On Wed, 2005-11-16 at 11:56 -0600, Thomas W Shinder wrote:
Hi Susan,
I think you misunderstood what they were trying to communicate during
that Webcast, and the presenters didn't do a really good job at
explicating their positions.
Many people think that there is no more perimeter (or edge), or that the
perimeter (or edge) somehow magically changed to the end point on the
corporate network. Neither assertion is true or believable. Sure, there
is a more heterogenous set of security zones that need to be segmented
from one another, but to say that there is no more "perimeter" or no
more "edge" is ridiculous at best, delusional at worst (sort of like
saying that SBS doesn't represent a security compromise).
Depends on what you consider a security compromise. Is it really a
compromise if looking after a single server is only a small part of your
overall duties (which is the case in most SBS deployments).
Most will agree that it's not best practise to have everything on one
box, but for it's purpose as the single server for a small company with
often no IT staff, only having one box to look after means it gets more
attention. You can argue against that with all the usual arguments about
putting all these services on a single box, however as soon as you start
adding boxes you decrease the attention span dedicated to each box and
that is also a security compromise. Overall you make a choice between
one server or many - both having merits and failings, which one is the
compromise is specific to you. If however you choose based purely on
cost THAT is quite likely to be a security compromise.
Don't get me wrong I do NOT advocate having SBS with one interface on
the net and one on the LAN, but if you have a cheap router with
firewalling capabilities and a single SBS server, you are no more
compromising than someone with a similar setup and a few more servers -
this is how I see most SBS servers deployed. The important thing there
would be your single server would get more attention than the other guys
set of servers. In my opinion it doesn't matter how secure you are, if
the administrator isn't paying attention then there is no point.
I wouldn't write off the SBS choice as a compromise on Security all of
the time, until you have weighed in all the factors, it's certainly not
a delusional state to have an SBS box set up and be confident that you
are on top of it from a security perspective.
It is entirely situation dependant and the compromise may or may not
exist depending on the other contributing factors.
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
smime.p7s
Description: S/MIME cryptographic signature
