Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 5 May 2004 19:32:56 -0400 (EDT)

On Wed, 5 May 2004, Carson Gaspar wrote:

> I can answer for the financials - the user desktops _are_ production. If
> the homedir fileserver is compromised, you're in trouble, but you can't
> isolate it from the desktops...

For some sets of companies, that's true, but that's certainly not true for
others, and even when it is, it isn't true of every desktop in the
organization.

For companies who run non-Internet, non-information services, such as
power, water, hospitals, product manufacturers, shippers, etc., there's a
"this is our core business and it needs automation" sort of functionality,
and there's a "we need to run the business" sort of functionality, and they
rarely _need_ a common network infrastructure.

With all the money spent on "security" solutions that aren't as effective
as "don't connect", how many companies even look at their user population
risk profiles and architect for it?  Not connecting is *really* cheap and
*really* effective.

> VPN is a fact of life given 24/7 trading, and the client desktops need to
> access file servers. The best you can do is lock down the VPN clients, and
> manage the hell out of them.

> In many cases you can firewall your core back office data from everything
> else. Some companies try to firewall by business unit, but the inter-BU
> requirements quickly make those such swiss cheese that they're mostly
> useful as emergency fire doors when an outbreak happens.

People keep telling me this, but at my last employer, I had a "firewall at
each end and fixed security policy" implementation for WAN connectivity
that worked just fine.  Granted, getting the capital for each node wasn't a
fun thing and took most of a year, but I think one worm in the last 5
years would have needed action with the policy as it was when I left.

> Doing firewall-on-a-nic for all desktops and servers is possible, but is
> extremely expensive with current technology (mostly due to deployment and
> support costs). Even firewalling each subnet is a support nightmare in the
> dynamic environment that exists in most modern financials.

How much PC<->PC communication is there in a company that has supported
servers?  How difficult is a static ARP table with just the gateway entry?
"This set of things should never talk" isn't a difficult security policy
and it's not all that difficult to maintain.  If 90% of the laptops are
sales, putting them in a cage helps with worms like this.

Rate of change on production networks should be slow, measured and under
change control.  I think it's more a lack of ability to enforce good
network discipline and fear of "complaints" than actual "we tried it
for a while and it wouldn't work."

> As for patching your servers, MS _still_ doesn't have a non-broken patch
> for win2k. Most companies haven't upgraded to 2003 server yet, so a lot of
> companies had patched XP desktops, but unpatched servers.

You can drop a read-only file in a directory and stop at least up to the C
variant.

I guess I'm just thinking that we should all take half a step back and
start asking the basic "should this be connected to that?" question again.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
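The "this set of things should never talk" policy Paul describes is easy to state but only useful if someone checks it against what the network actually carries. The script below is an added example, not code from the message above or from anyone on the thread: it maps addresses to user populations (sales laptops, desktops, file servers, back office), expresses the fixed policy as a default-deny allow list, audits a flow log against it, and counts how many same-segment peers each source touched, which is what PC<->PC worm propagation looks like in flow data. The segment names, address ranges, allowed-flow matrix and flow records are all constructed for illustration.

```python
"""Audit observed flows against a "these segments should never talk" policy.

Added example, not code from the original message or from anyone on the
thread. The segment names, address ranges, the allowed-flow matrix and the
flow log lines below are all constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed segment map: which address ranges belong to which population.
SEGMENTS = {
    "sales_laptops": [ipaddress.ip_network("10.10.0.0/16")],
    "desktops":      [ipaddress.ip_network("10.20.0.0/16")],
    "file_servers":  [ipaddress.ip_network("10.30.1.0/24")],
    "back_office":   [ipaddress.ip_network("10.40.0.0/24")],
}

# The fixed policy: (source segment, destination segment, destination port).
# Anything not listed is a violation.  There are no (X, X, port) entries, so
# peer-to-peer traffic inside a segment is never allowed.
ALLOWED = {
    ("sales_laptops", "file_servers", 445),
    ("desktops", "file_servers", 445),
    ("desktops", "back_office", 1433),
}

# Constructed flow records: timestamp src dst dst_port proto
FLOW_LOG = """\
2004-05-05T19:01:02 10.20.3.4 10.30.1.10 445 tcp
2004-05-05T19:01:05 10.20.3.4 10.40.0.5 1433 tcp
2004-05-05T19:02:11 10.10.7.8 10.30.1.10 445 tcp
2004-05-05T19:02:12 10.10.7.8 10.10.7.9 445 tcp
2004-05-05T19:02:12 10.10.7.8 10.10.7.10 445 tcp
2004-05-05T19:02:13 10.10.7.8 10.20.3.4 445 tcp
2004-05-05T19:03:00 10.10.7.8 10.40.0.5 1433 tcp
2004-05-05T19:03:30 10.20.3.4 10.20.3.5 445 tcp
2004-05-05T19:04:00 192.168.50.1 10.30.1.10 445 tcp
"""


def segment_of(addr: str) -> str:
    """Return the segment an address belongs to, or "unknown" if unmapped."""
    ip = ipaddress.ip_address(addr)
    for name, nets in SEGMENTS.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def audit(log_text: str) -> list:
    """Return every flow the policy does not explicitly allow, with a reason."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if (src_seg, dst_seg, flow["port"]) in ALLOWED:
            continue
        if "unknown" in (src_seg, dst_seg):
            reason = "unmapped address"          # something is plugged in that nobody modelled
        elif src_seg == dst_seg:
            reason = "peer-to-peer inside segment"
        else:
            reason = "cross-segment flow not in policy"
        violations.append({**flow, "src_seg": src_seg, "dst_seg": dst_seg, "reason": reason})
    return violations


def fan_out(violations: list) -> Counter:
    """Count distinct same-segment peers each source touched.

    A user machine normally has no reason to talk to its neighbours at all;
    one source with many peers is the signature of a worm scanning its subnet.
    """
    seen = set()
    for v in violations:
        if v["reason"] == "peer-to-peer inside segment":
            seen.add((v["src"], v["dst"]))
    return Counter(src for src, _ in seen)


if __name__ == "__main__":
    found = audit(FLOW_LOG)
    for v in found:
        print(f'{v["ts"]} {v["src"]} ({v["src_seg"]}) -> {v["dst"]} ({v["dst_seg"]}):{v["port"]}  {v["reason"]}')
    print("same-segment peer fan-out:", dict(fan_out(found)))
```

Run against real flow data (NetFlow, firewall accept logs, or a span port feed), the same audit does double duty: before the policy is enforced it tells you whether the "these never talk" assumption is actually true, and afterwards it is a cheap worm detector, since legitimate traffic never produces intra-segment fan-out.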
