Brian Steele wrote:
>
> ..but isn't the reverse referred to as "security through obscurity"?
> >It makes it so much harder for
> >us to do our jobs when vendors like that go around telling people how to
> get
> >around security.
This isn't a security issue at all -- it's the problem of enforcing
a policy. Not necessarily a hardware or software problem, is it?
The first step is to articulate what the real requirement is --
is it to use the firewall as a baby sitting tool to be sure that
employees don't have too much fun at work, or listen to subversive
broadcasts from NPR? ;-) What is the perceived risk? Pop quiz --
is there a single CERT advisory with the words "Real" and "Audio" ??
If you don't want employees doing something, make a lucid and concise
statement of the policy IN WRITING. Insubordination is subject to
dismissal in the civilian sector, and various forms of punishment in
the military, as someone else has mentioned.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
