Educause Security Discussion mailing list archives
Re: Thoughts on Jericho Forum
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Thu, 14 Jun 2007 08:33:44 -0600
Endpoint security is a great idea. Deployed as part of a strategy of defense in depth, client-based security measures strengthen the entire system. But I would caution about going too far down this path too quickly. Relying solely on one tactic opens you to vulnerability when that tactic proves insufficient. I'd compare it to the realization that a safe in your bedroom is a lot harder for a thief to defeat than the lock on your front door. Does that mean that, once you purchase a safe, you no longer lock your front door at night? I don't think so; perhaps it DOES mean you don't have to buy a much more expensive alarm/deadbolt system for your front door. Microsoft has been touting this approach of hardened endpoints, ubiquitous authentication of traffic, encryption where required, and intelligence on the client. But Microsoft sells computers, so it makes sense for them to focus on that aspect of security. And that works great when all of your clients are Microsoft machines and are under enough of your control to have the relevant policies and agents installed. Lacking that kind of standardization and control, it makes sense to also have some sort of network-based protection. Whether that's NAC or departmental and border firewalls or network IDS or a mix of all these, depends on your environment. I love that Jericho and other folks are talking about these concepts, and in a small, controlled environment their suggestions would probably work great. I'll keep watching them... Steve ============================================== Steven Lovaas, MSIA, CISSP Network Security Manager Academic Computing & Network Services Colorado State University 970-297-3707 Steven.Lovaas () ColoState EDU ============================================ -----Original Message----- From: Bruce Curtis [mailto:bruce.curtis () NDSU EDU] Sent: Wednesday, June 13, 2007 4:55 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Thoughts on Jericho Forum On Jun 13, 2007, at 5:15 PM, David Morton wrote:
Lately we've been engaged in some conversation about the Jericho Forum and their thoughts on security. Key issues such as the ineffectiveness of traditional perimeter defenses and encryption have rang true for a long time. Have the principals of the Jericho Forum been discussed at your organizations and if so, what has come out of those thoughts and discussions? David
Yes, we agree about a lot of things with the Jericho Forum. We have no perimeter firewall and our video sessions work great, and our multicast and IPv6 connectivity works great also. We have a couple of departments that are using Native Transport IPsec and it has been working well so far. Which isn't a big surprise since Microsoft has been using it for 200,000 plus computers for quite a while. http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49636 http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593 http://www.microsoft.com/technet/itshowcase/content/ ipsecdomisolwp.mspx We haven't done it here yet but a University 60 miles away has installed a host IPS on all of their computers. To me that is a much more efficient use of security dollars than spending money on a device at the perimeter. At least one of the Host IPS packages that I have kept an eye on has protected from every Microsoft vulnerability due to buffer overflow since I started looking at the issue. And that is protection before the vulnerability was found, reported, announced and finally patched. In our environment we have thousands of laptops that leave campus every day, go who knows where, and then come back. Even if we had a firewall only one click on any single host on the network can lead to that host being compromised and then it could scan the entire internal network. --- Bruce Curtis bruce.curtis () ndsu edu Certified NetAnalyst II 701-231-8527 North Dakota State University
Current thread:
- Thoughts on Jericho Forum David Morton (Jun 13)
- <Possible follow-ups>
- Re: Thoughts on Jericho Forum Bruce Curtis (Jun 13)
- Re: Thoughts on Jericho Forum Lovaas,Steven (Jun 14)
- Re: Thoughts on Jericho Forum Mclaughlin, Kevin (mclaugkl) (Jun 14)
- Re: Thoughts on Jericho Forum Deke Kassabian (Jun 14)
- Re: Thoughts on Jericho Forum Lovaas,Steven (Jun 14)
- Re: Thoughts on Jericho Forum Karen Duncanson (Jun 14)
- Re: Thoughts on Jericho Forum Bruce Curtis (Jun 14)
- Re: Thoughts on Jericho Forum Bruce Curtis (Jun 14)
- Re: Thoughts on Jericho Forum Bruce Curtis (Jun 14)
- Re: Thoughts on Jericho Forum Cal Frye (Jun 14)
- Re: Thoughts on Jericho Forum Jordan Wiens (Jun 17)
- Re: Thoughts on Jericho Forum Bruce Curtis (Jun 18)
(Thread continues...)