Hi,

On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
> > I thought security people would recommend having a per-port ACL for
> > allowed traffic, and port visibility set to limit the view to only the
> > router when not otherwise required.
> I don't think you have seen many corporate (i.e. hundreds of nodes) networks.
> I've "seen" a few, and, from my "limited" experience:

Uh, I never said that's what I would expect to see on a corporate network. I've connected to networks at HP, I've connected to networks of security firms, and they didn't have the measures I mentioned. I've read about using such drastic limitations in an interview with a famous security guy (and considered the idea too impractical to apply to the networks I manage). It was someone famous, like some Netfilter or OpenBSD architect, but I can't find the article where I read that (help welcome in finding it again).

> So even if the "security people", as you so put it, would recommend per-port
> ACL allowed traffic they would (and do) get shunned by other IT departments.
> At most, IT security can get a bridge firewall [1] setup between sensible
> networks to isolate and try to control traffic between them.

Right, _in practice_ no one can follow very strict security guidelines, which is the point I was making in mentioning extreme security measures. In practice, security has limits.

> With people bringing laptops (and all kinds of devices) from outside of
> the network, unprotected/uncontrolled WiFi access points, etc., there is no
> such thing as an "internal trusted network".

But you're still way more secure sitting behind a NAT with responsible coworkers than connected to the Internet directly without any firewall, and that's where desktops sit most of the time.

Bye,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED

