Rob wrote:
> Rufus <[email protected]> wrote:
>>> When our users take their laptop home, they connect to the company via a VPN and all activity is via the company proxy and firewall, so all scanning and filtering is in effect. Users are not administrators of their laptop. The firewall on the laptop does not allow any internet traffic except to our VPN server.
>>
>> ...and there's an additional issue if you also allow the user to access your VPN using their home machine - which is why there can still be holes in a roaming situation, IMO.
>
> Of course we don't allow that. And users cannot do it themselves because they cannot generate the required certificate that will be trusted.
>
> There really are two worlds: the managed PCs that are part of the domain and completely locked down (including the laptops that can roam but only to connect to the company network via VPN), and the private unmanaged PCs that can only access applications via the internet, and these are either web apps (like webmail) or Citrix ICA. The ICA sessions do not map local resources; they are only screen/keyboard/mouse sessions.

What do you do for business travel? We're stuck between total lock-down and reliance on a combination of user vigilance and certificates. But the user is allowed enough freedom to access the open web...managed or not.

This is where SM's usenet ability is a problem for us, IMO...and why Firefox is OK, but SM is not. Outlook can be locked down, but not so with SM...at least not as far as I can see.

>>> When personal devices are taken into the company, they cannot connect to the LAN. They can use the WiFi to connect to the internet, and there they can use the access to applications that is available for internet users (like webmail).
>>
>> We don't allow personal devices on our premises. Period. They have to be left at home, or in the car. It *is* possible for internal users to access webmail, but we're on our honor not to do so.
>
> It has been like that for a long time, and for employees of the company it is unusual to bring their own equipment, but it is quite customary for consultants, accountants, etc. to bring their own laptop, and I am amazed how often they don't have their own mobile internet and depend on the local WiFi.

We're experimenting in limited areas with using iPads...I *REALLY* wish I could use an iPad on the job, but so far I think everyone is still scratching their heads as to how to secure both the device and the corporate WiFi.

> One time it has happened that an accountant came in with a trojaned laptop that was sending spam. He knew about it but could not get it fixed himself. Those people have long lists of requirements for IT security certification, but they have their laptops unprotected. We now have a different accountant.

External (non-owned) devices are simply not allowed to connect in any manner, in our case.

>>> This isolation is very important. Many companies that did not do this have been in the news as having been hacked.
>>
>> Yup. Because there is *always* a way in if someone targets you hard.
>
> I have read about many cases where the entry was made possible by lousy system administration, including having the users operate as administrator or power user, allowing the execution of programs from places other than local directories the user cannot write to, allowing the download or mailing of executable programs, not installing hotfixes, etc. etc. It may be true that you cannot detect and prevent *everything*, but in my opinion that is no excuse for doing nothing.

Yup. But no matter what you do, someone else will eventually outdo you. So your only real defense is to remain vigilant.
--
- Rufus
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
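The roaming-laptop rule Rob describes (host firewall permits nothing but the VPN server, everything else rides the tunnel to the corporate proxy) is concrete enough to show as a Windows host-firewall policy. This is an added example written for this page, not configuration from either poster's environment; the VPN concentrator address, port, adapter alias and rule-group name are assumptions chosen for illustration.

```powershell
# Added example, not from the thread: a Windows host-firewall policy for a
# domain-joined laptop that may talk only to the corporate VPN concentrator,
# with all other traffic confined to the VPN tunnel (and so to the corporate
# proxy and filters). All names and addresses below are assumptions. Run
# elevated; in practice push it through Group Policy, since the point is that
# users are not local administrators and cannot undo it.

$VpnServer  = '203.0.113.10'  # assumed public IP of the VPN concentrator (documentation range)
$VpnPort    = 443             # assumed SSL-VPN port; adjust for IPsec (UDP 500/4500) etc.
$VpnAdapter = 'Corp VPN'      # assumed alias of the VPN virtual adapter (see Get-NetAdapter)
$RuleGroup  = 'CorpVPN-Only'  # group name so the policy can be audited and reverted as a unit

# 1. Default-deny in both directions on every profile. Inbound-only blocking
#    is the common default; the outbound default is what stops a compromised
#    host from talking to anything but the tunnel.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Disable outbound allow rules that installers or users added over time,
#    keeping only Core Networking (DHCP, ICMPv6 neighbour discovery) and ours.
Get-NetFirewallRule -Direction Outbound -Action Allow |
    Where-Object { $_.Group -ne $RuleGroup -and $_.DisplayGroup -ne 'Core Networking' } |
    Disable-NetFirewallRule

# 3. Core Networking permits DNS to any resolver; that is an egress channel of
#    its own (DNS tunnelling), so close it. DNS then works only over the tunnel.
Disable-NetFirewallRule -DisplayName 'Core Networking - DNS (UDP-Out)'

# 4. The single hole on the physical interface: the VPN endpoint, by IP, because
#    with DNS closed the client cannot resolve a hostname before connecting.
New-NetFirewallRule -Group $RuleGroup -DisplayName 'Allow VPN concentrator' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress $VpnServer -RemotePort $VpnPort

# 5. Everything else is allowed only when it leaves through the tunnel adapter.
#    With the VPN as default route, browsing, mail and updates all pass the
#    corporate proxy exactly as they would on the LAN.
New-NetFirewallRule -Group $RuleGroup -DisplayName 'Allow all via VPN tunnel' `
    -Direction Outbound -Action Allow -InterfaceAlias $VpnAdapter

# Quick audit of what is still allowed out, so the only non-tunnel entry
# should be the concentrator rule plus Core Networking.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, DisplayGroup | Sort-Object DisplayGroup, DisplayName
```

Two practical caveats follow directly from this policy. Hotel and airport captive portals cannot be reached, so the laptop only works where the VPN endpoint is reachable without a browser login, which is exactly the trade-off the thread describes (total lock-down versus freedom to touch the open web). And because step 3 removes general DNS, the VPN client must be configured with the concentrator's IP address rather than a hostname, or with a dedicated allow rule for one specific resolver.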

