RE: FW: [fw-wiz] The Death Of A Firewall

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 10:15:51 -0400

Your last one is the approach the local University takes...  Too much of
a pain to enforce, so they wall themselves off from their students.
Then again, there isn't much to wall off, considering almost everything
is web-based.  

9,000 students, only a couple of (moderately ignorant) student workers
to enforce it...  I see why they did it that way.  That, and the
moral/legal quagmire where the students claim they're paying for it with
their tuition (actually only a small part of the budget), and they have
a right to run whatever program they darn-well desire!

The biggest pain in the butt is when someone familiar with their network
comes over here and says "I've used a wireless network before, and it
isn't supposed to work this way" when they encounter security for the
first time.


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, October 27, 2005 10:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: [fw-wiz] The Death Of A Firewall

http://www.ISAserver.org

Hmm.
Conundrum..  I think not.

Let's see, as the school's IT team:
1. do I own (or at least control) the network? - yes
2. have I published an AUP? - yes
3. have all users acknowledged the AUP and consequences of violating
said restriction? - yes

..then I don't need no stinkin' openaport button.
Joe Schmuckatelli got hissef a "500 HTTP Filter blocked your silly ass"
message and posted to isaserver.org message board; well, TFB! 

If I can't enforce an AUP, then let the students hack each other to
death and I'll keep the servers walled off from the unwashed masses.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, October 27, 2005 6:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: [fw-wiz] The Death Of A Firewall

Hi Dan,

Yea, I can see how that would be a disaster in an unmanaged environment,
where the clients are not subject to any secure policy or management at
all. The only advantage I see is that the firewall admins don't have to
deal with finding the Open Port buttons on their firewalls. It's
everything in and out. They must not have to pay for Internet use
though, since the worm traffic would bring the utilization through the
roof.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Thursday, October 27, 2005 8:43 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW: [fw-wiz] The Death Of A Firewall
> 
> That is kinda the approach our local University takes.  The student
> laptops (which ALL students are required to lease) basically have their
> own public IP address via WAPs all over campus.
> 
> Horrendous design, but takes all the pressure off their IT department as
> everything is web-based, and the rest is unsupported.
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Wednesday, October 26, 2005 10:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] FW: [fw-wiz] The Death Of A Firewall
> 
>  This is a very interesting article:
> 
> http://www.securitypipeline.com/165700439
> 
> I'll forgive the guy for thinking of high speed packet filters as the
> only type of "firewall" and some other conceptual blubobs. We can also
> ignore the title, since there are still firewalls segmenting different
> security perimeters, which is the thrust of the current article series
> on the www.isaserver.org Web site, and two more article series showing
> some other ways to do network security perimeter segmentation using ISA
> firewalls.
> 
> What's interesting is that only the servers and other core network
> assets are protected and only to and from these assets are strong
> network access controls enforced. All the clients are considered
> untrusted, and sit behind an Internet router that lets everything in and
> out. I suppose this guy has a lot of public addresses to get away with
> this, but some companies have hundreds and thousands and tens of
> thousands to throw around.
> 
> I'm going to chew on this idea some more, and see if I can tell a good
> ISA firewall story around it. It certainly would solve the "Open Port"
> button issue.
> 
> Tom
> 
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
