Remote access

Marko Vojinovic vvmarko at gmail.com
Fri Oct 14 21:04:07 UTC 2011


On Friday 14 October 2011 16:28:17 Ed Greshko wrote:
> All I know is this....  If I were Marko's employer and I read his views
> on circumventing or flouting the rules of a company I'd start to worry.

Oh, I understand you completely! :-)

The opinion that I have comes from the experience of being on both sides of 
the "fence" --- at times, I was the client needing some access, and at other 
times I was the admin being asked to provide that sort of thing.

The point is that when someone asks me to change firewall rules to allow him 
some type of access, I take it very seriously into consideration. If there are 
no security threats, I would typically grant access. If there are security 
issues, I would invest some effort into helping the client achieve his goal 
in a different manner, and/or help him understand why his wish is a Bad Idea 
from a security standpoint, and I would not stop until I was sure he 
understood. If I don't do that, I run the risk that he is going to provide 
himself access behind my back, and that would be even worse.

OTOH, whenever I was in the position of a client asking for something, I 
expected nothing less from my admin. If I ask for, say, a firewall rule to 
grant me some access to something, the admin's reply "it's against the rules" 
is not enough. I go on to ask which rule, why, how, for what purpose, etc., and 
if the admin has good answers, I am persuaded to give up on my request for 
access.

But quite often, the admin doesn't have a valid response to "which rules", 
"why are those rules in place" and "what could happen if someone disobeys that 
rule". If I am not persuaded that the rule actually makes sense, I go on to 
challenge it in one way or another. Quite often I have found that such rules 
are a consequence of someone's incompetence or a relic from the past, and 
that they are completely useless and artificial (a typical case is when the 
company bureaucracy doesn't keep up with technological development).

In such cases, as well as when the admin insults my intelligence with an 
answer of the type "it's too complicated for you to understand why...", I come 
to the conclusion that the rule can be ignored.

Once I even got caught ignoring one of the rules, and when audited by my boss, 
I presented arguments for my defense that eventually led to removing the 
offending rule from the "terms of service" and company policy (it was about 
allowing access for p2p communication, torrent in particular). I wasn't even 
punished in any way. The rule was just plain stupid and unnecessary.

The point is that I am not some hippie, ignorant of security or other policies 
that are enforced on the users, I just don't want to blindly "uphold the 
rules" without any sanity. :-)

Best, :-)
Marko

P.S. <quote>Rules are made to be broken...</quote> ;-)