>> This looks like just another “magic bullet” – simple solution to a complex problem that only works in simple (i.e. small) environments.

I would substitute the word "limited" for "small". I've seen even small organizations where this could not work as expressed.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…

On Mon, Apr 15, 2013 at 8:33 PM, Ken Schaefer <[email protected]> wrote:

> My thoughts:
>
> a) “One size fits all” solutions simply don’t fit most organisations. Some e.g.:
>
>   a. e.g. “you support users connecting from home today”, so obviously you can scale to support the entire organisation doing the same at work, or
>
>   b. “give each user their own VLAN” – yeah, we’ll create 100,000 VLANs – imagine maintaining the FWs, routers, and how much more complex user provisioning and de-provisioning is going to be. What happens when users move between buildings? Telcos can make this happen, but telcos are in the networking business.
>
> b) Treating wireless users as “external” and then making them VPN in isn’t new – that’s been the thinking for 20 years. It was “state of the art” maybe in 2000, but it’s not now.
>
> c) I know Microsoft was arguing for the “hard core” and “soft shell” since circa 2006 or so – so even that’s not new. However I disagree that there should be one boundary (around the data centre) and we ignore everything else. Obviously Brian doesn’t understand how large organisations (and I’m guessing other sizes as well – I don’t have that much experience) work. Most banks (for example) are stuffed full of “knowledge workers” that depend on data being on their client PCs. For example I’ve seen reconciliations in a large institutional bank being run on over 2,000 Excel spreadsheets due to lack of straight-through processing between diverse systems. You can treat them as being “on the internet”, but that’s too difficult to do in practice with granularity. If you make them VPN in, you end up giving them wide-open access anyway. So why not just use 802.1x to guard your physical (including WiFi) access? Surely 802.1x is easier and cheaper to deploy than catering for 100,000+ VPN connections?
>
> This looks like just another “magic bullet” – simple solution to a complex problem that only works in simple (i.e. small) environments.
>
> Cheers
> Ken
>
> From: James Rankin [mailto:[email protected]]
> Sent: Monday, 15 April 2013 10:24 PM
> To: NT System Admin Issues
> Subject: Some interesting thoughts about network security
>
> http://www.brianmadden.com/blogs/brianmadden/archive/2013/04/15/rethinking-network-security-all-your-on-premises-wifi-users-are-actually-quot-remote-quot-users.aspx
>
> --
> James Rankin
> Technical Consultant (ACA, CCA, MCTS)
> http://appsensebigot.blogspot.co.uk
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
