Bryan Olson wrote:
> Kelly Hall wrote:
> > Bryan Olson wrote:
> >
> >> There is no proxy for information employees need in pursuit of their
> >> job duties; no filter for trade secrets. Heck, even "no porn" is
> >> beyond the state of the art.
>
> > I guess you aren't familiar with the Websense and SurfControl software
> > products, or the iPrism appliance for web filtering. If the policy
> > includes "no spam", you can use a variety of software and hardware
> > techniques for that goal, too. Ditto for "no Denial of Service
> > traffic". Ditto for "no intruders".
>
> You guess right that I am not familiar, in any significant
> sense, with those two products. Nevertheless, I stand by my
> reporting.
>
> "No spam", "no Denial of Service traffic", and "no intruders"
> are objectives, and perhaps names of rule-sets, but are not
> enforceable criteria. More importantly, they are expressed in
> terms of what to deny, while the rest is allowed, and that is a
> mistake. Better firewall policies start from a default of "deny
> all," then express those exceptions to allow.
I certainly don't debate that best practice for configuring a layer-3
firewall is to close it down and then allow just the traffic you want.
For the firewalls I've used, specifying the allowed traffic comes down
to some syntax on top of a big list of (source_ip, source_port, dest_ip,
dest_port) tuples.
However, I think most IT groups have other criteria beyond layer-3 that
they would like to enforce - DoS, no porn, no spam, no viruses, no
intruders, etc. These categories are themselves vague, so enforcing
them isn't going to be as cut and dried as enforcing layer-3 traffic.
Is this vagueness a showstopper for you?
Kelly
Received on Thu Sep 29 21:44:27 2005
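The two policy shapes discussed in this thread, default-deny with an allow list versus default-allow with a deny list, side by side as an added Python example (not code from the list or from either poster). The rules are the (source_ip, source_port, dest_ip, dest_port) tuples Kelly describes, the sample policy and flows are constructed here using RFC 5737 documentation addresses, and the hosts and port numbers are assumptions for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One (source_ip, source_port, dest_ip, dest_port) tuple.

    Networks are CIDR strings; a port of None matches any port.
    """
    src_net: str
    src_port: Optional[int]
    dst_net: str
    dst_port: Optional[int]
    comment: str = ""

    def matches(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        return (
            ip_address(src_ip) in ip_network(self.src_net, strict=False)
            and self.src_port in (None, src_port)
            and ip_address(dst_ip) in ip_network(self.dst_net, strict=False)
            and self.dst_port in (None, dst_port)
        )


Verdict = Tuple[str, str]  # (decision, reason)


def default_deny(allow_rules: List[Rule], src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Verdict:
    """Best practice from the thread: nothing passes unless a rule allows it."""
    for rule in allow_rules:
        if rule.matches(src_ip, src_port, dst_ip, dst_port):
            return ("allow", rule.comment)
    return ("deny", "implicit default deny")


def default_allow(deny_rules: List[Rule], src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> Verdict:
    """The 'list what to block' shape: anything not named in a rule passes."""
    for rule in deny_rules:
        if rule.matches(src_ip, src_port, dst_ip, dst_port):
            return ("deny", rule.comment)
    return ("allow", "implicit default allow")


# Constructed sample policy (hypothetical hosts in RFC 5737 ranges).
ALLOW_RULES = [
    Rule("0.0.0.0/0", None, "192.0.2.10/32", 443, "anyone -> DMZ web server HTTPS"),
    Rule("10.0.0.0/8", None, "192.0.2.20/32", 25, "internal hosts -> mail relay SMTP"),
]

# A deny list written for the same network; it only names what someone thought of.
DENY_RULES = [
    Rule("0.0.0.0/0", None, "192.0.2.10/32", 22, "block SSH to DMZ web server"),
]

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("203.0.113.5", 40000, "192.0.2.10", 443),   # public HTTPS to the web server
    ("203.0.113.5", 40001, "192.0.2.10", 22),    # SSH to the web server
    ("203.0.113.5", 40002, "192.0.2.10", 3389),  # a port nobody wrote a rule for
    ("10.1.2.3", 50000, "192.0.2.20", 25),       # internal host to mail relay
    ("203.0.113.5", 50001, "192.0.2.20", 25),    # outside host to mail relay
]


def compare_policies() -> Dict[Tuple[str, int, str, int], Tuple[str, str]]:
    """Decision under default-deny vs default-allow for each sample flow."""
    return {
        flow: (default_deny(ALLOW_RULES, *flow)[0], default_allow(DENY_RULES, *flow)[0])
        for flow in SAMPLE_FLOWS
    }


if __name__ == "__main__":
    print(f"{'flow':<45} default-deny  default-allow")
    for flow, (dd, da) in compare_policies().items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]:<20} {dd:<13} {da}")
```

The third flow is the point of the comparison: under default-deny the unlisted port is refused without anyone having to anticipate it, while under default-allow it passes because no one wrote a rule against it. Matching here is exact-port or any-port; real firewall syntaxes add protocol, port ranges and connection state on top of the same tuple.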