Tuesday, December 04, 2007

Convenience Laptops/Operating Systems in the Enterprise

In most of the [security] teams I've been a part of in large companies, the first thing an engineer would do upon receipt of new hardware (whether lease or purchase) was to immediately purge the box of the official corporate (always Windows) install and install your own OS (typically some Linux flavor, but perhaps BSD). More recently, you might purchase your own hardware (often a Mac), possibly in clear violation of the corporate security policy.

If you needed a rationale, it was because the standard IT image didn't allow you to do your job. Yeah, you might be able to build and run libdnet/libpcap based apps on Windows, but why would you want to? You needed the right network, development, and security tools -- which in and of themselves are most definitely a violation (that is, if the policy applied to you, since you were special, you were a security genius!). A fringe benefit was that you were free of the nasty IT-installed agents that suck the life out of laptops and the corporate spyware monitoring your every move. Oh yeah, and you were also more up to date on security packages than the IT build.

So with NAC and other endpoint control regimes designed to stamp out these rogue systems, there is the real possibility of controlling access to campus or remote access networks to "supported systems." What is a passive aggressive security guy to do? Sure, there are ways to subvert these controls, but you want to do the right thing, sort of. It is one thing to simply ignore policies that really weren't designed for you in the first place. It is another to actively thwart countermeasures. And then there is stuff in between like reverse engineering the "software token" so that a Linux user can enjoy the benefits of hardware token free authentication that the Windows users enjoyed.

And no this last example wasn't me (I'm not smart or motivated enough) but you know who you are!
