On Tue, 22 Feb 2005, ArkanoiD wrote:

> nuqneH,
> Unfortunately it is not always possible to have a compartment mode network
> with dedicated "communication" desktops. Small companies cannot afford that.

Sure, but small companies also cannot afford downtime to the same extent
that large companies can.

> And there is an administrative problem: things that everyone needs but people
> do in an "unofficial" way. People _do_ need personal communications, instant messaging

There's a significant difference between need and want- and given the
ubiquity of cell phones in most work environments, "need" for personal
e-mail simply isn't true. "Want" very much is, but you're not being paid
to read jokes, flirt and delete your home spam collection while you're at

> and email, disallowing it completely makes users feel uncomfortable and definitely
> does not contribute to a healthy atmosphere unless there are really high security
> requirements (in which case they get paid for it). But - management is unlikely
> to invest much into such matters of personal comfort.

I've been in environments where it's been disallowed, and I've been in
environments where it's allowed- in neither case was it the deciding
factor in workplace comfort- generally there are larger issues at work

Your risk to malcode goes up. Your risk to hostile workplace suits goes
up, your risk to operational work not getting done goes up- there has to
be an offsetting benefit or it's not worth while to allow- "people want
it" isn't quantifiable, and doesn't meet that standard.

> Most companies do allow it anyways, so a solution should be.

Again, not necessarily because they meant to allow it.

> People DO play at work. Ignoring the problem (they should not, so that is not
> a problem) seems plain unwise in most cases.

Authorizing it is also unwise.

> I've yet to see a company where the CEO is not allowed to get his yahoo mail ;-)

I know of one USD$4.5 billion company where the CEO wasn't allowed to IM
his kids in college, despite the politics involved because the BOFH at the
firewall didn't allow IM.

When I asked for a business case justification, the assorted posterior
worshiping minions had a collective heart attack. I didn't give ground,
and the CEO went un-IMed for as long as I was there.

> P.S.
> Yes, sure I've seen many companies where people are not allowed to use external
> mail servers. Almost 100% of them just forced people to use business addresses for
> personal communications this way (although that was not formally allowed) and I
> do not think this makes any difference.

Then you've likely never had to deal with hostile workplace lawsuits,
employee termination for non-performance issues, privacy issues during an
investigation of malice, or a host of other things where the systems
belonging to the employer make the security administrator's job
significantly easier. Also, note that for most workplaces, the AUP takes
away privacy protections on the network- suddenly opening your personal
communications to increased scrutiny and decreased legal protections.

Paul D. Robertson
paul@compuwar.net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list