Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 5 May 2004 19:32:56 -0400 (EDT)
On Wed, 5 May 2004, Carson Gaspar wrote:
> I can answer for the financials - the user desktops _are_ production. If the homedir fileserver is compromised, you're in trouble, but you can't isolate it from the desktops...
For some sets of companies, that's true, but that's certainly not true for others, and even when it is, it isn't true of every desktop in the organization. For companies who run non-Internet, non-information services, such as power, water, hospitals, product manufacturers, shippers, etc., there's a "this is our core business and it needs automation" sort of functionality, and there's a "we need to run the business" sort of functionality, and they rarely _need_ a common network infrastructure. With all the money spent on "security" solutions that aren't as effective as "don't connect", how many companies even look at their user population risk profiles and architect for it? Not connecting is *really* cheap and *really* effective.
> VPN is a fact of life given 24/7 trading, and the client desktops need to access file servers. The best you can do is lock down the VPN clients, and manage the hell out of them. In many cases you can firewall your core back office data from everything else. Some companies try to firewall by business unit, but the inter-BU requirements quickly make those such swiss cheese that they're mostly useful as emergency fire doors when an outbreak happens.
People keep telling me this, but at my last employer, I had a "firewall at each end and fixed security policy" implementation for WAN connectivity that worked just fine. Granted, getting the capital for each node wasn't a fun thing and took most of a year, but I think one worm in the last 5 years would have needed action with the policy as it was when I left.
> Doing firewall-on-a-nic for all desktops and servers is possible, but is extremely expensive with current technology (mostly due to deployment and support costs). Even firewalling each subnet is a support nightmare in the dynamic environment that exists in most modern financials.
How much PC<->PC communication is there in a company that has supported servers? How difficult is a static ARP table with just the gateway entry? "This set of things should never talk" isn't a difficult security policy, and it's not all that difficult to maintain. If 90% of the laptops are sales, putting them in a cage helps with worms like this. Rate of change on production networks should be slow, measured and under change control. I think it's more a lack of ability to enforce good network discipline and fear of "complaints" than an actual "We tried it for a while and it wouldn't work."
> As for patching your servers, MS _still_ doesn't have a non-broken patch for win2k. Most companies haven't upgraded to 2003 server yet, so a lot of companies had patched XP desktops, but unpatched servers.
You can drop a read-only file in a directory and stop at least up to the C variant.

I guess I'm just thinking that we should all take half a step back and start asking the basic "should this be connected to that?" question again.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
paul () compuwar net
probertson () trusecure com
Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
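The "this set of things should never talk" policy Paul describes is easy to state and, as the post argues, not hard to check. The script below is an added example, not code from the thread or from either poster: it expresses one such policy (desktops may reach servers but must never reach each other) as zone membership by address range, runs it over a handful of constructed flow records, and flags the crossings. The address plan, the log format and the sample lines are all assumptions made for the example; a real deployment would feed it netflow or firewall accept logs and compare the result against the change-controlled policy.

```python
"""
Added example (not from the firewall-wizards thread): check a
"these zones must never talk" policy against flow records.
Zones, addresses, log format and sample lines are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Assumed address plan: desktops live in one /16, servers in one /24.
ZONES = {
    "desktop": [ip_network("10.10.0.0/16")],
    "server": [ip_network("10.20.0.0/24")],
}

# Zone pairs that must never exchange traffic. Desktop-to-desktop is the
# pair the post is about: worm lateral spread needs it, the business
# generally does not.
FORBIDDEN = {("desktop", "desktop")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'other' if it is in no zone."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "other"


def parse_flow(line: str) -> Flow:
    # Constructed record format: "<timestamp> <src> <dst> <dport> <proto>"
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def find_violations(lines: Iterable[str]) -> list[Flow]:
    """Return every flow whose (src zone, dst zone) pair is forbidden."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if (zone_of(flow.src), zone_of(flow.dst)) in FORBIDDEN:
            hits.append(flow)
    return hits


def summarize(violations: Iterable[Flow]) -> dict[str, int]:
    """Count violations per source host; one desktop touching many
    peers on the same port is the shape a spreading worm leaves."""
    counts: dict[str, int] = {}
    for flow in violations:
        counts[flow.src] = counts.get(flow.src, 0) + 1
    return counts


# Constructed sample flows, not captured traffic. One desktop (10.10.4.7)
# talks to a server, then fans out to three other desktops on tcp/445.
SAMPLE_LOG = """
# ts src dst dport proto
2004-05-05T19:30:01 10.10.4.7 10.20.0.5 445 tcp
2004-05-05T19:30:02 10.10.4.7 10.10.9.3 445 tcp
2004-05-05T19:30:02 10.10.4.7 10.10.9.4 445 tcp
2004-05-05T19:30:03 10.10.4.7 10.10.9.5 445 tcp
2004-05-05T19:30:05 10.10.6.2 10.20.0.5 139 tcp
2004-05-05T19:30:06 10.20.0.5 10.10.6.2 1025 tcp
"""

if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto} "
              f"violates {zone_of(f.src)}<->{zone_of(f.dst)} policy")
    print(summarize(found))
```

Run against the sample, only the three desktop-to-desktop flows from 10.10.4.7 are reported; desktop-to-server and server-to-desktop traffic passes. Adding a zone pair to `FORBIDDEN` is the whole change needed to extend the policy, which is the point of keeping the rule set small and under change control.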