Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Tue, 18 May 2004 12:06:44 -0400

At 11:02 AM 5/18/2004 -0400, Adam Shostack wrote:
On Tue, May 18, 2004 at 09:29:01AM -0400, Dana Nowell wrote:
| >Perhaps for viruses, but not for worms as these devices tend not to be
| >permanently wired or reachable.
| >
| 
| Yup.  So imagine a case where you have an internal worm/virus outbreak and
| you clean up.  Next day it is back, you scour your network and clean up
| everything.  Next day it's back, eventually you find some guy syncing his
| Palm to his desktop or an intermittently connected wireless iPaq is the
| root cause, chase that one down.  
| 
| As a general case, I'm whining about intermittently connected devices
| having direct access to the internal network.  We talk about all sorts of
| restrictions on home PC connections, what about the 'next generation'
| (based on roll-out not technology) wireless devices (bluetooth, WiFi,
| 802.11)?  Assume you have a PDA like device in your pocket and are walking
| down the street.  Guy with an infected phone walks past and BAM, welcome to
| the nightmare.  Is that today, no.  Is that within say 5 years, possibly.
| Show me YOUR plans for firewall protection of bluetooth, wireless USB, and
| similar connections (yes some stuff is/can be built in by design but buffer
| overflows and other exploits can be built in by accident;).

I think the issue is insecure systems that remain insecure.  You get
the same behavior from backups restoring viruses.  So the issue is not
a firewall issue, but a network design & upgrade issue--how do you
flow changes in such a way that you're not breaking things?


OK, I'll grant you, I was not clear.  To some extent all reinfections fall
in that bucket but the reinfection is not the point, it's simply part of
the example.  The point is that devices drift in and out of networks and
can become infected.  The 'current' obvious/popular network design answer
(AFAIK) for intermittent connectivity devices (laptops) is "oh, those
devices are on a different segment and that segment is compartmentalized to
limit exposure".  My example was chosen to illustrate the point that it
really doesn't work with PDAs and phones that get synced to the desktop or
have 'other' wireless access to the internal network (bluetooth to a
printer/scanner/other).  Currently most people ignore them as no easy
answer exists and the short term pain is below the threshold of action.
Since they are ignored, it is unlikely that they would be examined as the
potential source of the infection and reinfection would/could result.
Given potential wireless connectivity the current 'but I only connect my
PDA to this desktop so it's clean' excuse/exemption will not be valid
forever.  So I guess my example was OK but my explanation was poor.




-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards