I'm hard at rethinking how we build our corporate networks today. For some reason we can put endless hours into automating some tasks and in the process put far more man-hours into it than it would take to manage things manually. This automation also brings some bad side effects, like the self-serving struggle to make machines conform to corporate standards. I'm not at all convinced that the time I put into, for example, researching, implementing and deploying some policy settings saves even an hour's work over several years and a couple of hundred machines. Sometimes those policies even add significantly to my support burden. Mind you, these are Windows boxes, and that's why I have taken a step back and started thinking. One other very bad side effect is that this also makes it next to impossible to introduce anything other than the corporate-approved desktop OS.
Our network is built upon the assumption that a workstation that is managed by us and sits on our internal network is more or less secure. I wonder if that's really a secure way of handling things. Most users who can do anything bad with the information they could potentially steal are employees, not some random hacker trying to get my WoW account.
The most common way is to treat anything inside the LAN as more or less trusted and anything from outside the firewall as untrusted. I'm starting to believe that it's time to move the trust boundary even further into the LAN and treat the internal network as untrusted.
I'm currently pondering building a network where it's up to the users what they do with their own machines, as long as they have antivirus on them and are updated regularly. No managing of the computers whatsoever, no boundaries and no stupid IT policies that are there just for the sake of the IT crowd. By doing that, putting every possible service on web servers and refusing to buy server software that needs its own client, this would become a totally free network that can be pretty much platform agnostic. The biggest hurdle, machine management, is in itself the biggest stumbling block for the users today. By making the internal LAN completely untrusted and demanding two-factor auth regardless of location, what computer people use and whether it's trusted or not becomes moot. Everything has to be secured just as if it were published on the internet.
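To make the "untrusted LAN, two-factor auth regardless of location" idea concrete, here is a small added example (my own illustration, not code from the original post or from any product it mentions). It contrasts a perimeter-style authorization rule, which waives the second factor for clients inside a constructed 10.0.0.0/8 LAN range, with a location-blind rule that always requires a TOTP code (RFC 6238, which is HOTP from RFC 4226 driven by a 30-second time step). The shared secret is the RFC 4226 test-vector secret, and the policy function names and the LAN range are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed for the example: the "trusted" internal range a perimeter model would whitelist.
INTERNAL_LAN = ipaddress.ip_network("10.0.0.0/8")

# RFC 4226 test-vector secret (ASCII "12345678901234567890"); a real deployment uses a random per-user secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps to absorb clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def perimeter_policy(src_ip: str, password_ok: bool, totp_code: str, secret: bytes, now: int) -> bool:
    """The model the post argues against: a client on the LAN is trusted with a password alone,
    so a stolen password is enough for anyone already inside (an employee, or malware on a desktop)."""
    if ipaddress.ip_address(src_ip) in INTERNAL_LAN:
        return password_ok
    return password_ok and verify_totp(secret, totp_code, now)


def zero_trust_policy(src_ip: str, password_ok: bool, totp_code: str, secret: bytes, now: int) -> bool:
    """The model the post proposes: source address is never consulted, every login needs
    password plus a valid second factor, exactly as if the service were on the public internet."""
    del src_ip  # deliberately unused: location carries no trust
    return password_ok and verify_totp(secret, totp_code, now)


if __name__ == "__main__":
    # Constructed scenario: an internal client presents the right password and a wrong code.
    t = 59  # RFC 6238 test time; the valid 6-digit code here is 287082
    print("perimeter, LAN client, wrong code :", perimeter_policy("10.1.2.3", True, "000000", DEMO_SECRET, t))
    print("zero-trust, LAN client, wrong code:", zero_trust_policy("10.1.2.3", True, "000000", DEMO_SECRET, t))
    print("zero-trust, any client, right code:", zero_trust_policy("203.0.113.5", True, totp(DEMO_SECRET, t), DEMO_SECRET, t))
```

The point of the contrast is the first two lines of output: under the perimeter rule a LAN address plus a password is enough, so the whole security of the system rests on where the client is plugged in; under the location-blind rule the same request is refused, and the decision is identical whether the request arrives from a desk, a home connection or a hotel.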
eBox is one way of achieving this which I'm currently investigating. Coupled with Google Apps and two-factor auth it's pretty much ready.
I really call this going one step back and two large steps forward.