New York Times

April 14, 2008, 9:09 am

Enterprise 2.0: A Computer Security Nightmare?

In the Internet age, the corporate firewall is a leaky sieve.

That is the sobering conclusion, spelled out in technical detail, in a new report on what is actually happening on corporate computer networks.

The research was done by Palo Alto Networks, a start-up in Silicon Valley, and some of the findings were presented by Nir Zuk, the company’s chief technology officer, at a panel last week at the RSA computer security conference in San Francisco.

It should be noted that Palo Alto Networks is marketing what it calls next-generation firewalls to address the problems described in the report. But the research itself looks quite solid. It is based not on surveys of people but on a study of network traffic at 20 large companies and government agencies over the last six months. Using its software, Palo Alto Networks monitored the computer behavior of more than 350,000 users. The company has pledged to update and publish the results every six months.

Many companies try to block access to peer-to-peer file-sharing services, but programs used to access these services were found at 90 percent of the companies studied. The most popular were eMule and BitTorrent, which are used to share music, movies and software.

Unauthorized proxies, or software agents that disguise applications, were found on 80 percent of the corporate networks. These can be used for corporate espionage or pilfering trade secrets.

Google applications like Google Docs and Google Desktop were used in 60 percent of the corporations studied. And, no surprise, Internet video services like YouTube were consuming large portions of network bandwidth at all the companies.

One conclusion, the report notes, is that users are routinely, and fairly easily, circumventing corporate security controls. And that is because traditional firewall technology was not meant to grapple with the diversity of Internet applications of recent years.

“We see every enterprise leaking from the inside out,” said Dave Stevens, chief executive of Palo Alto Networks.

But the answer, it seems, is not a draconian crackdown on all Internet applications, but a more fine-grained monitoring and sorting of what applications can play in corporate networks and under what ground rules. After all, many Internet applications are seen as vital tools of productivity, collaboration and innovation — the stuff of Enterprise 2.0 companies.

Take Google Desktop, Mr. Stevens noted. It is a great productivity tool for users to quickly search by topic for the nuggets of information buried in their computer files and information. But companies, he said, are deeply uneasy about the indexing feature that links desktop searches back to Google’s computer servers, and the prospect of their corporate data being indexed by Google.

“But companies don’t want to block Google Desktop, they want to use it securely,” Mr. Stevens said. In this case, he explained, the solution is to be able to turn off the link back to Google’s servers. And in general, he added, the answer is for corporations to have that sort of granular control over the new wave of Internet applications.


14 Comments

1. April 14, 2008 11:01 am

I found another program by Microsoft, called Microsoft Desktop, that indexes just as well as Google Desktop, and it doesn’t have any links back to Microsoft.

— Landon
2. April 14, 2008 11:20 am

I’ve been training network administrators to install and configure hardware firewalls for ten years.

I emphasize to all of them that there’s no such thing as ‘perfect’ security. Network security is risk management, but we have to remember that the PURPOSE of the network is not to be secure … the purpose of the network is to GET WORK DONE. Your job as the person configuring security architecture is to determine how to get the work done productively in the most secure manner possible.

You want perfect security … disconnect from the Internet, but accept vastly lowered productivity. You want good risk-management, then understand the structure of your network and the needs of your employees and be prepared to adapt your security policies over time.

— KPinSEA
3. April 14, 2008 11:31 am

It’s a problem old as time. Do you chain your employees to their desks, monitor their every move, and burden them with restrictions in an effort to control their freedom, or do you allow them to gather at the water cooler — or Google Desktop, as the case may be — mingle, chat, waste time… and in the process come up with the innovations that will boost their productivity, boost your stock price, and make you a world leader in your field.

It’s a difficult decision, isn’t it…

— Paul G
4. April 14, 2008 12:03 pm

Yikes! The title of this post is scary and misleading. I agree that employee use of external social software applications introduces a new set of challenges for companies, but these examples are off-base: BitTorrent and Google Desktop are not Enterprise 2.0 applications.

Most E2.0 savvy companies are establishing acceptable use policies designed to protect corporate IP and/or running private collaboration platforms. These strategies aren’t bulletproof, but they go a long way toward preventing the type of security nightmare you describe. I fear that the title of this post may perpetuate misplaced fear and validate wariness of internal information sharing.

Jen Robinson
Emerging Solutions Lead, SAP

— Jen Robinson
5. April 14, 2008 12:33 pm

Is this really a surprise? Aren’t firewalls designed to keep inbound threats at bay and not necessarily “authorized” outbound traffic in check – a bit like a one-way door? This sounds like a typical SillyValley start-up (with which I am intimately familiar) intending to drum up business/get some free ink by producing a white paper that announces some “dramatic” findings. A bunch of sound & fury signifying nothing, but the marketing people @ PAN are happy today no doubt.

— William H. Joy
6. April 14, 2008 12:49 pm

Network do-hickeys, in general, are still stuck in the argot, disciplines, and mindset of when they were originally created in small academic and living-room environments. Configuration of network devices and software at its best still requires an arcane mixture of nomenclature, protocols, and art.

For example, some interfaces to the devices and software allow a range of network addresses to be entered such as xxx.xxx.xxx.xxx to another xxx.xxx.xxx.xxx, while others require xxx.xxx.xxx.xxx/nn. The nn is a number that, when expressed in binary, is a mask that is used to generate a subnet mask… well never mind. Unless you are doing this every day and have that sort of memory, do as I do and get a large sheet of paper and pencil and allow yourself some time.

A great many firewall devices and software implementations of the same are port-based. What this means is that particular types of network activity are conducted not just between network addresses but on dedicated channels. Think of ports as something like channels on walkie-talkies. Both sender and receiver talk and listen on the same port. It is a bit more complex than that in many circumstances (start on one port, then jump to another pre-defined or randomly chosen port), but that is the general idea.

Unlike walkie-talkies, though, the traffic on particular ports is supposed to follow specific rules and have particular content types. It is like assigning different languages or dialects to different walkie-talkie channels.

There are three rough categories of ports: well-known, registered, and dynamic or user-defined. The well-known ones are from the original network designs, the registered ones came from dominant software manufacturers later on, and the dynamic and user-defined ones are self-describing.

With this in mind, firewall devices and software initially attacked security issues by either allowing or denying network messages on certain ports. For example, File Transfer Protocol, or FTP, is assigned to port 21. Cut off port 21 traffic from or to your network and you don’t worry about it becoming a security issue; almost always firewalls allow blocking separately for incoming and outgoing traffic.

Take another protocol, HTTP. When most people think of their network, they think of the Internet and their little place on it. They also think of email and browsing, and browsing uses HTTP protocols. As the article points out, browsing has become a wide range of things, and it will continue to expand.

One reason for this is firewalls themselves. Software developers don’t want to create products that use ports for network communications that would require opening up new firewall connections; most users wouldn’t have access to or control over that, and network administrators would generally not do it. This led software developers to look for ports that were sure to be open and to pack their information into the format and content requirements of that port’s protocols, and that spawned most of the variants the article refers to.

Some firewall devices and software are performing what is referred to as stateful packet inspection, or SPI. SPI watches the connection state and makes sure it obeys what the protocol describes. Beyond SPI, however, is application filtering, which looks at what is contained in the message itself to make certain it is not doing something that is outside the scope of what is allowed.

I bring up the esoteric world of network lingo and juxtapose it with application packet filtering to illustrate the current problem sets more clearly. Not only are many network mindsets still stuck in the early concepts, which have survived and served us well, but they also serve as an on-ramp to continuing the problem by not addressing it. Secondly, all the routers, firewall devices, network cards and servers subscribe to the model, and changing those out is worse than phasing out analog TV. Thirdly, software developers, with good intentions and bad, will continue to exploit the current model to create new protocols without them becoming formal models.

The developers will always be ahead of the firewall guys a priori. It is good, at least, that more attention on new generation products in that area is happening, but it is not the essential problem.

— Larry Heimendinger
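The three ideas in the comment above, the /nn mask, a port-based allow/deny rule, and application filtering that looks inside the message, worked through on constructed traffic. This is an added example, not code from the comment, the article or Palo Alto Networks; the internal range, the policies and the sample packets are all constructed.

```python
from dataclasses import dataclass

# The "/nn" in xxx.xxx.xxx.xxx/nn is a count of leading 1 bits in the subnet mask.
def prefix_to_mask(nn: int) -> str:
    """Prefix length to dotted-decimal mask, e.g. 24 -> 255.255.255.0."""
    mask = (0xFFFFFFFF << (32 - nn)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(p) for p in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def in_subnet(addr: str, cidr: str) -> bool:
    """True if addr lies inside network/nn, e.g. 10.1.2.3 in 10.0.0.0/8."""
    network, nn = cidr.split("/")
    mask = ip_to_int(prefix_to_mask(int(nn)))
    return ip_to_int(addr) & mask == ip_to_int(network) & mask

@dataclass
class Packet:
    src: str        # internal host address (constructed)
    dport: int      # destination port on the outside
    payload: bytes  # first bytes of the application data

INTERNAL_NET = "10.0.0.0/8"                            # constructed corporate range
PORT_POLICY = {21: "deny", 80: "allow", 443: "allow"}  # constructed port-based rules

def port_decision(pkt: Packet) -> str:
    """Classic port-based firewall: judge outbound traffic by destination port only."""
    if not in_subnet(pkt.src, INTERNAL_NET):
        return "deny"
    return PORT_POLICY.get(pkt.dport, "deny")

def identify_app(payload: bytes) -> str:
    """Application filtering: look at what the message contains, not which port it uses."""
    # A BitTorrent peer handshake starts with byte 19 followed by "BitTorrent protocol".
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # An HTTP request line is "<METHOD> <target> HTTP/1.x".
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD") and parts[2].startswith(b"HTTP/1."):
        return "http"
    return "unknown"

APP_POLICY = {"http": "allow"}  # constructed: only traffic identified as web browsing may leave

def app_decision(pkt: Packet) -> str:
    """Port rule first, then allow only if the content really is what the port implies."""
    if port_decision(pkt) == "deny":
        return "deny"
    return APP_POLICY.get(identify_app(pkt.payload), "deny")

# Constructed samples: a web request, a peer-to-peer handshake and an opaque tunnel all aimed at port 80, plus FTP on 21.
SAMPLES = [
    Packet("10.1.2.3", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("10.1.2.3", 80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    Packet("10.1.2.3", 80, b"\x00\x01\x02custom tunnel frame"),
    Packet("10.1.2.3", 21, b"USER anonymous\r\n"),
]

def compare(samples=SAMPLES):
    """(port-based verdict, application-aware verdict) per sample; a mismatch means the port rule was fooled."""
    return [(port_decision(p), app_decision(p)) for p in samples]
```

Running `compare()` shows the second and third samples pass the port rule but fail the application check, which is exactly the gap the comment describes.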
7. April 14, 2008 12:57 pm

It’s the companies with the boat anchor mainframes and the old paradigm IT departments that have put their own information at risk on those servers in the first place, and their only solution, having the imagination required to look at those boat anchors and feel competitive, is to impede the employees rather than gut their own shops and cross centuries.

And of course, there will be plenty of companies to make this possible with ever-evolving security strategies, making a handsome profit by postponing the dinosaurs’ extinction in the process.

— S L
8. April 14, 2008 1:00 pm

Security-Enhanced Linux, developed by the NSA and supported by (among many others) Red Hat and Fedora, can answer some of these problems if users are not allowed to administer their desktop machines.

First, an aside to answer the “no software available” complaint about Linux. The OpenOffice productivity suite, compatible with the ISO standard Open Document Format (ODF), and generally able to open and write current Microsoft formats, is adequate for a large fraction of desktop users. Microsoft takes the competition very seriously, and over the past year carried out an underhanded and apparently successful battle, extensively documented at http://www.groklaw.net/staticpages/index.php?page=20051216153153504, to railroad their own format, Microsoft Office Open XML (MS-OOXML), through as an ISO standard.

The Firefox web browser is native to the Linux environment. The Evolution email, calendar, contacts, memos, and to-do list is compatible with Microsoft Exchange and works much like Outlook. Ever increasing numbers of specialized packages are also available.

But to return to the topic at hand, using SELinux, administrators can easily prevent users from installing software, and every machine can run its own firewall to keep the users in rather than keeping others out. Each program can be separately restricted in which of the user’s files it can read or write.

For example, users can be permitted to use Firefox to browse the web, but Firefox can be prevented from reading files it should not have access to. The Mozilla foundation and associated community are working on projects to prevent one website from learning what the user has been doing on other websites.

There are rough edges to this — it is not uncommon to hear “to fix that, turn SELinux enforcement off” — but tools for repairing the SELinux security policies are becoming much easier for the administrator to use, and more packages have correctly working policies.

Fedora 9 LiveCD will be available soon from fedoraproject.org (free, as usual). It permits you to test out the software mentioned above without installing any software on the hard disk.

— archimerged
9. April 14, 2008 1:09 pm

In terms of desktop search, I use a freeware program called Copernic Desktop Search, and it is not only a better local search engine than Google Desktop or MS Desktop, but it is also far less intrusive and faster. Does just what you want, and no more.

I highly recommend it.

— Tyler
10. April 14, 2008 1:16 pm

The Enterprise version of Google Desktop allows granular control of the desktop application. Administrators can set security policies etc.
http://desktop.google.com/enterprise/about.html

In my opinion this is a good example of how these apps should be written.

— Jack Hawkins
11. April 14, 2008 6:53 pm

Maybe there’s a better answer. Companies who embrace and implement Enterprise 2.0 applications behind the firewall take control, manage the process, keep their proprietary information secure, energize their workforce and reap the collaboration and communication benefits that come from creatively using social network software to get work done.

Managed RSS platforms can be securely set up behind the firewall to automatically and intelligently deliver relevant content from internal and external news sources, blogs, wikis and forums. Analytics and reporting on the content being consumed can be used to identify the most efficient communication channels and sources of the highest value content. And, the organization keeps their data safely on their network and hardware.

http://www.attensa.com/blogs/attensa/2007/11/putting_the_flow_in_enterprise.php

— Scott Niesen
12. April 15, 2008 9:27 am

This article was a semi-yawn. It’s no big secret that firewalls are not the be-all and end-all for keeping intruders (internal and external) under control.

The article fails to mention there are many complementary devices/software that address the endless procession of software users should *not* be using. Websense, for example, analyzes all activity at the edge of the network and blocks any protocols defined as not allowed.

You don’t want users hogging up your bandwidth watching the latest pirated video? Pony up some cash and invest in additional perimeter security.

And #11’s suggestion is a bandwidth-saver and keeps the troops happy :-)

— M O’Hara
13. April 15, 2008 12:22 pm

Jen @ SAP in comment #4 said it best. The examples cited are NOT Enterprise 2.0, so the article title is completely misleading.

If the author had wanted to be accurate AND still use a buzzword (which was surely the only motive), then it should have read “Web 2.0: A Computer Security Nightmare?”

Palo Alto Networks themselves didn’t even use the term in their press release, opting instead for a catchy “The Application Usage and Risk Report: An Analysis of Major End User Application Trends in the Enterprise”.

http://www.enterprise2dot0.com

— Niall Cook
14. July 7, 2008 7:53 am

This article should come as no shock to anyone. People feel that their office computers are their own personal property. To that end, unless they are strictly prohibited, end-users will continue to use torrent sites, YouTube, MySpace, etc. from their offices. It is up to the corporation to decide if and how it wants to monitor, block, or control access to these sites. We all know of course that a firewall will not do the job (that’s not what firewalls are meant to do). A company would need a system such as Blue Coat to make sure network access is properly controlled.

In terms of 2.0 tools specifically, it is up to the company to decide if any of these tools are useful for their employees. Of course, the use needs to be weighed against the risks based on the specific needs of the company.

It should be noted that a company needs to provide the specifics of the monitoring in their employee training manuals, or other documentation given to employees.
http://conversationstarter.hbsp.com/2008/03/surveillance_a_managers_dilemm.html

MBridge, LLC
http://www.MBridge.com

— MBridge
