mtg followup - laptops
Rob Windsor
windsor at warthog.com
Tue Nov 22 11:45:08 PST 2005
Alvin Oga wrote:
> always good to have written down policies ... which makes it
> easier for the managers to enforce
>>All laptops pass through the hands of IT before they hit the company
>>network in any way.
> just to play the devil, again, does that mean all incoming laptops after
> it's been traveling or coming from the employee's home, gets to go to IT
> and "cleaned" before it gets plugged back into the corp lan ??
> - i doubt that it would be but... one never knows
> each time the laptop leaves the corp lan, it can pick up the nasties
> and bring it inside
I agree with Alvin.
To add to this, forcing laptops to use software-VPN often effectively
puts them on the corporate LAN anyway.
If you have tools that IT can use manually, there are bound to be
automatic equivalents of those that you can install on every laptop.
(Ignoring visiting [outside non-managed laptops]....)
IMO, your best first line of protection for 'bad' laptops is on-board
detection software. To keep worms/viruses from propagating, pick up an
IDS-like device that monitors network traffic looking for infected
hosts. I know that Check Point and McAfee both make such network devices.
The best network infrastructure I've seen is the two-DMZ model. There
are two DMZs, one of which is only accessible via VPN or internal
networks (i.e. mail server sits in this one). This gives VPN folks
access to their data and an infected VPN'd device cannot infect the
corporate LAN. Also, the VPN policy on the laptops did not let two
VPN'd laptops see each other, so it cannot spread to other remote users.
On the subject of visiting laptops, everyone has their wireless on an
"external" network segment already, yes? :P
Rob++
--
Internet: windsor at warthog.com __o
Life: Rob at Carrollton.Texas.USA.Earth _`\<,_
(_)/ (_)
"They couldn't hit an elephant at this distance."
-- Major General John Sedgwick
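As an added illustration of the two detection points Rob raises (an IDS-like box that spots infected hosts by their traffic, and a VPN policy that forbids VPN'd laptops from seeing each other), here is a small flow-log analyzer. It is example code written for this archive, not anything from the thread, Check Point or McAfee; the flow-record format, the subnets, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Added example (not from the original thread): a minimal flow-log
detector of the kind an "IDS-like device" watching the VPN DMZ would run.
It flags worm-like fan-out (one source reaching many distinct hosts on
the same port) and VPN-client-to-VPN-client traffic that the policy in
the thread forbids.  Record format, subnets, thresholds and the sample
log are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan: VPN clients land in this pool; corp LAN is separate.
VPN_POOL = ip_network("10.200.0.0/24")
CORP_LAN = ip_network("10.10.0.0/16")

# Worm-like fan-out: one source touching this many distinct destinations on
# a single port inside one sliding window (assumed values).
FANOUT_THRESHOLD = 20
WINDOW_SECONDS = 60


def parse_flow(line):
    """Parse a constructed 'ts src dst dport proto' record; None for junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": int(parts[0]),
            "src": ip_address(parts[1]),
            "dst": ip_address(parts[2]),
            "dport": int(parts[3]),
            "proto": parts[4],
        }
    except ValueError:
        return None


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: dport} for sources that contacted >= threshold distinct
    destinations on one port within any window-second span."""
    by_key = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for f in flows:
        by_key[(f["src"], f["dport"])].append((f["ts"], f["dst"]))
    alerts = {}
    for (src, dport), events in by_key.items():
        events.sort()
        start = 0
        seen = defaultdict(int)  # dst -> occurrences inside the window
        for ts, dst in events:
            seen[dst] += 1
            # Slide the window: drop events older than (ts - window).
            while events[start][0] < ts - window:
                old_dst = events[start][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                start += 1
            if len(seen) >= threshold:
                alerts[str(src)] = dport
                break
    return alerts


def detect_vpn_peer_traffic(flows, pool=VPN_POOL):
    """Return sorted (src, dst) pairs where both ends are VPN clients;
    the policy described in the thread says they should never see each other."""
    pairs = set()
    for f in flows:
        if f["src"] in pool and f["dst"] in pool:
            pairs.add((str(f["src"]), str(f["dst"])))
    return sorted(pairs)


def build_sample_log():
    """Constructed flow log: one normal client reading mail in the DMZ,
    one infected client sweeping the corp LAN on port 445, one VPN-peer
    contact, and one unparseable line."""
    lines = ["1000 10.200.0.5 10.20.0.10 143 tcp"]
    for i in range(25):
        lines.append(f"{1000 + i} 10.200.0.7 10.10.1.{i + 1} 445 tcp")
    lines.append("1050 10.200.0.7 10.200.0.5 445 tcp")
    lines.append("garbage line")
    return lines


def analyze(lines):
    """Parse the log, skip junk, and run both detectors."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    return {
        "fanout": detect_fanout(flows),
        "vpn_peers": detect_vpn_peer_traffic(flows),
    }


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

On the constructed log the analyzer reports 10.200.0.7 as a fan-out source on port 445 and the 10.200.0.7 to 10.200.0.5 flow as a VPN-peer contact; the mail flow to the DMZ is left alone. A real deployment would feed it NetFlow or firewall logs and tune the threshold against a baseline of normal traffic, since a backup server or a monitoring poller legitimately touches many hosts on one port.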