the
>key to doing this job right is to communicate with everyone. It is my job to
>know security and what it takes to make our data secure. I don't have to
>know all the technology. I do have to be able to communicate with the people
>who do know the technology. Together we make the system policies and the
>organization policies. OK, the writing and setting of policy is mine. The
>implementation is the systems administrators'.
>
>Clyde Davidson
>Data Security Coordinator
>Northwestern Memorial Hospital (teaching hospital of Northwestern University)
>
> ----------
>From: gary flynn
>To: academic-firewalls
>Subject: Firewall Policy
>Date: Monday, June 03, 1996 7:35PM
>
>
>If we accept the fact that firewalls are designed around security policies,
>the question arises "Who makes those policies?". Given the nature of
>the technology, is it realistic to expect management (or auditors) to make
>policy regarding TCP port usage, SYN packets, proxy applications, etc? How
>is this handled elsewhere?
>
>thanks,
>gary
>

-------- From academic-firewalls-owner@net.tamu.edu Thu Jun 6 23:07:16 1996
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 6 Jun 1996 20:38:51 -0700
From: Masoud Safi
To: academic-firewalls@net.tamu.edu
Subject: Security in a Windows environment.

Hi people,

I have observed that most internet and intranet security issues are somehow linked to the UNIX platform. Are there any security issues under windows (MS) that I should be aware of?

Any input would be appreciated.

Thanks.

----------
From: Davidson, Clyde[SMTP:CDAVIDSO@IS.NMH.NMH.ORG]
Sent: Wednesday, June 05, 1996 9:34 AM
To: academic-firewalls@net.tamu.edu
Subject: RE: Firewall Policy

Why, the Data Security Coordinator makes the policies. Well, I do here anyway. It is important that any organization have an Information Security Officer who is the key management for all security. I do come from a technical and networking background and that can be helpful. However, the key to doing this job right is to communicate with everyone. It is my job to know security and what it takes to make our data secure. I don't have to know all the technology. I do have to be able to communicate with the people who do know the technology. Together we make the system policies and the organization policies. OK, the writing and setting of policy is mine. The implementation is the systems administrators'.

Clyde Davidson
Data Security Coordinator
Northwestern Memorial Hospital (teaching hospital of Northwestern University)

----------
From: gary flynn
To: academic-firewalls
Subject: Firewall Policy
Date: Monday, June 03, 1996 7:35PM

If we accept the fact that firewalls are designed around security policies, the question arises "Who makes those policies?".
Given the nature of the technology, is it realistic to expect management (or auditors) to make policy regarding TCP port usage, SYN packets, proxy applications, etc? How is this handled elsewhere?

thanks,
gary

-------- From academic-firewalls-owner@net.tamu.edu Fri Jun 7 08:05:24 1996
Date: Fri, 7 Jun 1996 08:46:47 -0400
From: gary flynn
To: academic-firewalls@net.tamu.edu
Subject: Re: Security in a Windows environment.

> From: Masoud Safi
> Sender: academic-firewalls-owner@net.tamu.edu
> To: academic-firewalls@net.tamu.edu
> Subject: Security in a Windows environment.
>
> Hi people,
>
> I have observed that most internet and intranet security issues are
> somehow linked to the UNIX platform. Are there any security issues under
> windows (MS) that I should be aware of?

Besides the usual vulnerabilities implied by a single-user desktop with no authentication or controls, Windows has network file sharing. If a machine is misconfigured, anyone on the Internet can access the hard drive (and any mapped "network" drives accessible by that machine). You can prevent this by blocking ports 137-139 where you want to disable these services.

Another file sharing service is offered by Windows 95. The "File and Print Sharing for Netware" service makes the Windows 95 desktop look like a file server. Severe problems can result with duplicate server names or if users attempt to login or attach. Although you can disable this feature through the Policy Editor and Push Installation features, these can easily be circumvented.

Win95 also has the password cache feature that I find to be a wonderful ease of use feature. However, the desktop must be properly secured and users aware of the security implications for it to be safe.

There are probably a lot of other issues but these are my main hot buttons.
gary

-------- From academic-firewalls-owner@net.tamu.edu Fri Jun 7 16:20:18 1996
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Date: Fri, 7 Jun 1996 14:49:00 -0500
From: "Davidson, Clyde"
To: academic-firewalls@net.tamu.edu
Subject: RE: Firewall Policy

That is how I make policy. The writing and the setting of the policy are mine. Of course, to make it work and to get everyone to actually implement the policy there is a lot of education, selling, and cooperation with everyone.

I'm not sure exactly what you mean by "technologists", but it is possible to know something about technology and management at the same time. Alas, it is rather rare to see.

----------
From: Bruhn, Mark S.
Sent: Thursday, June 06, 1996 6:40 PM
To: academic-firewalls
Subject: RE: Firewall Policy

Clyde, you said that you make policy, then you said that you communicate with a lot of other technical people and you together establish the system and organization policies. If I understand this correctly, I don't see how this can work. Technical people alone setting all system policy is interesting, but technologists setting organizational policy is (frankly) unbelievable.
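Gary's reply above on Windows file sharing (block ports 137-139 so a misconfigured desktop cannot be reached from the Internet) lends itself to a defender-side check; the Python below is an added example written for this archive, not code from any poster. It flags permitted inbound NetBIOS connections from off-campus sources in constructed firewall log lines, and verifies with first-match semantics that an ordered filter rule list really denies those ports for both TCP and UDP; the log format, the 192.0.2.0/24 campus netblock and the rule tuple layout are assumptions.

```python
# Audit for Internet-exposed Windows file sharing (NetBIOS ports 137-139).
# Added example, not from the thread. Hypothetical assumptions: log lines of
# the form 'src_ip src_port dst_ip dst_port proto action', a campus netblock
# of 192.0.2.0/24, and filter rules written as (action, proto, lo_port, hi_port).
import ipaddress
from collections import Counter

NETBIOS_PORTS = {137, 138, 139}  # name, datagram and session services
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed campus space

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
198.51.100.7 1045 192.0.2.15 139 tcp permit
198.51.100.7 1046 192.0.2.15 137 udp permit
192.0.2.40 1100 192.0.2.15 139 tcp permit
203.0.113.9 2000 192.0.2.22 139 tcp deny
198.51.100.7 1047 192.0.2.15 80 tcp permit
this line is malformed and must be skipped
"""

def is_campus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    src, _sport, dst, dport, proto, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"src": src, "dst": dst, "dport": int(dport),
                "proto": proto.lower(), "action": action.lower()}
    except ValueError:
        return None

def find_exposed_shares(log_text):
    """Map campus host -> count of permitted NetBIOS hits from off-campus."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["dport"] in NETBIOS_PORTS and rec["action"] == "permit"
                and is_campus(rec["dst"]) and not is_campus(rec["src"])):
            hits[rec["dst"]] += 1
    return dict(hits)

def first_match(rules, proto, dport):
    """First-match-wins lookup; an exhausted list is treated as default-deny."""
    for action, rproto, lo, hi in rules:
        if rproto in (proto, "any") and lo <= dport <= hi:
            return action
    return "deny"

def ruleset_blocks_netbios(rules):
    """True only if every NetBIOS port is denied for both TCP and UDP."""
    return all(first_match(rules, proto, port) == "deny"
               for proto in ("tcp", "udp") for port in NETBIOS_PORTS)

# Correct: the deny precedes the permit-any.
GOOD_RULES = [("deny", "any", 137, 139), ("permit", "any", 0, 65535)]
# Wrong order: permit-any matches first, so the deny never fires.
BAD_ORDER = [("permit", "any", 0, 65535), ("deny", "any", 137, 139)]
# Incomplete: blocks TCP only, leaving UDP 137/138 name and datagram open.
TCP_ONLY = [("deny", "tcp", 137, 139), ("permit", "any", 0, 65535)]
```

Any host returned by find_exposed_shares is one whose file sharing the filter is letting the Internet reach; the two mis-ordered and TCP-only rule lists show the ways a "block 137-139" rule can look right and still leave the hole open.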