Educause Security Discussion mailing list archives
Re: Deepfreeze - Why not?
From: Michael Sana <msana () HPU EDU>
Date: Thu, 17 Nov 2011 23:30:38 +0000
Kevin, I think from a security perspective that deep freeze is just another potential layer of the defense in depth model. Deep freeze is not a panacea to resolve all security woes and still should be used in conjunction with good desktop based group policy. I cant perceive (although I could be wrong) an organization would just install deep freeze with a "set it and forget mentality" without using it conjunction with the obvious security practices of anti-virus/malware applications, host based firewall etc. Yes it does create a vector for malfeasance but again, assuming some degree of additional layers of security are in place (logging perhaps), the notion of the end user disappearing like a thief in the night may be mitigated to some degree. At the end of the day, deep freeze is just like any other tool/device we place on the network. It has positive and potential negative benefits and these tradeoffs need to be evaluated to determine if it is best suited for deployment. With that said, we have used deepfreeze for a good decade now, but as others have mentioned have moved forward with a VDI implementation which creates its own sets of benefits and challenges. Just my two cents... mike.sana. Michael C. Sana MSIA, CISSP, CISM, CISA Information Security Officer Information Technology Services Division Hawai`i Pacific University 1164 Bishop St. Suite 900 Honolulu, Hawai`i 96813 Telephone: (808) 687-7034 Fax: (808) 544-1404 Email: msana () hpu edu<mailto:msana () hpu edu> "Quis custodiet ipsos custodes?" From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl) Sent: Thursday, November 17, 2011 1:16 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Deepfreeze - Why not? Hi Again Everyone: Not trying to be a pain here, really I'm not, I do understand all the benefits that can be obtained through this type of technology but this is a security forum so I'm just going to have to say this. Apologies up-front to anyone I may offend or upset - that is not my intent..... IMO - Products like DeepFreeze, from a Security point of view, basically allow a smart attacker an anonymous attack vector into your organization that bypasses most of your perimeter defenses. I'm not saying that is a show stopper but for our world it should definitely be something that is considered and discussed in detail. I can do what I want, launch my attack, pull the plug on the machine, plug it back in and restart it, exit stage left.... Or am I missing something obvious that prevents this from happening? - Kevin Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified Assistant Vice President, Information Security & Special Projects University of Cincinnati 513-556-9177 The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000. [cid:image002.gif@01C879E9.E20A0EF0] From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Whalen Sent: Thursday, November 17, 2011 6:10 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Deepfreeze - Why not? Putting Deep freeze on our mac labs reduced support by 80% Rob Whalen Network Analyst, St. Mary's College From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel Sent: Thursday, November 17, 2011 1:05 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Deepfreeze - Why not? Hi All, We have some folks who'd like to see Deepfreeze installed on all lab PCs, but the IT department is balking. What do people think is the best reason to not install deepfreeze? Is there one? Thanks, Dan
Current thread:
- Re: Deepfreeze - Why not?, (continued)
- Re: Deepfreeze - Why not? Crary, Gregory (Nov 17)
- Re: Deepfreeze - Why not? Mclaughlin, Kevin (mclaugkl) (Nov 17)
- Re: Deepfreeze - Why not? Allen Wood (Nov 17)
- Re: Deepfreeze - Why not? Sam Stelfox (Nov 17)
- Re: Deepfreeze - Why not? Chuck Keeler (Nov 17)
- Re: Deepfreeze - Why not? Mark Monroe (Nov 17)
- Re: Deepfreeze - Why not? Heath Barnhart (Nov 17)
- Re: Deepfreeze - Why not? Gibson, Nathan J. (HSC) (Nov 17)
- Re: Deepfreeze - Why not? Rob Whalen (Nov 17)
- Re: Deepfreeze - Why not? Mclaughlin, Kevin (mclaugkl) (Nov 17)
- Re: Deepfreeze - Why not? Michael Sana (Nov 17)
- Re: Deepfreeze - Why not? Schoenefeld, Keith P. (Nov 17)
- Re: Deepfreeze - Why not? Ryan Hiebert (Nov 17)
- Re: Deepfreeze - Why not? Dave Koontz (Nov 17)
- Re: Deepfreeze - Why not? Mclaughlin, Kevin (mclaugkl) (Nov 17)
- Re: Deepfreeze - Why not? Crary, Gregory (Nov 17)
- Re: Deepfreeze - Why not? SCHALIP, MICHAEL (Nov 17)
- Re: Deepfreeze - Why not? Rich Graves (Nov 17)
- Re: Deepfreeze - Why not? Mclaughlin, Kevin (mclaugkl) (Nov 17)
- Re: Deepfreeze - Why not? Tim Doty (Nov 18)
- Re: Deepfreeze - Why not? Rich Graves (Nov 17)
- Re: Deepfreeze - Why not? Heath Barnhart (Nov 18)
- Malware forensics Nevin, David (Nov 18)
- Re: Malware forensics Mclaughlin, Kevin (mclaugkl) (Nov 18)