Firewall Wizards mailing list archives

Re[2]: Worms, Air Gaps and Responsibility


From: Paul Van Noord <paulvn () for-him net>
Date: Fri, 7 May 2004 06:16:45 -0400

5/7/04  6:12 AM

Hi Jim,

Is it not possible to run a script when a notebook connects to the LAN
to check for the necessary security elements? If they are not there,
either deny use of the LAN or lock the machine and add them before the
user is allowed to use the LAN?

Paul Van Noord
Common Sen$e Consulting
paulvn () for-him net

=========== Original Message Below ===========

Received From: Jim Seymour  jseymour () LinxNet com

Devdas Bhagat <devdas () dvb homelinux org> wrote:

> On 06/05/04 10:34 -0400, Paul D. Robertson wrote:
[snip]

> > I understand where you're coming from, I'd just like to see us all make
> > more coordinated and extensive efforts to revisit the "connectivity trumps
> > all" mantra.
> Let me ask a harder question: How do you get the horse to drink?
> Connectivity shows profits in the balance sheet. Security shows up as
> expenses. Lack of downtime does not show up.

I don't give management options.  Or, more accurately, the only options
I give them are ones with a level of security with which I'm
comfortable.  "Comfortable" == I take *personal* ownership of its
functionality and its security, 24x7x365.  If they should happen to
discover, through no fault of my own, there's a "cheaper," less-secure
way, and they want to force me to implement it: Fine.  I'll do it.  But
when the wheels fall off (not "if," but "when"): Don't be callin' *me*
in the middle of the night, over the weekend, or while I'm on vacation,
cryin' about it.

 
[snip]

> Note that having one cheap administrator dedicated to cleaning up viruses
> often works out cheaper than having an antivirus everywhere and kept up
> to date.
[snip]

My work domain isn't all that big, but even *I* can't agree with that.
I've seen cases, on MS desktops/laptops, of viruses/worms/trojans or
spyware that took literally *hours* and *hours* to eradicate.  Just on
one machine.  Theoretically, one could image the "official desktop"
and, when something really ugly like that reared its head, simply wipe
the install and drop the new image on the box.  Of course, when you've
a typical environment, with everything from Win95 to WinXP Pro, and a
mix of hardware that's even more varied, that's not practical.

Strong perimeter defense.  Reasonable internal defenses where you can.
(E.g.: At internal "border" points.)  Strong user education.  Shun
typically exploit-prone client apps.  Keep the A/V and spyware stuff
up-to-date.  Keep the patches up-to-date.  That is the order in which I
rate the importance of my defenses.  We've had one (1) get past us in
the last five years.  No, make that two.  The first was imported the
good old way: On a floppy or a CD-ROM, from a trusted partner firm.
The person who let it into his computer didn't like to run A/V
software.  (That problem has been solved.)  It didn't get far at all.
The second, more recent, was MyDoom.  That was *pure* happenstance.  It
came in .zip file form, it came from somebody somebody knew, *and* the
target at work was expecting an emailed attachment from that specific
person.  It didn't get far, either.  (Luckily, it arrived late.  Most
of its internal targets had shut-down/logged-off for the afternoon.  I
was able to stop it in its tracks by the simple expedient of killing
smtpd and pop*d, sanitizing the mail spool and then putting up the
appropriate internal filters before firing-up the daemons again.
Lucked-out on that one, I did ;).)
 
-- 
Jim Seymour                | Spammers sue anti-spammers:
jseymour () LinxNet com       |     http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com  | Please donate to the SpamCon Legal Fund:
                           |     http://www.spamcon.org/legalfund/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
