Re: [fw-wiz] Re: Setting up H323 IP telephony etc
From: Mike Hoskins (mike_at_adept.org)
To: firstname.lastname@example.org Date: Thu, 28 Aug 2003 17:20:35 -0700 (PDT)
Date: Tue, 26 Aug 2003 20:58:46 -0400
From: Barney Wolff <email@example.com>
To: "Marcus J. Ranum" <firstname.lastname@example.org>
Subject: Re: [fw-wiz] Re: Setting up H323 IP telephony etc
On Tue, Aug 26, 2003 at 05:07:46PM -0400, Marcus J. Ranum wrote:
> Sorry - I'm feeling extremely curmudgeonly today.
story of my life.
> various worms in the last week. Why's that? On the surface, the
> answer is "RPC bug" but the REAL answer is "people should not
> be connecting mission-critical networks to the Internet - even with
> firewalls." A small handful of us have been singing this song quietly
> in the corner for about 12 years, now. Is anyone going to ever "get
probably not. i've come to realize part of our job as 'security people'
is to keep singing the same things over and over. oh, i don't _like_
that fact, but it does seem to be true. now more than ever (due to the
market or whatever you blame), business people just have to cite 'business
drivers' and the technies shutup out of fear of loosing their jobs.
unfortuneately things are so out-of-wack that no one stops to realize
that allowing a 'mission-critical' network to be taken offline (werd to
the Navy on that one) due to a worm circulating on a public network IS a
much better reason for loosing your job.
> Alas, for the latest round merely being not Internet connected would
> not have been good enough. An infected immigrant laptop is enough to
> take down any isolated net.
> For a sufficiently rich and motivated org, I'd advocate changing the
> Ethertype of IP from 800, just to make it harder to connect conventional
> equipment by accident. Does even NSA do anything like that?
you let random people plug-in, get an address, and snoop around? that's
OK, but you shouldn't do that on a 'mission-critical' network. if
you do, the org should re-define 'mission critical'. VLANs, ACLs, MAC
tables... there are lots of ways to ensure only acceptable hosts connect
to the network that are cheaper/easier than low-level network bits. of
course, that works too. ;) but i think the real issue is that people go
around touting 'mission critical' WAY too friggen much. if it is really
'mission critical', then people need to remember that convenience comes
with a cost -- reduced security. furthermore, if the business people
review the org's security policy and accept that before the incident --
then they have no one to blame but themselves when their 'mission
critical' network goes offline. that's why policy has to be top-down.
-- From: "Spam Catcher" <email@example.com> To: firstname.lastname@example.org Do NOT send email to the address listed above or you will be added to a blacklist! _______________________________________________ firewall-wizards mailing list email@example.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards