
Securing Your Internal Network from Windows?

acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple of users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features'? Any and all ideas are welcome."
  • by Twylite ( 234238 ) <twylite&crypt,co,za> on Wednesday November 27, 2002 @07:37AM (#4766106) Homepage

    Given the number of computers involved I am assuming you are using switches. One option you have is to configure VLANs - I'm not very clued up on these, but iirc you should be able to construct a logically separate LAN from a group of ports or MAC addresses. Then you need a gateway between the Windows VLAN and the Mac VLAN, with a firewall which can protect them from each other.

    This can be a bit nasty to manage though. If it's a port-based VLAN you have to make sure the boxes are plugged into the right network sockets, or they'll be on the wrong VLAN. I believe MAC-based VLANs are possible (but I could be wrong); in which case you have to have a list of MACs and whether they are Windows or Mac machines, and assign them ... tedious.

    A simpler solution could be to insist that all Windows boxes use DHCP, and assign them addresses in a particular subnet. If you want the Mac boxes to use DHCP too, you'll have to do MAC reservations for the Windows network cards to make sure they go onto the right subnet. Then have a gateway/firewall. This doesn't protect against lusers who give their computer a static IP on the logical Mac subnet ... but it gives you some ability to manage the situation.

    To detect troublecausers, you could automate a security scanning tool to check the Mac network for computers which appear to be Windows boxes.
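The detection step suggested in the comment above, written out as an added example (this is not code from the original thread): a Python script that reads nmap grepable output (`nmap -O -oG scan.gnmap 10.1.0.0/24`) and flags any host on the Mac subnet whose OS fingerprint or open ports (135/139/445) suggest a Windows box. The subnet `10.1.0.0/24`, the hostnames and the scan lines are constructed assumptions for the example. Note the caveat handled in the output: Mac OS X 10.2 can itself open port 139 when Windows File Sharing (Samba) is enabled, so a port-only hit is reported as a weaker signal than an OS fingerprint and should be checked by hand before anyone is accused of anything.

```python
"""Flag hosts on the Mac subnet that look like Windows boxes.

Input is nmap "grepable" output (-oG).  Each host produces one or more
"Host: <ip> (<name>)\t<Field>: <value>\t..." lines; the fields we care
about are "Ports" and "OS".  Sample data below is constructed.
"""
import ipaddress
import re

MAC_SUBNET = ipaddress.ip_network("10.1.0.0/24")  # assumption: the Mac subnet
WINDOWS_PORTS = {135, 139, 445}                   # msrpc, netbios-ssn, microsoft-ds

# Constructed sample of nmap -O -oG output (not a real scan).
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.1.0.23 (mac-23.lan)\tStatus: Up
Host: 10.1.0.23 (mac-23.lan)\tPorts: 22/open/tcp//ssh///, 548/open/tcp//afp///\tOS: Apple Mac OS X 10.2
Host: 10.1.0.77 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP
Host: 10.1.0.90 ()\tPorts: 139/open/tcp//netbios-ssn///
Host: 10.2.0.11 (win-11.lan)\tPorts: 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"name", "ports": set of open TCP ports, "os": str}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment line or something we do not understand
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": set(), "os": ""})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Ports":
                # each port looks like "139/open/tcp//netbios-ssn///"
                for port in value.split(","):
                    num, state, proto = port.strip().split("/")[:3]
                    if state == "open" and proto == "tcp":
                        entry["ports"].add(int(num))
            elif key == "OS":
                entry["os"] = value
    return hosts


def windows_evidence(entry):
    """List the reasons a host looks like Windows; empty list means none."""
    reasons = []
    if "windows" in entry["os"].lower():
        reasons.append("OS fingerprint: " + entry["os"])
    hit = sorted(entry["ports"] & WINDOWS_PORTS)
    if hit:
        # Weak signal on its own: a Mac with Windows File Sharing on also opens 139.
        reasons.append("open Windows-style ports (verify manually): "
                       + ", ".join(str(p) for p in hit))
    return reasons


def find_strays(text, subnet=MAC_SUBNET):
    """Return [(ip, reasons)] for hosts inside `subnet` that look like Windows."""
    strays = []
    for ip, entry in parse_grepable(text).items():
        if ipaddress.ip_address(ip) not in subnet:
            continue  # on the Windows segment already; not our concern here
        reasons = windows_evidence(entry)
        if reasons:
            strays.append((ip, reasons))
    return strays


if __name__ == "__main__":
    for ip, reasons in find_strays(SAMPLE_NMAP_GREPABLE):
        print(ip)
        for r in reasons:
            print("   ", r)
```

Run it from cron against a fresh `-oG` file and mail the output to yourself; the host with only port 139 open is listed with the "verify manually" qualifier, which is the case where a Mac running Samba would otherwise be mistaken for an XP box.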

  • by Technician ( 215283 ) on Wednesday November 27, 2002 @11:01AM (#4767161)
    Read the EULA carefully. Especially the part regarding auditing any and all computers in the building. Let your staff know the building cannot support the liability risk of the other OS.
    Please do not give the BSA a free ticket in the front door.
  • by amarodeeps ( 541829 ) <dave@dubi t a b l e.com> on Wednesday November 27, 2002 @11:05AM (#4767199) Homepage

    ...the reason he's griping about his WinXP boxes is that he doesn't want any viruses banging on his network, crackers hijacking these machines, etc.--Windows IS more susceptible to this stuff, if for no other reason (and there may be other reasons) than it is so popular right now, and it is not exactly set up by default to be secure. So get off your high and mighty standards-compliance horse (no matter that I agree with you--I think you have a good point about what _should_ be the case) and remember this guy has to deal with a real-world situation.

    Plus, MS is not really into standards-compliance last I heard, and that also kinda puts a crimp in your ideology...

  • by ScuzzMonkey ( 208981 ) on Wednesday November 27, 2002 @02:53PM (#4769207) Homepage
    IT is not in place to tell the users what they can't do.

    Actually, I think this should be exactly what IT is in place to do. Some of the worst messes I've ever had the displeasure of walking into have been the result of an overly permissive "yeah, sure, whatever you need, go ahead and get it and plug it in" policy.

    That's not to say that supporting users and their job requirements isn't important--you're right, it's job one. But the users, generally, should not be dictating the software or equipment they need to do the job. After all, they are not the IT professionals. There is a whole department there to find the right tools for the job. That's the entire point of having an IT department--people to make professional decisions about technology. If the users were capable of doing this, you wouldn't need IT in the first place.

    Instead, typically, the users see a neat new toy at the last trade show or in someone else's business and decide suddenly that it's a requirement for them to get their job done. They don't consider the consequences or how it fits in to the rest of the system. IT should, and it should use that knowledge to set limits. The users should present IT with the business requirements and allow the techs to find and implement the technology that will best support those; they should NOT present IT with a new technology and say "here, make it work".

    Saying no is one of my most important functions as an IT manager, IMHO. The company I am now at is running stable, under-budget, and effective systems because I've been able to cut all the pie-in-the-sky user-initiated projects off at the knees by saying no. I'm nicer about it than that, of course... usually it's more along the lines of "Wow, that really is a neat piece of gear! But why don't you tell me what exactly it is that you need to accomplish, and let's see if we can do it with something that fits in a little better with our current platform, shall we?"
