Why use the firewall?

hymie!

Oct 21, 2019, 12:15:30 PM
I work for a Large Government Agency.

My machines are on an internal network. Even though I have valid IPv4
addresses, my network is behind numerous firewalls that control all incoming,
outgoing, and even internal access.

...except the Web.

If I want to connect to a site over port 80 or 443, the network team
will not approve any firewall requests. I must use the designated "web
proxy", which provides my machine access to a list [1] of over 450 web
sites, including numerous that end with amazonaws.com .

I can't have access to just the one web site I want. I can access all
of them, or I can access none of them.

Somehow, that qualifies as "network security".

--hymie! http://lactose.homelinux.net/~hymie hy...@lactose.homelinux.net

[1] I went to download the list so that I could count its length. The
$LGA web site hosting the list has an SSL certificate that expired
this past Thursday.

The Horny Goat

Oct 21, 2019, 12:38:24 PM
On Mon, 21 Oct 2019 16:15:26 GMT, hymie! <hy...@lactose.homelinux.net>
wrote:
Do I correctly understand you're saying you have to have 450 web tabs
open AT ONCE? Or none?

That would definitely provide security by bringing your system to its
knees and prevent you getting any work done at all.....

hymie!

Oct 21, 2019, 2:05:58 PM
In our last episode, the evil Dr. Lacto had captured our hero,
The Horny Goat <lcr...@home.ca>, who said:
> On Mon, 21 Oct 2019 16:15:26 GMT, hymie! <hy...@lactose.homelinux.net>
> wrote:
>
>>If I want to connect to a site over port 80 or 443, the network team
>>will not approve any firewall requests. I must use the designated "web
>>proxy", which provides my machine access to a list [1] of over 450 web
>>sites, including numerous that end with amazonaws.com .
>>
>>I can't have access to just the one web site I want. I can access all
>>of them, or I can access none of them.

> Do I correctly understand you're saying you have to have 450 web tabs
> open AT ONCE? Or none?

No. If I want permission to access a particular web site, it comes
with permission to access 450 other web sites. I can't restrict
my machine to access only the web sites I want to allow it to access.
I have no choice but to give my machines access to a wide range of
web sites that I would rather not have access to.

--hymie!

The Horny Goat

Oct 21, 2019, 11:46:56 PM
On Mon, 21 Oct 2019 18:05:56 GMT, hymie! <hy...@lactose.homelinux.net>
wrote:

>> Do I correctly understand you're saying you have to have 450 web tabs
>> open AT ONCE? Or none?
>
>No. If I want permission to access a particular web site, it comes
>with permission to access 450 other web sites. I can't restrict
>my machine to access only the web sites I want to allow it to access.
>I have no choice but to give my machines access to a wide range of
>web sites that I would rather not have access to.

Glad you clarified - I figured that COULDN'T be true. I remember about
15 years ago when my mother asked me to figure out why her machine (a
900 MHz Celeron which for 2003 wasn't so slow) had >28< MS Word
windows open. Apparently Mom knew how to ctrl-N but not how to close
the documents. Needless to say that was a very quick fix!

Juancho

Oct 25, 2019, 6:14:17 PM
On 21/10/19 18:15, hymie! wrote:
> If I want to connect to a site over port 80 or 443, the network team
> will not approve any firewall requests. I must use the designated "web
> proxy", which provides my machine access to a list [1] of over 450 web
> sites, including numerous that end with amazonaws.com .

So what happens if the web site you want to reach is not among those 450
web sites?

--
EOT.

hymie!

Oct 25, 2019, 9:03:30 PM
In our last episode, the evil Dr. Lacto had captured our hero,
They will happily add my site to the list [2], and then my machine --
and every other machine using the web proxy -- can access the site I
requested.

[2] Presumably they check it first

--hymie!