another firewall (team) rant
hymie!
2017-10-03 12:27:37 UTC
(I hope the sacrificed chicken is working. I see my posts, but nobody
responds, so I'm sad and confused.)

I work for a Very Very Large Institution. $VVLI has lots of segmented
networks, which are controlled by firewalls, which are controlled by
locally-autonomous firewall teams.

I have $SOURCE_MACHINE, which needs to access $DEST_MACHINE on port 443.
These two machines are on opposite sides of a certain firewall. The
firewall team will no longer approve requests using port 443[1]. Instead,
all connections on ports 80/443 are expected to use the VVLI Web Proxy,
which means that

(a) $SOURCE_MACHINE will have access to any destination on the VVLI
Web Proxy White List, such as
* akamaitechnologies.com
* amazonaws.com
* aspnetcdn.com
* cpan.org
* freecode.com
* freshmeat.net
* illinois.gov
* pidgin.im
* sony.com (Remember the "root-kit" situation?)

(b) Any VVLI host that uses the VVLI Web Proxy will have access to
$DEST_MACHINE

And they are completely unwilling to accept or even acknowledge any request
that suggests that only allowing $SOURCE_MACHINE to access $DEST_MACHINE
is a better solution than allowing $SOURCE_MACHINE to get to hundreds
of web sites AND allowing hundreds of VVLI machines to access $DEST_MACHINE.

If I'm 47 ... that means I can't retire for at least 23 more years.

[1] it used to be allowed -- so newer machines have to be configured
differently than pre-existing machines

--hymie! http://lactose.homelinux.net/~hymie ***@lactose.homelinux.net
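The exposure difference the post is complaining about can be made concrete by modelling both policies as sets of allowed (source, destination, port) flows and counting what each one grants. The following is an added example, not code from the original post; the host names, the number of proxy users (200) and the assumption that every VVLI host uses the web proxy are constructed for illustration, and the whitelist entries are the ones listed in the post.

```python
"""Compare a point-to-point firewall rule with a web-proxy whitelist policy
by enumerating the flows each one permits. Added example; hosts and counts
are constructed placeholders, not data from the original post."""

# Placeholders for the two hosts in the post.
SOURCE_MACHINE = "source-machine"   # stands in for $SOURCE_MACHINE
DEST_MACHINE = "dest-machine"       # stands in for $DEST_MACHINE

# Constructed: 200 hypothetical VVLI hosts that all use the web proxy.
VVLI_HOSTS = [f"vvli-host-{i:03d}" for i in range(1, 201)]

# The whitelist destinations named in the post.
WHITELIST = [
    "akamaitechnologies.com", "amazonaws.com", "aspnetcdn.com", "cpan.org",
    "freecode.com", "freshmeat.net", "illinois.gov", "pidgin.im", "sony.com",
]

PROXY_PORTS = (80, 443)


def direct_rule_policy():
    """The rule the poster asked for: exactly one source, one destination, one port."""
    return {(SOURCE_MACHINE, DEST_MACHINE, 443)}


def proxy_policy(proxy_users, whitelist):
    """The proxy-based policy: every proxy user reaches every whitelisted
    destination on both web ports. Adding DEST_MACHINE to the whitelist is the
    only way to satisfy the request under this model."""
    return {(src, dst, port)
            for src in proxy_users
            for dst in whitelist
            for port in PROXY_PORTS}


def flows_from(policy, src):
    """Flows a given source is allowed to initiate."""
    return {f for f in policy if f[0] == src}


def flows_to(policy, dst):
    """Flows a given destination is exposed to."""
    return {f for f in policy if f[1] == dst}


def compare_policies():
    """Return exposure counts for both policies plus the number of flows the
    proxy policy grants beyond the single flow that was actually requested."""
    direct = direct_rule_policy()
    proxy = proxy_policy([SOURCE_MACHINE] + VVLI_HOSTS, WHITELIST + [DEST_MACHINE])
    return {
        "direct_from_source": len(flows_from(direct, SOURCE_MACHINE)),
        "direct_to_dest": len(flows_to(direct, DEST_MACHINE)),
        "proxy_from_source": len(flows_from(proxy, SOURCE_MACHINE)),
        "proxy_to_dest": len(flows_to(proxy, DEST_MACHINE)),
        "proxy_total": len(proxy),
        "proxy_unrequested": len(proxy - direct),
    }


if __name__ == "__main__":
    for name, count in compare_policies().items():
        print(f"{name:>20}: {count}")
```

Under the constructed inventory the direct rule grants one flow, while the proxy policy lets the source reach 20 (10 destinations on two ports) and exposes the destination to 402 flows from 201 hosts; everything beyond the single requested tuple is attack surface that nobody asked for, which is the least-privilege argument the post is making.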
Roger Bell_West
2017-10-03 12:41:23 UTC
Post by hymie!
(I hope the sacrificed chicken is working. I see my posts, but nobody
responds, so I'm sad and confused.)
It's fine, it's just that the Secret Masters of USENET have declared
that you're To Blame for this month. I shouldn't say this much, you
know how it is.
Post by hymie!
I have $SOURCE_MACHINE, which needs to access $DEST_MACHINE on port 443.
These two machines are on opposite sides of a certain firewall. The
firewall team will no longer approve requests using port 443[1]. Instead,
all connections on ports 80/443 are expected to use the VVLI Web Proxy,
which means that
lbhe znpuvarf ybfr zbfg bs gur orarsvg bs FFY (nyy, vs gur cebkl
nqzvaf ner va nal jnl yrff guna cresrpg) naq gurersber lbh pna'g qb
lbhe wbo.
Post by hymie!
And they are completely unwilling to accept or even acknowledge any request
that suggests that only allowing $SOURCE_MACHINE to access $DEST_MACHINE
is a better solution than allowing $SOURCE_MACHINE to get to hundreds
of web sites AND allowing hundreds of VVLI machines to access $DEST_MACHINE.
So you get to have your people (i.e. manager) talk to their people.
That's what they're for.
Post by hymie!
If I'm 47 ... that means I can't retire for at least 23 more years.
You could always win the lottery. Playing it makes this a bit more
likely, but not much.
--
Kids are cool. I wanted to do experiments, but they wouldn't let me.
-- Joel Gluth
Satya
2017-10-03 23:59:03 UTC
Post by Roger Bell_West
It's fine, it's just that the Secret Masters of USENET have declared
that you're To Blame for this month. I shouldn't say this much, you
know how it is.
I like the term "designated goat".
--
"Two USB ports don't make an eSATA" -- MF