Re: [fw-wiz] Defense in Depth to the Desktop

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 12/14/04

  • Next message: R. DuFresne: "Re: [fw-wiz] How to Save The World"
    To: Devdas Bhagat <devdas@dvb.homelinux.org>
    Date: Tue, 14 Dec 2004 11:39:56 -0500 (EST)

    On Tue, 14 Dec 2004, Devdas Bhagat wrote:

    > > I think so...
    >
    > What we need is a PFW that can be controlled by the central IT
    > department and global policies applied to similar sets of desktops.

    I thought that was the "Enterprise" feature set in at least one product?

    > But it *is* the most common way for malicious code to replicate.
    > Windows file and print sharing is one huge hole.

    Yes, but that works just as well in client-server mode.

    > > > security is physical security and you can never claim that you have physical
    > > > control over a machine at your user's fingertips.
    > >
    > > Perfect is the enemy of good enough.

    I think Marcus and I have settled on "Pretty is the enemy of functional."

    > > You're only as strong as the weakest link. That's the user desktop.
    >
    > Why not just remove the desktop from the trusted security perimeter?
    > How many corporate desktops really need Windows? How many people can
    > work with just dumb terminals (for the moment, I am ignoring the
    > politics involved)?

    It's just as bad if you need the same apps- the last Windows site I was at
    had mostly Terminal Server users, and it still had all the associated
    malware issues.

    > > > that we remove them from being available to be the weakest link in the security
    > > > of the organization. I'm suggesting that we acknowledge that desktops are
    > > > going to get hacked and infected (especially laptops) and make a concerned
    > > > effort to protect the rest of the organization from that inevitable compromise.
    > >
    > > Ah, but if we can reduce the compromise rate significantly, then why not?
    > > Especially if it's at a cost that's less than the current level of
    > > compromise events? I really think we're at that point, essentially it's
    > > that or ripping out IE- something that's only now becoming an option, and
    > > even then you still have the e-mail vector.
    > >
    > > Strengthen the weakest link, and you strengthen the overall posture.
    > >
    > Agreed. I wouldn't start with ripping out IE. I would start with ripping
    > out MS Windows itself. If a single large organisation decides to ban MS
    > Office (Munich seems to be leading the way for that), the ripple effect
    > will be enormous. And once you have removed MS Office, then you can
    > push to remove the Windows dependency and clean out the mess with a
    > scorched earth policy.

    While I've heard of large organizations going that route, as MJR pointed
    out, Linux is soon to have all the same cruft. I'm holding out hope for
    the TrustedBSD stuff going into OSX, but I doubt it's going to be all that
    popular an option. I run Office all the time on my Powerbook- that
    doesn't seem to have changed my risk one bit.

    > A heterogeneous desktop policy is probably another good idea. While any
    > given department needs similar desktops, different departments with
    > different requirements do not. What larger organisations can do is
    > segregate departmental desktops by requirements and then build images
    > for those.

    [shatner] Must. Not. Get into. Argument. About this. Again! [/shatner]

    [snip]

    > > A clued outsider doing a target of choice attack should reach the same
    > > conclusion... Hence my assertion that hardening the desktop is important.
    > >
    > And I assert that there should be no data left on the desktop. Ever.
    > Save all your data on the server, reimage the desktops regularly.
    > Easy, and usable by IT staff.

    Ever had to support traveling salespeople or executives?

    > $HOME for the data and /usr/local for applications should be NFS
    > mounted. Email should be over IMAP(s).
    > Reduce the desktop to something as close to a dumb terminal as possible.

    NFS? Ick! Next you'll be saying NIS+ needs to come back... ;)

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
