Full Disclosure mailing list archives
Re: Calcuating Loss
From: Jay Beale <jay () bastille-linux org>
Date: Tue, 11 May 2004 13:32:49 -0700
In the wise words of Valdis.Kletnieks () vt edu:
> On Tue, 11 May 2004 08:37:30 PDT, Harlan Carvey said:
>
> > Two words..."testing process". What happened to that? Don't tell me you're installing patches directly to production systems...
>
> And three words in return: "time till worm". We're fast approaching the point where a site can't do anything resembling a reasonable testing process and complete it before the worm arrives. You can buy yourself *some* time if you start advertising that your jobs will require second and third shift work the second week of every month.....
How about two words, "network architecture?" Let me just paint a possible picture for a more worm-resistant enterprise:

Internal filters between departments/floors/divisions. They only allow specific protocols through and are well-tuned to allow access to specific machines. They've got sample rules ready to deploy during crisis, to cut off one infected network from the others around it.

Filters on workstations deployed to only do port 135,137-139,445 with your internal servers/management systems. Those few internal servers get patched first and fast, as they serve as the only way for worms to propagate from one of the many workstations to another. Workstations don't really need to communicate directly in most environments, right?

We've got some of this latter suggestion on Linux desktops through the default-active host firewalls. The network component is up to the administrators, but DMZs have been standard practice for years and internal DMZs have been gaining popularity in the last few years.

I don't think this is horribly unrealistic in most environments. It just takes planning and enough time between worms for the operations and security people to catch their breath and sell it to management.

- Jay

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
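The layout described in the message above, modelled as an added example that is not part of the original post or the list archive: a small Python reachability check showing which hosts a worm on one workstation can reach under a flat network, under the workstation/server filters, and under a crisis quarantine rule. Host and segment names are hypothetical, and the model assumes a patched host cannot be infected and that workstation filters permit the listed ports in both directions with servers.

```python
from collections import deque

WORM_PORTS = {135, 137, 138, 139, 445}  # ports named in the message

# Constructed inventory: host -> (role, segment). All names are hypothetical.
HOSTS = {
    "ws-a1": ("workstation", "floor-a"), "ws-a2": ("workstation", "floor-a"),
    "ws-b1": ("workstation", "floor-b"), "ws-b2": ("workstation", "floor-b"),
    "fs-01": ("server", "core"), "mgmt-01": ("server", "core"),
}

def allowed(src, dst, port, segmented, quarantined=frozenset()):
    """Return True if the filters let src open a connection to dst on port."""
    if not segmented:
        return True  # flat network: every host can reach every other host
    (src_role, src_seg), (dst_role, dst_seg) = HOSTS[src], HOSTS[dst]
    # Crisis rule: a quarantined segment is cut off from everything outside it.
    if src_seg != dst_seg and (src_seg in quarantined or dst_seg in quarantined):
        return False
    if port in WORM_PORTS:
        # Host filters: workstations only exchange these ports with servers.
        return "server" in (src_role, dst_role)
    return False  # default deny; other protocols would need their own rule

def spread(start, port, segmented, patched=frozenset(), quarantined=frozenset()):
    """Breadth-first search over permitted flows: the hosts a worm can reach."""
    infected, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst in infected or dst in patched:
                continue  # assumption: a patched host cannot be infected
            if allowed(src, dst, port, segmented, quarantined):
                infected.add(dst)
                queue.append(dst)
    return infected

if __name__ == "__main__":
    servers = frozenset(h for h, (role, _) in HOSTS.items() if role == "server")
    print("flat:", sorted(spread("ws-a1", 445, False)))
    print("filtered, servers unpatched:", sorted(spread("ws-a1", 445, True)))
    print("filtered, one server patched:",
          sorted(spread("ws-a1", 445, True, patched=frozenset({"fs-01"}))))
    print("filtered, servers patched:", sorted(spread("ws-a1", 445, True, patched=servers)))
    print("filtered, floor-a quarantined:",
          sorted(spread("ws-a1", 445, True, quarantined=frozenset({"floor-a"}))))
```

With the filters in place but the servers unpatched, the result matches the flat network, which is why the message puts those few servers first in the patch queue.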