At 02:51 PM 10/25/01 -0400, hesselsp_at_ashaman.dhs.org wrote:
>Anyone want to help me out here?
>
>I have had a request to put tcpdump on our firewall by one of our tech
>guys.
>
>I have told him that I will not do so, and he wants a good reason why.
HE wants a good reason why? HE?
Your security policy should cover this (and probably doesn't). Everything
you add on a firewall makes it more complex. Complexity and security are
inversely proportional. But wait! He doesn't have a user account on the
firewall does he? No one should except the firewall admin, and that should
be tightly controlled. The good reason is you don't add things on the
firewall unless there is no other way to do what needs to be done, and then
only if it is a business requirement (not a desire).
Push right back and ask him for a requirement not a solution. What does he
want to do? He probably wants to monitor packets on the outside network (or
maybe on both). I can think of more than one way to accomplish this that
doesn't require putting anything new on the firewall.
Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 26 2001