Full Disclosure mailing list archives

Re: Calcuating Loss


From: Jay Beale <jay () bastille-linux org>
Date: Tue, 11 May 2004 13:32:49 -0700

In the wise words of Valdis.Kletnieks () vt edu:

> On Tue, 11 May 2004 08:37:30 PDT, Harlan Carvey said:
> > Two words..."testing process".  What happened to that?
> > Don't tell me you're installing patches directly to
> > production systems...
>
> And three words in return: "time till worm".
>
> We're fast approaching the point where a site can't do anything resembling a
> reasonable testing process and complete it before the worm arrives.  You can
> buy yourself *some* time if you start advertising that your jobs will require
> second and third shift work the second week of every month.....

How about two words: "network architecture"?

Let me just paint a possible picture for a more worm-resistant 
enterprise:

Internal filters between departments/floors/divisions.  They only allow 
specific protocols through and are well-tuned to allow access to 
specific machines.  They've got sample rules ready to deploy during 
crisis, to cut off one infected network from the others around it.

Filters on workstations deployed to only do ports 135, 137-139, 445 with
your internal servers/management systems.  Those few internal servers
get patched first and fast, as they serve as the only way for worms to
propagate from one of the many workstations to another.  Workstations 
don't really need to communicate directly in most environments, right?

We've got some of this latter suggestion on Linux desktops through the
default-active host firewalls.  The network component is up to the 
administrators, but DMZ's have been standard practice for years and 
internal DMZ's have been gaining popularity in the last few years.

I don't think this is horribly unrealistic in most environments.  It 
just takes planning and enough time between worms for the operations 
and security people to catch their breath and sell it to management.

 - Jay
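The segmentation picture above (inter-department filters with pre-staged crisis rules, workstation host filters that permit the Windows service ports only toward the internal servers, and no direct workstation-to-workstation traffic) as a small policy model plus the iptables rules it corresponds to. This is an added example, not code from the post or from Bastille; the server addresses, department subnets and department names are constructed for illustration.

```python
"""Policy model of the worm-resistant layout described in the post.
Added example, not the poster's code; every address and name below is an
assumption constructed for illustration."""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional

# Constructed topology (assumption): one server VLAN, two department VLANs.
SERVERS = {ipaddress.ip_address(a) for a in ("10.0.0.10", "10.0.0.11")}
DEPARTMENTS = {
    "finance": ipaddress.ip_network("10.1.0.0/24"),
    "engineering": ipaddress.ip_network("10.2.0.0/24"),
}
# The ports the post names: RPC endpoint mapper, NetBIOS name/datagram/session, SMB.
WINDOWS_PORTS = {("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def department_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    for name, net in DEPARTMENTS.items():
        if ip in net:
            return name
    return None


def is_workstation(ip: ipaddress.IPv4Address) -> bool:
    return ip not in SERVERS and department_of(ip) is not None


def decide(flow: Flow, quarantined: Iterable[str] = ()) -> str:
    """Verdict for one flow under the combined network and host filters."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # 1. Crisis rule on the inter-department filter: a quarantined department
    #    is cut off from everything outside its own network, servers included.
    for dept in quarantined:
        net = DEPARTMENTS[dept]
        if (src in net) != (dst in net):
            return "DROP"
    # 2. Workstations never talk to each other directly, whatever the port.
    if is_workstation(src) and is_workstation(dst):
        return "DROP"
    # 3. Windows service ports only to or from the server set, so the servers
    #    are the single hop a worm would have to cross between workstations.
    if (flow.proto, flow.dport) in WINDOWS_PORTS:
        return "ACCEPT" if src in SERVERS or dst in SERVERS else "DROP"
    # 4. Everything else (web, mail, DNS to the proxy...) is left to other policy.
    return "ACCEPT"


def workstation_rules() -> List[str]:
    """iptables commands implementing rules 2 and 3 as a host firewall on a
    workstation, in the spirit of the default-active desktop firewall mentioned."""
    servers = sorted(str(s) for s in SERVERS)
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    # Only the servers/management systems may open connections to a workstation.
    rules += [f"iptables -A INPUT -s {s} -j ACCEPT" for s in servers]
    # Windows ports: explicit accept toward the servers, then drop toward anyone else.
    for s in servers:
        rules.append(f"iptables -A OUTPUT -d {s} -p tcp -m multiport --dports 135,139,445 -j ACCEPT")
        rules.append(f"iptables -A OUTPUT -d {s} -p udp -m multiport --dports 137,138 -j ACCEPT")
    rules.append("iptables -A OUTPUT -p tcp -m multiport --dports 135,139,445 -j DROP")
    rules.append("iptables -A OUTPUT -p udp -m multiport --dports 137,138 -j DROP")
    # No direct workstation-to-workstation traffic at all (rule 2).
    rules += [f"iptables -A OUTPUT -d {net} -j DROP" for net in DEPARTMENTS.values()]
    return rules


def quarantine_rules(dept: str) -> List[str]:
    """Pre-staged crisis rules for the inter-department filter (rule 1), inserted
    at the head of FORWARD so they override the normal allow list."""
    net = DEPARTMENTS[dept]
    return [
        f"iptables -I FORWARD -s {net} ! -d {net} -j DROP",
        f"iptables -I FORWARD -d {net} ! -s {net} -j DROP",
    ]


if __name__ == "__main__":
    for f in (Flow("10.1.0.5", "10.1.0.6", "tcp", 445),
              Flow("10.1.0.5", "10.0.0.10", "tcp", 445),
              Flow("10.1.0.5", "10.2.0.7", "tcp", 80)):
        print(f, decide(f), decide(f, quarantined=["finance"]))
    print("\n".join(workstation_rules() + quarantine_rules("finance")))
```

The point of evaluating flows before touching a firewall is to confirm the intent the post describes: SMB from one desktop to another is dropped, SMB to a file server is accepted, and once a department is quarantined even its traffic to the patched servers stops. The generated iptables lines are one way to express that on a 2004-era Linux host; a site would substitute its own server list and subnets.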

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
