Educause Security Discussion mailing list archives

Re: SECURITY Digest - 23 Sep 2005 to 26 Sep 2005 (#2005-176)


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Wed, 28 Sep 2005 09:21:27 -0400

Unless I am missing the point somewhere, wouldn't a "default deny"
inbound help to alleviate this?  It is not a silver bullet because
obviously an uneducated user can still choose to download something
unknowingly that will allow a compromise, but with a default deny, the
exploits can not be actively trolled by Internet abusers. And even if we
cut down, not eliminate, the active compromise of poor programs (and
OS's) it is progress.  We can't fix the programs that we do not write,
but we can help to keep them from getting exploited.

Not to push us to a political discussion but someone else mentioned ...
"until we get to the point of only allowing ports 80 and 443"...that is
pretty much default deny in my book.

I am spending much of my time on campus discussing what default inbound
deny really means to gain support and as I gain that support, protecting
the areas that I can.  So far I find that most faculty and staff are
shocked when I explain to them in non-technical terms what a default
permit allows (the bad stuff) and what a default deny could protect them
from.  So far I have had solid support on a dept by dept basis.

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070


-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () UTC EDU] 
Sent: Tuesday, September 27, 2005 11:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 23 Sep 2005 to 26 Sep 2005 (#2005-176)

Valdis Kletnieks wrote:

The answers to this, of course, all are very dependent on *why* you're trying
to get rid of Yahoo messenger - most often, it's a case of shooting the
messenger. The *REAL* concern probably isn't "We don't like Yahoo Messenger",
it's more likely some variant on "holes in Yahoo Messenger can compromise
systems and expose data".

Since I brought this up, let me clarify:

Valdis wrote:

Jeff - you've been in this business about as long as I have.  :) 

Well, yes, and dinosaurs should stick together, especially in light of
the oil crisis.  But...

I wasn't the least bit interested in blocking Yahoo Messenger.

By "Gee, this blows my security model astray" I was referring to:

* non-SMTP servers opening outside connections to 25 (SMTP) are taboo,
* enough connections to [different hosts] port 25 (SMTP) fast enough are
really taboo,
* enough connections to [different hosts] port 23 (telnet) fast enough are
also taboo,

The new Yahoo messenger keeps retrying when connections are blocked
(discarded), further aggravating the connection counts and rates.

These conditions, in my current model, raise flags, make noises, and
generally draw attention.  It appears we have a misbehaving internal
host, and we try to ensure we're good netizens and investigate.

The first case looks like misconfigured SMTP (not such a big deal).
The second case looks like a spambot/proxy.
The third case looks like a DoS/scan/brute-force telnet attack.

All three look suspicious.  But now it appears I'll have to make
exceptions for the relevant Yahoo subnets.

Jeff
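The three rules Jeff describes above (a non-SMTP host talking to port 25, many distinct port-25 destinations in a short time, many distinct port-23 destinations in a short time), plus the retry behaviour he notes when blocked connections are silently discarded, can be expressed as simple counters over flow records. The following is an added example for this archive page, not code from the list, from UTC or from any product. The one-line flow format, the window size, the thresholds and the mail-relay address are assumptions made for the illustration; the sample flows are constructed.

```python
"""Flow-record heuristics for spotting a misbehaving internal host.

Added example modelled on the three rules in Jeff Kell's message.  Thresholds,
the permitted relay address and the log format are assumptions for the example.
"""
from collections import defaultdict

WINDOW_SECONDS = 60            # assumed detection window
FANOUT_HOSTS = 10              # assumed: distinct destinations per window that look like a spambot/scan
RETRY_LIMIT = 20               # assumed: dropped retries to one destination that count as a retry storm
SMTP_SERVERS = {"10.0.0.25"}   # assumed campus mail relay allowed to talk to port 25


def parse_flow(line):
    """Parse one constructed flow line: '<epoch> <src> <dst> <dport> <permit|drop>'."""
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def analyze(lines, window=WINDOW_SECONDS):
    """Return {src: sorted alert names} for every source that tripped a rule.

    Dropped attempts are counted exactly like permitted ones: a client that
    keeps retrying a blocked port makes its own counts and rates worse, which
    is the effect the message describes for the new Yahoo messenger.
    """
    dsts = defaultdict(set)        # (src, window, dport) -> distinct destinations
    attempts = defaultdict(int)    # (src, window, dst, dport) -> attempts
    dropped = defaultdict(int)     # (src, window, dst, dport) -> dropped attempts
    alerts = defaultdict(set)

    for line in lines:
        ts, src, dst, dport, action = parse_flow(line)
        if dport not in (23, 25):
            continue
        w = ts // window
        dsts[(src, w, dport)].add(dst)
        attempts[(src, w, dst, dport)] += 1
        if action == "drop":
            dropped[(src, w, dst, dport)] += 1
        # Rule 1: any port-25 connection from a host that is not a mail server.
        if dport == 25 and src not in SMTP_SERVERS:
            alerts[src].add("nonsmtp-to-25")

    # Rules 2 and 3: fan-out to many distinct hosts on 25 or 23 inside one window.
    for (src, w, dport), hosts in dsts.items():
        if len(hosts) >= FANOUT_HOSTS:
            alerts[src].add("smtp-fanout" if dport == 25 else "telnet-fanout")

    # Retry storm: one client hammering one blocked destination.
    for key, n in attempts.items():
        if n >= RETRY_LIMIT and dropped[key] == n:
            alerts[key[0]].add("retry-storm")

    return {src: sorted(names) for src, names in alerts.items()}


def sample_flows():
    """Constructed flows; timestamps all fall in the same 60-second window."""
    base = 1127865600   # 2005-09-28 00:00:00 UTC, a multiple of 60
    flows = []
    # Campus mail relay delivering to three outside MXes: legitimate.
    for i, mx in enumerate(("192.0.2.10", "198.51.100.20", "203.0.113.30")):
        flows.append(f"{base + i} 10.0.0.25 {mx} 25 permit")
    # Workstation sending directly to one outside MX: misconfigured SMTP.
    flows.append(f"{base + 5} 10.1.2.3 192.0.2.10 25 permit")
    # Workstation reaching twelve different hosts on 25 in seconds: spambot/proxy.
    for i in range(12):
        flows.append(f"{base + 10 + i} 10.1.2.4 203.0.113.{100 + i} 25 permit")
    # Workstation reaching twelve different hosts on 23 in seconds: scan/brute force.
    for i in range(12):
        flows.append(f"{base + 10 + i} 10.1.2.5 198.51.100.{50 + i} 23 drop")
    # Client retrying one blocked host on 23 twenty-five times: retry storm.
    for i in range(25):
        flows.append(f"{base + 30 + i} 10.1.2.6 192.0.2.77 23 drop")
    return flows


if __name__ == "__main__":
    for src, names in sorted(analyze(sample_flows()).items()):
        print(src, ", ".join(names))
```

Note that the relay at 10.0.0.25 never appears in the output even though it opens outbound port-25 connections, while the retrying client trips only the retry-storm rule because its distinct-destination count never grows. An exception of the kind Jeff mentions for "the relevant Yahoo subnets" would be a destination allowlist checked before the counters are incremented, which is exactly the hole in the model he is complaining about.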
