10 Comments

Join the conversation!

Follow via:
RSS
Email Alert
A few of our customers have enquired about the best way to handle this; as with all new geek toys, once the directors get them they suddenly become a "business need".

As a security company we have a tough job balancing adequate security against the whims of the businesses we advise...

A workaround I have advised a few of our customers to run maintains a degree of security. It's not ideal, but it allows the use of iPhones without opening ports to the general staff population, and it's fairly simple to implement for the average network tech.

If you open the Settings app on your iPhone and go into the network and wireless settings, you can get the MAC address of your wireless card.

Then on your DHCP server you can add some reservations. I recommend picking a different range from your regular DHCP scope, as then there is less risk of confusion on the firewall or of another tech applying a static IP out of the restricted range to a workstation.

For each of the IPs you have reserved, you can go into the advanced settings and enter the MAC address of one of the iPhones you wish to grant access.

Then on your firewall you can create a specific rule allowing access from the new range you have reserved on whatever ports you want them to be able to use. A generic catch-all (any) rule (or default route) will probably be fine, as the iPhone is limited in what damage it can bring to the network and the IPs covered by this rule will only be handed out if the MAC address is matched.

If you want the iPhones to access internal LAN resources you will need another rule on the firewall granting access to your LAN, and maybe a static route on the firewall depending on how you have subnetted everything...


Like I said, not perfect, but it allows iPhone users onto the App Store and FaceTime without opening ports to your workstations or to other people on the wireless.
0 Votes
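The procedure in the post above, as an added example that is not the poster's own code: a small Python script that turns a list of iPhone MAC addresses into ISC dhcpd host reservations in a separate range and emits matching iptables FORWARD rules for that range, refusing to proceed if the reserved range overlaps the regular scope. The subnets, MAC addresses and port numbers are constructed for illustration only; the real FaceTime and App Store ports must come from Apple's documentation.

```python
"""Generate MAC-gated DHCP reservations plus matching firewall rules.

Added example, not from the original post. Every address, MAC and port
below is constructed for illustration.
"""
import ipaddress
import re

# Hypothetical network layout (assumption, not from the post).
GENERAL_SCOPE = "192.168.1.0/24"   # regular workstation DHCP scope
IPHONE_RANGE = "192.168.50.0/28"   # separate range used only for reservations
LAN_NETS = ["192.168.1.0/24", "10.0.0.0/8"]
# Constructed sample MACs, written the way the iPhone Settings app shows them.
IPHONE_MACS = ["AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-02"]
# Example port list only; take the real FaceTime / App Store ports from Apple.
ALLOWED_TCP = [443, 5223]
ALLOWED_UDP = [(3478, 3497), (16384, 16387)]

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form; rejects anything that is not a MAC."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def ranges_overlap(a: str, b: str) -> bool:
    """True if the two CIDR ranges share any address."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def plan_reservations(macs, reserved_range, general_scope):
    """Map each MAC to a fixed address in reserved_range.

    Refuses to proceed if the reserved range overlaps the regular scope,
    which is exactly the confusion the post warns about.
    """
    if ranges_overlap(reserved_range, general_scope):
        raise ValueError(f"{reserved_range} overlaps {general_scope}")
    net = ipaddress.ip_network(reserved_range)
    pool = list(net.hosts())[1:]           # first host is kept for the gateway
    seen = []
    for mac in macs:
        n = normalize_mac(mac)
        if n in seen:
            raise ValueError(f"duplicate MAC {n}")
        seen.append(n)
    if len(seen) > len(pool):
        raise ValueError(f"{len(seen)} devices but only {len(pool)} addresses")
    return {mac: str(ip) for mac, ip in zip(seen, pool)}


def dhcpd_config(reservations, reserved_range):
    """ISC dhcpd fragment: a subnet with no dynamic 'range', only fixed hosts."""
    net = ipaddress.ip_network(reserved_range)
    gateway = next(net.hosts())
    out = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"    option routers {gateway};",
        "    # no 'range' statement: nothing is leased dynamically here",
        "}",
    ]
    for i, (mac, ip) in enumerate(sorted(reservations.items()), 1):
        out.append(f"host iphone-{i:02d} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return "\n".join(out)


def firewall_rules(reserved_range, allowed_tcp, allowed_udp, lan_nets, lan_access=False):
    """iptables FORWARD rules for the reserved range; order matters."""
    rules = []
    # LAN decision first, so a later port ACCEPT cannot reach internal hosts.
    for lan in lan_nets:
        rules.append(f"iptables -A FORWARD -s {reserved_range} -d {lan} -j "
                     + ("ACCEPT" if lan_access else "DROP"))
    if allowed_tcp:
        ports = ",".join(str(p) for p in allowed_tcp)
        rules.append(f"iptables -A FORWARD -s {reserved_range} -p tcp "
                     f"-m multiport --dports {ports} -j ACCEPT")
    for lo, hi in allowed_udp:
        rules.append(f"iptables -A FORWARD -s {reserved_range} -p udp --dport {lo}:{hi} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {reserved_range} -j DROP")   # default deny
    return rules


if __name__ == "__main__":
    plan = plan_reservations(IPHONE_MACS, IPHONE_RANGE, GENERAL_SCOPE)
    print(dhcpd_config(plan, IPHONE_RANGE))
    print("\n".join(firewall_rules(IPHONE_RANGE, ALLOWED_TCP, ALLOWED_UDP, LAN_NETS)))
```

Two practical caveats. A DHCP reservation only controls what the server hands out: a client that configures itself statically inside the reserved range, or spoofs a listed MAC, gets the same firewall treatment, so the MAC match is a convenience filter, not authentication. And the rule order is deliberate: the LAN DROP rules precede the port ACCEPTs, otherwise an allowed port such as 443 would also be reachable on internal hosts; pass lan_access=True to generate the LAN-access variant the post mentions.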
Pro
How does that relieve the security risk associated with the point of attack? Allowing something that can be docked locally in the enterprise to be compromised seems like bad mojo.

If you used this in the enterprise you may have a level of security; however, the phone remains a viable and rich target (especially if they are the CIO/CTO etc.), and they will be using this technology in airports and coffee shops.

While I agree you can tighten the noose, the risk/reward still seems fairly high.

But I don't have a CIO telling me it is a business need that didn't exist before he got his new toy! (wink)
.... if only because it has a sadly unimaginative, copied name.
I disagree with your opinion, Erik. "Large distributed organizations with remote offices likely already have a dedicated video conferencing solution in place, anyway." Quite often these are dedicated conference rooms that pretty much have to be scheduled for use. Even if not, any other video conferencing solution requires either sitting at your desktop with a webcam mounted (unless it's an iMac or exactly equivalent type) or a laptop with a built-in webcam, which we already know is not all that common outside of Apple's products. This also doesn't take into consideration that one or more of the attendees may not have their laptops with them, as they may be mobile for whatever reason. I will grant that a laptop could conceivably be used anywhere FaceTime can be used, but its bulk may make it impractical in some places.

"There's no need to reinvent the wheel." Even so, the wheel has been reinvented many times, from stone, to wood, to steel, to rubber. Each advancement has made that wheel more practical and reliable over the millennia, and the same can be said for communications. The wheel needs to be continuously reinvented, or our technology and society will stagnate. In today's world especially, stagnation means extinction.
0 Votes
Contributr
"... a laptop with built-in webcam--which we already know is not all that common outside of Apple's products."

Huh? Every Windows laptop I've bought in the last several years has had a built-in webcam and microphone; it's difficult to find one without those features.
Probably the official "FaceTime", yes -- but I'm sure that our field techs will have much better capabilities to share live repair info with inside engineering and tech support groups. We already have a webcam in tech support to help explain how things look, and going forward the options for a live video sharing feed will be in even more demand... No matter what method we choose, I have video sharing needs now, and they are business needs, not executives on conference calls. A picture can be worth a thousand words...
While I agree that this does pose a security risk and I would like to see Apple decrease the attack surface, I disagree that there is no legitimate business use for the technology. I had a perfect opportunity to use it just yesterday. I had a PBX engineer on the phone while trying to trace down a fax line on a gigantic wall of punch-down blocks. I took pics with my iPhone and emailed them to him (it was nice that I didn't have to hang up while I did this), but it would have been great to be able to talk to him while I showed him video of exactly what I was looking at. I can imagine numerous remote scenarios like this.
0 Votes
So right now, it should be pretty easy to say no. Not worth the risk for such limited use.
0 Votes
7 ports to use one app?
There ain't no excuse for that.

That just screams incompetence.

I could see it needing 2, one for the outgoing video stream and one for the inbound video stream, but most definitely no more than 2. There is no need to open ports for audio: the device is a phone, you have audio connection capabilities already.

And there is no way any port below 1,000 will EVER be a viable port for an iPhone app, not if they are well designed and written.
One major security hole after another. Protect your company's data and leave these things at home.