nanog mailing list archives

Re: Anit-Virus help for all of us??????


From: Gerardo Gregory <ggregory () affinitas net>
Date: Mon, 24 Nov 2003 15:20:59 -0600


Suresh Ramasubramanian wrote:


Valdis.Kletnieks () vt edu  writes on 11/24/2003 3:43 PM:

Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?


That'd have to be very fast indeed, given that only one Windows Update mirror is used at a time, and patches are downloaded and applied in sequence.

Two ways to get at least some safety -

# Machine behind NAT while it is being updated

NAT is not a security feature, neither does it provide any real security, just one-to-one translations. PAT falls into the same category. Just because your broadband router (ahem, switch) vendor states that NAT (in reality PAT) is one of their security 'knobs' does not make it in any way a security feature when implemented. Only thing that might benefit is IPv4 address space.

Make a NAT Translation to a workstation (nothing else) and see if you can still carry out some of the exploits making the rounds.

NAT and PAT do not prohibit any TCP/UDP connections to egress.

Most broadband providers still perform a NAT translation downstream, is it helping alleviate any of the attacks/compromises? NOT!!!!!

# Patches preferably downloaded onto a CD and applied offline

I know Microsoft has a product that allows you to download patches to a centralized server (within your infrastructure) and lets you patch your internal systems from it. Heard our MS admins talking about it a while back....



--
Gerardo A. Gregory


