Re: Outbound SMTP

[Joe St Sauver <joe () OREGON UOREGON EDU>]

Brian mentioned:

#Joe, you have a fair point, but you are making it a bit extreme. I
#would agree, in some contexts, when it comes to NAC, for example.

Actually, NAC is in many ways one of the LEAST intrusive security
measures IMHO:

-- it is only at connect time

-- most NAC approaches include feedback to the user about identified
   problems (you're not patched up, you don't appear to be running
   antivirus, whatever), so that users can figure out what they need
   to do to get access

-- most NAC approaches include options for dealing with "corner cases"
   such as non-Windows boxes

Is that to say that NAC will never cause problems? No, that's not what
I'm saying. But, on balance, I think NAC is one of the less problematic
options.

#Yet, the suggestion that blocking port 25 outbound is problematic for
#usability isn't very sustainable.

I guess I just don't get what you mean on that point. Are you saying
that blocking port 25 is the only sustainable option? If so, I'd
disagree. For example, I could see an alternative based around passive
network monitoring and response to complaints received, just to mention
one alternative.

#> It is so tempting to say, when confronting any security risk, "block
#it."
#
#The role of the ISO is a lot more nuanced than this. This is a good
#example of the importance of an ISO in an institution, as opposed to a
#network security administrator, for example.

I may be missing the nuancing in the comments that I've pretty consistently
seen this morning talking about blocking port 25 -- sure, some severely
rate limit rather than block (but the spammers have adapted to that strategy
with low-and-slow bots); others may allow authenticated submission on
587/tcp, and that's fine for remote submission, but that's different than
the issue of outbound traffic control for internal users). That's about the
extent of the finessing I've heard discussed, but I'm only halfway through
my coffee this morning, so I appologize if I missed what you had in mind.

#> 1) Even if you block port 25 traffic, the host is still infested
#
#You are missing the forest for the trees. If you render the intent of
#an exploit useless, you've accomplished defense in-depth.

I used to love watching the Bill Cosby Show. I can distinctly remember
one episode where Bill's theme was, "The kids want the house."

Well, just like the Cosby Show, "the miscreants want your users' systems."

Sometimes they may want them to send spam, but they may also want them to
do all the other nefarious activities I've previously mentioned, and the
"cool" thing about bots is that most of them are either multifunction
out of the box ("swiss army knife" style), or they're able to be remotely
updated/tailored in a modular sort of way to suit particular requirements
that may emerge over time (the miscreants wouldn't want to be embarrassed
by having tens of thousands of spam bots (only) in inventory, when there's
a need for DDoS capacity or whatever instead).

#We can't maintain pristine networks. We *can* reduce risk and have
#sufficient depth such that a compromise will be mitigated by various
#layers.

I guess that's where I disagree. I think we *can* achieve pristine (or
virtually pristine) networks. I think that can be hard if you start
out with a pretty weedy garden in the first place, but once you get
the garden weeded, it isn't that hard to stay up with new weeds when
they pop up here and there over time.

In particular, if you do have a security architecture that relies
strongly on a perimeter based architecture, then, *THEN,* more than ever,
you need to play really agressive ball against compromised machines on
the inside because the stronger the perceived perimeter firewall, the
greater the temptation for users on the inside to "let it slide -- the
firewall will protect us."

Ironically, if you DON'T have a strong perimeter defense, and all your
hosts are routinely hardened on a host-by-host basis, then you CAN
potentially tolerate a bit more noise because there's minimal difference
in how internal and external hosts are treated in terms of trust
relationships.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/

Disclaimer: all opinions expressed are strictly my own.