In a message dated: Thu, 22 Jun 2000 09:42:34 EDT
Bob Bell said:
>On Thu, Jun 22, 2000 at 02:15:41AM -0400, Derek Martin <[EMAIL PROTECTED]aone.net> wrote:
>> > Since engineers are obviously completely untrustworthy, how do you prevent
>> > them from bringing their own laptop in and hooking it up to that same ethernet?
>>
>> What, you didn't think we'd have an answer? Statically assigned IP
>> addresses via DHCP based on MAC addresses.
>>
>> What's that? Unrealistic you say? WE'RE DOING IT. RIGHT NOW.
>>
>> No MAC address? No network resources. Period.
>
> So couldn't I remove that network card and use it in my own
> machine?

Well you could, but you'd also be restricted to that particular subnet. And
again, there are other levels of security we have in place above and beyond
DHCP.

> There's *always* a way; the goal is really to make it too
> hard to be reasonable, right?

Absolutely. The only completely secure computer is the one that's not plugged
in and has absolutely no physical access to it in any way, shape or form by
anyone. But talk about hindering productivity :)

The goal is to make it more inconvenient than it's worth. Anyone dedicated to
getting access to something which they're not meant to have access to will
eventually find a way, it's inevitable. We're not trying to say that we can
totally and ultimately secure every scrap bit on our network. We are trying
to say that there are a lot of different mechanisms for securing a network and
the data on it and that they are all dependent upon each other. Remove one
link, and you've weakened the entire chain, but maybe not enough quick enough
for our other mechanisms to kick into place and warn us.

No one should rely on just one thing to base their security on, and we never
stated that we did. But we do want to point out that any weakening in the
overall plan is just making the risk greater than it needs to be.

--
Seeya,
Paul
----
"I always explain our company via interpretive dance.
I meet lots of interesting people that way."
Niall Kavanagh, 10 April, 2000
If you're not having fun, you're not doing it right!