[unisog] Network security policy: no hubs/switches/routers?
Jim.Dillon at cusys.edu
Mon May 23 19:56:40 GMT 2005
On the not-so-technical side, allowing this practice obscures accountability. It's really nice to have distributed authority with limited accountability if you are the recipient of the authority. It tends to push debugging and restoration work uphill, though: since problem solving can no longer be contained to a known entity, it will require a field examination of the "rogue" networking. So costs are allocated unfairly, and the true TCO is hidden from the end managers who don't understand the value of the service. Not good for strategic planning and workforce development either.
Others have hit most of the technical nits. Of course, I've always wondered about wireless APs, as they seem to be more of a hub than a switch, and they seem to re-introduce some of these same problems and deficiencies, and we seem wont to favor/allow wireless, so there are more questions in this game than performance, reliability, and accountability.
It's an issue of controllability and risk avoidance. The industry believes (rightfully so, in my opinion) that controllability is a best-practice/cost-reducing objective better served in a switched environment where endpoints are more actively controlled. This may not fit all situations, but it has its place, certainly in the security-thrashed environment we currently face. Reduce the risks/threats, and perhaps this type of control thinking can be relaxed as well, but the risks/threats seem to still continue an exponential growth pattern, so I'd suggest you stick with better controls.
Jim Dillon, CISA
IT Audit Manager
University of Colorado Internal Audit
jim.dillon at cusys.edu
Dept. Phone: 303-492-9730
"There is nothing more difficult to plan, more doubtful
of success, nor more dangerous to manage than the
creation of a new system, for the initiator has the
enmity of all who would profit by the preservation of
the old institution and merely lukewarm defenders
in those who gain by the new one." - Machiavelli
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Vijay S Sarvepalli VSSARVEP
Sent: Monday, May 23, 2005 7:29 AM
To: UNIversity Security Operations Group
Subject: [unisog] Network security policy: no hubs/switches/routers?
We have just spelled out some policies that no hubs/routers are to be connected to the network. There seems to be a lot of resistance to this policy. I know the technical reasons for not allowing this, but does anybody have a layman's explanation in their policy about "Why hubs/routers are not allowed on the campus network?"

If you have one, please do share. If you have a strong network security policy that limits what type of devices attach to the network, again in non-technical terms, please do share this as well.