Security Basics mailing list archives

RE: Providing Visitor Access


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Tue, 10 Dec 2002 09:56:17 -0500



-----Original Message-----
From: Sinha, Amitabh (Amit) [mailto:asinha3 () agere com] 
Sent: Monday, December 09, 2002 11:21 AM
To: 'CTillett () harcourt com'; wbjw () mindspring com
Cc: jon kintner; Rick Darsey; 
security-basics () securityfocus com; 
ssgill () gilltechnologies com; wbjw () mindspring com
Subject: Providing Visitor Access


This brings up some interesting questions.

Would there be any legal issue with allowing open access from 
within your company (for this restrictive network)? 

Absolutely.  Anything done within your network you can potentially be held
liable for.  Harassment, stalking, porn, hacking, spam, etc.  It's a due
diligence thing and many companies, especially those under Gramm-Leach-
Bliley and HIPAA, have serious responsibilities and consequences.  Also, there
are some potential new issues regarding liability for wireless networks,
whether privately or publicly available (incl. the home users).  There was
an article in Wired yesterday on that.

Is web type access going through a proxy that is filtering? (Could
the company be liable if something illegal is done from the
company owned IP space (child porn etc.)?

Absolutely.  Child porn is a felony, period - any instance must be reported
to LEO.  Regular porn can set up an environment of sexual harassment and
leave you open to lawsuits from your own employees, etc.  You are
responsible for your users' actions to some extent.  This depends on due
diligence, security measures in place, etc....but it comes down to what a
jury thinks in a civil case.  I wouldn't want to take it that far,
especially when you will probably lose or settle and either would cost a
bundle.  Prevention is best.  Now think also about if someone takes your
confidential, say medical info, files and sends them out on the
Internet....how liable do you think you would be and what kind of award do
you think the jury would give out???  Unrestricted Internet access is NOT due
diligence.

Any due diligence issues?? OR if a visitor's information is stolen from the
Internet while they were connected from this unrestricted vlan?)

Unrestricted anything is not a wise policy.  Why do users need unrestricted
Internet access?  So they can check their personal e-mail, download music
(copyright violations), surf, shop, waste time, money and bandwidth, gamble,
chat???  Users should be restricted to AUTHORIZED websites that are for
BUSINESS USE only.  Use something like SurfControl or Websense to monitor
and restrict Internet access.


Are more and more companies providing this type of unrestricted access to
their visitors?

Absolutely not!  Companies are restricting visitors' access!!  Why would you
give a visitor access to your network and your Internet access?  You don't
know them, you haven't background checked them.  You shouldn't allow most of
your own employees this unrestricted access, so why grant it to a stranger?
How do you know this person isn't stealing confidential info, installing
unauthorized software, etc.?  More companies are realizing they are liable
and are restricting access across the board, not opening it up.

How are others doing this? Is there an industry standard or a general practice ...

Thanks,
Amit

-----Original Message-----
From: CTillett () harcourt com [mailto:CTillett () harcourt com]
Sent: Thursday, December 05, 2002 10:25 PM
To: wbjw () mindspring com
Cc: jon kintner; Rick Darsey; security-basics () securityfocus com;
ssgill () gilltechnologies com; wbjw () mindspring com
Subject: RE: Preventing DHCP from allocating IPs



We are dealing with this right now.  We are creating an 
"area" on each floor that visitors can use.  The ethernet 
ports in these areas will be using a private vlan that 
provides IP connectivity and Internet access only.  These 
areas are ACL'ed off from our enterprise network.  It is not 
perfect, but since we have good physical security and all 
other ports on the switch are disabled by default, it allows 
our vendors to use our network as a transport service only.  
I hope this helps a little.

Chris Tillett
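As an added illustration of the visitor-segment design Chris describes above (a separate VLAN that provides IP connectivity and Internet access only, ACL'ed off from the enterprise network, with unused switch ports disabled by default), here is an example Cisco IOS configuration. It is not from the thread or from any of its participants. The VLAN number (200), the visitor subnet (192.0.2.0/24, a documentation range), the visitor-segment resolver address (192.0.2.53), the RFC 1918 ranges standing in for the enterprise network, and the interface numbering are all assumptions.

```cisco
! Added example (not from the thread). Assumed values: VLAN 200 is the
! visitor segment, 192.0.2.0/24 is its subnet, 192.0.2.53 is a resolver
! dedicated to visitors, and the enterprise network lives in RFC 1918 space.
ip access-list extended VISITOR-IN
 remark Let visitors obtain an address by DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS only to the visitor-segment resolver, not to enterprise DNS
 permit udp 192.0.2.0 0.0.0.255 host 192.0.2.53 eq domain
 remark Block everything destined for enterprise address space
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Whatever remains is Internet-bound: the network is a transport service only
 permit ip 192.0.2.0 0.0.0.255 any
 remark Explicit final deny with logging so blocked attempts are visible
 deny   ip any any log
!
interface Vlan200
 description Visitor segment - transport only, no enterprise access
 ip address 192.0.2.1 255.255.255.0
 ip access-group VISITOR-IN in
!
! Visitor-area port: access port in the visitor VLAN only
interface GigabitEthernet1/0/1
 description Visitor area wall jack, 3rd floor (assumed)
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
 no shutdown
!
! Every other port stays administratively down until someone asks for it
interface range GigabitEthernet1/0/2 - 48
 shutdown
```

The ACL is applied inbound on the visitor SVI, so it governs only what visitors originate; traffic from the enterprise side toward the visitor VLAN still needs its own filtering there. Denying the enterprise ranges before the catch-all permit is what turns the segment into pure transport, and the logged final deny gives the operations team a record of anything a visitor tried that the policy refused.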


 



**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or 
others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have 
received this communication in error, please notify the sender of the error immediately, do not read or use the 
communication in any manner, destroy all copies, and delete it from your system if the communication was sent via 
email. 




**********************************************************************