Date: Thu, 8 Nov 2001 12:01:43 -0500 From: "Andrew C. Hornback" <achornback@worldnet.att.net> To: "Kutulu" <kutulu@kutulu.org>, "Anthony Atkielski" <anthony@atkielski.com> Cc: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG> Subject: RE: Lockdown of FreeBSD machine directly on Net Message-ID: <012801c16877$0aa3fa00$6600000a@columbia> In-Reply-To: <20011108104248.D10218@pr0n.kutulu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> -----Original Message----- > From: Kutulu [mailto:kutulu@kutulu.org] > Sent: Thursday, November 08, 2001 10:43 AM > To: Anthony Atkielski > Cc: Andrew C. Hornback; FreeBSD Questions > Subject: Re: Lockdown of FreeBSD machine directly on Net > > On Thu, Nov 08, 2001 at 09:19:55AM +0100, Anthony Atkielski wrote: > > Andrew writes: > > > > > > b) Calling the sysadmin and pretending to be his > > > > boss and convince him to open a hole. > > > > > > Most organizations require something like that in > > > writing, or at least as part of a face to face > > > conversation. That negates this loophole. > > > > I've never encountered an organization that has a policy like > that, but my > > personal policy is along those lines. If any manager wants me > to compromise > > One of the few things my company seems to do completely right all > the time, > is implement good person-to-person security policy. In order to > get anything > changed on our firewall or systems, we need to provide the VP and > both net. > eng. maangers a Visio diagram and accompaying justification of > what machines, > ports, directions, purposes, etc. need to be opened. > > It's a royal pain in the keester when all I want is to open FTP > for an hour > to let a contractor send us something, but I certainly know > enough to realize > it's better than the alternatives, and not complain too much :) This may be a pain, but you're right in that it is better than the alternatives. Imagine, if you will, stepping into an environment that has absolutely no network documentation, services aren't running properly, and there is no one left from the previous administration staff. The only things you have to go on are the manuals (which are for 3 versions of software prior to the version you're running) and a new management team that have decided to make wholesale changes that destroy the current configuration and need your help immediately to fix those problems. What would you do? I, for some reason, took the job and it ended up being a lot of fun... 'course, I'm one of these sick people that enjoys stepping into the middle of a sh*tstorm and trying to sort things out. During my first month there, I tore everything down, documenting the old system, and rebuilding it properly, documenting the new system. That, in my opinion, is the only way that you can truly get something like that fixed. When my clients have had me come on-site to make any sort of changes, I keep two logs -- one for them, and one for me. That way, when I go back, I can see what they've done, and compare it with the notes that I've got. Along with that, I tell them that I'll fix anything that I manage to break on my own dime (haven't had to yet), but if they have someone else in and they mess things up that they should expect a good sized bill. > > > If a secretary does this, they need to be fired, > > > period. > > > > In some organizations (many, in fact), she might be fired for > _not_ doing it, as > > few people understand the risk to security that doing something > like this > > represents, and they would interpret her refusal as a lack of > team spirit or > > cooperation or some such. > > Our company used to have this problem: everyone at level one on > the internal corp. > help desk has full admin rights to the Novell network. They > would get in trouble > for making unauthorized changes when unimportant people (me) > asked, but also get > reprimanded when important people (VPs of other departments) > asked and were told > to fill out change reqs. Finally their manager put an > authorization code on the > admin tools, so they need managerial authorization to make those > changes. At > first it was annoying, but in the end everyone was happier, > safer, and more > secure. Documentation, organization and hierarchical authorization... three keys to a successful IT department. --- Andy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?012801c16877$0aa3fa00$6600000a>