[chrismsnz]

Circumventing your companies firewall is not a great idea in the first place.

Additionally, if they have aggressive egress filtering, its likely that the only DNS communication will be via an internal resolver which is going to be monitored - iodine is going to leave a LOT of shit in those logs.

[JoshTriplett]

> Circumventing your companies firewall is not a great idea in the first place.

Neither is putting in place a firewall that makes people need to circumvent it to get their jobs done. If you work at the NSA, sure, it makes sense that all access is heavily restricted. (Though if you work at the NSA, please reconsider what you're doing with your life.) But if you work at an ordinary company, and doing your job (note: not goofing off, but actually doing your job) requires you to work around the corporate firewall, that's a serious policy problem. And the answer isn't to sit on your hands until IT fixes the firewall, because IT departments invariably seem to have far too many people in them that forget that you can't create security by preventing work. A system encased in concrete is secure, but not useful.

[chrismsnz]

I'm a security guy so I obviously have a differing viewpoint, but when it comes to ensuring what data comes in and leaves your environment there's little choice. The ability to analyse outgoing traffic is really a requirement for being able to effectively detect and respond to incidents.

If your job involves idling on Freenode maybe take it up with management?

EDIT: phrasing

[buserror]

It's still a bit silly, I can plug my smartphone in the same PC and have a completely un-monitored network link.. So instead of having /some/ sort of control on traffic if their firewall was not rendering the link useless for a lot of case, they get people (I see them) doing just that.

It's not security, it's security-by-the-checkbox, that doesn't prevent them having the whole intranet on a single shared drive, use outlook, flash, java etc etc. Oh, and such a braindead password policy (like, 6 of them) that everyone has to keep them on postits anyway.

[JoshTriplett]

First, security is never a goal in itself; the goal is to get some job done, which involves having something to protect, and security's job is to protect it.

Second, even when your metric is security, creating a policy that people have to circumvent to get their job done seems likely to reduce security.

> when it comes to ensuring what data comes in and leaves your environment there's little choice

The concept of your environment having an "inside" and an "outside" is dangerous. Better to assume that "inside" is just as hostile as "outside", and avoid having any insecure internal services or resources. Use TLS/HTTPS everywhere internally, require authentication for internal services, and otherwise make sure that an attacker gains nothing by compromising an end-user system except what's on that end-user system.

> If your job involves idling on Freenode

Forget "idling"; participating effectively in many Open Source projects (whether developing them or getting support for them) requires the ability to get on IRC.

> maybe take it up with management

Short of C-level executives, management rarely has the ability to change IT policy.

[chrismsnz]

I guess the goal of Security is to not become the next OPM or Hacking Team.

I agree with what you say regarding perimeter security, a concept quickly decreasing in relevance in today's environments. Unfortunately, when you have thousands of people working for you that don't know how to computer, you have to take steps to ensure that the data and functionality that they're handling remains protected.

Additionally, a large amount of attack surface exists on the client side, and with these two factors at play you're dealing with a lot of non-trivial trust relationships within your organisation.

Yes, ideally every system would be an island, and everyone who was supposed to operate it could do so securely and competently enough that they'd realise if something was wrong.

Until then, corporate workstations live in a locked down world where all external access is monitored and scrutinised.

[jac_no_k]

If getting the job done requires exceptional access outside what is allowed by the firewall, a formal exception should be sought. Perhaps there is a solution to put a workstation separate from the corporate network? Maybe it's time to take up the management banner charge up the ranks to have C-level visibility? Someone needs to be the hero. :P

Continuing to circumvent the corporate controls puts your job and possibly your career in jeopardy. Likely you will impact your colleagues as well with even more onerous restrictions.

[buserror]

Well I hope they don't proxy the DNS -- it's quite costly to do so, if they don't it'll be fine. If they do, well, I'll have to find another way using 'long' http transactions and such...

[chrismsnz]

Running an internal DNS resolver is actually very cheap, almost every broadband CPE device runs or can run its own DNS proxy resolver.

It's also a great source of information when monitoring egress communication, so I would just make sure you know what you're doing.

[hueving]

Why would you think that's costly? A cheap home router can do it with dnsmasq.