Thanks all for the thoughts. I think that the thing I will need to communicate to these folks is simply the tradeoffs and the risks. They run many apps that force full admin rights on the workstations and have concluded that this is an acceptable risk. We'll see what they say. In the end, I feel okay about it if they are fully cognizant of the risks and then accept them. Maybe I'll put something in about double the hourly rate for cleanup ;-)

-- nme

P.S. Brian, could you elaborate on the inexpensive NAC products? I see that IAS will be a RADIUS provider to 802.1x switches. Is there a feature set within the IOS that can handle this (Catalyst 29xx and 35xx) or is it a separate device?


From: Brian Desmond [mailto:[EMAIL PROTECTED]]

They're keeping me a little busy down at the fun factory, so I'm up pretty late. Actually I just flew back in yesterday from a client, so I was handling backlog.

How is .1x cost prohibitive? Have you looked at the NAC products most major VPN providers have to handle your fears about viruses and such? Also realize you don't need to open a lot of the ports representative of that sort of stuff. Lock it down by job role.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger

Thanks, Brian. Don't you sleep? It's late in

802.1x is the direction they are heading. Right now, it is cost-prohibitive. So the question is less "can I control this access" but "should I"? Is that over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see how to control its distribution. The question is, should I limit it to just the domain computers? How big is the risk? If the risk from home computers is virus and malware, how do I justify preventing folks from running it on their home Macs?

Thanks.

-- nme


From: Brian Desmond [mailto:[EMAIL PROTECTED]]

My suggestion is that you implement 802.1x port auth to implement port-based authentication. You can use this to implement guest VLANs with the policy routing you describe.

Isn't the Cisco VPN an MSI? Use Group Policy or SMS if you have it. You can do some NAC stuff with Cisco VPN as well as the personal firewall built into it.

I don't see how you plan to prohibit OS X at least. Put it on the guest VLAN if you must, but realize that the marketing, PR, etc. people may live in a Mac world.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger

Hi:

I am facing some IT policy questions and wanted to get some perspectives. In each of these areas, I am trying to determine how restrictive I need to be. The client has four sites connected over high-speed links. I have good backing from management but will undoubtedly get resistance on some of these. The client is small, under 200 employees with most in one office. Some small field offices are not managed (i.e., have workgroup networks, often with a small server, but no AD). There are no SOX requirements and the data are not sensitive (e.g., no credit cards). Almost entirely Windows XP; all DCs run W2k3. Any thoughts on these topics welcome.

Connecting to the wired network. They do not run any IDS or machine-based authentication. Given that, written policy carries some weight. I want to require all non-domain machines to connect only to a "public" VLAN that goes only to the Internet. I would apply this even to staff "personal" computers, those of contractors (including me), and machines from those field offices that are not on the domain.

VPN. They run a Cisco VPN. I want to distribute the client only to domain-based machines. Others want the client for their home computers, etc.

Other Operating Systems. I don't want to allow other OS's on the network, unless we manage them. But what is the threat posed by a Linux or OS X box on the network?

As always, many thanks.

-- nme
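The switch-side piece of Brian's suggestion (802.1x port authentication with a guest VLAN for machines that never answer the EAP request, RADIUS pointed at IAS) is shown below as an added illustrative configuration; it is not from the thread or from any participant. Interface names, VLAN numbers, addresses and the shared-secret placeholder are assumptions, and the `dot1x guest-vlan` form is the Catalyst 2950/3550-era IOS syntax (later releases express the same fallback differently); the ACL on the guest SVI is what keeps the "public" VLAN Internet-only.

```text
! Assumed: IAS RADIUS server at 10.0.0.10; replace the key placeholder.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET-PLACEHOLDER>
dot1x system-auth-control
!
! Assumed VLANs: 10 = domain workstations, 100 = guest ("public") VLAN.
vlan 10
 name DOMAIN-WORKSTATIONS
vlan 100
 name PUBLIC-GUEST
!
! Access port: domain machines that pass 802.1x land in VLAN 10;
! non-domain machines with no supplicant (home laptops, unmanaged
! field-office boxes, Macs without a configured supplicant) fall to VLAN 100.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 100
 spanning-tree portfast
!
! Guest SVI (3550 doing L3): allow DHCP and the gateway itself, then block
! all RFC 1918 space so guests can reach only the Internet.
ip access-list extended GUEST-INTERNET-ONLY
 permit udp any any eq bootps
 permit ip 192.168.100.0 0.0.0.255 host 192.168.100.1
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group GUEST-INTERNET-ONLY in
```

Guests need a DNS server they can actually reach (a public resolver handed out by the guest DHCP scope), since the internal DNS on 10.x is deliberately blocked; check `show dot1x interface FastEthernet0/1` to confirm which VLAN a given port fell into.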