
List:       firewalls-gc
Subject:    RE: Dial-out risks
From:       "HEROLD.BECKY" <Herold.Becky () principal ! com>
Date:       1996-00-08 10:56:27

OUCH!

Judging by a couple of responses I received to the message I posted yesterday,
and rereading my post, I obviously did NOT make the point of my message clear!

The point I was trying to make was that people need to be made aware of why
they SHOULD use the firewall to access the Internet, and not just slap a modem
on their networked PCs.  Putting a modem on the networked PC is the "bad
thing" I was referring to in the following.  (I should have written as
"...explain to people why putting a modem on a PC is a bad thing...")  I've
found employees are more willing to follow policies when we can provide an
explanation of the risks involved instead of just saying "Don't do that
because we said so!"  And, reality is, many people will take it upon
themselves to reconfigure their PC if they feel they have a business need...
unless (perhaps) they understand the risks involved.

>An important key to the success of a firewall is ensuring employees use it!
>This can require quite the sales job.  In order to get buy-in (hopefully
>going from top management down through the ranks) it is necessary (in our
>organization anyway) to explain to people why what they want to do is a bad
>thing for the corporate network.  One of the bad things people will want to
>do is install modems on PCs that are attached to the WAN and use them for
>"dial-out only".  It is a challenging task to convince them that doing this
>DOES create a risk, even if they are using a non-DID phone line.  (Especially
>if the WAN has tens of thousands of nodes spread across a geographically huge
>area.)

Yes, I agree that dialing out is a necessity for most businesses, and
that dial-out access needs to occur through a single point on the network, or
some other secured system.  I'm looking for details that I can share with
employees explaining WHY they need to use the corporate solution (e.g.,
firewall) to accomplish their dial-out business needs.  Since many of these
folks are technical, it would help if I had some technical information to go
along with the general reasons.  I don't think giving them information on
these risks is trying to control them with fear...it's just a way of
explaining what can happen.

If any of you can provide more details on the risks I listed yesterday (for
PCs with modems), or have even more risks to add, I'd appreciate receiving
them!


Thanks,

Becky Herold, Sr. Systems Analyst, Information Protection
herold.becky@principal.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions expressed here are strictly my own and do not necessarily
represent those of my employer.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
