I was managed by deputy heads who were curriculum leaders and they had it the other way.. shift teachers to diff machines and fix admin ASAP. Suppose it's different in different schools.

::can't resist::
"There is a technical reason (or was) to have two Microsoft networks - password policy."
That problem was solved a long time ago: You either made the code (wasn't difficult) or bought a password change notification DLL to worry about password policy for different user groups. Add-ons to improve security are acceptable in so many other ways e.g. AV, so it's curious that there has apparently been resistance/indifference to improving this notoriously vulnerable area.
"the dreadful security in NT4"
Way I remember it "dreadful security" was the milieu, not a notably unique attribute of NT. Like most of the alternatives NT4 was OK if you knew what you were doing and that was part of my job on the private side of fence, where I heard quite a bit of poorly understood received opinion (typically picked up from the MS vs. Netware vs. commercial Unix PR battle raging in the tech press) from county public sector folk whose existing network security was a naively box-ticked joke they simply couldn't or wouldn't see.
More techs obviously know more about security now and MS have obviously made it easier for those who don't to survive (system integrity protection, UAC, more secure out-of-box etc.). But a lot of networks still have notable flaws, so I think some of the change in attitude is about risk perception i.e. networks were scarier in their infancy, but by and large folk running networks behind LA/RBC firewalls have gotten away with the flaws, nothing bad has happened or at least if it did, they didn't notice.
--
Separate obviously can be better, but I don't think there is a rule. In practice, subject to techs and users, 'separate' networks can be roughly as secure or insecure as combined ones. Perhaps the more useful question is:
"If I combine the networks, what are some pragmatic approaches to achieving enhanced security for especially sensitive network resources?"

Sorry to jump on this thread, but I have a security question related to this...
We have 2 VLANs currently, as described, which has worked well with regards to security of the MIS etc. However, this is about to change and I am wondering whether anyone knows how I can protect our Bromcom MIS (Web based) from would-be student hackers? I know I can enforce password policies, but I was hoping not to even give them the chance to see the login page...
Any thoughts anyone - your help is appreciated!

If it is internal, then you can set a policy on ISA Server (if you use it) or your filtering of choice (Smoothwall/Bloxx/Websense/whatever) whereby the students try to access the page and it redirects to a page like Google or something.
You can also set up on your hosting (if it's a good one) to have a white list of IP addresses that can access the page from outside of the school, and everything else gets redirected.
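
The allow-or-redirect decision described in the two replies above, sketched as a Python WSGI wrapper. This is an added example, not code from the thread or from any product named in it; the subnets, the redirect URL and the names `decide` and `allowlist_middleware` are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
STAFF_VLAN = ipaddress.ip_network("10.20.0.0/24")      # internal staff/admin VLAN
EXTERNAL_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),           # one approved outside address
    ipaddress.ip_network("198.51.100.0/28"),           # one approved outside range
]
REDIRECT_URL = "https://www.google.com/"               # where everyone else is sent


def _parse(addr):
    """Parse an address string; unwrap IPv4-mapped IPv6. None if invalid."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except (ValueError, AttributeError):
        return None
    # "::ffff:10.20.0.7" must match the IPv4 staff subnet, not bypass or miss it.
    return getattr(ip, "ipv4_mapped", None) or ip


def decide(peer_addr):
    """Return ("allow", None) for allowlisted peers, else ("redirect", url).

    Anything unparseable falls through to the redirect (fail closed).
    """
    ip = _parse(peer_addr)
    if ip is not None:
        for net in [STAFF_VLAN, *EXTERNAL_ALLOWLIST]:
            if ip.version == net.version and ip in net:
                return ("allow", None)
    return ("redirect", REDIRECT_URL)


def allowlist_middleware(app):
    """Wrap a WSGI app so non-allowlisted clients never reach the login page."""
    def wrapped(environ, start_response):
        # Use the socket peer address only. X-Forwarded-For is client-supplied
        # and must not be trusted unless a known proxy overwrites it.
        verdict, target = decide(environ.get("REMOTE_ADDR", ""))
        if verdict == "allow":
            return app(environ, start_response)
        start_response("302 Found", [("Location", target), ("Content-Length", "0")])
        return [b""]
    return wrapped
```

If the MIS sits behind a reverse proxy or the web filter itself, `REMOTE_ADDR` is the proxy's address, so the check has to run on the device that sees the real client.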