On Tue, Dec 30, 2008 at 1:03 PM, Kurt Buff <[email protected]> wrote:
> I'm beginning to wonder if all companies should maintain two
> physically separate networks and provide their employees with two
> computers - one that connects to the world, and one that is for core
> applications *only*.

  That's the way the NSA, DoD, and other three-letter agencies do
things.  If it's a matter of national security ("classified"), it's
not connected to the Internet.  The "air gap firewall" is the only
absolute defense against network attackers.

  If I could get that to fly for regular business stuff at work, I
would.  As it is, we've seriously considered setting up a farm of
Terminal Servers in a firewalled DMZ, and only allowing web browsing
from those, with no direct workstation<->public IP connectivity.

  Malware is getting advanced to the point where people are injecting
targeted code into in-memory executables, without ever needing to
touch the filesystem, and then using that to read data and send it
out, using HTTP as a covert channel.  How the heck do you defend
against that without just locking the browser out of the computer
entirely?

  If you think about it, web browsing (including HTML email, which is
web browsing with a different transport) is an incredibly risky
behavior.  You're letting anyone in the world send instructions to
your computer, and your computer will carry those instructions out to
the best of its ability.  We call these instructions by fancy names,
like "HTML" and "JavaScript", but that's what they are.  Yikes.

  And people bitch that we block MySpace.  :-(

-- Ben
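Added example, not part of the thread and not anything the posters wrote: one practical answer to the "how do you defend against that" question above is to look for the covert HTTP channel in the proxy logs rather than on the endpoint. Malware that lives only in memory still has to talk to its controller, and it usually does so on a timer, which makes its requests far more regular than a person clicking around. The script below parses squid-style access log lines (the format and the hosts are assumptions; the traffic is constructed so the example runs offline), groups requests by client and destination host, measures the jitter of the gaps between requests, and flags pairs that are too periodic to be human.

```python
"""Spot periodic HTTP beaconing in web-proxy logs.

In-memory malware that exfiltrates over HTTP usually polls its controller on a
timer, so its requests are far more regular than a human browsing. This script
groups proxy log lines by (client, destination host), measures the jitter of
the gaps between requests, and flags pairs that are too regular for a person.
Log format, hosts, thresholds and the traffic itself are assumptions made for
this example, not data from the original thread.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed squid-style access log line:
#   timestamp elapsed_ms client status/code bytes method url
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return (timestamp, client, host) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname
    if host is None:
        return None
    return float(m.group("ts")), m.group("client"), host


def regularity(timestamps):
    """Coefficient of variation of the inter-request gaps (0.0 == perfectly periodic)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(log_text, min_requests=6, max_cv=0.05):
    """Return [(client, host, request_count, mean_gap_seconds)] for suspiciously regular pairs.

    A pair is flagged when it has at least min_requests requests and the jitter
    of the gaps between them (coefficient of variation) is at most max_cv.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, host = parsed
            seen[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        cv = regularity(stamps)
        if cv is not None and cv <= max_cv:
            stamps.sort()
            gap = (stamps[-1] - stamps[0]) / (len(stamps) - 1)
            hits.append((client, host, len(stamps), round(gap, 1)))
    return sorted(hits)


def constructed_log():
    """Constructed sample log: a human browsing session plus a 5-minute beacon.

    Neither the hosts nor the traffic are real; they exist only so the example
    runs offline.
    """
    base = 1230658800.0
    lines = []
    # Irregular human browsing: bursts of page loads with varied pauses.
    browse_offsets = [0, 3, 4, 4.5, 41, 43, 120, 121, 122, 125, 600, 603, 604, 611, 1400, 1401]
    for off in browse_offsets:
        lines.append(f"{base + off:.3f} 120 10.1.2.3 TCP_MISS/200 4820 GET http://news.example.com/page{int(off)}")
    # Beacon: same client, one host, every 300 s with sub-second jitter.
    jitter = [0.0, 0.4, -0.3, 0.2, 0.1, -0.5, 0.3, 0.0]
    for i, j in enumerate(jitter):
        lines.append(f"{base + 300 * i + j:.3f} 30 10.1.2.3 TCP_MISS/200 310 POST http://cdn-stats.example.net/collect")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, host, n, gap in find_beacons(constructed_log()):
        print(f"{client} -> {host}: {n} requests, mean gap {gap}s")
```

The interesting design choice is the threshold: a coefficient of variation near zero catches a fixed-interval timer, but real implants often add random sleep, so in practice you would raise `max_cv`, require a longer observation window, and whitelist the legitimately periodic traffic (update checks, webmail polling) that this will also flag. It only works at all if every workstation has to go through the proxy, which is exactly what the "no direct workstation<->public IP connectivity" design above buys you.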
