Re: IRC in corporate enviroment

[Todd Haverkos <infosec () haverkos com>]

Dennis Dayman <dennis-lists () thenose net> writes:

> Looking for some pros cons to having IRC connectivity in a corporate environment. Our R&D guys would like to join 
> some coding channels to get ideas and help, but we are hesitating to allow them for fear of a possible hole being 
> opened via an IRC channel and client.
>
> thoughts on pro's or cons?
>
> what is the beat way to implement if it is deemed ok?

Cons -- you can't log it.  If you don't have a regulatory driver
requiring this, then who cares.    Also, you have to start thinking
about what irc clients to suggest/allow, and do the usual patch/vuln
management dance of "what if Joe and his outdated pidgin client
suddenly want to do internet irc too, or internet chat and gets
owned?" 

Much of this risk can be entirely mitigated by implementing strong
ingress and egress filtering which you may be doing already. 

Pros - cheap and easy.  My prior 2 employers had internal IRC and it
was enormously helpful, especially in situations where disparate
geographies need to collaborate and team build. 

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------