Rufus <[email protected]> wrote:
>> Of course we don't allow that.  And users cannot do it themselves because
>> they cannot generate the required certificate that will be trusted.
>> There really are two worlds: the managed PCs that are part of the domain
>> and completely locked down (including the laptops that can roam but
>> only to connect to the company network via VPN), and the private unmanaged
>> PCs that can only access applications via the internet, and these are
>> either web apps (like webmail) or Citrix ICA.  The ICA sessions do not
>> map local resources, they are only screen/keyboard/mouse sessions.
>>
>
> What do you do for business travel?  We're stuck between total 
> lock-down, and reliance on a combination of user vigilance and 
> certificates.  But the user is allowed enough freedom to access the open 
> web...managed or not.

Our users can use a locally available WiFi, as long as it is open
(i.e. it can be WPA or WEP protected but it should pass UDP port 500
and 4500 and not use a captive portal).
Or they can use a UMTS card/stick if they are really mobile.
The browser is locked to use a proxy autoconfig script that it fetches
from our server.

> This is where SM's usenet ability is a problem for us, IMO...and why 
> Firefox is ok, but SM is not.  Outlook can be locked down, but not so 
> with SM...at least not as far as I can see.

You can lock down SM with the lockPref techniques that I explained in another
posting in this thread.
Usenet can also be blocked because it requires a TCP connect from the
browser to port 119 on a newsserver on the internet.  Does not work at
all here because we don't have routing between LAN and internet, not even
NAT routing.  But when you have, it should be possible to block TCP 119
with an access list entry.  This can also be done on the PC itself.

> We're experimenting in limited areas with using iPads...I *REALLY* wish 
> I could use an iPad on the job, but so far I think everyone is still 
> scratching their heads as to how to secure both the device and corporate 
> wifi.

Define a separate network on the WiFi (SSID) that is open to the users
and accesses a vlan that is NAT'ed to internet.  The iPad users are on
the internet just like they are at home.  No risk to the company beyond
the "problem" that they may abuse the company-registered IP to post
libelous content etc.  IT security should be unaffected.
Any use for job-related activities would be via the portals that the
company offers for external access.

>> One time it has happened that an accountant came in with a trojaned laptop
>> that was sending spam.  He knew about it but could not get it fixed himself.
>> Those people have long lists of requirements for IT security
>> certification, but they have their laptops unprotected.  We now have a
>> different accountant.
>
> External (non-owned) devices are simply not allowed to connect in any 
> manner, in our case.

It was only a connect to the public internet, but it caused that single
IP to be listed on the well-known spam blocking lists.
As there had been no escalation by the lists yet, our own servers had not
been blocked.  (They are in the same /27 subnet on the internet.)

> Yup.  But no matter what you do, someone else will eventually out-do 
> you.  So your only real defense is to remain vigilant.

Of course!
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey

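As an added illustration (not the poster's own script or any SeaMonkey code), here is the kind of proxy autoconfig (PAC) file the post describes: the browser fetches it from the company server and a lockPref on network.proxy.autoconfig_url keeps users from changing it. The domain, proxy address and ports are assumed placeholders; the script fails closed for anything that is not plain web traffic, since the LAN has no route to the internet anyway.

```javascript
// Added example, not the original post's script: a PAC file for a LAN that
// reaches the internet only through a web proxy. All names are placeholders.
var INTERNAL_DOMAIN = ".corp.example";         // placeholder internal DNS suffix
var PROXY = "PROXY proxy.corp.example:3128";   // placeholder company web proxy
var BLACKHOLE = "PROXY 127.0.0.1:9";           // discard port: connection fails fast

// Only these destination ports are forwarded to the internet.
var ALLOWED_PORTS = { "80": true, "443": true };

// Extract "host[:port]" from a URL without the browser-only PAC helpers
// (isInNet, dnsDomainIs), so the policy can be exercised outside the browser.
function hostPort(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// Explicit port if present (also after an IPv6 "]"), otherwise the scheme default.
function portOf(hp, scheme) {
  var m = /:(\d+)$/.exec(hp);
  if (m) { return m[1]; }
  return scheme === "https" ? "443" : "80";
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.split(":")[0].toLowerCase();
  var port = portOf(hostPort(url), scheme);

  // Unqualified names, the internal suffix and loopback stay on the LAN.
  var unqualified = host.indexOf(".") < 0 && host.charAt(0) !== "[";
  var internal = host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN;
  if (unqualified || internal || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Web schemes on the standard ports go out through the proxy.
  if ((scheme === "http" || scheme === "https") && ALLOWED_PORTS[port]) {
    return PROXY;
  }
  // Everything else (other schemes, e.g. a news server on TCP 119) fails
  // closed. No DIRECT fallback: the LAN cannot route there, and a fallback
  // would only let the browser probe for a path.
  return BLACKHOLE;
}
```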