1999-05-13-19:56:06 Adam Spatz:
> Why not just spec a digital PBX?

In some settings, a digital PBX (or more precisely, digital telephone
instruments on the desks) can reduce the problem somewhat; the remaining
untracked dialout use will be from people who get themselves a Konexx
Konnector (or whatever the current equivalent box might be). I bought my
Konnector a few years back, cost like $60 or some such, plugs in place of a
handset --- where even digital instruments are running analog signals --- and
lets you run 28.8 modems.

This won't let people easily run dial-in, but given dial-out a determined user
can construct the same security problem as dial-in; just keep the thing dialed
out, or dial out on a periodic schedule, to a rendezvous point --- which can
be an ISP.

This is definitely a place where I think it's a bad idea trying to search for
a strictly technical fix to a people problem. Instead of trying to make it
impossible to violate the security policy, and failing, it's better to make
sure the security policy is really a good match for the organization's needs,
and is properly endorsed and supported by all levels of management; make sure
you have supported and approved resources available to let people accomplish
anything they need to do for their job; and then use scanning techniques
(which might be just walking around and looking, or demon-dialing your PBX, or
looking for nasty surprise routes getting advertised on your LAN, or oddball
traffic patterns in your PBX's call logs, or whatever) to locate remaining
policy violators and have a talk with 'em. If they don't promise to never do
it again, get 'em fired. If you can't do that, your policy is too weak, and
there's no point pursuing anything else until you get that fixed.

-Bennett
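The two dial-out patterns the post describes (a line kept dialed out, or a call placed to the same number on a fixed schedule) are exactly what the "oddball traffic patterns in your PBX's call logs" check is meant to catch. The script below is an added example, not part of Bennett's post or any particular PBX product: it parses a constructed, hypothetical call-detail-record (CDR) format of `timestamp,extension,dialed_number,duration_seconds` and flags extension/number pairs whose calls recur at a near-constant interval, run unusually long, or happen only outside working hours. The column layout, thresholds and sample records are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample CDR lines in a hypothetical CSV layout:
# timestamp,extension,dialed_number,duration_seconds
# Extension 4417 dials the same external number every night at ~22:00 for ~1 hour,
# which is the scheduled "rendezvous" pattern; the other rows are ordinary traffic.
SAMPLE_CDR = """\
1999-05-10 09:02:11,4412,5551234567,184
1999-05-10 22:00:03,4417,5559876543,3580
1999-05-11 09:15:40,4412,5551230000,95
1999-05-11 22:00:07,4417,5559876543,3595
1999-05-12 22:00:02,4417,5559876543,3601
1999-05-12 13:22:51,4420,5550001111,42
1999-05-13 22:00:05,4417,5559876543,3590
1999-05-13 11:05:00,4412,5551234567,230
"""


def parse_cdr(text):
    """Parse the assumed CSV layout into (timestamp, extension, number, duration) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ext, number, dur = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ext, number, int(dur)))
    return records


def find_rendezvous_patterns(records, min_calls=3, max_jitter=600,
                             long_call=1800, work_hours=(7, 19)):
    """Return {(extension, number): [reasons]} for call patterns worth a closer look.

    periodic       -- at least min_calls calls whose inter-call gaps vary by no more
                      than max_jitter seconds (population std-dev), i.e. a schedule
    long_call      -- at least one call lasting long_call seconds or more
    off_hours_only -- every call to this number started outside work_hours
    """
    by_pair = defaultdict(list)
    for ts, ext, number, dur in records:
        by_pair[(ext, number)].append((ts, dur))

    findings = {}
    for pair, calls in by_pair.items():
        calls.sort()  # chronological order so gaps are meaningful
        reasons = []

        if len(calls) >= min_calls:
            gaps = [(later[0] - earlier[0]).total_seconds()
                    for earlier, later in zip(calls, calls[1:])]
            if pstdev(gaps) <= max_jitter:
                reasons.append("periodic")

        if any(dur >= long_call for _, dur in calls):
            reasons.append("long_call")

        start, end = work_hours
        if all(not (start <= ts.hour < end) for ts, _ in calls):
            reasons.append("off_hours_only")

        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (ext, number), reasons in find_rendezvous_patterns(parse_cdr(SAMPLE_CDR)).items():
        print(f"extension {ext} -> {number}: {', '.join(reasons)}")
```

The thresholds are deliberately loose starting points; a real deployment would tune `max_jitter` to the PBX's timestamp resolution and `work_hours` to the site, and would feed the flagged pairs to the "have a talk with 'em" step rather than treat them as proof of anything.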