Reducing The Negative Impact of Laptops
Mark Brunelli wrote to mention a SearchEnterpriseLinux column about reducing the negative impact laptops can have on a network's security. From the article: "Portable computers often become an extension of the person using them. It is no surprise that laptop users are inclined to be rather autonomously minded. Many users don't realize that the power they have to install software and change settings is risk prone. Fortunately, larger corporations that install Microsoft Windows XP Professional usually don't grant the laptop user full administrative rights. The same cannot be said of smaller businesses, many of which simply purchase laptops from the local store -- laptops pre-installed with Windows XP Home Edition."
Laptops that are permitted out of the office have to be set up as untrusted devices. Run separate cables, or make the user log in wirelessly, allowing limited, if any, local network access, but allowing full Internet access.
/*
Basically, you have your primary LAN of machines that never leave the office, and your wireless LAN of laptops that are blocked from the primary LAN. Both networks should be able to connect to the Internet, and laptop users would be required to connect to network services just as if they were out of the office.
Good wireless APs should be able to block laptop-to-laptop communications, so that all the wireless network provides is Internet access. Your network services should be hardened from Internet attacks already, and if they are not, that should be addressed before any laptop-related issue.
This has worked relatively well for me, might have a huge hole I don't see.
*/
You don't make the poor richer by making the rich poorer. - Winston Churchill
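The segmentation described in the comment above, sketched as a forwarding policy for a Linux router running nftables. This is an added example, not part of the original thread; the three interface names and the table name are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Interface names are assumptions:
#   lan0  = primary LAN (machines that never leave the office)
#   wlan0 = laptop segment (separate cable run or wireless AP uplink)
#   wan0  = Internet uplink

table inet laptop_segmentation {
    chain forward {
        # Default-deny: only the flows listed below cross the router.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed out.
        ct state established,related accept
        ct state invalid drop

        # Both segments get full Internet access.
        iifname "lan0"  oifname "wan0" accept
        iifname "wlan0" oifname "wan0" accept

        # The laptop segment is untrusted: anything it aims at the
        # primary LAN is counted, logged and dropped. The log line is
        # also the detection point for an infected laptop probing inward.
        iifname "wlan0" oifname "lan0" counter log prefix "laptop-to-lan drop: " drop

        # Everything else, including new connections from the Internet
        # or from lan0 into the laptop segment, falls to policy drop.
    }
}

# Laptop-to-laptop blocking is not enforced here: clients on the same
# AP never cross the router, so that part has to be switched on at the
# AP itself (usually called client or AP isolation).
```

Running `nft -c -f` on the file checks the ruleset for syntax errors without loading it.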
Actually, the last large corporation I worked for caught Code Red from a salesman's laptop. This salesman was in Australia, far away from the IT Department.
Even better: It was a security company.
Best of all: It was the Mac team that brought it to the IT Department's attention.