Full Disclosure mailing list archives

Re: CyberInsecurity: The cost of Monopoly


From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 28 Sep 2003 21:36:41 +0200

On Sun, Sep 28, 2003 at 12:20:28PM -0500, Paul Schmehl wrote:

> I don't think "we" as a "security community" have even begun to tackle this
> problem.  We talk about it, but who is *really* doing it?  For example, if
> you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS
> for Unix, CIFS, or something similar.  Who is really looking at how to be
> secure while still allowing internal machines to talk to each other?
> Certainly none of the above protocols qualify as secure.

For NFS, some pretty robust server and client implementations exist.
Much better than SMB/CIFS.  However, authentication sucks, of course.
(NFSv4 will hopefully change that.)

> When a machine is problematic, for whatever reason, the usual reaction is
> "block it at the firewall".  But that doesn't protect that machine from
> *other* internal machines.

At work, we have almost all of our machines in separate VLANs, and
filter the traffic between them.  (There are just tens of machines under
our direct administrative control, so it's doable.  The rest of the
network is a huge mess, as usual.  The sad thing is that most likely,
we'll never need this separation because we are careful enough anyway,
but better safe than sorry.)

> It only protects it from the outside.

And the outside from you, and your organization from embarrassment. 8-)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
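The inter-VLAN filtering Florian describes above, written out as an added example that is not from the original post and not his actual setup: an nftables ruleset for a Linux box that carries the 802.1Q VLANs and routes between them. The interface names (vlan10 workstations, vlan20 file servers, vlan30 quarantine, wan0 uplink), the server addresses and the port list are assumptions for illustration. The forward chain defaults to drop, so "block it at the firewall" becomes "block it from every other VLAN", not just from the outside.

```nftables
# Added example, not from the original post. Interface names, addresses and
# ports are assumed: vlan10 = workstations, vlan20 = file servers,
# vlan30 = quarantine for a machine known to be problematic, wan0 = uplink.
flush ruleset

table inet segmentation {
    set file_servers {
        type ipv4_addr
        elements = { 10.0.20.10, 10.0.20.11 }   # assumed NFS/SMB server addresses
    }

    chain forward {
        # Default drop: traffic between VLANs is denied unless listed below.
        type filter hook forward priority 0; policy drop;

        # Stateful: only the initiating direction needs an explicit rule.
        ct state established,related accept
        ct state invalid drop

        # Workstations reach the file servers on SMB/CIFS (445) and NFSv4 (2049)
        # only. NFSv4 needs just 2049/tcp; NFSv3 would also need portmapper,
        # mountd and lockd, which is one more reason to prefer v4 here.
        iifname "vlan10" oifname "vlan20" ip daddr @file_servers tcp dport { 445, 2049 } accept

        # Workstations may reach the uplink; servers and quarantine may not.
        iifname "vlan10" oifname "wan0" accept

        # Nothing crosses from the server VLAN to the workstations on its own
        # initiative, so a compromised file server cannot start probing desktops.

        # The quarantined VLAN is already covered by the default drop in both
        # directions; this rule only logs what it tries to do.
        iifname "vlan30" log prefix "quarantine: " drop
    }
}
```

Load it with nft -f and check the result with nft list ruleset. The caveat a practitioner would add: this filters only at VLAN boundaries, so two hosts that share a VLAN still talk to each other freely; protecting them from one another needs either one VLAN per host (which is what "almost all of our machines in separate VLANs" amounts to and is only practical for tens of machines) or switch-side port isolation, and either way a host-level firewall on each machine is still worth having.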