Changes between Initial Version and Version 1 of Ticket #1962, comment 1

02/09/2015 10:14:20 AM (4 years ago)

The current Eyeo office network (LAN) is kind of a “wild-west” environment where no defined security level can be established because there is no one establishing and enforcing security rules. That is okay from a user’s point of view because no one gets limited in how they set up and use their devices (computers, smartphones, etc.).

But from a company perspective this is probably not so great because it comes with some risks:

Why is the current LAN not secure?
- Everyone can bring any device into the (wireless) network, they just need to know the shared WPA password or simply plug the device into a LAN outlet. These devices might be compromised / infected with viruses/malware/etc. without their owners knowing.
- There is no central network access control system (e.g. via Radius), so it is not possible to control which devices are using our network.

Such infected devices could be used for hacker attacks from the inside (circumventing the firewall) and currently can directly communicate and therefore attack other users’ devices, servers and infrastructure components (phone system, switches, routers, printers).

Results could be:
- Damage / Denial of service leading to productivity loss
- Data / information leaks / theft

Suggested solution:
A separate secure / managed network would only allow access to defined devices that are known to be safe because they are
- either directly managed by Office-IT or
- by someone following the security rules defined by Office-IT.

Also, all devices in the “secure network” could be subject to regular (automated) vulnerability scans and/or manual inspections.
An IDS (intrusion detection system) could further enhance the security of that secured network.
Certain types of devices (e.g. smartphones which are also used for private use) would not be permitted on the secure network at all. (They can still be used on the unmanaged network as before.)
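As an added illustration that is not part of the ticket, the two access-point setups the comment contrasts, written as hostapd configuration: the shared-WPA-password network as it exists today, and a RADIUS-backed WPA2-Enterprise network in which the RADIUS server decides per device whether it gets on and which VLAN it lands in. These are two separate config files, not one; the interface name, SSIDs, addresses, secrets and NAS identifier are assumed placeholders.

```ini
# ---- File 1 (today): shared WPA2 passphrase -------------------------------
# One passphrase for everyone: no per-device identity, no central way to
# see which devices are on the network or to revoke a single one.
interface=wlan0
ssid=office-wlan
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder value
wpa_passphrase=CHANGE-ME-shared-passphrase

# ---- File 2 (proposed managed network): WPA2-Enterprise via RADIUS ---------
# hostapd relays EAP to an external RADIUS server, so only devices holding a
# credential issued by Office-IT (e.g. a client certificate) are admitted,
# and a device can be refused or revoked centrally instead of re-keying all.
interface=wlan0
ssid=office-managed
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# authentication decided by the external RADIUS server, not hostapd itself
eap_server=0
# placeholders: documentation-range addresses, not real servers
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret
own_ip_addr=192.0.2.2
nas_identifier=office-ap-1
# Dynamic VLAN assignment: the RADIUS reply's Tunnel-Type /
# Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes pick the VLAN
# per client, so unmanaged devices can be steered to the unmanaged LAN.
# Value 2 = required: a client with no VLAN assignment is rejected.
dynamic_vlan=2
vlan_file=/etc/hostapd/hostapd.vlan
```

Wired ports can be given the same treatment with 802.1X on the switch pointing at the same RADIUS server, which covers the "simply plug the device into a LAN outlet" case as well.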