[Discuss] Security

Tom Metro tmetro-blu at vl.com
Thu Nov 3 17:43:13 EDT 2011


Dan Ritter wrote:
> Everyone wants to connect their iPad or phone... so we got a
> cheap cable modem from Comcast, wired up a WiFi router, and 
> let them play. 

Good approach. Obviously it can also be implemented using appropriate
router/firewall/VLAN rules, rather than a physically separate WAN
connection.


> I can point to complete physical separation when the auditors
> come. That's worth more than the Comcast bill.

Sure, but aren't there dozens of other places in your infrastructure
where your security *is* dependent on firewall rules, and thus you still
need to assure the auditors of the integrity of those systems?


I bet when these "foreign" devices need access to the corporate network,
you're still using a VPN, which then makes the whole corporate LAN
accessible to the infected machine.

I get that it can be complicated to forward specific ports (via ssh or
otherwise), but never got why large corporations were always so willing
to completely open their internal networks to their employees' home
computers, and always preferred VPNs to port forwarding (which I find
far simpler to set up than a VPN client).

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/


