nanog mailing list archives
Re: Level3 routing issues?
From: alex () yuriev com
Date: Mon, 27 Jan 2003 16:00:51 -0500 (EST)
Given that the head of one of our three-letter-agencies managed to get this sort of thing wrong, what makes you think that Joe Middle-Manager who's more concerned about fixing a spreadsheet will get it correct?Because it is not that difficult. A security policy of a little office is very different from a security policy of a three letter agency. In fact, fixing a spreadsheet could be mode difficult than implementing a security policy for an office with 5 computers that are connected to the Internet.Ahh... but in the case of SQLSlapper, you have a packet coming in to the PC.. That traffic doesn't get restricted by your hypothetical security policy, since it's not entering the VPN, and the outbound traffic isn't either, because it's locally generated.
Umm... Why is outside world talking to your database server without supervision?
This also means that your security policy needs to be fixed so Outlook is not permitted to connect to any other mail servers - because otherwise the user can check their AOL account, pick up a Nimda, and whomp it into the VPN.
Umm.. Why is your security policy allowing outlook to connect to somewhere other than your company mail server?
In fact, if you're talking to the VPN and allow any non-VPN connections *at any time* (even when the VPN isn't active), you have a vulnerability - think about downloading a file that has a virus that doesn't have a signature from the vendors yet (like the first 75,000 copies of Nimda that his our mail server). Wanna bet that when that VPN connects, there's some shares available for the virus to attack? ;)
Nope, in fact, the idea "allow everything from inside to out" is the reason the vast majority of the problems in the policy.
It's not as easy as it looks.
It is very easy. Deny everything. Allow outbound port 80 Allow mail server to 25 Allow ident If you need netmeeting, allow netmeeting server to other servers. If you need AIM, allow AIM from workstations to oscar.aol.com and whatever the name of the other mahine. I am failing to see a problem.
--
Current thread:
- Re: Level3 routing issues?, (continued)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? Scott Granados (Jan 27)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? Simon Lockhart (Jan 27)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? Barney Wolff (Jan 27)
- Re: Level3 routing issues? Christopher L. Morrow (Jan 27)
- Re: Level3 routing issues? Valdis . Kletnieks (Jan 27)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? Valdis . Kletnieks (Jan 27)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? Simon Lockhart (Jan 27)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? Simon Lockhart (Jan 27)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? Valdis . Kletnieks (Jan 27)
- Re: Level3 routing issues? alex (Jan 27)
- Re: Level3 routing issues? David Howe (Jan 28)
- VPN clients and security models alex (Jan 28)
- Re: VPN clients and security models Valdis . Kletnieks (Jan 28)
- Re: VPN clients and security models David Howe (Jan 28)