Rufus <[email protected]> wrote:
>> When our users take their laptop home, they connect to the company
>> via a VPN and all activity is via the company proxy and firewall, so
>> all scanning and filtering is in effect.  Users are not administrators
>> of their laptop.  The firewall on the laptop does not allow any internet
>> traffic except to our VPN server.
>>
>
> ...and there's an additional issue if you also allow the user to access 
> your VPN using their home machine - which is why there can still be 
> holes in a roaming situation, IMO.

Of course we don't allow that.  And users cannot do it themselves because
they cannot generate the required certificate that will be trusted.
There really are two worlds: the managed PCs that are part of the domain
and completely locked down (including the laptops that can roam but
only to connect to the company network via VPN), and the private unmanaged
PCs that can only access applications via the internet, and these are
either web apps (like webmail) or Citrix ICA.  The ICA sessions do not
map local resources, they are only screen/keyboard/mouse sessions.

>> When personal devices are taken into the company, they cannot connect to
>> the LAN.  They can use the WiFi to connect to the internet, and there
>> they can use the access to applications that is available for internet
>> users (like webmail).
>>
>
> We don't allow personal devices on our premises.  Period.  They have to 
> be left at home, or in the car.  It *is* possible for internal users 
> to access webmail, but we're on our honor not to do so.

It has been like that for a long time, and for employees of the company
it is unusual to bring their own equipment, but it is quite customary
for consultants, accountants, etc. to bring their own laptop, and I am
amazed how often they don't have their own mobile internet and depend
on the local WiFi.
One time it happened that an accountant came in with a trojaned laptop
that was sending spam.  He knew about it but could not get it fixed himself.
Those people have long lists of requirements for IT security
certification, but they leave their laptops unprotected.  We now have a
different accountant.

>> This isolation is very important.  Many companies who did not do this
>> have been in the news as having been hacked.
>
> Yup.  Because there is *always* a way in if someone targets you hard.

I have read about many cases where the entry was made possible by
lousy system administration, including having the users operate as
administrator or power user, allowing the execution of programs from
places other than local directories the user cannot write to, allowing
the download or mailing of executable programs, not installing hotfixes,
etc.  It may be true that you cannot detect and prevent *everything*,
but in my opinion that is no excuse for doing nothing.
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
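The last message in the thread rests on one premise for path-based execution control: that the directories users are allowed to run programs from are directories they cannot write to. On a Windows domain workstation that premise is easy to break silently (a subfolder under Program Files or the Windows directory that an installer left world-writable). The script below, added here as an example and not posted by anyone in the thread, audits the usual "allow execution from here" roots for directories that a standard user can write to. Assumptions: it runs as an administrator on the managed PC, the root paths and the low-privilege identity names are the common defaults, and the function and variable names are the example's own.

```powershell
# Added example, not from the thread. Lists directories under the usual
# "execution allowed from here" roots that a non-admin user can write to,
# which would undermine a path-based allow rule.
# Assumptions: run as administrator; roots and identity names are defaults
# and may need adjusting for a given environment.
$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Identities that effectively mean "any logged-on, non-admin user".
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a user drop or replace a file in the directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::AppendData) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::Write) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::Modify) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-LowPrivWritable {
    # Returns the first Allow ACE granting write-type rights to a
    # low-privilege identity, or $null if none. Deny ACEs are not
    # evaluated here, so a hit is a candidate to verify, not a proof.
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace }
    }
    return $null
}

$Findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop } catch { return }
            $ace = Test-LowPrivWritable -Acl $acl
            if ($ace) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
}

# Each line is a directory where a standard user could plant an executable
# that a path-based allow rule for that root would then permit to run.
$Findings | Sort-Object Path | Format-Table -AutoSize
```

Every path reported is a place where a user could plant an executable that a rule of the form "allow everything under this root" would permit; the fix is either to tighten the directory's ACL or to add an explicit deny rule for that path. The check only reads Allow entries, so a directory covered by a matching Deny entry may show up as a false positive and should be confirmed by hand.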