Firewall Wizards mailing list archives
Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 26 Aug 2003 21:21:23 -0400
Barney Wolff wrote:
> Alas, for the latest round merely being not Internet connected would not have been good enough. An infected immigrant laptop is enough to take down any isolated net.
Oh, yeah. It kind of goes without saying that a network with roaming laptops is not "isolated" for any meaningful use of the expression. A network where the 100b-t adapters are epoxied into the computers and the hubs are all in locked closets - *that* is an "isolated" network. Wireless? Don't even *TALK* to me about wireless!! :)

I saw a news item about a reactor monitoring system that was supposedly taken offline by a recent worm. Now - what kind of morons were running that network, I ask you? I've swapped Emails with Navy sysadmins on Aegis boats and they've got people just putting computers on and off the network (including wireless) pretty much at will. What the hell? For the cost of one of those boats you can run dual-rail networks - one with open ports and one with epoxied ports. This isn't hard.

What's hard and what people don't get is that they want to have their cake and eat it too:
they want flexibility and no risk - BZZT
they want security and to surf the web - BZZT
they want to use Windows default installs securely - BZZT
> For a sufficiently rich and motivated org, I'd advocate changing the Ethertype of IP from 800, just to make it harder to connect conventional equipment by accident. Does even NSA do anything like that?
Nope. :( Some of the old-school secure networks ran some of their cable in pressurized conduit so you might be able to detect if someone drilled in to install a tap; that's about it.

mjr.