RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 05/06/04

    To: Carson Gaspar <carson@taltos.org>
    Date: Wed, 5 May 2004 19:32:56 -0400 (EDT)

    On Wed, 5 May 2004, Carson Gaspar wrote:

    > I can answer for the financials - the user desktops _are_ production. If
    > the homedir fileserver is compromised, you're in trouble, but you can't
    > isolate it from the desktops...

    For some sets of companies, that's true, but that's certainly not true for
    others- and even when it is, it isn't true of every desktop in the
    organization.

    For companies who run non-Internet, non-information services, such as
    power, water, hospitals, product manufacturers, shippers, etc., there's a
    "this is our core business and it needs automation" sort of functionality,
    and there's a "we need to run the business" sort of functionality, and they
    rarely _need_ a common network infrastructure.

    With all the money spent on "security" solutions that aren't as effective
    as "don't connect"- how many companies even look at their user population
    risk profiles and architect for it? Not connecting is *really* cheap and
    *really* effective.

    > VPN is a fact of life given 24/7 trading, and the client desktops need to
    > access file servers. The best you can do is lock down the VPN clients, and
    > manage the hell out of them.
    >
    > In many cases you can firewall your core back office data from everything
    > else. Some companies try to firewall by business unit, but the inter-BU
    > requirements quickly make those such swiss cheese that they're mostly
    > useful as emergency fire doors when an outbreak happens.
    >

    People keep telling me this, but at my last employer, I had a "firewall at
    each end and fixed security policy" implementation for WAN connectivity
    that worked just fine. Granted, getting the capital for each node wasn't a
    fun thing and took most of a year- but I think one worm in the last 5
    years would have needed action with the policy as it was when I left.

    > Doing firewall-on-a-nic for all desktops and servers is possible, but is
    > extremely expensive with current technology (mostly due to deployment and
    > support costs). Even firewalling each subnet is a support nightmare in the
    > dynamic environment that exists in most modern financials.

    How much PC<->PC communication is there in a company that has supported
    servers? How difficult is a static ARP table with just the gateway entry?
    "This set of things should never talk" isn't a difficult security policy
    and it's not all that difficult to maintain. If 90% of the laptops are
    sales, putting them in a cage helps with worms like this.

    Rate of change on production networks should be slow, measured and under
    change control- I think it's more a lack of ability to enforce good
    network discipline and fear of "complaints" more than actual "We tried it
    for a while and it wouldn't work."

    > As for patching your servers, MS _still_ doesn't have a non-broken patch
    > for win2k. Most companies haven't upgraded to 2003 server yet, so a lot of
    > companies had patched XP desktops, but unpatched servers.

    You can drop a read-only file in a directory and stop at least up to the C
    variant.

    I guess I'm just thinking that we should all take half a step back and
    start asking the basic "should this be connected to that?" question again.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
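An added example, not from this message or the list: a small Python audit of a desktop's neighbor table that checks the "static ARP entry for the gateway only" policy described above. It parses a constructed `ip neigh show` dump (the addresses and MACs are invented), verifies the gateway entry is PERMANENT with the expected MAC, and flags any other host the desktop has resolved, since that is evidence of the PC<->PC traffic the policy is meant to rule out.

```python
import re

# Constructed sample of `ip neigh show` output from one desktop (not real data).
SAMPLE_NEIGH = """\
10.1.2.1 dev eth0 lladdr 00:11:22:33:44:01 PERMANENT
10.1.2.57 dev eth0 lladdr 00:11:22:33:44:57 REACHABLE
10.1.2.88 dev eth0 lladdr 00:11:22:33:44:88 STALE
10.1.2.99 dev eth0 FAILED
"""

# Matches "<ip> dev <iface> lladdr <mac> <state>"; entries without a MAC
# (FAILED / INCOMPLETE) carry no lladdr and are matched by the second pattern.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")
NOMAC_RE = re.compile(r"^(\S+) dev (\S+) (\S+)$")


def parse_neigh(text):
    """Parse `ip neigh show` lines into dicts with ip, dev, mac, state."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = NEIGH_RE.match(line)
        if m:
            entries.append({"ip": m[1], "dev": m[2], "mac": m[3], "state": m[4]})
            continue
        m = NOMAC_RE.match(line)
        if m:
            entries.append({"ip": m[1], "dev": m[2], "mac": None, "state": m[3]})
    return entries


def audit_gateway_only(entries, gateway_ip, gateway_mac):
    """Return policy findings for a 'desktop talks only to the gateway' rule."""
    findings = []
    gw = [e for e in entries if e["ip"] == gateway_ip]
    # The gateway must be a static (PERMANENT) entry with the MAC we expect;
    # a dynamic entry means ARP from any peer on the segment can rewrite it.
    if not any(e["state"] == "PERMANENT" and e["mac"] == gateway_mac for e in gw):
        findings.append(f"gateway {gateway_ip} is not a static entry with {gateway_mac}")
    for e in gw:
        if e["mac"] not in (None, gateway_mac):
            findings.append(f"gateway {gateway_ip} resolves to unexpected MAC {e['mac']}")
    # Any resolved non-gateway neighbor means this desktop exchanged frames
    # with another host directly, which the policy says should never happen.
    for e in entries:
        if e["ip"] != gateway_ip and e["state"] not in ("FAILED", "INCOMPLETE"):
            findings.append(f"peer {e['ip']} ({e['mac']}) on {e['dev']}: host-to-host traffic")
    return findings
```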