Scot L. Harris wrote:
> Sounds like a recipe for disaster. IMHO any network admin that does not
> segregate their network into LANs used for specific purposes and apply
> firewalls between those LANs as well as out to the Internet is simply
> contributing to the overall problem.

It somewhat depends on the size and "shape" of the network. It should be obvious that the threat from inside a network is related to the size of that network (add another hundred workstations and people on them, and you've added a lot more internal threat), the sort of people on them (are you likely to have anyone who is deliberately malicious?), and how much you can lock down the workstations. Small networks don't get attacked from inside nearly as much as big networks do.

And I'm not sure that "segregation into specific purposes" is always practical, either. For example, the small (less than one hundred user) networks of which I know have shared disks, printing, access to e-mail and the Web, and access to the appropriate accounting / stock control systems (which is needed practically everywhere). And practically no departments of more than ten people, and lots of inter-departmental working. And servers are per-task or per-several tasks, not per-department or per-building.

Security is never absolute. There is always more you could do. But there does have to come a time when you say "we've got enough security in depth to those problems".

James.
-- 
E-mail address: james | Today Has Been Two Of Those Days.
@westexe.demon.co.uk  |     -- Mike Andrews