Linux Know-How provides a collection of introductory texts on often needed Linux skills.


Firewall Politics

You shouldn't believe a firewall machine is all you need. Set policies first.

Firewalls are used for two purposes.

  1. to keep people (worms / crackers) out.
  2. to keep people (employees / children) in.

When I started working on firewalls, I was surprised to learn the company I worked for was more interested in "spying" on their employees than keeping crackers out of their networks.

At least in my state (Oklahoma) employers have the right to monitor phone calls and Internet activity as long as they inform the employees they are doing it.

Big Brother is not government. Big Brother = Big Business.

Don't get me wrong. People should work, not play at work. And I feel the work ethic has been eroding. However, I have also observed that management types are the biggest abusers of the rules they set. I have seen hourly workers reprimanded for using the Internet to look for bus routes to get to work while the same manager used hours of work time looking for fine restaurants and nightclubs to take prospective customers.

My fix for this type of abuse is to publish the firewall logs on a Web page for everyone to see.

The security business can be scary. If you are the firewall manager, watch your back.

How to create a security policy

I have seen some really highfalutin documentation on how to create a security policy. After many years of experience I now say, don't believe a word of them. Creating a security policy is simple.

  1. describe what you need to service
  2. describe the group of people you need to service
  3. describe which service each group needs access to
  4. for each service group describe how the service should be kept secure
  5. write a statement making all other forms of access a violation

Your policy will become more complicated with time but don't try to cover too much ground now. Make it simple and clear.


Last Update: 2010-12-16