Political decision threatens the security of a departmental LAN

A company-wide policy banning private network addresses is issued, potentially threatening the security of the LAN for which you are responsible. What would you do to combat such a policy?

Our "What would you do?" column is a forum for sharing your knowledge and experience in dealing with the less tangible side of computer support: ethics. Every two weeks I’ll present a scenario that requires more than a technical solution. Each situation will be an accurate description of an actual event, with the names and other identifying factors changed to protect the innocent—and sometimes not so innocent. In four weeks, I’ll present feedback from the community members, along with the actual outcome if one is available.

In today’s installment of “What would you do?,” I’ll present the responses to our previous article. Then, at the end of this article, you can check out our latest ethical dilemma and offer your advice.

Presenting the bottom line to non-IT management
Our last column, “Help this manager justify the cost of a trial LAN setup,” detailed the plight of an IT manager who was having loads of trouble getting non-IT management to see the importance of implementing a test LAN. This IT manager was in serious need of help from TechRepublic members, and you didn’t disappoint.

Many members reinforced the idea of documenting, documenting, and documenting. One member suggested compiling horror stories involving companies who tested new applications on a production LAN with terrible results and sharing these real-life nightmares with management. Another member said the IT manager should document every suggestion he makes so that when the LAN does crash as the result of an untested application, the IT manager will have proof that he had tried to be proactive in preventing the meltdown.

Another member suggested the back-door approach of proposing a server upgrade instead. If the upgrade goes through, the old server could be used as the test platform.

MrWizard10 suggested delegating the issue to someone else: “Turn to a local business school and have the students use this as a project to do a cost benefit analysis.”

Some members focused strictly on the bottom line. Oldefar said, “Make the testing part of the project plan, include the cost of renting the test facilities, and justify the cost based on risk to business. The local lab becomes justifiable as a cost reduction.” Another member said that the IT manager should estimate the cost of downtime per hour and include this number in the test-LAN proposal.

Hopefully our distressed IT manager can make use of some of these suggestions to get approval for his proposed expenditure. Whatever the actual outcome is, we hope to report it to you in a few weeks.

The next ethical dilemma: Technological turf wars
The new dilemma for this week is a complex one: What do you do when politics get in the way of proper security measures? Here is this IT manager’s story:

“I manage a departmental IT unit at a university that is separate from the campus-wide IT support group. This group, CWIT, had established numerous LANs on campus, and my IT unit sits on one that is shared among a number of departments. For management and security reasons, we ‘hide’ about 100 PCs and a dozen networked printers behind a NAT box, exposing only a few servers directly to the campus network and the Internet.

“Due to recent issues with non-CWIT folks incorrectly setting up networking equipment, a policy has been approved and published that effectively bans private network addresses on campus. I firmly believe that NAT is an extremely valuable security layer, but CWIT seems determined to expose our entire infrastructure to the world.

“This appears to be more of a political issue than a technical one, but due to the circumstances (we are dependent upon CWIT for network connectivity), I feel that my best option is to tackle the issue on technical grounds, with subtle political maneuvering whenever it is appropriate and possible. (This is a campus-only issue; we've got private verbal support from the university system's statewide security officer, but he doesn't want to get involved in our turf war. My department head understands and supports the need for security, even if he doesn't understand the technology itself; however, he also doesn't want to butt heads with CWIT.)

“As time permits, I am researching the use of NAT specifically as a security scheme, but I've had little luck so far. The no-NAT policy is in place, and enforcement isn't too far behind. CWIT concedes that it will be taking something away from us and that it needs to come to the table with a compromise. However, I don't believe there are any comparable alternatives. Hopefully, you can help turn my beliefs into facts.”
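The inbound protection this manager attributes to the NAT box comes from the connection tracking that a NAT box has to do anyway: a packet arriving from the campus is only forwarded if it belongs to a flow a departmental host started, or is addressed to a server that was deliberately exposed. That property does not depend on private addresses, and a stateful firewall on the same router keeps it while every PC and printer carries a routable campus address. The ruleset below is an added example written for this column, not something the IT manager or CWIT supplied; it assumes a Linux router running nftables, a departmental allocation of 192.0.2.0/24 (a documentation prefix standing in for the real one), two exposed servers at 192.0.2.10 and 192.0.2.11, and interfaces named eth0 (campus side) and eth1 (department side).

```nft
#!/usr/sbin/nft -f
# Added example (not from the column): stateful default-deny filtering that
# preserves what the NAT box gave the department, without private addresses.
# Assumptions: 192.0.2.0/24 is a placeholder for the department's real prefix,
# 192.0.2.10 and 192.0.2.11 are the servers meant to be reachable from outside,
# eth0 faces the campus network and eth1 faces the department.
flush ruleset

table inet dept_edge {
    # Hosts that are supposed to accept new connections from the campus.
    set exposed_servers {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain forward {
        # Default policy: anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to flows the department started, plus related traffic such
        # as ICMP errors. This is the connection tracking a NAT box also relies
        # on; it is what blocks unsolicited inbound packets, not the rewriting.
        ct state established,related accept

        # Departmental hosts may open new flows toward the campus and beyond.
        iifname "eth1" oifname "eth0" ct state new accept

        # New inbound flows are accepted only for the exposed servers, and
        # only on the services they are meant to offer (web in this example).
        iifname "eth0" oifname "eth1" ip daddr @exposed_servers tcp dport { 80, 443 } ct state new accept

        # Everything else from the campus is logged (rate limited) before the
        # chain policy drops it, so probes against desktops and printers leave
        # a trace in the router's log instead of vanishing silently.
        iifname "eth0" limit rate 10/minute log prefix "dept-edge drop: "
    }
}
```

Two things are worth pointing out when presenting this to CWIT. First, the rule `ct state established,related accept` followed by a drop policy is the exact behavior the department currently gets from NAT, so the compromise the manager is looking for is a stateful firewall at the department's edge rather than an address scheme. Second, the logging line gives the department something the NAT box never did: a record of who is knocking on the desktops and printers, which is useful evidence if enforcement of the campus policy ever needs to be revisited.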

What would you do?
After reading this scenario, if you have resources or personal knowledge to share concerning the status of NAT in terms of network security, please send them to us. Or, if you have any suggestions concerning an alternative solution, we would like to hear from you—especially if you have ever successfully dealt with a similar situation.

You can submit your ideas either by e-mail or by posting a discussion item at the end of each column. A week after the publication of a scenario, we'll pull together the most interesting solutions and common themes from the discussion. We will later present them with the situation's actual outcome in a follow-up article. You may continue to add discussion items after the week has elapsed, but to be eligible for inclusion in the follow-up article, your suggestions must be received within a week of the scenario's publication.