Firewall Wizards: Re: "firewalls are obsolete" rant

Re: "firewalls are obsolete" rant

From: Brian Loe <knobdy_at_gmail.com>
Date: Thu, 2 Feb 2006 09:05:49 -0600

On 2/2/06, Paul Melson <pmelson_at_gmail.com> wrote:
> Except if they're local admin, they can definitely change that. And unless
> you've fully investigated the issue, I'd wager you've got at least a couple
> of people using MSN to talk outside your network. Feel free to use my
> one-off Snort rule to check and see:

It's monitored, the only off-network IMing that goes on goes over the
link I'm on now, a separate DSL Internet connection.

As for being local admins, I'm not in charge of systems here (or
anything else) so...yes, sadly, everyone is a local admin. I haven't
yet heard their justification for this but I'll almost guarantee it's
the lazy desktop group that doesn't want to be bothered with how to
make such-and-such-app run without local admin rights (probably never
even tried power user). As for the user, even with local admin rights,
changing the behaviour of MSN IM - I don't see how. I've only played
around with it a little, but most of those configuration options are
not available (directly anyway), probably as defined in a group
policy. Even a local admin has to play by the rules if he wants to be
in the domain.

And, when I WAS in charge of the systems (servers and desktops) I
didn't allow users to be local admins. If there was an app that seemed
to need it, it was investigated. If it absolutely could not be done it
was either scrapped for something else or placed on a dedicated
machine with limited access (the one POS app we had there that could
not be run as a user didn't need network access so it didn't get any).

> The argument for IRC that prevailed here boiled down to "it's the only way
> to communicate with X." To which, several people responded, "Should we rely
> on them, then, if we can't call or e-mail them?" And somehow it was
> concluded that we should because according to someone, X was the only party
> that could provide what we were looking for. Not our finest hour, but not a
> disaster, either.

I don't find any of the reasons given in this thread valid, but I know
how it goes too. Surely this can be mitigated easily though, with a
local server or controlled, centralized client or something.

I haven't personally used IRC for anything for a very long time. Most
vendors have web-based forums and I belong to a lot of lists - if
those and Google can't help me I'm just screwed...which I still prefer
to IRC. :)
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 02 2006
