Re: [fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls
From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 08/27/03
- Previous message: Barney Wolff: "Re: [fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- In reply to: Barney Wolff: "Re: [fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- Next in thread: Bartek Krajnik: "Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Barney Wolff <barney@databus.com>
Date: Tue, 26 Aug 2003 21:21:23 -0400
Barney Wolff wrote:
>Alas, for the latest round merely being not Internet connected would
>not have been good enough. An infected immigrant laptop is enough to take
>down any isolated net.
Oh, yeah. It kind of goes without saying that a network with
roaming laptops is not "isolated" for any meaningful use of
the expression. A network where the 100b-t adapters are
epoxied into the computers and the hubs are all in locked
closets - *that* is an "isolated" network. Wireless? Don't
even *TALK* to me about wireless!! :)
I saw a news item about a reactor monitoring system that
was supposedly taken offline by a recent worm. Now - what
kind of morons were running that network, I ask you? I've
swapped Emails with Navy sysadmins on Aegis boats and
they've got people just putting computers on and off the
network (including wireless) pretty much at will. What
the hell? For the cost of one of those boats you can run
dual-rail networks - one with open ports and one with
epoxied ports. This isn't hard. What's hard and what
people don't get is that they want to have their cake and
eat it too:
they want flexibility and no risk - BZZT
they want security and to surf the web - BZZT
they want to use Windows default installs securely - BZZT
>For a sufficiently rich and motivated org, I'd advocate changing the
>Ethertype of IP from 800, just to make it harder to connect conventional
>equipment by accident. Does even NSA do anything like that?
Nope. :(
Some of the old-school secure networks ran some of their cable in
pressurized conduit so you might be able to detect if someone
drilled in to install a tap; that's about it.
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards