Firewall Wizards mailing list archives

Re: Defense in Depth to the Desktop


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 14 Dec 2004 11:39:56 -0500 (EST)

On Tue, 14 Dec 2004, Devdas Bhagat wrote:

I think so...

What we need is a PFW that can be controlled by the central IT
department and global policies applied to similar sets of desktops.

I thought that was the "Enterprise" feature set in at least one product?

But it *is* the most common way for malicious code to replicate.
Windows file and print sharing is one huge hole.

Yes, but that works just as well in client-server mode.

security is physical security and you can never claim that you have physical
control over a machine at your user's fingertips.

Perfect is the enemy of good enough.

I think Marcus and I have settled on "Pretty is the enemy of functional."

You're only as strong as the weakest link.  That's the user desktop.

Why not just remove the desktop from the trusted security perimeter?
How many corporate desktops really need Windows? How many people can
work with just dumb terminals (for the moment, I am ignoring the
politics involved)?

It's just as bad if you need the same apps- the last Windows site I was at
had mostly Terminal Server users, and it still had all the associated
malware issues.

that we remove them from being available to be the weakest link in the security
of the organization.  I'm suggesting that we acknowledge that desktops are
going to get hacked and infected (especially laptops) and make a concerted
effort to protect the rest of the organization from that inevitable compromise.

Ah, but if we can reduce the compromise rate significantly, then why not?
Especially if it's at a cost that's less than the current level of
compromise events?  I really think we're at that point, essentially it's
that or ripping out IE- something that's only now becoming an option, and
even then you still have the e-mail vector.

Strengthen the weakest link, and you strengthen the overall posture.

Agreed. I wouldn't start with ripping out IE. I would start with ripping
out MS Windows itself. If a single large organisation decides to ban MS
Office (Munich seems to be leading the way for that), the ripple effect
will be enormous. And once you have removed MS Office, then you can
push to remove the Windows dependency and clean out the mess with a
scorched earth policy.

While I've heard of large organizations going that route, as MJR pointed
out, Linux is soon to have all the same cruft.  I'm holding out hope for
the TrustedBSD stuff going into OSX, but I doubt it's going to be all that
popular an option.  I run Office all the time on my Powerbook- that
doesn't seem to have changed my risk one bit.

A heterogeneous desktop policy is probably another good idea. While any
given department needs similar desktops, different departments with
different requirements do not. What larger organisations can do is
segregate departmental desktops by requirements and then build images
for those.

[shatner] Must.  Not.  Get into. Argument. About this.  Again! [/shatner]

[snip]

A clued outsider doing a target of choice attack should reach the same
conclusion...  Hence my assertion that hardening the desktop is important.

And I assert that there should be no data left on the desktop. Ever.
Save all your data on the server, reimage the desktops regularly.
Easy, and useable by IT staff.

Ever had to support traveling salespeople or executives?

$HOME for the data and /usr/local for applications should be NFS
mounted. Email should be over IMAP(s).
Reduce the desktop to something as close to a dumb terminal as possible.

NFS?  Ick!  Next you'll be saying NIS+ needs to come back... ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards