I wholeheartedly agree with Bennett regarding the security
policy.  I have found in these political situations it is good
to get a "champion" that will add clout to your campaign.
Preferably one with more clout than the person you are up
against.  Politics isn't fun, but it is a necessary evil.

If I were you I'd:
1. Investigate sample security policies.
2. Determine what type of traffic is going inbound/outbound.
3. Analyze the risk of the inbound traffic.
4. Analyze the business case for outbound traffic
   (Why does everyone really need RealAudio at work?)
5. Estimate the costs and liability of not securing the network.
6. Come up with a short and long term list of recommendations.
7. Get your boss's permission to "do some research", if needed.

It's a lot of work, but you need to present a good case.
BTW: CIOs love this stuff.

8.  Present your findings to the highest person you can.
    Educate and scare them with sound, substantiated facts.
    At this point get your boss in the loop for buy in.

              My 2 cents -Art




At 01:54 PM 1/27/00 -0600, Bennett Todd wrote:
>An interesting topic indeed.
>
>I'd say the first step is a security policy. If you don't have one,
>you need one (this is my standing battle cry).
>
>Make the definition of the security policy the battle ground for
>this issue. The security policy should describe what resources need
>protecting, against what threats, and mandate requirements (possibly
>including firewalls) that follow logically from the resources and
>threats.
>
>But that's just setting a sound structure for the debate, it doesn't
>actually address your question.
>
>If you've described resources that need protecting, and threats they
>need protecting against, and the manager still doesn't buy into your
>proposed solution, then either you need a more flexible solution
>(e.g. protect critical servers with a different, tighter policy from
>the one you inflict on desktop clients --- which may also require
>protecting them _against_ the vulnerable desktops) or else they're
>ignoring the problem. In that latter case what I like doing is
>demonstrating the problem. Come up with a clear threat, fantasize a
>plausible attacker, describe the scenario in detail, then offer to
>demonstrate the practicality and effects of the attack by running
>it (with prior agreement, at a scheduled time). If they insist on
>continuing to ignore the threat, and refuse to let you demonstrate
>it, then back off. Carry out these negotiations in email and keep
>file copies, and then when they get burgled you can document that
>the manager deliberately chose to let it happen.
>
>If that last bit (let 'em hang) is unacceptable to you, your choices
>reduce to trying to go over the head of the recalcitrant manager, or
>finding another job.
>
>-Bennett
>

===========================================
Art Coble
Lucent - Netcare Professional Services
Senior Network Consultant
Email: [EMAIL PROTECTED]
Page:  800 INS 1 INS
=============================================