Educause Security Discussion mailing list archives

Re: Checking for AV software on students' machines


From: Nathan Hall <hallnk () ONEONTA EDU>
Date: Thu, 10 Jun 2004 08:57:21 -0400

Stephen Bernard wrote: 

It sounds like what is being said is, "as long as the external symptoms
of a problem are hidden it isn't a problem". This is exactly why some
network security practitioners take the tack that firewalls are a bad
thing because they make system administrators complacent and leave end
users naively vulnerable.

I think that before we can judge how successful a solution is we must
define the problem we are attempting to solve. Here at Oneonta our
initial intent was to prevent rapidly spreading network worms (think
Blaster, Nachi, Sasser). These worms generally spread by remote buffer
overflows. If a host has a firewall configured in a way that prevents
Nessus from detecting the vulnerability, the host will also be
invulnerable to a worm exploiting that vulnerability. As our goal was to
prevent the spread of worms, machines with an appropriately configured
firewall do meet this goal. The potential for changes in firewall rules
is one of the reasons we continue to scan the network for newly
vulnerable hosts.

We are now working on expanding our system to deal with other infection
vectors, such as those you mention. There are a number of ways we are
looking to deal with this:

IDS/Honeypot - We have currently integrated Snort into our system.
Machines with traffic matching a small set of signatures are
automatically removed from the network. In the future we may also add
one or more honeypots to detect hosts attempting to attack our network.

Banner Scanning - We have created a small utility to scan for known
banners on specific ports. Many recent viruses open listening ports and
will respond with a known response upon connection or execution of a
specific command. Integration of this tool with our system will allow us
to identify some infected hosts and remove them from the network.

Anti-Virus - This is why I originally posted to the list. We would like
to be able to verify that all students are running an updated anti-virus
solution. If everyone were running updated AV, many potential infections
would be prevented. This is the most appealing as it actually prevents
the infection, as opposed to the two above, which are both reactive.

While none of these solutions are perfect, they are all better than
nothing. We expect that when combined they will provide us with a
powerful tool to improve the security of our network. 

Nathan
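The banner-scanning utility described above is a good candidate for a worked illustration. The script below is an added example, not Oneonta's tool or any code from the list: it connects to the ports where a known listener is expected, optionally sends a probe, and compares the reply against a signature table. The signatures, the "DEMO-backdoor" names and the loopback listener used to exercise the scanner are all constructed for this demonstration; none of them is a real malware banner. A host that a personal firewall drops yields no banner and therefore no match, which is the same limitation the thread discusses.

```python
"""Banner-based detection of hosts with known listening ports (example code).

Constructed for illustration; the signature table is made up for the demo
and does not describe any real malware. Matching is kept separate from the
network I/O so the logic can be tested without a live network."""
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BannerSignature:
    name: str      # label reported when the signature matches
    port: int      # port the listener is expected on
    probe: bytes   # bytes sent after connecting (b"" = just read the greeting)
    expect: bytes  # substring that must appear in the response


# Constructed signatures for the demonstration; not real malware banners.
SIGNATURES = [
    BannerSignature("DEMO-backdoor-A", 31337, b"", b"demo-backdoor ready"),
    BannerSignature("DEMO-backdoor-B", 4444, b"HELP\r\n", b"demo commands:"),
]


def grab_banner(host: str, port: int, probe: bytes = b"",
                timeout: float = 2.0) -> Optional[bytes]:
    """Connect, optionally send a probe, and return up to 1024 bytes of reply.

    Returns None when the port is closed or filtered. A host firewall that
    drops the connection lands here, so it is reported as 'nothing seen'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if probe:
                s.sendall(probe)
            return s.recv(1024)
    except OSError:
        return None


def match_banner(port: int, banner: Optional[bytes],
                 signatures=SIGNATURES) -> List[str]:
    """Pure matching step: names of signatures whose port and text match."""
    if not banner:
        return []
    return [sig.name for sig in signatures
            if sig.port == port and sig.expect in banner]


def scan_host(host: str, signatures=SIGNATURES,
              timeout: float = 2.0) -> List[str]:
    """Check one host against every signature and return the matched names.

    A non-empty result is what a quarantine step (e.g. a NetReg-style
    removal from the network) would act on; that step is not shown here."""
    hits: List[str] = []
    for sig in signatures:
        banner = grab_banner(host, sig.port, sig.probe, timeout)
        hits.extend(match_banner(sig.port, banner, [sig]))
    return hits


def _serve_once(server: socket.socket, banner: bytes) -> None:
    """Accept one connection, send the constructed banner, and shut down."""
    conn, _ = server.accept()
    with conn:
        conn.sendall(banner)
    server.close()


def run_demo() -> List[str]:
    """Stand up a loopback listener imitating the constructed 'infected'
    banner on an ephemeral port, scan it, and return the matched names."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))   # ephemeral port so the demo never collides
    server.listen(1)
    port = server.getsockname()[1]
    threading.Thread(target=_serve_once,
                     args=(server, b"demo-backdoor ready\r\n"),
                     daemon=True).start()
    sig = BannerSignature("DEMO-backdoor-A", port, b"", b"demo-backdoor ready")
    return scan_host("127.0.0.1", [sig])


if __name__ == "__main__":
    print(run_demo())
```

Keeping `match_banner` free of I/O means the signature table can be regression-tested against captured responses, while `scan_host` remains the piece that an integration with the registration system would call per host.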

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen Bernard
Sent: Wednesday, June 09, 2004 4:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

Brian Eckman wrote:

<snip>

Yes, the Windows firewall (ICF) will block these types of scans. But
that is a good thing. We are implementing a NetReg-based solution, and
would be ecstatic if all of the dorm computers would pass the scan
because they have their firewall on. I would call that "mission
accomplished".

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE
Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

It sounds like what is being said is, "as long as the external symptoms
of a problem are hidden it isn't a problem". This is exactly why some
network security practitioners take the tack that firewalls are a bad
thing because they make system administrators complacent and leave end
users naively vulnerable.

The MS firewall surely won't prevent an end user from downloading a
trojaned music file which then posts their keystrokes, personal
information, or business files to an IRC channel. It doesn't provide
application protections. There isn't any mechanism for disallowing the
disabling of the firewall, especially when the average user logs in with
Administrator privileges. It's very probable that malware exists or will
come out that actually utilizes the personal firewall. The malware could
re-configure the firewall so that it continues to block internal
addresses from scanning it but allowing specific, encrypted (IPSEC)
connections.


Steve
