Firewall Wizards mailing list archives
Re: i-cap proposals
From: ArkanoiD <ark () eltex net>
Date: Tue, 22 Feb 2005 16:51:33 +0300
nuqneH,

Unfortunately it is not always possible to have a compartment mode network with dedicated "communication" desktops. Small companies cannot afford that. And there is an administrative problem: things that everyone needs but people do it the "unofficial" way.

People _do_ need personal communications, instant messaging and email; disallowing it completely makes users feel uncomfortable and definitely does not contribute to a healthy atmosphere unless there are really high security requirements (in which case they get paid for it). But management is unlikely to invest much into such matters of personal comfort. Most companies do allow it anyway, so there should be a solution.

People DO play at work. Ignoring the problem (they should not, so that is not a problem) seems plain unwise in most cases. I've yet to see a company where the CEO is not allowed to get his yahoo mail ;-)

P.S. Yes, sure, I've seen many companies where people are not allowed to use external mail servers. Almost 100% of them just forced people to use business addresses for personal communications this way (although that was not formally allowed) and I do not think this makes any difference.

On Tue, Feb 22, 2005 at 08:31:01AM -0500, Paul D. Robertson wrote:
> > Because people need access to their personal mailboxes out in the internet
> > from the workplace, and environments fascist enough to prohibit them
>
> There's a difference between "need" and "want." People also want to take
> things from the workplace that don't belong to them, but we don't allow
> that behavior.
>
> > from doing it are not that common at all. So there should be a way to
> > minimize risks without being BOFH.
>
> No- security is based on blocking. The less you allow, the less risk you
> assume. It's that simple. Every extra thing you allow increases your risk
> in an unquantifiable manner. When it's vectors like E-mail where there's a
> high attack rate, then you're increasing risk significantly, because we
> don't have good protections for Windows desktops for new malware.
>
> My take's always been that if you want to do personal e-mail, do it on
> your time, on your machine. If you can negotiate otherwise, fine, but the
> generic drooling desktop user doesn't get to play at work.
>
> My other take is that it works from most places simply because "Anything
> out, state or ACK back" is the sum total of most sites' firewall rulesets.
> I've never been anywhere that had a real security policy where mail reader
> protocols were allowed to external systems.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards