I will tunnel your ass!

Lately my network policies have been changed to very, very strict ones, so I can’t even download my emails anymore! Here’s my favorite quote for you:

The moral is: a firewall cannot protect a network against its own internal users, and should not even try to.

When an internal user asks you, the system administrator, to open an outbound port to an external machine, or an inbound port to an internal machine, then you should do it for him. Of course you should help the user to make sure that his transactions are secure, and that his software is robust. But a flat-out denial of service is plain incompetence. For unless he is so firewalled as to be completely cut off from the outside world, with no ssh, no telnet, no web browsing, no email, no dns, no ping, no phone line, no radio, no nothing, the user can and will use firewall piercing techniques to access the machines he wants nonetheless, and the net result for security will be an unaudited connection with the outside world. So either you trust your users, after proper training and selection, or you shouldn’t grant them access to the network at all. You can and you shall protect them from the outside world, but you can’t protect them from themselves.

Because there exist such things as system administrators who are unresponsive, absent, overworked, plain incompetent, or more generally managed by incompetent people, it so happens that a user may find himself behind a firewall that he may cross, but only in awkward ways.

Just wait, you’ll see…
