Is there a thing as to much security



  • So just out of curiosity, is there such a thing as too much network and computer security.

    We moved 700 people into a new building which included NAC Security across the board. If a computer is not trusted it is automatically forced to the guest network. On occasion we have had to add the Mac address to the database for the computer to connect. However in most cases we have not had to do that since the move in.

    However, to set up a new computer or image a old computer we have to go to a special section of the network to receive the image via pixie boot. We must move it from the staging OU to the final division domain before we can leave the network.

    On occasion, a newly imaged PC must be deleted out of active directory and forced off of the domain and re-joined before we can deploy it to the work desk.

    Thus a simple task of imaging a new computer or unboxing a new computer takes twice as long to deploy as previous with a less secure network.

    I respect the necessity of a secure network and restrictions but this seems excessive.

    Is there a point network security exceeds what is practical in a technicians time.



  • This seems completely like a business decision - not a technical/IT one.

    If the company for example has contracts that mandate this level of security - then you must have it. We assume those who agreed to the contract understood the hardships (i.e. extra time for IT) that would be undertaken by this agreement, and are charging accordingly.



  • This sounds pretty standard to me.

    This is exactly the kind of tasks I would expect PC support team to do. This is pretty standard in an enterprise environment. Your environment may be a bit smaller than the typical enterprise, but still this stuff is pretty standard nowadays.



  • @IRJ said in Is there a thing as to much security:

    This sounds pretty standard to me.

    This is exactly the kind of tasks I would expect PC support team to do. This is pretty standard in an enterprise environment. Your environment may be a bit smaller than the typical enterprise, but still this stuff is pretty standard nowadays.

    NAC is standard in enterprises? I don't work in one, and haven't in 20 years... so maybe that's the case.

    I'd guess it's more likely that you'd have a LANLess setup and competely distrust the local LAN, seems a lot easier. But that's likely harder to secure when it comes to using AD.



  • This is for the state, they have the parent domain and about 20 child domains covering all the different agencies.

    And again, I understand the necessity of security but when you hinder the ability to deploy and operate it seems serious overkill.

    I have seen 15 cases where a computer that has been set up for two months has to be added to the database or they need to be patched to a different port on the switch to reconnect.

    In re-patching The workstation we are also rebooting the voip phone. It seems to be about the only way to resolve the issue unless we put in a request to have the entire stack rebooted.



  • @gjacobse said in Is there a thing as to much security:

    This is for the state, they have the parent domain and about 20 child domains covering all the different agencies.

    And again, I understand the necessity of security but when you hinder the ability to deploy and operate it seems serious overkill.

    I have seen 15 cases where a computer that has been set up for two months has to be added to the database or they need to be patched to a different port on the switch to reconnect.

    In re-patching The workstation we are also rebooting the voip phone. It seems to be about the only way to resolve the issue unless we put in a request to have the entire stack rebooted.

    Perhaps you are confusing security with poorly implemented infrastructure. Then I can see why there are so many issues.



  • @gjacobse said in Is there a thing as to much security:

    So just out of curiosity, is there such a thing as too much network and computer security.

    Any security above what is necessary to protect the environment is a waste. And security costs efficiency. So absolutely, we tell companies that they are being "too secure" all the time.



  • @scottalanmiller said in Is there a thing as to much security:

    @gjacobse said in Is there a thing as to much security:

    So just out of curiosity, is there such a thing as too much network and computer security.

    Any security above what is necessary to protect the environment is a waste. And security costs efficiency. So absolutely, we tell companies that they are being "too secure" all the time.

    Sure, when you know their requirements - Gene hasn't told us the State's requirements - so we can't know if they are overkill or not. We only know that he's inconvenienced/slowed down in his job.

    @Obsolesce said in Is there a thing as to much security:

    Perhaps you are confusing security with poorly implemented infrastructure. Then I can see why there are so many issues.

    Then there is this.

    Why do you have to switch ports? do you not have the ability to change the ports in the switch programmatically? And if not you - the LAN department? sometimes pushing back onto other departments helps flush how how necessary something truly is too.



  • @Dashrender said in Is there a thing as to much security:

    Sure, when you know their requirements - Gene hasn't told us the State's requirements - so we can't know if they are overkill or not.

    He didn't ask that in the original question. That was later. I answered the specific question.



  • @Dashrender said in Is there a thing as to much security:

    @IRJ said in Is there a thing as to much security:

    This sounds pretty standard to me.

    This is exactly the kind of tasks I would expect PC support team to do. This is pretty standard in an enterprise environment. Your environment may be a bit smaller than the typical enterprise, but still this stuff is pretty standard nowadays.

    NAC is standard in enterprises? I don't work in one, and haven't in 20 years... so maybe that's the case.

    I'd guess it's more likely that you'd have a LANLess setup and competely distrust the local LAN, seems a lot easier. But that's likely harder to secure when it comes to using AD.

    It's all dependent on requirements. I worked in one where it was required and am in one where it isn't now. If it's ISE prob the reason for moving it is because it doesn't have the certificate when PXE booting so it can't verify. However you can override that with MAC assignments.


Log in to reply