Educause Security Discussion mailing list archives
Re: Outbound SMTP
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Fri, 25 Apr 2008 09:11:51 -0700
Brian mentioned: #Joe, you have a fair point, but you are making it a bit extreme. I #would agree, in some contexts, when it comes to NAC, for example. Actually, NAC is in many ways one of the LEAST intrusive security measures IMHO: -- it is only at connect time -- most NAC approaches include feedback to the user about identified problems (you're not patched up, you don't appear to be running antivirus, whatever), so that users can figure out what they need to do to get access -- most NAC approaches include options for dealing with "corner cases" such as non-Windows boxes Is that to say that NAC will never cause problems? No, that's not what I'm saying. But, on balance, I think NAC is one of the less problematic options. #Yet, the suggestion that blocking port 25 outbound is problematic for #usability isn't very sustainable. I guess I just don't get what you mean on that point. Are you saying that blocking port 25 is the only sustainable option? If so, I'd disagree. For example, I could see an alternative based around passive network monitoring and response to complaints received, just to mention one alternative. #> It is so tempting to say, when confronting any security risk, "block #it." # #The role of the ISO is a lot more nuanced than this. This is a good #example of the importance of an ISO in an institution, as opposed to a #network security administrator, for example. I may be missing the nuancing in the comments that I've pretty consistently seen this morning talking about blocking port 25 -- sure, some severely rate limit rather than block (but the spammers have adapted to that strategy with low-and-slow bots); others may allow authenticated submission on 587/tcp, and that's fine for remote submission, but that's different than the issue of outbound traffic control for internal users). That's about the extent of the finessing I've heard discussed, but I'm only halfway through my coffee this morning, so I appologize if I missed what you had in mind. #> 1) Even if you block port 25 traffic, the host is still infested # #You are missing the forest for the trees. If you render the intent of #an exploit useless, you've accomplished defense in-depth. I used to love watching the Bill Cosby Show. I can distinctly remember one episode where Bill's theme was, "The kids want the house." Well, just like the Cosby Show, "the miscreants want your users' systems." Sometimes they may want them to send spam, but they may also want them to do all the other nefarious activities I've previously mentioned, and the "cool" thing about bots is that most of them are either multifunction out of the box ("swiss army knife" style), or they're able to be remotely updated/tailored in a modular sort of way to suit particular requirements that may emerge over time (the miscreants wouldn't want to be embarrassed by having tens of thousands of spam bots (only) in inventory, when there's a need for DDoS capacity or whatever instead). #We can't maintain pristine networks. We *can* reduce risk and have #sufficient depth such that a compromise will be mitigated by various #layers. I guess that's where I disagree. I think we *can* achieve pristine (or virtually pristine) networks. I think that can be hard if you start out with a pretty weedy garden in the first place, but once you get the garden weeded, it isn't that hard to stay up with new weeds when they pop up here and there over time. In particular, if you do have a security architecture that relies strongly on a perimeter based architecture, then, *THEN,* more than ever, you need to play really agressive ball against compromised machines on the inside because the stronger the perceived perimeter firewall, the greater the temptation for users on the inside to "let it slide -- the firewall will protect us." Ironically, if you DON'T have a strong perimeter defense, and all your hosts are routinely hardened on a host-by-host basis, then you CAN potentially tolerate a bit more noise because there's minimal difference in how internal and external hosts are treated in terms of trust relationships. Regards, Joe St Sauver (joe () oregon uoregon edu) http://www.uoregon.edu/~joe/ Disclaimer: all opinions expressed are strictly my own.
Current thread:
- Re: Outbound SMTP, (continued)
- Re: Outbound SMTP Barros, Jacob (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Jeff Kell (Apr 25)
- Re: Outbound SMTP Joe St Sauver (Apr 25)
- Re: Outbound SMTP Jenkins, Matthew (Apr 25)
- Re: Outbound SMTP Tim Cantin (Apr 25)
- Re: Outbound SMTP Jenkins, Matthew (Apr 25)
- Re: Outbound SMTP Joey Rego (Apr 25)
- Re: Outbound SMTP Jeff Kell (Apr 25)
- Re: Outbound SMTP Joe St Sauver (Apr 25)
- Re: Outbound SMTP Basgen, Brian (Apr 25)
- Re: Outbound SMTP Michael Van Norman (Apr 25)
- Re: Outbound SMTP Stephen John Smoogen (Apr 25)
- Re: Outbound SMTP Deke Kassabian (Apr 25)
- Re: Outbound SMTP David Lundy (Apr 25)
- Re: Outbound SMTP Jenkins, Matthew (Apr 25)
- Re: Outbound SMTP Roger Safian (Apr 25)
- Re: Outbound SMTP ken lindahl (Apr 25)
- Re: Outbound SMTP Don Nightingale (Apr 25)
- Re: Outbound SMTP Michael Van Norman (Apr 25)
(Thread continues...)