Rob wrote:
Rufus <[email protected]> wrote:
What do you do for business travel? We're stuck between total
lock-down, and reliance on a combination of user vigilance and
certificates. But the user is allowed enough freedom to access the open
web...managed or not.
Our users can use a locally available WiFi, as long as it is open
(i.e. it can be WPA or WEP protected but it should pass UDP port 500
and 4500 and not use a captive portal).
Or they can use a UMTS card/stick if they are really mobile.
The browser is locked to use a proxy autoconfig script that it fetches
from our server.
I'm not sure ours can do that - they are supposed to be totally wifi
disabled, but every now and then a new machine slips through that
doesn't get the card removed/shut off, or a PCMCIA card gets mis-used.
This is where SM's usenet ability is a problem for us, IMO...and why
Firefox is ok, but SM is not. Outlook can be locked down, but not so
with SM...at least not as far as I can see.
You can lock down SM with the lockPref techniques that I explained in another
posting in this thread.
Usenet can also be blocked because it requires a TCP connect from the
browser to port 119 on a newsserver on the internet. Does not work at
all here because we don't have routing between LAN and internet, not even
NAT routing. But when you have, it should be possible to block TCP 119
with an access list entry. This can also be done on the PC itself.
I believe that we do, but we blacklist sites and advertisers...using
keywords, I think.
We're experimenting in limited areas with using iPads...I *REALLY* wish
I could use an iPad on the job, but so far I think everyone is still
scratching their heads as to how to secure both the device and corporate
wifi.
Define a separate network on the WiFi (SSID) that is open to the users
and accesses a vlan that is NAT'ed to internet. The iPad users are on
the internet just like they are at home. No risk to the company beyond
the "problem" that they may abuse the company-registered IP to post
libelous content etc. IT security should be unaffected.
Any use for job-related activities would be via the portals that the
company offers for external access.
Wifi isn't allowed at all on the job, except at very specific sites. In
fact I'm not sure it would even work at all through the walls in some of
our buildings.
And then there are other things about iPads that aren't allowed or can't
be managed due to how closed they are - but having one would sure make
life easier...
External (non-owned) devices are simply not allowed to connect in any
manner, in our case.
It was only a connect to the public internet, but it caused that single
IP to be listed on the well-known spam blocking lists.
As there had been no escalation by the lists yet, our own servers had not
been blocked. (they are in the same /27 subnet on internet)
Yes - and something like this seems to be happening on a growing basis
to our e-mail...some of our distribution lists are getting out to
spammers, and we sometimes get spear-phishing e-mails to people on those
lists.
Yup. But no matter what you do, someone else will eventually out-do
you. So your only real defense is to remain vigilant.
Of course!
..!
--
- Rufus
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey