41 Do I really want to allow everything that my users ask for? (Firewalls)
Description
This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.
41 Do I really want to allow everything that my users ask for? (Firewalls)
It's entirely possible that the answer is ``no''. Each site has its own
policies about what is and isn't needed, but it's important to remember that
a large part of the job of being an organization's gatekeeper is education.
Users want streaming video, real-time chat, and to be able to offer services
to external customers that require interaction with live databases on the
internal network.
That doesn't mean that any of these things can be done without presenting
more risk to the organization than the supposed ``value'' of heading down
that road is worth. Most users don't want to put their organization at risk.
They just read the trade rags, see advertisements, and they want to do those
things, too. It's important to look into what it is that they really want to
do, and to help them understand how they might be able to accomplish their
real objective in a more secure manner.
You won't always be popular, and you might even find yourself being given
direction to do something incredibly stupid, like ``just open up ports foo
through bar''. If that happens, don't worry about it. It would be wise to
keep all of your exchanges on such an event so that when a 12-year-old
script kiddie breaks in, you'll at least be able to separate yourself from
the whole mess.
Continue to:
My Books
