On Wed, 6 Feb 2002, Darryl Luff wrote:

        [SNIP]

>
> And internal users or admins playing around. Whether they have malicious
> intentions or not, people seem to enjoy getting access to their mate's
> (or boss's) passwords. Especially in a small site where the server is on
> a user segment.
>

This internal issue is perhaps the greater risk of sniffing one probably
faces in this area.  And that does not have to be an issue of folks
reading e-mail externally.  Sniffing is not the huge gotcha some believe
it to be really.  For one thing, a person has to consider, how much e-mail
traffic is really encrypted, both internally and externally from most/many
corporations?  SMTP does not itself employ encryption and is the way such
communication primarily traverses an internal site and leaves there
externally.  Now, there are communications and corporate bits of
information that definitely should be encrypted, both when sent about the
internal system and especially when transmitted outside, and there are
many packages and applications to handle this kind of traffic in
communication, and this should probably be well documented in the
corporate policies regarding information flow.  But, the risk of someone
getting my e-mail to a co-worker setting up a lunch date or the evening's
bowling schedule or our arrangements for their handling my admin chores
while I take my kid to the dentist tomorrow would probably not require
this overkill nor be too traumatic if they had been grabbed and read in
transit.  It's certainly dependent upon the kind of work that is
conducted, and the type of information put in transit.  A medical
institution sharing personal medical records with another clinic should
take precautions to insure the integrity as well as the privacy of the
information in transit, military secrets certainly do not belong on a
public network like the internet...And any upper mgt person sending
e-mails to his secretary demanding sex, across a network, private or
public, would certainly deserve to have that traffic grabbed in transit,
though the 'electronic paper trail' would probably be damning enough when
the secretary made a sexual discrimination case against him...

A risk analysis should cover such potentials, and the policy derived from
that should document requirements and procedures for handling specific
cases.  It's amazing though how many companies have never really done a
thorough risk analysis, nor have policies actually documented.
Most policies are on the fly, off the cuff, exhortations of some upper to
middle level manager to the firewall admin...


Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls