RE: Cisco CTR

From: Michael Marziani (marziani_at_oasis.com)
Date: 11/07/03

  • Next message: Chad R. Skipper: "RE: Cisco CTR"
    To: <focus-ids@securityfocus.com>
    Date: Fri, 7 Nov 2003 12:50:29 -0600
    
    

    This solution is definitely suboptimal, which I noted in the need for
    increased administrative workload. It could probably be semi-automated in a
    number of ways yet still require a sysadmin to verify the updates to keep it
    secure.

    -Michael

    > -----Original Message-----
    > From: Gary Halleen [mailto:ghalleen@cisco.com]
    > Sent: Friday, November 07, 2003 12:44 PM
    > To: 'Michael Marziani'; Rob Shein; 'Gary Flynn'
    > Cc: 'Liran Chen'; focus-ids@securityfocus.com
    > Subject: RE: Cisco CTR
    >
    >
    > In that case, though, you're using stagnant information. How would this be
    > kept accurate in an environment when users patch their computers, or when IP
    > addresses change due to DHCP?
    >
    > Gary
    >
    >
    > > -----Original Message-----
    > > If this type of attack can succeed as I think it could, I think a solution
    > > would be for the IDS to keep a record of the patch levels of every system in
    > > the network and allow those patch levels to be updated only through an
    > > administrative interface (requiring additional authentication and of course
    > > increasing the administrative workload). Then the system wouldn't be fooled
    > > by this technique.
    > >
    > > -Michael
    > >
    > >
    >
    >
