Firewall Wizards mailing list archives

Re: httport 3snf

From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 22 Oct 2002 00:20:10 -0400 (EDT)

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

Paul:

Great Comments! But is this really realistic?:

If tunneling is (a) against policy, and (b) requires active and considered
engineering to achieve, then the technology has done its part.  After
that, it's a monitoring and enforcement issue, not a firewall issue.  If
you can show active anti-policy malice in achieving the connection- then
it's time to move into the penalty phase.


[Bigger question coming...]

At what point does monitoring and enforcement become unrealistic? In
Robert's case, he could be the network administrator of thousands of
individually configured Windows laptops running some kind of tunneling. It
could end up as pervasive as napster. Isn't the penalty phase really just
reserved for very criminal cases?! I have worked at some pretty big places.
My experience was always that you would have to do something really bad to
reach "penalty phase" - a hand slap usually at most. If you had ten users
doing something against policy, you didn't get ten "penalty phases", you got
a meeting with your boss to help provide alternate functionality so there
were no deskptops users  "against policy".

For example, if AIM and ICQ were bad, I can imagine a mandate to provide
secure messaging or else the masses might riot.  It is true the security
groups had more power to slap hands than us network/desktop administrators
types - but we usually took more "user heat" for reduced functionality.



Don't limit your thinking and discussion of "against policy" to merely AIM
and the various IM toys.  There was a recent thread on a few other related
lists, vuln-dev being one, about the DCMA(BAD TM), but there to deal
with>, and the P2P toys that allow trading in copywrited material.  Some
of those P2P networks are actively monitored to an extent, and violators
as well as their hosting sites <ISP's and even universities> are sent
nasty grams from the copywrite holders warning them of committing offenses
and fiscal liability.  The AUP here is the universities friend here, as
well as the network admins best buddy in dealing with these infrations
that might well dig into campus  pockets for negligence.  Additionally,
75+% of the DDOS attacks we've looked into have been launched via
compromised uni systems, oftem sitting in the student dorm residences and
lounges, but, still on the university backbone.  Paul's mention of
specialised firewalls/IDS' to enforce policies, contain, and monitor these
subnetworks is great advice.  You need this to keep the students out of 
areas of the campus networkk they should not be playing in anyways, a
seperation of zones of authority if you will, afterall there has been
alot of mention of students altering thier academic status in various
institutions of learning, so some seperation is madatory anyways, just
take it a step further and deem the renets  as internal DMZ's.  I'd
additionally advise that the AUP be backed up by a minimal use policy,
requiring proper anti-virus and perhaps personal firewall software as an
additional et of protections.  Of course, your other wories are going to
be in the wireless realm these days and folks providing access freely to
those not intended for the campus networks.

SECURITY WIRE DIGEST, VOL. 4, NO. 76, OCTOBER 10, 2002
*UNIVERSITY BANS WINDOWS NT/2000
Citing security reasons, the University of California at Santa Barbara
(UCSB) has banned the use of Microsoft Windows NT/2000 on its residential
network, ResNet. In a posting on the ResNet site, UCSB officials blame the
OSes for "hundreds of major problems on UCSB's residential network during
the 2001-2 academic year," including exploited vulnerabilities,
denial-of-service attacks, port scanning, and infections by Code Red and
Nimda. UCSB recommends that ResNet users switch to Windows XP Home.
http://www.resnet.ucsb.edu/information/win2k.html


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: httport 3snf, (continued)
- - - Re: httport 3snf Ryan M. Ferris (Oct 21)
    - Re: httport 3snf Christopher Hicks (Oct 21)
    - Re: httport 3snf Paul Robertson (Oct 21)
    - Re: httport 3snf Paul Robertson (Oct 21)
    - Re: httport 3snf Ryan M. Ferris (Oct 21)
    - Re: httport 3snf Paul D. Robertson (Oct 21)
    - Re: httport 3snf Duncan (Oct 22)
    - Re: httport 3snf Paul D. Robertson (Oct 22)
    - Re: httport 3snf Duncan (Oct 22)
    - Re: httport 3snf Paul Robertson (Oct 22)
    - Re: httport 3snf R. DuFresne (Oct 22)
    - Re: httport 3snf Robert E. Martin (Oct 22)
    - Re: httport 3snf Paul Robertson (Oct 22)
    - Re: httport 3snf m p (Oct 22)
    - Re: httport 3snf Al Potter (Oct 22)
    - Re: httport 3snf Duncan (Oct 22)
    - Re: httport 3snf Paul Robertson (Oct 22)
    - Re: httport 3snf Kyle R. Hofmann (Oct 23)
- RE: httport 3snf Dawes, Rogan (ZA - Johannesburg) (Oct 21)