Educause Security Discussion mailing list archives

Re: Thoughts on Jericho Forum


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Thu, 14 Jun 2007 13:04:04 -0400

I can only second Steve's response: keep defense in depth (layered security)
in mind, and don't look at either host OR network security; consider host AND
perimeter security.  Dollars being as tight as they are, we often have to
decide which to do first and then at a later date put the second layer in.

-Kevin


Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)





CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential,
intended solely for the addressee, and may be legally privileged. Access to
this message and its content by any individual or entity other than those
identified in this message is unauthorized. If you are not the intended
recipient, any disclosure, copying or distribution of this e-mail may be
unlawful. Any action taken or omitted due to the content of this message is
prohibited and may be unlawful.


-----Original Message-----
From: Lovaas,Steven [mailto:Steven.Lovaas () COLOSTATE EDU]
Sent: Thursday, June 14, 2007 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Thoughts on Jericho Forum

Endpoint security is a great idea. Deployed as part of a strategy of defense
in depth, client-based security measures strengthen the entire system.

But I would caution about going too far down this path too quickly. Relying
solely on one tactic opens you to vulnerability when that tactic proves
insufficient. I'd compare it to the realization that a safe in your bedroom
is a lot harder for a thief to defeat than the lock on your front door. Does
that mean that, once you purchase a safe, you no longer lock your front door
at night? I don't think so; perhaps it DOES mean you don't have to buy a
much more expensive alarm/deadbolt system for your front door.

Microsoft has been touting this approach of hardened endpoints, ubiquitous
authentication of traffic, encryption where required, and intelligence on
the client. But Microsoft sells computers, so it makes sense for them to
focus on that aspect of security. And that works great when all of your
clients are Microsoft machines and are under enough of your control to have
the relevant policies and agents installed.

Lacking that kind of standardization and control, it makes sense to also
have some sort of network-based protection. Whether that's NAC or
departmental and border firewalls or network IDS or a mix of all these,
depends on your environment.

I love that Jericho and other folks are talking about these concepts, and in
a small, controlled environment their suggestions would probably work great.
I'll keep watching them...

Steve




==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
-----Original Message-----
From: Bruce Curtis [mailto:bruce.curtis () NDSU EDU]
Sent: Wednesday, June 13, 2007 4:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Thoughts on Jericho Forum

On Jun 13, 2007, at 5:15 PM, David Morton wrote:

Lately we've been engaged in some conversation about the Jericho Forum
and their thoughts on security.



Key issues such as the ineffectiveness of traditional perimeter
defenses and encryption have rung true for a long time.

Have the principles of the Jericho Forum been discussed at your
organizations and if so, what has come out of those thoughts and
discussions?

David


   Yes, we agree about a lot of things with the Jericho Forum.  We have no
perimeter firewall and our video sessions work great, and our multicast and
IPv6 connectivity works great also.

   We have a couple of departments that are using Native Transport IPsec and
it has been working well so far, which isn't a big surprise since Microsoft
has been using it for 200,000 plus computers for quite a while.

   http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49636


   http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593


   http://www.microsoft.com/technet/itshowcase/content/ipsecdomisolwp.mspx


   We haven't done it here yet but a University 60 miles away has installed
a host IPS on all of their computers.  To me that is a much more efficient
use of security dollars than spending money on a device at the perimeter.
At least one of the Host IPS packages that I have kept an eye on has
protected from every Microsoft vulnerability due to buffer overflow since I
started looking at the issue.  And that is protection before the
vulnerability was found, reported, announced and finally patched.

   In our environment we have thousands of laptops that leave campus every
day, go who knows where, and then come back.  Even if we had a firewall,
only one click on any single host on the network can lead to that host being
compromised, and then it could scan the entire internal network.



  ---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
