
Re: [K12OSN] Access to K12LTSP remotely

Steve Wright <paua quicksilver net nz> wrote:

> This is foolish talk.  You MUST secure X over the internet - period

Oh, dear me. There is no law that says that you MUST secure X over the
Internet. To say there is, is foolish. Most people on this list are free to
make their own assessment of the risks, and the vast majority will take the
sensible and prudent course of encrypting traffic for X as well as
protocols which pass passwords or other sensitive data as plaintext.

And of course, people are free to secure X by other means. An administrator
is free to decide that using a dial-up line into a small country school is
an appropriate level of risk.

In some cases, readers may be subject to their organizations' security
policies; however, even there, the phraseology is usually "should", not
"MUST". You might like to consider the example of New Zealand Standard
17799:2001, "Code of Practice for Information Security Management" (you
have that on your bookshelf, right? It's the top-level commercial security
standards document in your country). The entire document uses the word
"must" just twice (in section, on Access Control Rules). It
certainly doesn't say "you MUST secure X, or die". . .

Enough already. I'm sure the readers of this list are all well aware of the
risks inherent in using X and similar UDP-based protocols over the public
Internet, and the controls and safeguards that are available to them.


--- Les Bell, RHCE, CISSP
