My thoughts:

a)      "One size fits all" solutions simply don't fit most organisations. Some 
e.g.:

a.        (e.g. "you support users connecting from home today", so obviously 
you can scale to support the entire organisation doing the same at work), or

b.      "give each user their own VLAN" - yeah, we'll create 100,000 VLANs - 
imagine maintaining the FWs, routers, and how much more complex user 
provisioning and de-provisioning is going to be. What happens when users move 
between buildings? Telcos can make this happen, but telcos are in the 
networking business.

b)      Treating wireless users as "external" and then making them VPN in isn't 
new - that's been the thinking for 20 years. It was "state of the art" maybe in 
2000, but it's not now.

c)       I know Microsoft was arguing for the "hard core" and "soft shell" 
since circa 2006 or so - so even that's not new. However I disagree that there 
should be one boundary (around the data centre) and we ignore everything else. 
Obviously Brian doesn't understand how large organisations (and I'm guessing 
other sizes as well - I don't have that much experience) work. Most banks (for 
example) are stuffed full of "knowledge workers" that depend on data being on 
their client PCs. For example I've seen reconciliations in a large 
institutional bank being run on over 2,000 excel spreadsheets due to lack of 
straight through processing between diverse systems. You can treat them as 
being "on the internet", but that's too difficult to do in practice with 
granularity. If you make them VPN in, you end up giving them wide-open access 
anyway. So why not just use 802.1x to guard your physical (including WiFi) 
access? Surely 802.1x is easier and cheaper to deploy than catering for 
100,000+ VPN connections?

This looks like just another "magic bullet" - simple solution to a complex 
problem that only works in simple (i.e. small) environments.

Cheers
Ken

From: James Rankin [mailto:[email protected]]
Sent: Monday, 15 April 2013 10:24 PM
To: NT System Admin Issues
Subject: Some interesting thoughts about network security

http://www.brianmadden.com/blogs/brianmadden/archive/2013/04/15/rethinking-network-security-all-your-on-premises-wifi-users-are-actually-quot-remote-quot-users.aspx

--
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk/
