
another firewall (team) rant


hymie!

Oct 3, 2017, 8:27:39 AM
(I hope the sacrificed chicken is working. I see my posts, but nobody
responds, so I'm sad and confused.)

I work for a Very Very Large Institution. $VVLI has lots of segmented
networks, which are controlled by firewalls, which are controlled by
locally-autonomous firewall teams.

I have $SOURCE_MACHINE, which needs to access $DEST_MACHINE on port 443.
These two machines are on opposite sides of a certain firewall. The
firewall team will no longer approve requests using port 443[1]. Instead,
all connections on ports 80/443 are expected to use the VVLI Web Proxy,
which means that

(a) $SOURCE_MACHINE will have access to any destination on the VVLI
Web Proxy White List, such as
* akamaitechnologies.com
* amazonaws.com
* aspnetcdn.com
* cpan.org
* freecode.com
* freshmeat.net
* illinois.gov
* pidgin.im
* sony.com (Remember the "root-kit" situation?)

(b) Any VVLI host that uses the VVLI Web Proxy will have access to
$DEST_MACHINE

And they are completely unwilling to accept or even acknowledge any request
that suggests that only allowing $SOURCE_MACHINE to access $DEST_MACHINE
is a better solution than allowing $SOURCE_MACHINE to get to hundreds
of web sites AND allowing hundreds of VVLI machines to access $DEST_MACHINE.

If I'm 47 ... that means I can't retire for at least 23 more years.

[1] it used to be allowed -- so newer machines have to be configured
differently than pre-existing machines

--hymie! http://lactose.homelinux.net/~hymie hy...@lactose.homelinux.net
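The trade-off the post describes can be put in numbers. The script below is an added example, not code from the original post: it models a firewall policy as a list of (src, dst, port) rules, expands each policy into the concrete flows it permits, and reports how many flows the proxy route grants beyond the single flow actually requested. The host names SRC, DEST and the hundred other proxy users are constructed stand-ins for $SOURCE_MACHINE, $DEST_MACHINE and "hundreds of VVLI machines"; the whitelist entries are the domains the post lists.

```python
"""Compare the reachability granted by a narrow firewall rule against a
shared web-proxy whitelist.

Added example, not from the original post.  SRC, DEST and
OTHER_PROXY_USERS are constructed names; WHITELIST holds the domains the
post says are already on the proxy whitelist.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str   # a host name, or "*" for any host permitted to use the proxy
    dst: str   # a host name or domain
    port: int


# Constructed names standing in for $SOURCE_MACHINE / $DEST_MACHINE and the
# other hosts that are allowed to use the proxy.
SRC = "source.vvli.example"
DEST = "dest.vvli.example"
OTHER_PROXY_USERS = {f"host{i}.vvli.example" for i in range(1, 101)}
PROXY_USERS = OTHER_PROXY_USERS | {SRC}

# Destinations the post lists as already whitelisted on the proxy.
WHITELIST = {
    "akamaitechnologies.com", "amazonaws.com", "aspnetcdn.com", "cpan.org",
    "freecode.com", "freshmeat.net", "illinois.gov", "pidgin.im", "sony.com",
}


def narrow_rules(src, dst, port=443):
    """The least-privilege request: exactly one src -> dst:port flow."""
    return [Rule(src, dst, port)]


def proxy_rules(whitelist, dst, port=443):
    """What the proxy route implies: dst must join the whitelist so src can
    reach it, and the whitelist applies to every proxy user alike."""
    return [Rule("*", d, port) for d in sorted(whitelist | {dst})]


def expand(rules, proxy_users):
    """Expand rules into the concrete set of (src, dst, port) flows allowed."""
    flows = set()
    for r in rules:
        sources = proxy_users if r.src == "*" else {r.src}
        for s in sources:
            flows.add((s, r.dst, r.port))
    return flows


def is_allowed(rules, proxy_users, src, dst, port):
    """Would this flow pass under the given policy?"""
    return (src, dst, port) in expand(rules, proxy_users)


def exposure_report(src, dst, proxy_users, whitelist, port=443):
    """Flows the proxy policy grants that the narrow rule does not."""
    needed = expand(narrow_rules(src, dst, port), proxy_users)
    granted = expand(proxy_rules(whitelist, dst, port), proxy_users)
    extra = granted - needed
    return {
        "needed_flows": len(needed),
        "granted_flows": len(granted),
        # outbound: everything src can now reach besides dst
        "extra_src_destinations": sorted(d for s, d, _ in extra if s == src),
        # inbound: every other host that can now reach dst
        "extra_hosts_reaching_dst": sorted(s for s, d, _ in extra if d == dst),
    }


if __name__ == "__main__":
    rep = exposure_report(SRC, DEST, PROXY_USERS, WHITELIST)
    print(f"flows requested: {rep['needed_flows']}")
    print(f"flows granted by proxy route: {rep['granted_flows']}")
    print(f"{SRC} additionally reaches: {', '.join(rep['extra_src_destinations'])}")
    print(f"hosts additionally reaching {DEST}: {len(rep['extra_hosts_reaching_dst'])}")
```

With the constructed numbers the narrow rule permits one flow, while the proxy route permits 1010 (101 proxy users times 10 whitelisted destinations): the source host gains nine unrelated destinations and a hundred other hosts gain the destination. The whitelist and host sets are the only inputs, so the same report can be run against a real proxy whitelist export and host inventory.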