Honeypots mailing list archives

RE: Inoculation Scripts


From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 21 Jul 2004 13:57:36 -0500

The biggest problem that I have had is really hard to solve (if not
impossible) at the perimeter because of home users, remote sites, and
vendors connecting over client-based VPNs or Point-to-Point VPNs.  The
same problems come with home users and vendors plugging laptops into the
network (this can and eventually will be solved with 802.1x).

In a big enough environment, the perimeter has a tendency to disappear
or at least blur.  These VPN connections, laptops, and Point-to-Point
connections are often where the infection originates from and then
spreads to internal PCs.

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Wednesday, July 21, 2004 1:52 PM
To: Joshua Berry
Cc: honeypots () securityfocus com
Subject: Re: Inoculation Scripts 

On Wed, 21 Jul 2004 13:31:15 CDT, Joshua Berry said:
I use Snort with Flexresp and Snort Inline, I am just playing around
with this for now.  While Snort-Inline or Flexresp can keep resetting or
blocking connections, this solution actually removes the worm and cleans
up the system.  The reality is that large networks have an incredibly
difficult time patching systems effectively and I am just playing around
with this in a test network to see how well it works.

Been there, done that.  The *real* reality is you need to make *really*
sure you have your posterior covered in case some Very Self-Important
User's machine doesn't patch correctly...

(And in fact, it's usually a technically reasonable thing to do, the
hang-up is *always* avoiding the liability issues if a machine that isn't
your responsibility to fix *anyhow* gets broken by the patching...)
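The quoted message contrasts Flexresp and Snort Inline, which both act on the connection, with an inoculation script, which acts on the infected host. As an added illustration (not from this thread or from the Snort project's own rule set), the two rules below show what the connection-level response looks like in Snort 2.x rule syntax. The port, the message text and the content string are constructed placeholders, not a real worm signature; $HOME_NET and $EXTERNAL_NET are the standard Snort variables.

```snort
# Flexresp: Snort runs passively (IDS mode) and still only alerts, but the
# "resp" keyword sends TCP resets to both ends when the rule fires, so the
# worm's connection is torn down after the fact. The content string is a
# constructed placeholder, not a real detection pattern.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER worm propagation attempt (flexresp reset)"; flow:to_server,established; content:"PLACEHOLDER-WORM-BYTES"; resp:rst_all; classtype:trojan-activity; sid:1000001; rev:1;)

# Snort Inline: Snort sits in the forwarding path and the "drop" action
# discards the matching packet before it reaches the target, so the
# connection never completes. Same placeholder content string.
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER worm propagation attempt (inline drop)"; flow:to_server,established; content:"PLACEHOLDER-WORM-BYTES"; classtype:trojan-activity; sid:1000002; rev:1;)
```

Both rules stop the traffic they match; neither removes the infection from the host that generated it, which is the gap the inoculation script in the thread is trying to fill. The inline rule also only works for traffic that actually passes through the sensor, which is exactly the problem the reply above raises about VPN clients and laptops plugged in behind the perimeter.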

