On Thu, 2005-03-10 at 08:40, James Wilkinson wrote:
> Scot L. Harris wrote:
> > Sounds like a recipe for disaster. IMHO any network admin that does not
> > segregate their network into LANs used for specific purposes and apply
> > firewalls between those LANs as well as out to the Internet are simply
> > contributing to the overall problem.
>
> It somewhat depends on the size and "shape" of the network. It should be
> obvious that the threat from inside a network is related to the size of
> that network (add another hundred workstations and people on them, and
> you've added a lot more internal threat), the sort of people on them
> (are you likely to have anyone who is deliberately malicious?), and how
> much you can lock down the workstations.

You need to plan for malicious inside users always. :)

> Small networks don't get attacked from inside nearly as much as big
> networks do.

Small networks are easier to police, I agree. This discussion was based
on a university network, which typically has thousands of users if not
more with access to the network.

> And I'm not sure that "segregation into specific purposes" is always
> practical, either.
>
> For example, the small (less than one hundred user) networks of which I
> know have shared disks, printing, access to e-mail and the Web, and
> access to the appropriate accounting / stock control systems (which is
> needed practically everywhere). And practically no departments of more
> than ten people, and lots of inter-departmental working. And servers are
> per-task or per-several tasks, not per-department or per-building.

Again, I agree it depends on the number of users and devices you put on
a network. In this case, at a university, there are literally thousands
of users that have access. Not segregating the data center servers from
student LANs, from teacher LANs, from research LANs is just asking for
trouble. Yes, there will be a need to provide firewalls/routers between
these LANs. This allows you to limit the protocols and access to those
that need it and to set up tools to watch for malicious activity. Having
all of those types of users dumped on a flat network with no
restrictions is going to keep the IT department busy trying to figure
out why all their network resources are used up and your professors
cannot do their research because of it.

> Security is never absolute. There is always more you could do. But there
> does have to come a time when you say "we've got enough security in
> depth to those problems".

True, you have to balance the cost and convenience factors against the
level of security you need to achieve. This normally means figuring out
what the cost of losing your data or business means to the users. Just
like getting users to spend money and time on backups is left as an
afterthought. Until a hard drive crashes and someone's work is lost;
then backups become a major issue, for a while. Security falls into this
same category when it should not.

-- 
Scot L. Harris
webid@xxxxxxxxxx

Flat tire on station wagon with tapes. ("Never underestimate the
bandwidth of a station wagon full of tapes hurling down the highway"
Andrew S. Tanenbaum)
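As an added example of the policy Scot is arguing for (this is editor-supplied code, not from the thread or either poster), here is a small Python model of a segmented campus network: student, teacher, research and data-center LANs with a default-deny firewall between them and a short allow list of the protocols each LAN actually needs. The segment names, address ranges, allowed ports and sample flows are all constructed assumptions. It renders the policy as an nftables forward chain and tallies denied flows per segment pair, which is the raw material for the "tools to watch for malicious activity" the message mentions.

```python
"""Inter-segment access policy for a segmented campus network (added example).

Segments, address ranges, allow list and sample flows are constructed
assumptions; the technique shown is default deny between LANs with an
explicit per-segment allow list.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segments: each LAN is a routed subnet behind the firewall.
SEGMENTS = {
    "student":    ip_network("10.10.0.0/16"),
    "teacher":    ip_network("10.20.0.0/16"),
    "research":   ip_network("10.30.0.0/16"),
    "datacenter": ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Constructed allow list. Any inter-segment flow not listed is dropped.
ALLOW = [
    Rule("student", "datacenter", "tcp", 443),   # campus web / LMS
    Rule("student", "datacenter", "udp", 53),    # DNS resolver
    Rule("teacher", "datacenter", "tcp", 443),
    Rule("teacher", "datacenter", "udp", 53),
    Rule("teacher", "datacenter", "tcp", 993),   # IMAPS
    Rule("research", "datacenter", "tcp", 22),   # SSH to compute head node
    Rule("research", "datacenter", "udp", 53),
]


def segment_of(ip):
    """Map an address to its segment name, or None if it is in no segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src_ip, dst_ip, proto, dport):
    """Return (verdict, reason) for a new flow crossing the firewall."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "drop", "address outside any known segment"
    if src == dst:
        # Same LAN: the switch forwards it; the inter-segment firewall never sees it.
        return "accept", "intra-segment"
    if Rule(src, dst, proto, dport) in ALLOW:
        return "accept", f"{src}->{dst} {proto}/{dport} in allow list"
    return "drop", f"{src}->{dst} {proto}/{dport} not in allow list"


def render_nft():
    """Render ALLOW as an nftables forward chain with a default-deny policy."""
    lines = [
        "table inet campus {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOW:
        lines.append(
            f"    ip saddr {SEGMENTS[r.src]} ip daddr {SEGMENTS[r.dst]} "
            f"{r.proto} dport {r.dport} accept"
        )
    lines += ['    log prefix "seg-drop " drop', "  }", "}"]
    return "\n".join(lines)


def denied_summary(flows):
    """Count denied flows per (source segment, destination segment) pair."""
    counts = Counter()
    for src_ip, dst_ip, proto, dport in flows:
        verdict, _ = decide(src_ip, dst_ip, proto, dport)
        if verdict == "drop":
            counts[(segment_of(src_ip), segment_of(dst_ip))] += 1
    return counts


# Constructed sample flows: (src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.40.0.10", "tcp", 443),   # student -> web: allowed
    ("10.10.4.7", "10.40.0.10", "tcp", 22),    # student -> SSH: denied
    ("10.10.4.7", "10.20.1.3", "tcp", 445),    # student -> teacher LAN: denied
    ("10.30.2.2", "10.40.0.20", "tcp", 22),    # research -> head node: allowed
    ("10.20.1.3", "10.20.1.9", "tcp", 445),    # teacher -> teacher: intra-segment
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, decide(*flow))
    print(denied_summary(SAMPLE_FLOWS))
    print(render_nft())
```

The rendered chain ends with a logging drop rule, so every inter-segment flow that is not on the allow list leaves a log line; a steady count of drops from one student host toward the data center is exactly the sort of thing a flat network would never surface.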