Firewall Wizards mailing list archives

Re: Defense in Depth to the Desktop


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 14 Dec 2004 22:26:41 +0530

On 14/12/04 11:39 -0500, Paul D. Robertson wrote:
On Tue, 14 Dec 2004, Devdas Bhagat wrote:

I think so...

What we need is a PFW that can be controlled by the central IT
department and global policies applied to similar sets of desktops.

I thought that was the "Enterprise" feature set in at least one product?

Interesting. Shows how far away from Windows I have been staying.
 
But it *is* the most common way for malicious code to replicate.
Windows file and print sharing is one huge hole.

Yes, but that works just as well in client-server mode.

Doesn't change much in the hole part though :).
<snip> 
Perfect is the enemy of good enough.

I think Marcus and I have settled on "Pretty is the enemy of functional."

Both quotes are yours :)


You're only as strong as the weakest link.  That's the user desktop.

Why not just remove the desktop from the trusted security perimeter?
How many corporate desktops really need Windows? How many people can
work with just dumb terminals (for the moment, I am ignoring the
politics involved)?

It's just as bad if you need the same apps- the last Windows site I was at
had mostly Terminal Server users, and it still had all the associated
malware issues.

True, but then I am saying that the apps and OS need to be replaced.
This won't be easy or quick, but it /will/ help far more than just going
on trying to patch a broken OS (Ben, your cue to interject on patch and
control management on Windows here).
 
that we remove them from being available to be the weakest link in the security
of the organization.  I'm suggesting that we acknowledge that desktops are
going to get hacked and infected (especially laptops) and make a concerted
effort to protect the rest of the organization from that inevitable compromise.

Ah, but if we can reduce the compromise rate significantly, then why not?
Especially if it's at a cost that's less than the current level of
compromise events?  I really think we're at that point, essentially it's
that or ripping out IE- something that's only now becoming an option, and
even then you still have the e-mail vector.

Strengthen the weakest link, and you strengthen the overall posture.

Agreed. I wouldn't start with ripping out IE. I would start with ripping
out MS Windows itself. If a single large organisation decides to ban MS
Office (Munich seems to be leading the way for that), the ripple effect
will be enormous. And once you have removed MS Office, then you can
push to remove the Windows dependency and clean out the mess with a
scorched earth policy.

While I've heard of large organizations going that route, as MJR pointed
out, Linux is soon to have all the same cruft.  I'm holding out hope for

The advantage of Linux is that the cruft /can/ be removed. The same
holds for a *BSD system. Note that my post does not mention any
operating system. I would not insist on everyone using KDE, or GNOME, or
$DE of choice.

I would recommend that organisations use the desktop and applications
which best suit their needs, and customise their systems to those
requirements. Organisations which are not large enough to invest the
required effort into this can go with one of the standard distros/OSes
and stay patched.

the TrustedBSD stuff going into OSX, but I doubt it's going to be all that
popular an option.  I run Office all the time on my Powerbook- that
doesn't seem to have changed my risk one bit.

A heterogeneous desktop policy is probably another good idea. While any
given department needs similar desktops, different departments with
different requirements do not. What larger organisations can do is
segregate departmental desktops by requirements and then build images
for those.

[shatner] Must.  Not.  Get into. Argument. About this.  Again! [/shatner]

Heh, you should. /me looks for more contributions to the rants of
firewall-wizards. 
Do the web archives have the mail headers (which I can pull down into my
mailbox)? Working on anything from web archives is painful.

[snip]

A clued outsider doing a target of choice attack should reach the same
conclusion...  Hence my assertion that hardening the desktop is important.

And I assert that there should be no data left on the desktop. Ever.
Save all your data on the server, reimage the desktops regularly.
Easy, and useable by IT staff.

Ever had to support traveling salespeople or executives?

One organisation I know simply buys Macs for travelling sales people and
executives. They use OpenOffice as well (yay!).

$HOME for the data and /usr/local for applications should be NFS
mounted. Email should be over IMAP(s).
Reduce the desktop to something as close to a dumb terminal as possible.

NFS?  Ick!  Next you'll be saying NIS+ needs to come back... ;)

Know of better replacements (Samba is not)?
NIS+? No, LDAP seems to work well for the space that NIS+ used to fill.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
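The layout Devdas proposes near the end of the message (user data in an NFS-mounted $HOME, applications in an NFS-mounted /usr/local, the desktop reduced to a near-dumb terminal) only helps if the client mounts are actually constrained. The script below is an added example from the editor, not code from the thread or from either poster: it audits fstab-style entries and flags NFS mounts of $HOME that lack nosuid, nodev and noexec, and mounts of /usr/local that are not read-only. Those particular options are this example's assumed policy, not something the thread specifies; the sample fstab is constructed. One caveat the mount options do not address: classic NFS with AUTH_SYS trusts the UID the client presents, so the server side still needs root_squash in its exports and, where possible, NFSv4 with Kerberos (sec=krb5) before this arrangement is much better than the Samba shares it replaces.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): audit fstab entries for the
# thin-desktop layout discussed above, where $HOME and /usr/local live on NFS.
# The options it demands (nosuid,nodev,noexec on home; ro,nodev on /usr/local)
# are this example's assumed policy, not anything the thread states.

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated list OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_fstab_line LINE: LINE is one fstab entry ("dev mountpoint fstype opts ...").
# Prints one finding per missing option; returns 0 when the entry passes
# (non-NFS entries and mount points outside the policy always pass).
check_fstab_line() {
    # shellcheck disable=SC2086  # word-splitting the entry is intended
    set -- $1
    mnt=$2; fstype=$3; opts=$4; rc=0
    case "$fstype" in
        nfs|nfs4) ;;
        *) return 0 ;;
    esac
    case "$mnt" in
        /home|/home/*)
            # User data only: nothing under $HOME should be setuid, a device
            # node, or (assumed policy) executable at all.
            for o in nosuid nodev noexec; do
                has_opt "$opts" "$o" || { echo "$mnt: missing $o"; rc=1; }
            done
            ;;
        /usr/local)
            # Centrally managed applications: clients read, never write.
            has_opt "$opts" ro    || { echo "$mnt: should be mounted ro"; rc=1; }
            has_opt "$opts" nodev || { echo "$mnt: missing nodev"; rc=1; }
            ;;
    esac
    return $rc
}

# check_fstab FILE: run check_fstab_line over every non-comment line of FILE;
# returns the number of failing entries (0 = all pass).
check_fstab() {
    failures=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        check_fstab_line "$line" || failures=$((failures + 1))
    done < "$1"
    return "$failures"
}

# Constructed sample fstab (not from any real host); the last entry is
# deliberately too permissive and should be reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example fstab
fileserver:/export/home    /home          nfs  rw,hard,nosuid,nodev,noexec  0 0
fileserver:/export/local   /usr/local     nfs  ro,hard,nodev                0 0
fileserver:/export/scratch /home/scratch  nfs  rw,hard                      0 0
EOF
n=0
check_fstab "$sample" || n=$?
if [ "$n" -eq 0 ]; then
    echo "all NFS entries pass"
else
    echo "$n entry/entries need attention"
fi
rm -f "$sample"
```

Run it against a real /etc/fstab with `check_fstab /etc/fstab` after sourcing the functions; autofs maps need the same options in their map entries, which this script does not parse.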

