Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls

["Marcus J. Ranum" <mjr () ranum com>]

Barney Wolff wrote:
> Alas, for the latest round merely being not Internet connected would
> not have been good enough.  An infected immigrant laptop is enough to take
> down any isolated net.

Oh, yeah. It kind of goes without saying that a network with
roaming laptops is not "isolated" for any meangful use of
the expression. A network where the 100b-t adapters are
epoxied into the computers and the hubs are all in locked
closets - *that* is an "isolated" network. Wireless? Don't
even *TALK* to me about wireless!! :)

I saw a news item about a reactor monitoring system that
was supposedly taken offline by a recent worm. Now - what
kind of morons were running that network, I ask you? I've
swapped Emails with Navy sysadmins on Aegis boats and
they've got people just putting computers on and off the
network (including wireless) pretty much at will. What
the hell? For the cost of one of those boats you can run
dual-rail networks - one with open ports and one with
epoxied ports. This isn't hard. What's hard and what
people don't get is that they want to have their cake and
eat it too: 
        they want flexibility and no risk - BZZT
        they want security and to surf the web - BZZT
        they want to use Windows default installs securely - BZZT

> For a sufficiently rich and motivated org, I'd advocate changing the
> Ethertype of IP from 800, just to make it harder to connect conventional
> equipment by accident.  Does even NSA do anything like that?

Nope. :(

Some of the old-school secure networks ran some of their cable in
pressurized conduit so you might be able to detect if someone
drilled in to install a tap; that's about it.

mjr.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards