We've all heard it before from our parents, teachers, colleagues, friends, et al. There are certain things we shouldn't do (e.g. run with scissors, run by the pool, etc.) because it's just not safe, yet many of us still do these things knowing full well that there could be dire consequences.
It should come as no surprise that digital safety awareness has improved thanks to that double-edged sword of malicious outbreaks and greater diligence on the part of the media, vendors (like Microsoft) and network operators (including IT departments and ISPs). Yet, many computer users still find themselves doing the digital equivalent of running with scissors.
The catalyst for this posting was the recently released "Understanding Remote Worker Security: A Survey of User Awareness vs. Behavior" released by the newly re-logoed Cisco. The net/net of the survey: people know that they need to exercise greater caution when traversing the digital domains, yet they still have the habit (that's right it's often more of a habit than malicious intentions) to do some things that are not necessarily in the best interest of the net community.
Don't get me wrong; this isn't a cry of "the sky is falling". Reading the Cisco survey showed it was fairly basic things people are doing, like on-line shopping with their work computer or "borrowing" wireless bandwidth. Now either of these examples could result in increased risk to the corporate network, but it's not about these activities I want to point out. It's really about revisiting the importance of what I like to call the three part network security ying-yang: policy, technology and education. It's a cyclic thing since each of these stages should be constantly revisited, updated and evangelized.
Microsoft has and will be releasing a bunch of network security solutions to help fill in that middle bit (technology). These include my personal fav's of Server and Domain Isolation, Secure Wireless and Network Access Protection. Each of these solutions, both by themselves and working in concert, are great tools to help drive the reality of "policy-driven network access". They can help you dynamically segment your network, reduced attack surface and greatly increase the security posture of the hosts connecting to your network. Yet, without the right (paper) policies to dictate what is good and what's not, these tools may not be as effective as they can be.
So, why all this dribble? Well, there are just some things you just need to let slide, like users shopping for birthday presents while in between meetings or (as in the case of this survey) working remotely. Implementing too restrictive policies will end-up backfiring. Instead, you need to focus on what the risk is and utilize solutions (like the ones mentioned above) to help mitigate the things that can go boo at night on the Internet. For example, if a VPN user has clicked on something bad, like a piece of malware that attempts to kill the antivirus process, NAP can help mitigate the risk of this introducing unnecessary network threats.
In closing, we live in a paradoxical network universe. We want to provide the access and mobility our users want to have, yet we often fear the worse when this access gets abused or compromised. That's why you need to limit risk beyond just setting up topological network boundaries (e.g. the edge firewall) through these policy-driven network access mechanisms.
As we inch closer to the release of Windows Vista and then Windows Server "Longhorn", I plan to wrote more on what this subject of policy-driven network access. Now, it's time to finish up my presentation for tomorrow's engagements with the Windows Vista TAP program members.