Security Basics mailing list archives

RE: Network Access Quarantine


From: "Adams, Tom" <tom.adams () mci com>
Date: Mon, 26 Jan 2004 20:58:39 +0000

Why not force them to VPN in?

That is one approach, but all it buys you is that you've strongly authenticated
your user, assuming you allow access to everything from there.

You might be better off segmenting your Internal Data Network so that
desktop users don't have complete access to the corporate jewels.  You then
require access to the "jewels" segment(s) to be strictly limited, requiring
strong authentication and ACLs allowing them access only to the systems they
need to admin.  The "jewels" segment(s) would be ACL'd to deny everything
by default, with ACLs in place to allow only the "necessary" ports and IPs
open, both inbound and outbound.

You could use VPN Servers, AppGate clusters, Citrix, etc. to "firewall"
access to your "jewels" segment(s).

One last item...don't allow unlimited access between your desktop segments.
Users "shouldn't" need access from one desktop segment to another :-)...I
would hazard a guess that this is where most of your infections come from
:-(
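One way to check a proposed ruleset against the segmentation policy described above, as an added example that is not part of the original thread; the segment names, addressing and allow lists are constructed for illustration:

```python
import ipaddress

# Constructed addressing for the example: two desktop segments, the "jewels"
# segment, and the gateway hosts (VPN / Citrix / AppGate) that front it.
SEGMENTS = {
    "desktop-a": ipaddress.ip_network("10.10.0.0/24"),
    "desktop-b": ipaddress.ip_network("10.11.0.0/24"),
    "jewels":    ipaddress.ip_network("10.200.0.0/24"),
    "access-gw": ipaddress.ip_network("10.250.0.0/28"),
}

# Inbound allow list for the jewels segment: (src net, dst host/net, dst port).
# Only the strongly-authenticated gateway may reach the admin ports; anything
# not listed here is denied (default deny).
JEWELS_INBOUND = [
    ("10.250.0.0/28", "10.200.0.10/32", 22),    # SSH to one admin host
    ("10.250.0.0/28", "10.200.0.11/32", 3389),  # RDP to one admin host
]
# Outbound allow list for the jewels segment (e.g. internal DNS only).
JEWELS_OUTBOUND = [
    ("10.200.0.0/24", "10.250.0.5/32", 53),
]

def segment_of(ip):
    """Name of the segment an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def _listed(rules, src, dst, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(rs) and d in ipaddress.ip_network(rd)
               and port == rp for rs, rd, rp in rules)

def flow_allowed(src, dst, port):
    """Return (allowed, reason) for a flow under the segmentation policy."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None or dst_seg is None:
        return False, "unknown segment: deny"
    if dst_seg == "jewels":                       # inbound to jewels
        ok = _listed(JEWELS_INBOUND, src, dst, port)
        return ok, "jewels inbound allow list" if ok else "jewels default deny"
    if src_seg == "jewels":                       # outbound from jewels
        ok = _listed(JEWELS_OUTBOUND, src, dst, port)
        return ok, "jewels outbound allow list" if ok else "jewels default deny"
    if (src_seg.startswith("desktop") and dst_seg.startswith("desktop")
            and src_seg != dst_seg):              # no desktop-to-desktop
        return False, "desktop segments may not talk to each other"
    return True, "permitted"
```

Run the candidate ACL entries through `flow_allowed` as flows before deploying them; a desktop host reaching a jewels admin port directly should always come back denied.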
