Do large "in-house" enterprise web application run over SSL on the LAN?

Developer https://www.devze.com 2023-01-17 14:53 Source: web

Inside of large companies, is it standard practice to use SSL (e.g. https) for running corporate apps over the LAN. I am thinking of ERP systems, SFA systems, HR systems, etc. But I am also thinking of SOA...web service providers and consumers.

In other words, is there any concern that something on the LAN could be sniffing plaintext info going around? If not SSL, how is this security threat dealt with?

What's your experience?


Inside of large companies, is it standard practice to use SSL (e.g. https) for running corporate apps over the LAN.

Generally SSL for LAN only internal applications is not common practice. Historically the LAN has been viewed as a "trusted" network, and so SSL for LAN apps hasn't been a priority.

Also, connection to internal application servers is usually via an authenticated proxy, which in itself mitigates some of the risk.

This is, slowly, changing however as organisations (generally) increasingly treat the LAN with less trust.

If not SSL, how is this security threat dealt with?

Most enterprises do monitor what is attached to their LAN and record events when new devices are added.

If the device doesn't correspond to something planned (i.e. a new desktop or printer) - then it is investigated.

Unauthorised devices are seen as a much greater risk (than not using SSL) because they pose additional threats, like introducing a virus, an external network connection, or some other kind of attack vector.
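The reconciliation this answer describes, as an added example that is not from the original answer: a small script that reads DHCP lease events and reports any MAC address that does not match a planned asset. The log lines and the asset list are constructed for the example; a real deployment would read them from the DHCP server's log and from the asset inventory.

```shell
#!/bin/sh
# Added example: flag LAN devices that are not in the planned-asset list.
# Everything below is constructed sample data, not real inventory.
set -e

# Constructed planned-asset inventory: "<mac> <planned role>".
PLANNED='00:11:22:33:44:01 desktop-finance-12
00:11:22:33:44:02 printer-hr-floor3
00:11:22:33:44:03 erp-app-01'

# Constructed ISC dhcpd-style syslog lines. Field layout used below:
# $6=DHCPACK $7=on $8=<ip> $9=to $10=<mac> $11=(<hostname>) or "via".
LEASE_LOG='Jan 17 14:53:01 dhcp1 dhcpd: DHCPACK on 10.10.5.21 to 00:11:22:33:44:01 (fin-ws12) via eth0
Jan 17 14:53:07 dhcp1 dhcpd: DHCPACK on 10.10.5.22 to 00:11:22:33:44:02 via eth0
Jan 17 14:54:40 dhcp1 dhcpd: DHCPACK on 10.10.5.99 to DE:AD:BE:EF:00:01 (android-7f3) via eth0
Jan 17 14:55:12 dhcp1 dhcpd: DHCPACK on 10.10.5.21 to 00:11:22:33:44:01 (fin-ws12) via eth0'

# Print "<ip> <mac> <hostname>" once for every lease whose MAC is not planned.
# MACs are compared case-insensitively; "-" is printed when no hostname was sent.
unplanned_devices() {
  printf '%s\n' "$LEASE_LOG" | awk -v planned="$PLANNED" '
    BEGIN {
      n = split(planned, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, " ")
        known[tolower(f[1])] = f[2]
      }
    }
    $6 == "DHCPACK" {
      ip = $8
      mac = tolower($10)
      host = ($11 ~ /^\(/) ? $11 : "-"
      gsub(/[()]/, "", host)
      if (!(mac in known) && !(mac in seen)) {
        seen[mac] = 1
        print ip, mac, host
      }
    }'
}

# Number of distinct unplanned devices; a non-zero count is what would open a ticket.
unplanned_count() {
  unplanned_devices | wc -l | tr -d ' '
}

unplanned_devices
```

Only the Android device on 10.10.5.99 is reported: the two planned MACs are skipped, and the repeated lease for the finance desktop is deduplicated. Hooking this to the DHCP server's log, or to switch port-security events, gives the "record and investigate" loop the answer describes.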


It really depends on what you consider a "large company". The company I work at has over 50,000 employees; thus our corporate network is really not a great deal more trustable than the Internet.

We do use SSL on corporate Intranet web applications. We have our own internal CA certificate installed on all corporate PCs, so we can issue our own internal SSL certificates in-house.


Unfortunately, no it's not standard practice.


What's done and what should be done are not necessarily the same here...

Without a doubt any system with confidential information should be secured, especially on a LAN, as that's where most attacks originate - disgruntled employees, etc.

Unfortunately, it's often not the case.


Yep, pretty standard practice in a lot of places I've seen.

I think the reasons why should be obvious:

  • Extra security against common attacks
  • Pretty much no reason not to


Inside of large companies, is it standard practice to use SSL (e.g. https) for running corporate apps over the LAN. I am thinking of ERP systems, SFA systems, HR systems, etc. But I am also thinking of SOA...web service providers and consumers.

I would feel very uncomfortable if such apps weren't secured. In many places I've worked, they were. In some others, they weren't, and I consider this unprofessional.

In other words, is there any concern that something on the LAN could be sniffing plaintext info going around?

For me, the answer is obviously YES.

If not SSL, how is this security threat dealt with?

One Time Password (with RSA SecurID).


I wonder if one of the problems is that going to SSL always seems just a bit more complicated than it should be. If one could enable SSL with a single switch without having to worry about certificates perhaps at least the encryption part could become default.

Obviously you wouldn't get endpoint authentication without taking the extra step of setting up certificates, but then at least there would be truly no reason to go without encryption.
