Educause Security Discussion mailing list archives
Re: Checking for AV software on students' machines
From: Nathan Hall <hallnk () ONEONTA EDU>
Date: Thu, 10 Jun 2004 08:57:21 -0400
Stephen Bernard wrote:
It sounds like what is being said is, "as long as the external symptoms of a problem are hidden it isn't a problem". This is exactly why some network security practitioners take the tack that firewalls are a bad thing because they make system administrators complacent and leave end users naively vulnerable.
I think that before we can judge how successful a solution is we must define the problem we are attempting to solve. Here at Oneonta our initial intent was to prevent rapidly spreading network worms (think Blaster, Nachi, Sasser). These worms generally spread by remote buffer overflows. If a host has a firewall configured in a way that prevents Nessus from detecting the vulnerability, the host will also be invulnerable to a worm exploiting that vulnerability. As our goal was to prevent the spread of worms, machines with an appropriately configured firewall do meet this goal. The potential for changes in firewall rules is one of the reasons we continue to scan the network for newly vulnerable hosts.

We are now working on expanding our system to deal with other infection vectors, such as those you mention. There are a number of ways we are looking to deal with this:

IDS/Honeypot - We have currently integrated Snort into our system. Machines with traffic matching a small set of signatures are automatically removed from the network. In the future we may also add one or more honeypots to detect hosts attempting to attack our network.

Banner Scanning - We have created a small utility to scan for known banners on specific ports. Many recent viruses open listening ports and will respond with a known response upon connection or execution of a specific command. Integration of this tool with our system will allow us to identify some infected hosts and remove them from the network.

Anti-Virus - This is why I originally posted to the list. We would like to be able to verify that all students are running an updated anti-virus solution. If everyone was running updated AV many potential infections would be prevented. This is the most appealing as it actually prevents the infection, as opposed to the two above, which are both reactive.

While none of these solutions are perfect, they are all better than nothing.
We expect that when combined they will provide us with a powerful tool to improve the security of our network.

Nathan

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen Bernard
Sent: Wednesday, June 09, 2004 4:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

Brian Eckman wrote:
<snip>
Yes, the Windows firewall (ICF) will block these types of scans. But that is a good thing. We are implementing a NetReg-based solution, and would be ecstatic if all of the dorm computers would pass the scan because they have their firewall on. I would call that "mission accomplished".

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
It sounds like what is being said is, "as long as the external symptoms of a problem are hidden it isn't a problem". This is exactly why some network security practitioners take the tack that firewalls are a bad thing because they make system administrators complacent and leave end users naively vulnerable. The MS firewall surely won't prevent an end user from downloading a trojaned music file which then posts their keystrokes, personal information, or business files to an IRC channel. It doesn't provide application protections. There isn't any mechanism for disallowing the disabling of the firewall, especially when the average user logs in with Administrator privileges. It's very probable that malware exists or will come out that actually utilizes the personal firewall. The malware could re-configure the firewall so that it continues to block internal addresses from scanning it but allowing specific, encrypted (IPSEC) connections.

Steve
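As an added illustration of the banner-scanning utility Nathan describes (this is example code, not the tool from Oneonta or anything posted in the thread): a small Python checker that connects to each port in a signature table, optionally sends a probe, and reports which known infection banners a host answers with. The signature entries, ports and host addresses below are constructed placeholders; a real table would be built from the malware a site is actually seeing.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class BannerSignature:
    """One row of the banner table: which port to probe, what to send, what to expect."""
    port: int
    probe: bytes   # b"" means connect and read only; otherwise send this first
    marker: bytes  # substring an infected host's reply is expected to contain
    label: str     # name reported when the marker matches


# Constructed signature table (hypothetical values, for illustration only).
SIGNATURES = (
    BannerSignature(4444, b"", b"Microsoft Windows", "example-backdoor-shell"),
    BannerSignature(1025, b"HELO\r\n", b"+OK bot ready", "example-irc-bot"),
)


def match_banner(port: int, reply: bytes) -> Optional[str]:
    """Return the label of the signature matching this reply on this port, or None."""
    for sig in SIGNATURES:
        if sig.port == port and sig.marker in reply:
            return sig.label
    return None


def grab_banner(host: str, port: int, probe: bytes, timeout: float = 2.0) -> bytes:
    """Connect, send the optional probe, read up to 512 bytes. Closed or silent ports yield b""."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if probe:
                sock.sendall(probe)
            return sock.recv(512)
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return b""


def check_host(host: str, grabber: Callable[[str, int, bytes], bytes] = grab_banner) -> list[str]:
    """Probe every port in the table and return the labels of all matching banners."""
    hits: list[str] = []
    for sig in SIGNATURES:
        label = match_banner(sig.port, grabber(host, sig.port, sig.probe))
        if label and label not in hits:
            hits.append(label)
    return hits


if __name__ == "__main__":
    # Placeholder address; in a NetReg setup the host list would come from the registration database.
    print(check_host("192.0.2.10"))
```

A host that returns a non-empty list would be the candidate for removal from the network, as the post describes.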