[kwlug-disc] firewall question

unsolicited unsolicited at swiz.ca
Wed Feb 18 19:04:39 EST 2009


Raul Suarez wrote, On 02/18/2009 8:16 AM:
>> From: unsolicited <unsolicited at swiz.ca>
> 
>> Remote users just multiply the complexity by a more than 
>> exponential amount. If the first line of defence is physical 
>> security, that just got thrown out the window.
> 
> Independently of agreeing on the security part.
> 
> Can we agree that remote users are a necessity of modern business
> until instant teleportation is a reality?
.
.
.

Mm, necessity, maybe. I think I would say that VPN is not a reasonable
sole solution (a multi-solution implementation is more reasonable
approach), and more thought than is usual should be given to the human
elements in the equation before implementing anything.

> Users should be educated and made responsible for anything that
> happens under their ID.

That may be, but since we know all users aren't going to be
'responsible' all of the time, (I just clicked on this link, what did
I do wrong?), admins must take some responsibility too. Particularly
as admins may not know / detect at what point a user has been
irresponsible.

Actually, thinking about it, I'll reverse that - admins are
responsible for data integrity, be it on the network, their servers,
their computers (all client computers are just devices the admin has
lent to them temporarily, even if the client paid for it - it's 'my'
network they're connecting to). If users are themselves responsible,
that just makes life easier, but the admin can't count on it. They
don't dare. Users can be held responsible for their data and actions,
but since their data resides on my servers, and their action may
impact others, carte blanche cannot be granted. Which VPN does.

Integrity goes right down to programmers making sure invalid postal
codes can't be entered. Admittedly they can't ensure complete data
integrity - if a wrong address is entered, a wrong address is entered.
But, by that point, there is significantly less chance that that wrong
piece of data will impact other things.

I have no problem with VPN for 'responsible' (computer) people. I do
have a problem with it as a blanket solution for all users, which
would include those just hired today.

A principle of security, which I don't always agree with, is nothing
is allowed except that which is permitted. (vs. Everything is
permitted except that which is disallowed.) Under that principle, VPN
breaks it just about out of the gate.


There have been a lot of threads recently (good stuff), where there is
far more agreement than disagreement, and, I think, less disagreement
than is apparent. I suspect much of the disagreement stems from
different starting positions as to whom the typical user is. For me,
it's the person who doesn't have grade 10, or a receptionist, or
someone on an assembly line, or some authorized user's kid who just
wants to play that internet game while waiting for Mom or Dad. I
cannot possibly gauge the 'responsibleness' of every person (or their
devices) that may attach to my network. I cannot assume 100%
knowledge. I have to assume lowest common denominator - 0%.

Few people are computer-centric, and rightly so - a receptionist needs
to be pleasant to visitors, not know how to defrag a hard drive. They
have no interest in being computer educated, and there's absolutely
nothing wrong with that. As an admin, I cannot afford to not take
defensive steps against 0%. Part of that means not giving them VPN,
and part of that means not expecting them to avidly soak up training.

I can't assume 100%. Heck, not even with you or me - new nefarious
things come out every day. I can't reasonably assume 0%. However,
every user is somewhere between 0 and 100. It cannot be determined in
any reasonable amount of time, or way, where in between a given user is.

Which is why I say, much more thought should be given to the human
element, particularly communication and training, before implementing
most things. And it never happens.

Once that thought has been put into it, then implement VPN - selectively.




More information about the kwlug-disc_kwlug.org mailing list