> From: Phil Pennock [mailto:lopsa-discuss+p...@spodhuis.org]
>
> On 2010-07-09 at 20:52 -0400, Edward Ned Harvey wrote:
> > And I think this is typical for enterprise IT.
> > You take your laptop to Starbuck's to download the package via SFTP which
> > your customer sent you, because outbound SFTP is blocked by the firewall.
> >
> > I personally don't see the benefit of such rules.
>
> Depends whether or not the systems blocked from external data transfers
> hold highly sensitive data, such as health care records, or detailed
> financial information.
>
> There are no absolute rules which always make sense and context is
> everything.

We're talking about people's laptops. Something which you can carry outside the building, or use a USB fob, or join somebody else's wireless with. I think it makes no sense to restrict internet access from these machines.

Even servers which contain sensitive information ... Using our Linux compute cluster servers, I am not able to access CPAN, or download RPMs, or access ftp:// URLs, as that would give me a way to circumvent the inability to access ftp:// URLs from my laptop. Even on servers, I think it makes no sense to restrict internet access.

At MIT, every machine has a real world-routable IP address. Because they got that many IP addresses.

The way to prevent people from distributing sensitive information is not to put up barriers that restrict their access to the internet. The way to prevent unauthorized access to sensitive information is to protect the information. No matter what you do, within reasonable limits, if you give a user access to sensitive information, that user can find a way to distribute it or compromise it. Restrictions on the internet are not effective at gaining security, and it is a barrier to productivity.

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/