RE: Network Access Quarantine

From: Adams, Tom (tom.adams_at_mci.com)
Date: 01/26/04

    Date: Mon, 26 Jan 2004 20:58:39 +0000
    To: Steve <securityfocus@delahunty.com>
    
    

    >> Why not force them to VPN in?

    That is one approach, but all it buys you is that you've strongly authenticated
    your user, assuming you allow access to everything from there.

    You might be better off segmenting your Internal Data Network so that
    desktop users don't have complete access to the corporate jewels. You then
    require access to the "jewels" segment(s) to be strictly limited, requiring
    strong authentication and ACLs allowing them access only to the systems they
    need to admin. The "jewels" segment(s) would be ACL'ed denying everything
    by default and having ACLs in place to only allow "necessary" ports and IPs
    open both inbound and outbound.

    You could use VPN Servers, AppGate clusters, Citrix, etc. to "firewall"
    access to your "jewels" segment(s).

    One last item...don't allow unlimited access between your desktop segments.
    Users "shouldn't" need access from one desktop segment to another :-)...I
    would hazard a guess that this is where most of your infections come from
    :-(

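The default-deny segmentation described in the reply above, expressed as a small policy checker. This is an added example, not code from the original post or list; the segment ranges, jump-host segment, ports and sample flows are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample segments (illustrative ranges, not from the thread).
SEGMENTS = {
    "desktop-a": ipaddress.ip_network("10.10.0.0/16"),
    "desktop-b": ipaddress.ip_network("10.20.0.0/16"),
    "admin-jump": ipaddress.ip_network("10.250.0.0/24"),  # VPN/Citrix/AppGate chokepoint
    "jewels": ipaddress.ip_network("10.100.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str                # source segment name
    dst: str                # destination segment name
    port: Optional[int]     # None matches any port
    action: str             # "allow" or "deny"

# Only "necessary" flows are listed; everything else falls to default deny.
# Note there is no desktop-to-desktop rule and no desktop-to-jewels rule.
RULES = [
    Rule("admin-jump", "jewels", 22, "allow"),      # SSH from the jump layer only
    Rule("admin-jump", "jewels", 3389, "allow"),    # RDP from the jump layer only
    Rule("jewels", "jewels", None, "allow"),        # traffic inside the segment
    Rule("desktop-a", "admin-jump", 443, "allow"),  # desktops reach the jump layer
    Rule("desktop-b", "admin-jump", 443, "allow"),
]

def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, port: int):
    """Return (action, reason). First matching rule wins; unmatched flows are denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside any known segment"
    for rule in RULES:
        if rule.src == src and rule.dst == dst and rule.port in (None, port):
            return rule.action, f"{src}->{dst}:{rule.port or 'any'}"
    return "deny", f"default deny ({src}->{dst})"

def audit(flows):
    """Return the flows (src, dst, port, reason) that the policy would block."""
    return [(s, d, p, evaluate(s, d, p)[1])
            for s, d, p in flows if evaluate(s, d, p)[0] == "deny"]

# Constructed flow log: two legitimate flows, one desktop-to-desktop, one desktop-to-jewels.
SAMPLE_FLOWS = [("10.10.5.5", "10.250.0.5", 443), ("10.250.0.5", "10.100.0.10", 22),
                ("10.10.5.5", "10.20.7.7", 445), ("10.10.5.5", "10.100.0.10", 3389)]
```

Running `audit` over real flow records (NetFlow, firewall logs) shows which existing traffic a default-deny ACL set would cut off, which is the list you want before enforcing it.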

