Re: i-cap proposals

["Paul D. Robertson" <paul () compuwar net>]

On Sat, 19 Feb 2005, ArkanoiD wrote:

> Because people need access to their personal mailboxes out in the internet
> from the workplace, and environtments fascist enough to prohibit them

There's a difference between "need" and "want."  People also want to take
things from the workplace that don't belong to them,  but we don't allow
that behavior.

> from doing it are not that common at all. So there should be a way to
> minimize risks without being BOFH.

No- security is based on blocking.  The less you allow, the less risk you
assume.  It's that simple.  Every extra thing you allow increases your
risk in an unquantifyable manner.  When it's vectors like E-mail where
there's a high attack rate, then you're increasing risk significantly,
because we don't have good protections for Windows desktops for new
malware.

My take's always been that if you want to do personal e-mail, do it on
your time, on your machine.  If you can negotiate otherwise, fine, but the
generic drooling desktop user doesn't get to play at work.

My other take is that it works from most places simply because "Anything
out, state or ACK back" is the sum total of most site's firewall rulesets.

I've never been anywhere that had a real security policy where mail reader
protocols were allowed to external systems.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards