Re: Internal trusted networks? (was Re: avahi-daemon)
Hi,
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
> > I thought security people would recommend having a per-port ACL for
> > allowed traffic, and port visibility set to limit the view to only the
> > router when not otherwise required.
> I don't think you have seen many corporate (i.e. hundreds of nodes) networks.
> I've "seen" a few, and, from my "limited" experience:
Uh, I never said that's what I would expect to see on a corporate
network. I've connected to networks at HP, I've connected to networks
of security firms, and they didn't have the measures I mentioned.
I've read about using such drastic limitations in the interview of a
famous security guy (and considered the idea was too impractical to
apply to the networks I manage). It was someone famous, like some
Netfilter or OpenBSD architect, but I can't find the article where I've
read that (help welcome to find it back).
> So even if the "security people" as you so put it, would recommend per-port
> ACL allowed traffic they would (and do) get shunned by other IT departments.
> At most, IT security can get a bridge firewall [1] setup between sensible
> networks to isolate and try to control traffic between them.
Right, _in practice_ no one can follow very strict security guidelines,
which is the point I was making in mentioning extreme security
measures. In practice, security has limits.
> With people bringing laptops (and all kind of devices) from the outside of
> the network, unprotected/uncontrolled WiFi access points, etc. there is no
> such thing as an "internal trusted network".
But you're still way more secure while sitting behind a NAT with
responsible coworkers than connected to the Internet directly, without
any firewall, and that's where desktops sit most of the time.
Bye,
--
Loïc Minier <lool@dooz.org>
Current Earth status: NOT DESTROYED