[4404] in WWW Security List Archive
Re: Access Logfile Question
daemon@ATHENA.MIT.EDU (Jim Harmon)
Thu Feb 13 13:37:31 1997
Date: Thu, 13 Feb 1997 10:23:13 -0500
From: Jim Harmon <jim@telecnnct.com>
To: Jeremy Madea <jdmadea@cs.millersv.edu>
Cc: Phillip M Hallam-Baker <hallam@ai.mit.edu>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Jeremy Madea wrote:
>
> On Sun, 9 Feb 1997, Phillip M Hallam-Baker wrote:
>
> >
> > > > >Fire walls are not a panacea. The main idea of a firewall is
> > > > >to allow control of the information going _out_ of a company.
> > >
> > > Minor nit -- Firewalls are best at controlling access INTO a
> > > company, not at controlling information flow OUT of a company.
> >
> > Not so
> [...]
> > The task was to limit the bandwidth from the inside to
> > the outside.
>
> It seems obvious what the misunderstanding is here...
> Firewalls are primarily to control information flow out of
> a company AND
> control access into a company.
I strongly agree...
> These two concepts are fundamentally one
> and the same.
This I don't quite agree with, but that's a syntax peeve, not a
disagreement of practicality...
> How could you control access in without controlling the
> information that goes out?
> A minor clarification of this: firewalls are
> not meant to control the information that a user behind the wall
> wants to send out... they are meant to control access to information
> from the outside by people w/o help from the inside.
This is one specific goal --perhaps the greatest-- of firewalls, but not
the only one.
> I might have trouble getting
> through your firewall and stealing your employee records... but if my
> cohort works inside your firewall, he'll have no problem sending them
> to me. This serves as an excellent reminder that the most important
> issue in computer security is the human factor.
Here's where the concept of controlling insiders' access to the outside
is important, and not because Mr. Hacker has a cohort inside, but
because most of the users inside are not aware of how damaging what
services and abilities they take for granted on a daily basis could be.
The most fundamental "job descriptor" for a firewall is "insulator".
The second choice would be "isolator".
I want to make it possible for my insiders to ignore the outside world
by making their common day-to-day tasks simple, and invisible outside
the wall. I want to make it a noticeable extension of work --not
necessarily obstructive-- to push potentially damaging information
through the wall so Mr. User has to think about doing it.
Then it's my job to educate Mr. User about Human Engineering attacks,
viruses, password control, etc., and the potential cost of failing to
meet standards.
The firewall itself isn't intended to meet that need.
I want my firewall to exclude -or at least hold for review- any incoming
active access from unknown sources until identity is validated, even if
my users initiated the transaction from inside the firewall. This is to
be sure I'm not being hacked or infected with viruses (virii? :).
--
Jim Harmon The Telephone Connection
jim@telecnnct.com Rockville, Maryland
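The two-direction policy Jim lays out above, as an added illustration that is not part of the original message and models no real firewall product: routine outbound work passes invisibly, pushing potentially damaging data out requires an explicit user confirmation, and inbound active access from an unvalidated source is held for review even when the session was opened from inside. The service names, addresses and the "active content" category are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed vocabulary (assumption, not from the original post).
ROUTINE_OUTBOUND = {"http", "dns"}                  # invisible day-to-day work
SENSITIVE_OUTBOUND = {"ftp-upload", "smtp-attach"}  # a noticeable step to push out
ACTIVE_INBOUND = {"active-content"}                 # code/active access, not plain data
TRUSTED_SOURCES = {"198.51.100.7"}                  # identity already validated


@dataclass
class Packet:
    direction: str              # "in" or "out"
    src: str                    # source address
    service: str                # service or content category
    initiated_inside: bool = False  # reply to a session an insider opened
    user_confirmed: bool = False    # insider explicitly acknowledged the export


@dataclass
class Firewall:
    review_queue: list = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        """Return "allow", "deny" or "hold"; held packets go to review."""
        if p.direction == "out":
            if p.service in ROUTINE_OUTBOUND:
                return "allow"          # insulator: the wall is invisible here
            if p.service in SENSITIVE_OUTBOUND:
                # Mr. User has to think about it before it leaves the wall.
                return "allow" if p.user_confirmed else "deny"
            return "deny"               # default deny for anything unlisted

        # Inbound: known identity passes; plain replies to sessions opened
        # inside pass; anything active from an unknown source is held,
        # even if an insider initiated the transaction.
        if p.src in TRUSTED_SOURCES:
            return "allow"
        if p.initiated_inside and p.service not in ACTIVE_INBOUND:
            return "allow"
        self.review_queue.append(p)
        return "hold"


def pending_review(fw: Firewall) -> int:
    """Number of inbound requests awaiting identity validation."""
    return len(fw.review_queue)
```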