mtg followup - data
Jim Dennis
jimd at starshine.org
Tue Nov 22 09:10:19 PST 2005
On Fri, Nov 18, 2005 at 09:10:21PM -0800, Alvin Oga wrote:
> hi ya
> On Fri, 18 Nov 2005, Paul M. Moriarty wrote:
>>> that's the whole point isn't it ?? .. to protect the data ..
>>
>> Yes, but it is a different approach from not permitting employees
> the point too, is that how to make sure that all the laptops
> coming into and going out of the corp lan are "secure"
> - if people can plug it anytime and remove anytime,
> there's been many cases where their "important presentation"
> was never backed up ...
> the whole point, is not permitting it, requires some paperwork
> and some paper trails, and you're on notice, that will hopefully have
> everybody playing by the same rules .. vs total chaos of stuff coming in
> and leaving without "management" approval
> x> Security = 1/Convenience It's a hard balance
> there's a missing fudgeFactor(1/convenience ) in the equation :-)
> c ya
> alvin
I suspect that your ratio (security is the inverse of convenience)
can be mitigated with some constant for intelligent IT choices and
effort. If not then we're all in a futile business.
There might be a very reasonable argument in favor of configuring
the building wiring so that all laptops can only be plugged into
a "red" (untrusted) LAN segment. So, effectively, all wireless and
mobile devices can only access the company networks via VPN.
So far the only meaningful wifi security model seems to be to
trap the wifi segments on their own non-routable nets which can
only access the company VPN nodes. This makes such a segment
basically useless to war drivers and crackers since they can only
see one another on the segment --- given that we use decent forms
of crypto for authentication and session data among all approved
devices on that wifi segment. (By encryption I'm NOT referring
to any WEP or WPA crap in the card firmware: IPSec, OpenVPN/SSL,
or ssh)
So I'm just saying that the policy might be extended to all
wired nodes in all conference rooms and to the wired nodes into
which all cubicle and office docking stations are plugged.
By isolating those segments from the company LANs and from the
Internet at large you also mitigate some of the risks posed by
viruses and spyware. (Personally I prefer to mitigate that much
further by refraining from running Windows).
(Actually you might find it necessary to put the conference rooms
on a segment which is routed or NAT'd to the 'net; so that visiting
business associates, guests and customers can access their remote
resources therefrom).
One can also make an argument in favor of VMware for reducing
the virus and spyware risks. If you get people off of Outlook
then you minimize their chance of infection via e-mail vectors.
(Woe is me! They'll have to use two different applications for
messaging and scheduling!). However, VMware has to be used
with aggressive snapshot branching to be useful for this purpose;
and it's probably too much to expect to train a significant number
of employees in how to use it for that effect.
--
Jim Dennis
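The red-segment design described in the message above (untrusted wired and wifi segments that can reach nothing on the company network except the VPN node, with the conference-room variant additionally routed or NAT'd to the Internet) as an added example that is not part of the thread: a small Python model of the forwarding policy at the segment router, and the nftables ruleset that same policy renders to. The addresses, the gateway, the segment names and the permitted tunnel services (OpenVPN, IPsec, ssh, following the crypto the post lists) are constructed assumptions, not anything from the original post.

```python
# Added example, not from the original thread: a model of the "red segment" policy
# the post describes, plus the nftables ruleset that enforces it at the segment router.
# All addresses, segment names and the VPN service list are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed addressing (assumption: one router sits between these segments and the rest).
RED_WIRED = ip_network("10.99.0.0/24")    # conference-room and docking-station ports
RED_WIFI = ip_network("10.98.0.0/24")     # wifi, no route to anything but the VPN node
GUEST = ip_network("10.97.0.0/24")        # conference rooms that also need NAT to the Internet
VPN_GATEWAY = ip_address("10.10.1.1")     # the only company host untrusted segments may reach
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
UNTRUSTED = [RED_WIRED, RED_WIFI, GUEST]

# Services permitted on the gateway: OpenVPN/SSL, IPsec (IKE, NAT-T, ESP) and ssh.
# ESP has no port, so it is keyed by protocol alone.
VPN_SERVICES = {("udp", 1194), ("udp", 500), ("udp", 4500), ("esp", None), ("tcp", 22)}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                 # "tcp", "udp" or "esp"
    dport: Optional[int] = None


def decide(pkt: Packet) -> str:
    """Verdict for a packet crossing the segment router (forward hook).

    Traffic between two hosts on the same segment never reaches the router,
    which is why the post notes that hosts on a red segment can still "see one
    another"; this filter governs everything that tries to leave the segment.
    """
    if not any(pkt.src in net for net in UNTRUSTED):
        return "accept"        # trusted source; other policy applies, out of scope here
    key = (pkt.proto, None if pkt.proto == "esp" else pkt.dport)
    if pkt.dst == VPN_GATEWAY and key in VPN_SERVICES:
        return "accept"        # the one permitted destination, tunnel services only
    if any(pkt.dst in net for net in PRIVATE):
        return "drop"          # no company LAN, and no hopping between untrusted segments
    if pkt.src in GUEST:
        return "accept"        # guest segment is NAT'd to the Internet (postrouting not shown)
    return "drop"              # red segments reach the Internet only through the VPN


def nftables_ruleset() -> str:
    """Render the same policy as an nftables table for the segment router."""
    untrusted = ", ".join(str(n) for n in UNTRUSTED)
    private = ", ".join(str(n) for n in PRIVATE)
    udp_ports = ", ".join(str(p) for proto, p in sorted(VPN_SERVICES, key=str) if proto == "udp")
    tcp_ports = ", ".join(str(p) for proto, p in sorted(VPN_SERVICES, key=str) if proto == "tcp")
    return "\n".join([
        "table inet red_segments {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr {{ {untrusted} }} jump untrusted",
        "  }",
        "  chain untrusted {",
        f"    ip daddr {VPN_GATEWAY} udp dport {{ {udp_ports} }} accept",
        f"    ip daddr {VPN_GATEWAY} tcp dport {{ {tcp_ports} }} accept",
        f"    ip daddr {VPN_GATEWAY} meta l4proto esp accept",
        f"    ip daddr {{ {private} }} drop",
        f"    ip saddr {GUEST} accept",
        "    drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nftables_ruleset())
```

The model and the ruleset share the same constants, so a change to the permitted service list or the gateway address shows up in both the decision function and the rendered table; the decision function is what you would run against captured flow records to check that the deployed ruleset does what the design intends.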