[Discuss] selecting a subnet

[bill at horne.net (Bill Horne)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jerry Feldman wrote:
> The reason I suggested password is that it just restricts the ad hoc
> user from using the network. This is a short-term requirement for the
> OP. And, assuming the WAN port of the router is plugged into the
> corporate network. This way the nonroutable addresses will not be
> exposed. However, I have seen (and done) routers connected to corporate
> networks as switches with the wifi turned on.

> In any case, agreeing with Derek that what the OP is doing is not a good
> thing, but in this specific case, you are not going to expose those
> addresses to the corporate network, but you are allowing them onto the
> corporate network rather than an isolated guest network, which is a bad
> thing. While the non-routable addresses are not exposed, anyone on that
> subnet can go through the firewall. They can get at the company intranet
> as well as the Internet.

I'm not writing clearly, for which I apologize. The point I'm trying
to make is that users will *DEMAND* connectivity whenever *they* feel
they need it. It is not productive to say "Call IT", or "The rulebook
says ...", because users are unable to gauge security risks, unwilling to
admit that their actions may have negative consequences, and
unforgiving when told "No".

I've been there. We've *all* been there. In a nutshell, the problem is
that evolution has not prepared human beings to appreciate long-term
costs in the face of short-term pleasure - that's why cigarettes are
still sold - and too many managers feel that technically adept
subordinates are talking gobbledygook just to feel important and that
the solution to every IT problem is to threaten to kick us in the butt
in order to make the magic bits flow.

At the heart of most security concerns is the simple truth that those
in charge often choose not to concern themselves with "maybe" warnings
about "potential" risks in the face of "I want ..." demands from
{anyone but us}. I feel this is a shortcoming of American management
in general, and I have never discovered a polite or effective way to
say "You're being foolish - please don't do that".

FWIW. 

Bill

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUF0HLAAoJEB+Bm2pt7eU7EtsP/1+6KxdZN+TQIqHMN0zj6Qbx
0mbxwKE3/h1XLPIHWpbaHSpglhA9m8pz2LasshyjwQR+Mp/p/RHWtWi7Tgz+vSOk
jp3h6NHGYvNsQr6HU4Rp7Qyv1CvEwXuNp/omgAOjrHC/NoHS7HWUfotG2vOIrmKK
K0lequU2MOUMYaZ6CEReAmQ865++1jFypyMZPEjmdYkiIzVYPeyVXuNyr3Ws7xa1
zv9heQ06XXX5ZF8ZGexVFWpnOGknp7XdVTiwoKo1ypz2zULGshb1eej7e2lNMXcI
OH/kQ2CJPOCkKUR8nPjxoKyOZinuvTLKqQdrD62qjMCc3k8Zt+AeHKqRY+Ihk7Kv
th0fV5WDqxFm2P58CtKty5GFKemVdtLSHD2vcG2ZDrn/hMckFUVLspK94ieS9VW5
XmQdsQsPWKkD875la8nJzRDu0skSS9LPFx+wXoLrxsz5HMm76BtEjTwdwQdnFnyt
AWp6cGcI+Bj4AgJKjU5ajc2FGKpBKIC7L0tniCkVerE0IpzyUSx3fQsaAux6Cw0M
Ju+eRPpflgqx7b1lCIorxm9pMDQzvrfP8wbK6bSSz7hDV1Q7A9LIpDau51MglICM
IFTr87R435cd0bvjCEEQSwkILST/wRYRwxunFkJXcqfr64Dhwdzjrres81lLD5Dj
FyGxri2N8+FpL+2HgVgg
=Phhz
-----END PGP SIGNATURE-----

-- 
Bill Horne
William Warren Consulting
339-364-8487