On Thu, 2 Sep 1999 09:13:13 +0800, [EMAIL PROTECTED] said:
tanhcr> what do you think about this: caller identification (the
tanhcr> calling number is matched against the pre-defined number on
tanhcr> the radius) and password authentication without restriction on
tanhcr> the destination

I think the more "security in depth" you can provide, the better. We
couldn't use caller-ID because many of our users travelled and this
would prevent them from calling from remote sites, hotel rooms, etc.
Caller ID doesn't protect you from friends and family who might use
the login from home (e.g. kids while the parents are at work). We had
one egregious case where an employee's former boyfriend broke into the
employee's house and ransacked her files, attacked campus machines,
etc. Took us a long time to believe she wasn't just deleting her own
stuff. The hardware token authentication stopped that, of course, but
couldn't help with her love-life :-)

The "restriction on the destination" is a different matter, and
probably something you should consider. But what restrictions you
apply, if any, should depend on what your site's security policy
dictates. As other follow-ups have said, might be a good idea to
restrict where they can go on the internal *and* external net. It's
all up to your policy.