Firewall Wizards mailing list archives

RE: terminal services


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 28 Jan 2003 21:30:48 -0500

R. DuFresne wrote:
Which seems to make a strong casepoint for the hardening of exposed hosts
and the continued need for well defined security perimeters at this point
in time still <security basics 101?>.

It's pretty much security 101 as you say. I think the most frequent
recommendation I've written in consulting reports reads something like
this:
"Establish a list of Internet-accessible perimeter systems. On those systems,
establish a list of Internet-accessible applications based on the boundary
firewall's 'permit' rules. For each of those applications, maintain a list of
the software packages that provide the service, and the revision level of
each package. Assign someone to perform a periodic check on each
package by revision level, to install security updates as necessary. Ideally,
this process should be as automated and proactive as possible."

"Geeze! That's a ton of work!" is the usual response. Yeah, well, it is.
But it's easy to fix: minimize services, minimize software release
dispersion (common release) and minimize administrators. Oddly
you'll find that security almost always improves as a result.

mjr.  
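
Added example, not part of the original post and not the author's code: one way to automate the periodic check the quoted recommendation describes, starting from the firewall's permit rules and ending with a per-package status plus a release-dispersion report. All hosts, package names, revisions and the `MIN_FIXED` table are constructed, and dotted numeric revision strings are assumed.

```python
from collections import defaultdict

# Constructed sample data; hosts, packages and revisions are hypothetical.
PERMIT_RULES = [("dmz-web1", "tcp", 443), ("dmz-web2", "tcp", 443),
                ("dmz-mail1", "tcp", 25), ("dmz-ts1", "tcp", 3389)]
# Packages providing each permitted service, with the installed revision.
INVENTORY = {
    ("dmz-web1", "tcp", 443): [("examplehttpd", "2.4.3"), ("exampletls", "1.0.2")],
    ("dmz-web2", "tcp", 443): [("examplehttpd", "2.4.1"), ("exampletls", "1.0.2")],
    ("dmz-mail1", "tcp", 25): [("examplemta", "8.12.6")],
}
# Lowest revision carrying all known security fixes (kept current by the assigned owner).
MIN_FIXED = {"examplehttpd": "2.4.3", "exampletls": "1.0.2"}


def rev(s):
    """Turn '2.4.10' into (2, 4, 10) so revisions compare numerically, not as text."""
    return tuple(int(p) for p in s.split("."))


def audit(rules, inventory, min_fixed):
    """Return one (host, proto, port, package, installed, status) row per finding."""
    rows = []
    for rule in rules:
        pkgs = inventory.get(rule)
        if not pkgs:  # permitted by the firewall, but no software list exists for it
            rows.append(rule + (None, None, "UNMAPPED"))
            continue
        for name, installed in pkgs:
            if name not in min_fixed:
                status = "UNTRACKED"  # nobody is watching this package for updates
            elif rev(installed) < rev(min_fixed[name]):
                status = "UPDATE"
            else:
                status = "OK"
            rows.append(rule + (name, installed, status))
    return rows


def dispersion(inventory):
    """Packages running at more than one revision across the perimeter."""
    seen = defaultdict(set)
    for pkgs in inventory.values():
        for name, installed in pkgs:
            seen[name].add(installed)
    return {n: sorted(v, key=rev) for n, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for row in audit(PERMIT_RULES, INVENTORY, MIN_FIXED):
        print(row)
    print("release dispersion:", dispersion(INVENTORY))
```

The `UNMAPPED` and `UNTRACKED` rows are the inventory gaps: a permit rule with no software list behind it, and a package nobody has been assigned to check.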
