Firewall Wizards mailing list archives

Re: Defense in Depth to the Desktop


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 14 Dec 2004 20:41:05 +0530

On 14/12/04 09:05 -0500, Paul D. Robertson wrote:
> On Mon, 13 Dec 2004, Chris Pugrud wrote:
> 
> > > PFWs seem to me to be a pretty good stop-gap.  The ability to get back
> > > some control over the desktop is worth its weight in gold- losing that
> > > ground is what made the war swing against us!
> >
> > Is this really an improvement?  This is where I can't help but play devil's
> 
> I think so...

What we need is a PFW that can be controlled by the central IT
department and global policies applied to similar sets of desktops.

> > advocate.  Are we really better off when our security is dependent on hundreds
> > or thousands of desktops (the weakest link) that we fight desperately to
> > control in a never ending futile battle?  One of the first tenets of systems
> 
> It is no matter what- one Trojan on the internal network can remove the
> power of all of the other security controls if the environment is such
> that that desktop has access to critical resources, vulnerable systems, or
> whatever.  Let's not forget that peer-to-peer isn't the only way to spread
> malice in an organization.

But it *is* the most common way for malicious code to replicate.
Windows file and print sharing is one huge hole.

> > security is physical security and you can never claim that you have physical
> > control over a machine at your user's fingertips.
> 
> Perfect is the enemy of good enough.
> 
> > What's wrong with a model that acknowledges that while we will do our best to
> > protect the security of user machines, they are a resource we can not
> > ultimately control, so rather than making the security of the entire
> > organization dependent on them, we are going to reduce our effective security
> > perimeter to a known subset of systems that we do maintain absolute physical
> > control over?  I'm not suggesting that we abandon user machines, I'm suggesting
> 
> You're only as strong as the weakest link.  That's the user desktop.

Why not just remove the desktop from the trusted security perimeter?
How many corporate desktops really need Windows? How many people can
work with just dumb terminals (for the moment, I am ignoring the
politics involved)?

> > that we remove them from being available to be the weakest link in the security
> > of the organization.  I'm suggesting that we acknowledge that desktops are
> > going to get hacked and infected (especially laptops) and make a concerted
> > effort to protect the rest of the organization from that inevitable compromise.
> 
> Ah, but if we can reduce the compromise rate significantly, then why not?
> Especially if it's at a cost that's less than the current level of
> compromise events?  I really think we're at that point, essentially it's
> that or ripping out IE- something that's only now becoming an option, and
> even then you still have the e-mail vector.

Strengthen the weakest link, and you strengthen the overall posture.

Agreed. I wouldn't start with ripping out IE. I would start with ripping
out MS Windows itself. If a single large organisation decides to ban MS
Office (Munich seems to be leading the way for that), the ripple effect
will be enormous. And once you have removed MS Office, then you can
push to remove the Windows dependency and clean out the mess with a
scorched earth policy.

A heterogeneous desktop policy is probably another good idea. While any
given department needs similar desktops, different departments with
different requirements do not. What larger organisations can do is
segregate departmental desktops by requirements and then build images
for those.

However, this requires longer term thinking than most US executives
appear to be capable of doing (sadly).

> > > You're still going to have to deal with the desktops, because the users
> > > are going to have to work and have critical files there.  I think that I'm
> > > probably more worried about spyware Trojans than worms right now- worm
> > > events get lots of press, but the infestations are really ugly.
> >
> > I'm not abandoning the desktops, I'm trying to minimize the potential of one
> > infected desktop infecting all of the desktops.  One machine is easier to clean
> > than hundreds, or thousands.  I'm also addressing the critical files issue.  If
> 
> I'm not sure the degree of difficulty is all that much higher, the real
> argument here is for degree of completeness.
> 
> > I was an insider trying to steal juicy data I'm going to attack the desktops
> > and laptops of the people that have that data directly.  It will be a lot
> > easier and more discreet than attacking the fortified, guarded, and watched
> > servers.
> 
> A clued outsider doing a target of choice attack should reach the same
> conclusion...  Hence my assertion that hardening the desktop is important.

And I assert that there should be no data left on the desktop. Ever.
Save all your data on the server, reimage the desktops regularly.
Easy, and usable by IT staff.
$HOME for the data and /usr/local for applications should be NFS
mounted. Email should be over IMAP(s).
Reduce the desktop to something as close to a dumb terminal as possible.

<plugging again> http://www.infrastructures.org/ </plugging again>

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards