[unisog] Network security police no hubs/switches/routers?

Jim Dillon Jim.Dillon at cusys.edu
Mon May 23 19:56:40 GMT 2005


On the not so technical side, allowing this practice obscures accountability.  It's real nice to have distributed authority with limited accountability if you are the recipient of the authority.  It tends to push debugging and restoration work uphill, though, as problem solving can no longer be contained to a known entity; it will require a field examination of the "rogue" networking.  So costs are allocated unfairly, and the true TCO is hidden from the end managers who don't understand the value of the service.  Not good for strategic planning and workforce development either.
 
Others have hit most of the technical nits.  Of course I've always wondered about wireless APs as they seem to be more of a hub than a switch, and they seem to re-introduce some of these same problems and deficiencies, and we seem wont to favor/allow wireless, so there are more questions in this game than performance, reliability, and accountability.
 
It's an issue of controllability and risk avoidance.  The industry believes (rightfully so in my opinion) that controllability is a best practice/cost-reducing objective better served in a switched environment where endpoints are more actively controlled.  This may not fit all situations, but it has its place, certainly in the security-thrashed environment we currently face.  Reduce the risks/threats, and perhaps this type of control thinking can be relaxed as well, but the risks/threats seem to still continue an exponential growth pattern, so I'd suggest you stick with better controls.
 
Jim Dillon
============================================ 
Jim Dillon, CISA 
IT Audit Manager 
University of Colorado Internal Audit 
jim.dillon at cusys.edu 
Phone: 303-492-9734 
Dept. Phone: 303-492-9730 
Fax: 303-492-9737 

"There is nothing more difficult to plan, more doubtful 
of success, nor more dangerous to manage than the 
creation of a new system, for the initiator has the 
enmity of all who would profit by the preservation of 
the old institution and merely lukewarm defenders 
in those who gain by the new one."  - Machiavelli 
============================================ 
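A practical check that backs up the "switched environment where endpoints are more actively controlled" point above, and the original poster's question about limiting what attaches to the network: an access port that serves one workstation should learn one MAC address, so a port that learns several is a cheap indicator that an unmanaged hub, switch or wireless AP has been plugged in behind it. The script below is an added example written for this archive page, not code from either poster. The MAC-table listing is constructed to approximate a Cisco-style "show mac address-table" layout (adjust the regex for your platform), and the choice of Gi1/0/24 as the uplink to exclude is an assumption for the sample.

```python
"""Flag access ports that have learned more than one MAC address.

Added example for this list archive, not from the original thread.
Rationale: one host per access port normally means one learned MAC;
several MACs on a port usually means a downstream hub, switch or AP.
Input format is a constructed approximation of a Cisco-style
'show mac address-table' listing (assumption; adapt the regex as needed).
"""
import re
from collections import defaultdict

# Constructed sample output (not captured from any real switch).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/2
  10    0011.2233.4488    DYNAMIC     Gi1/0/2
  20    0011.2233.4499    DYNAMIC     Gi1/0/3
  20    0011.2233.44aa    STATIC      Gi1/0/3
  10    0011.2233.44bb    DYNAMIC     Gi1/0/24
  20    0011.2233.44cc    DYNAMIC     Gi1/0/24
"""

# Uplinks and trunks legitimately carry many MACs, so exclude them.
# Assumption for this sample: Gi1/0/24 is the uplink.
UPLINK_PORTS = {"Gi1/0/24"}

# vlan, dotted-hex MAC, entry type, port name
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: set of MAC addresses} from a MAC-table listing.

    Header and separator lines do not match ROW_RE and are skipped.
    """
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _vlan, mac, _entry_type, port = m.groups()
        macs_by_port[port].add(mac.lower())
    return dict(macs_by_port)


def suspicious_ports(macs_by_port, max_macs=1, uplinks=frozenset()):
    """Ports (excluding uplinks) with more than max_macs learned MACs.

    Returns a list of (port, sorted MAC list), most MACs first, then by
    port name, so the worst offenders print at the top.
    """
    hits = [
        (port, sorted(macs))
        for port, macs in macs_by_port.items()
        if port not in uplinks and len(macs) > max_macs
    ]
    return sorted(hits, key=lambda hit: (-len(hit[1]), hit[0]))


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, macs in suspicious_ports(table, uplinks=UPLINK_PORTS):
        print(f"{port}: {len(macs)} MACs, possible hub/switch/AP: {', '.join(macs)}")
```

Run on the constructed table, it reports Gi1/0/2 (three MACs) and Gi1/0/3 (two MACs) and stays quiet about the excluded uplink. On a real deployment you would feed it the output of your own switches (via SNMP or a CLI scrape) and raise max_macs for ports that are known to host a VoIP phone with a PC behind it; the same one-MAC expectation is what port-security "maximum 1" enforces on the switch itself, which is the control the poster is arguing for.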

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]On Behalf Of Vijay S Sarvepalli VSSARVEP
Sent: Monday, May 23, 2005 7:29 AM
To: UNIversity Security Operations Group
Subject: [unisog] Network security police no hubs/switches/routers?



We have just spelled out some policies that no hubs/routers are to be connected to the network.  There seems to be a lot of resistance to this policy.  I know the technical reasons for not allowing this, but does anybody have a layman's explanation in their policy about "Why hubs/routers are not allowed on the campus network?"

If you have one, please do share.  If you have a strong network security policy that limits what type of devices attach to the network, again in non-technical terms, please do share this as well.

Thanks 
Vijay
