Unfortunately there is not always possible to have compartment mode network
with dedicated "communication" desktops. Small companies cannot afford that.
And there is an administrative problem: things that everyone needs but people
do it "inofficial" way. People _do_ need personal communications, instant messaging
and email, disallowing it completely makes users feel uncomfortable and definitely
does not contrbute to healthy athmosphere unless there are really high security
requirements (in which case they get paid for it). But - management is unlikely
to invest much into such matters of personal comfort.

Most companies do allow it anyways, so a solution should be.
People DO play at work. Ignoring the problem (they should not, so that is not
a problem) seems plain unwise it most cases.

I'd yet to see a company where CEO is not allowed to get his yahoo mail ;-)


Yes, sure i've seen many companies where people are not allowed to use external
mail servers. Almost 100% of them just forced people to use business addresses for
personal communications this way (although that was not formally allowed) and i
do not think this makes any difference.

On Tue, Feb 22, 2005 at 08:31:01AM -0500, Paul D. Robertson wrote:
> > Because people need access to their personal mailboxes out in the internet
> > from the workplace, and environtments fascist enough to prohibit them

> There's a difference between "need" and "want." People also want to take
> things from the workplace that don't belong to them, but we don't allow
> that behavior.
> > from doing it are not that common at all. So there should be a way to
> > minimize risks without being BOFH.
> >

> No- security is based on blocking. The less you allow, the less risk you
> assume. It's that simple. Every extra thing you allow increases your
> risk in an unquantifyable manner. When it's vectors like E-mail where
> there's a high attack rate, then you're increasing risk significantly,
> because we don't have good protections for Windows desktops for new
> malware.
> My take's always been that if you want to do personal e-mail, do it on
> your time, on your machine. If you can negotiate otherwise, fine, but the
> generic drooling desktop user doesn't get to play at work.
> My other take is that it works from most places simply because "Anything
> out, state or ACK back" is the sum total of most site's firewall rulesets.
> I've never been anywhere that had a real security policy where mail reader
> protocols were allowed to external systems.
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> which may have no basis whatsoever in fact."
> email protected and scanned by AdvascanTM - keeping email useful -
> [host=TEST]

firewall-wizards mailing list