ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Network Security - UTM

    Scheduled Pinned Locked Moved IT Discussion
    123 Posts 6 Posters 30.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said:

      Do people really need to be connected to FB, twitter, etc while doing a job that does not include those things?

      Need to, no. Should we block it? Why? It takes time, money and introduces risks to block it.

      Unless you take away their cell phones, pagers, and such when they walk in the door, I'd say this makes no sense. Don't single out services we have a personal feeling about. It undermines IT and management's authority.

      There are jobs that need isolation, and they REALLY take those things away and lock you in and have Faraday cages around the office. I've actually worked there. It really happens.

      Unless you are doing that, you are not blocking access, you are just making things adversarial in the office.

      1 Reply Last reply Reply Quote 2
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said:

        Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

        Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.

        If the owners of the company don't agree, that makes IT the enemy.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender
          last edited by

          I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.

          Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.

          scottalanmillerS 2 Replies Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @Dashrender
            last edited by

            @Dashrender said:

            I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.

            Only seems. Isn't really. FB is not a big infection vector. Making people upset and do weird things and disrespect IT and management, is a huge vector.

            1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said:

              Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.

              How do you do that, though? How do you do it without sending them to a different email option? Users will always work around you. Trying to block them is hubris and hubris is the enemy of security.

              If you really need to secure people, give them broad access AND an isolated network. Find ways to make things easier for them, not harder.

              Being secure means working as partners. The moment the company itself is seen as the enemy, security is no longer a possibility. You are into the realm of everyone acting against one another. You need to get people on the same team. Seeing them as the enemy makes that impossible.

              1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @scottalanmiller
                last edited by

                @scottalanmiller said:

                @Dashrender said:

                Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

                Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.

                If the owners of the company don't agree, that makes IT the enemy.

                I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just suppose to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said:

                  @scottalanmiller said:

                  @Dashrender said:

                  Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

                  Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.

                  If the owners of the company don't agree, that makes IT the enemy.

                  I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just suppose to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause.

                  No, we actually address fixing the problem rather than implementing placebos.

                  Things that we can't do...

                  • Not have users
                  • Not have computers
                  • Not have people with risks

                  So given that any attempt to stop one of those three things will ultimately fail, we don't look to those things for security.

                  Instead we change how we think of security. For example... you are concerned with securing your network. Why the network? What is the risk to "the network?"

                  Let's say User A does something bad. How are they putting User B or the company in general, or the network, at risk? What are the vectors that are a concern? Start there.

                  1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender
                    last edited by

                    getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.

                    While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares 🙂

                    scottalanmillerS 2 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said:

                      getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.

                      Why not great?

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said:

                        While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares 🙂

                        Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.

                        So not a situation to be concerned about.

                        DashrenderD 1 Reply Last reply Reply Quote 1
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          @Dashrender said:

                          While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares 🙂

                          Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.

                          So not a situation to be concerned about.

                          This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.

                          So you're right, from that point - OwnCloud, SharePoint, etc all we can do it restore from that point.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said:

                            This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.

                            Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.

                            DashrenderD 1 Reply Last reply Reply Quote 1
                            • hobbit666H
                              hobbit666
                              last edited by

                              OK what abut from a PCI/Data protection standpoint.

                              Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?

                              scottalanmillerS DashrenderD 3 Replies Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                @Dashrender said:

                                This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.

                                Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.

                                I give ya that 😉

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @hobbit666
                                  last edited by

                                  @hobbit666 said:

                                  OK what abut from a PCI/Data protection standpoint.

                                  Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?

                                  Then the best security would be the best, right? The best is always the best.

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @hobbit666
                                    last edited by

                                    @hobbit666 said:

                                    Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?

                                    That depends, does "securing" that resource make the security better or worse? Often it makes it worse.

                                    1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @hobbit666
                                      last edited by

                                      @hobbit666 said:

                                      OK what abut from a PCI/Data protection standpoint.

                                      Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?

                                      You can, by not trusting the local network at all.. not making it important in any way.

                                      What I mean is no more file shares that are just open, logons for anything that is accessed.

                                      Basically treat your local network as if it's the internet, and then you don't have to worry about it as much.

                                      I think you can still use Active Directory in a setup like this.

                                      hobbit666H 1 Reply Last reply Reply Quote 1
                                      • Deleted74295D
                                        Deleted74295 Banned
                                        last edited by

                                        @hobbit666 Did someone say PCI? Hold everything!

                                        What level of PCI compliance are you working towards? Or has the goal not been set yet?

                                        hobbit666H 1 Reply Last reply Reply Quote 0
                                        • JaredBuschJ
                                          JaredBusch
                                          last edited by

                                          ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @JaredBusch
                                            last edited by

                                            @JaredBusch said:

                                            ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.

                                            One huge reason why offline sync clients are a bad thing.

                                            Perhaps a needed thing, but still a bad solution.

                                            It might be better if the files could be saved in a webapp instead through a sync client just dumped into the filesystem.

                                            JaredBuschJ 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 7
                                            • 4 / 7
                                            • First post
                                              Last post