Re: [fw-wiz] httport 3snf

From: R. DuFresne (dufresne@sysinfo.com)
Date: 10/22/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
Date: Tue Oct 22 05:51:02 2002

On Mon, 21 Oct 2002, Ryan M. Ferris wrote:

> Paul:
>
> Great Comments! But is this really realistic?:
>
> > If tunneling is (a) against policy, and (b) requires active and considered
> > engineering to achieve, then the technology has done its part. After
> > that, it's a monitoring and enforcement issue, not a firewall issue. If
> > you can show active anti-policy malice in achieving the connection- then
> > it's time to move into the penalty phase.
>
> [Bigger question coming...]
>
> At what point does monitoring and enforcement become unrealistic? In
> Robert's case, he could be the network administrator of thousands of
> individually configured Windows laptops running some kind of tunneling. It
> could end up as pervasive as napster. Isn't the penalty phase really just
> reserved for very criminal cases?! I have worked at some pretty big places.
> My experience was always that you would have to do something really bad to
> reach "penalty phase" - a hand slap usually at most. If you had ten users
> doing something against policy, you didn't get ten "penalty phases", you got
> a meeting with your boss to help provide alternate functionality so there
> were no desktop users "against policy".
>
> For example, if AIM and ICQ were bad, I can imagine a mandate to provide
> secure messaging or else the masses might riot. It is true the security
> groups had more power to slap hands than us network/desktop administrators
> types - but we usually took more "user heat" for reduced functionality.

Don't limit your thinking and discussion of "against policy" to merely AIM
and the various IM toys. There was a recent thread on a few other related
lists, vuln-dev being one, about the DMCA <(BAD TM), but there to deal
with>, and the P2P toys that allow trading in copyrighted material. Some
of those P2P networks are actively monitored to an extent, and violators
as well as their hosting sites <ISP's and even universities> are sent
nasty grams from the copyright holders warning them of committing offenses
and fiscal liability. The AUP is the university's friend here, as
well as the network admin's best buddy in dealing with these infractions
that might well dig into campus pockets for negligence. Additionally,
75+% of the DDOS attacks we've looked into have been launched via
compromised uni systems, often sitting in the student dorm residences and
lounges, but, still on the university backbone. Paul's mention of
specialised firewalls/IDS' to enforce policies, contain, and monitor these
subnetworks is great advice. You need this to keep the students out of
areas of the campus network they should not be playing in anyways, a
separation of zones of authority if you will, after all there has been
a lot of mention of students altering their academic status in various
institutions of learning, so some separation is mandatory anyways, just
take it a step further and deem the resnets as internal DMZ's. I'd
additionally advise that the AUP be backed up by a minimal use policy,
requiring proper anti-virus and perhaps personal firewall software as an
additional set of protections. Of course, your other worries are going to
be in the wireless realm these days and folks providing access freely to
those not intended for the campus networks.

SECURITY WIRE DIGEST, VOL. 4, NO. 76, OCTOBER 10, 2002
*UNIVERSITY BANS WINDOWS NT/2000
Citing security reasons, the University of California at Santa Barbara
(UCSB) has banned the use of Microsoft Windows NT/2000 on its residential
network, ResNet. In a posting on the ResNet site, UCSB officials blame the
OSes for "hundreds of major problems on UCSB's residential network during
the 2001-2 academic year," including exploited vulnerabilities,
denial-of-service attacks, port scanning, and infections by Code Red and
Nimda. UCSB recommends that ResNet users switch to Windows XP Home.
http://www.resnet.ucsb.edu/information/win2k.html

Thanks,

Ron DuFresne

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!

