On Wed, 19 Feb 1997, Bret Alexander wrote:
> Given the sensitive nature of the environment is the above set-up
> enough?
It's debatable. The final decision must be made by your executives,
because it comes down to a question not of "It is good enough", but one of
"Do the benefits of network access outweigh the costs of lowered
security". Only your suits can answer that one.
> Should Java and ActiveX be allowed past the proxy?
FOR THE LOVE OF GOD, NO!!
> If not can they
> be automatically removed? Just disabling it on the client is not good
> enough.
I'm working this week to hack up the Squid to block ActiveX and Java; if I
have any luck I'll post it to the list. (It should be easy enough.)
> One of my main fears is that allowing the connection without some
> of the more "problematic" features will cause a problem later as
> employees start to look and demand things like pushed data etc.
That's really not that bad of a problem. As long as you have support from
upstairs, you can (and should) be an absolute bastard when it comes to
unsafe technologies. I've found that most people understand the rationale
behind security decisions if you take a second to explain the problem to
them.
__
Todd Graham Lewis    Mindspring Enterprises    tlewis @ mindspring . com