Steve Lamb's Blog

Security Matters

How to manage machines that live on the internet as advocated by the Jericho Forum


System Center Configuration Manager (SCCM) includes an important new feature termed "Internet-Based Client Management". There is a growing trend for large organisations to have remote workers who hardly ever connect to the corporate network.

The Jericho Forum (named after one of the earliest known walled cities) is an industry body representing a diverse range of companies. It advocates internet-based corporate connectivity and challenges software vendors to deliver products that no longer depend on the old fortress concept of "everything is safe inside my internal network, and I'll extend full connectivity to my people outside via VPN".

Thankfully (from a security perspective at least) the demise of the Virtual Private Network (VPN) is under way. No longer do people establish full network connectivity to their corporate network simply to pick up email. The idea of extending the corporate network to mobile devices unless absolutely necessary is finally being questioned. I know that SSL-VPNs remain trendy (even though the name is something of an oxymoron: most of them proxy individual applications and never give you an address on the internal network) and that some organisations will take a long time to change their ways...

SCCM's Internet-Based Client Management allows central management to take place over an SSL (Secure Sockets Layer) connection; strictly it is HTTP over SSL, hence HTTPS. Clients authenticate to the internet-facing management point with a PKI client certificate and the site systems present web server certificates, so the only thing exposed to the internet is that HTTPS endpoint, not the network behind it. For users it is really straightforward: if they have internet connectivity then they are within reach of System Center. Downloads continue to use the Background Intelligent Transfer Service (BITS), so SCCM won't take over the link; BITS throttles itself to idle bandwidth and seamlessly suspends and resumes transfers as connectivity comes and goes.
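As an added illustration (this is not code from the post or from the SCCM product), the following PowerShell script checks the three things an IBCM-managed client depends on: a client-authentication PKI certificate with a private key in the machine store, an internet management point FQDN configured on the client, and an HTTPS session to that management point showing which server certificate it presents. The COM object Microsoft.SMS.Client and the method names GetAssignedSite, GetCurrentManagementPoint and GetInternetManagementPointFQDN are taken from the ConfigMgr client SDK as I recall it; confirm them against the SDK version you have. Run it in an elevated session on the managed client.

```powershell
# Added example, not from the original post or from the SCCM product.
# Checks the prerequisites an Internet-Based Client Management (IBCM)
# client relies on: a client-authentication certificate, an internet
# management point (MP) set on the client, and HTTPS reachability to it.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-IbcmClientCertificate {
    # IBCM clients authenticate to the MP with a machine certificate that
    # carries the Client Authentication EKU, is unexpired and has a
    # usable private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        } |
        Sort-Object NotAfter -Descending
}

function Get-IbcmManagementPoint {
    # Method names assumed from the ConfigMgr client SDK (ISmsClient);
    # verify against the SDK version in use.
    $client = New-Object -ComObject Microsoft.SMS.Client
    [pscustomobject]@{
        AssignedSite = $client.GetAssignedSite()
        CurrentMP    = $client.GetCurrentManagementPoint()
        InternetMP   = $client.GetInternetManagementPointFQDN()
    }
}

function Test-IbcmHttpsEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    # Opens a TLS session the way the client would and reports the
    # server certificate the MP presents, so a mis-issued or expired
    # web server certificate shows up before any policy request fails.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        # Accept any certificate here; we inspect and verify it ourselves below.
        $validator = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $validator
        $ssl.AuthenticateAsClient($Fqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Endpoint   = "${Fqdn}:$Port"
            Reachable  = $true
            Subject    = $remote.Subject
            Issuer     = $remote.Issuer
            NotAfter   = $remote.NotAfter
            ChainValid = $remote.Verify()   # chains to a root this machine trusts
        }
    } catch {
        [pscustomobject]@{ Endpoint = "${Fqdn}:$Port"; Reachable = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

function Test-IbcmClientPrereqs {
    $certs = @(Get-IbcmClientCertificate)
    if ($certs.Count -eq 0) {
        Write-Warning 'No valid client-authentication certificate in LocalMachine\My; the MP will reject this client.'
    } else {
        $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
    }

    $mp = Get-IbcmManagementPoint
    $mp | Format-List
    if (-not $mp.InternetMP) {
        Write-Warning 'No internet management point configured; the client can only be managed on the intranet.'
        return
    }
    Test-IbcmHttpsEndpoint -Fqdn $mp.InternetMP | Format-List
}

Test-IbcmClientPrereqs
```

The certificate check is the one that matters from a security standpoint: with IBCM the client certificate is the client's only credential to the management point, so a machine without one (or with an expired one) simply drops off management rather than silently falling back to an unauthenticated channel.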

Comments
  • One of the Microsoft internal discussion lists has had an interesting thread over the last couple of

  • "Thankfully (from a security perspective at least) the demise of the Virtual Private Network (VPN) is underway. No longer are people establishing full network connectivity to their corporate network simply to pick up email."

    Full network connectivity never was required with an IPSec VPN. There is no such requirement in the applicable RFCs.

    It was only required with a VPN system that lacked adequate management capabilities, principally the "free" VPN solution bundled with Microsoft products. "Free" in this case carried a heavy cost in security. Many third-party IPSec products had the granularity and controls to limit the client to just what was needed to do their job, not "full network connectivity." You get what you pay for.

    And please don't get me started on "clientless" SSL VPN systems that have to download ActiveX controls, Java clients and other rubbish to work properly. If it downloads and executes applications on my computer, it is not "clientless".

    Bob

  • Bob> I'm glad that I'm not alone in the "what do you mean your SSL-VPN product doesn't touch the client..."!!!
