da...@lang.hm wrote:
> On Tue, 20 Oct 2009, Luke Quattrochi wrote:
>
>> On Tue, Oct 20, 2009 at 12:14 PM, <da...@lang.hm> wrote:
>>
>>> it may make sense for you, but my initial reaction is why not just use a
>>> VPN?
>>>
>>> why should your remote employees _not_ have access to your corporate
>>> resources.
>>>
>>> this doesn't even need to be a VPN on each machine, the cost of a router
>>> that can implement a site to site VPN is very low, that would give you the
>>> benefits of being on the WAN without the cost of the WAN connection.
>>>
>>> David Lang
>> I'm still having trouble seeing your perspective on the lock in issue but I
>> would rather not sidetrack the thread.
>
> Ok.
>
>> Currently my remote sites are not even connected by VPN for a variety of
>> legitimate reasons.  Rest assured that there are reasons these sites should
>> *not* have access to corporate resources.  The big one (that I can talk
>> about) is that basically these sites don't generate enough revenue to pay
>> any forward to IT, so they don't get much in the way of support.
>> You did inspire some thought on my part though.  The cost issues will still
>> be similar for my particular company between DirectAccess and a cheapy VPN.
>> The root problem is that our IT department is brutally small for the size
>> of our company.  We don't have a network admin.  Unfortunately I'm not one
>> of those brilliant do it all types, and I am best kept out of the Cisco
>> equipment.  Any type of network configuration is done by consultant (meaning
>> they are rare, and this is limiting).  This means even if I buy a cheap $400
>> router for site to site VPN I have to pay an expensive hourly rate to get it
>> configured.
>>
>> For DirectAccess I don't need a consultant.  I would need to buy a new
>> physical server, which means more cost justification.  Since it can't be
>> behind NAT I can't just provision a VM on my ESX cluster like I do for
>> everything else.
>
> there is no one right answer for everyone.
>
> however, the thought of the corporate IT department _not_ managing 
> desktop/laptop systems for some part of the company sounds very 
> short-sighted.
>
> yes, they aren't a profit center, and so can't produce cash to put into 
> the IT group. But neither are the Security, QA, HR, Finance groups, and 
> for that matter it's hard to quantify the revenue that your executive 
> management generates. These people all need safe systems to use. In 
> addition, having someone in one group use a system that is sending 
> everything they do to hackers somewhere can cost you a LOT of money (it 
> usually has little effect, but when it does cost you something it tends to 
> cost a LOT)
>
> you really do want to make sure that anti-virus and anti-spyware software 
> is up to date on all systems, and ignoring some systems because they do 
> not generate revenue saves money now, but is likely to cost a lot later.
>
> David Lang
Unless you start treating the desktops/laptops/smart phones like 
external appliances. The idea of some of these new methods of connecting 
is that from the service end, you don't care about antivirus and other 
such software on the client - that becomes completely the client 
system's owner's responsibility. You download all of the administration 
of the client to the owner of the client, and only worry about 
channeling very specific, well protected resources out your firewall and 
the client machines simply don't get full network access into your 
facility. Examples of this are https-wrapped email servers. Your 
services don't get impacted if the client's machine gets infected with a 
virus because there is no way for the client to propagate that virus 
directly to others. You would be wise to implement virus checking for 
any file or attachment that you accept into the mail service, but the 
rest is outside of your care.

Now - does this mean that one or more of your 
employees/contractors/partners could be flooded with viruses that they 
need to deal with? Yes, it does. It simply means that you no longer need 
to protect everything in the core from the outside client hosts every 
time that they connect.

And 'outside' can become the new 'inside' if you then restrict your 
desktop networks to getting the same kind of access that external hosts get.

I'm not saying that I necessarily agree with this approach, but 
companies are starting to do it as both a 'support any kind of 
device' initiative while simultaneously cutting costs by downloading 
support costs to the individuals who then may need to supply the device, 
software, and hardware&software support!

(And yes, I've seen this starting to happen. Ecckkk. )

- Richard
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/