Honeypots mailing list archives
RE: Inoculation Scripts
From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 21 Jul 2004 13:57:36 -0500
The biggest problem that I have had is really hard to solve (if not impossible) at the perimeter because of home users, remote sites, and vendors connecting over client-based VPNs or Point-to-Point VPNs. The same problems come with home users and vendors plugging laptops into the network (this can and eventually will be solved with 802.1x). In a big enough environment, the perimeter has a tendency to disappear or at least blur. These VPN connections, laptops, and Point-to-Point connections are often where the infection originates from and then spreads to internal PCs.

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Wednesday, July 21, 2004 1:52 PM
To: Joshua Berry
Cc: honeypots () securityfocus com
Subject: Re: Inoculation Scripts

On Wed, 21 Jul 2004 13:31:15 CDT, Joshua Berry said:
> I use Snort with Flexresp and Snort Inline, I am just playing around
> with this for now. While Snort-Inline or Flexresp can keep resetting or
> blocking connections, this solution actually removes the worm and cleans
> up the system. The reality is that large networks have an incredibly
> difficult time patching systems effectively and I am just playing around
> with this in a test network to see how well it works.

Been there, done that. The *real* reality is you need to make *really* sure you have your posterior covered in case some Very Self-Important User's machine doesn't patch correctly... (And in fact, it's usually a technically reasonable thing to do, the hang-up is *always* avoiding the liability issues if a machine that isn't your responsibility to fix *anyhow* gets broken by the patching..)