Re: Proxy server hit... Any ideas?
From: Valdis.Kletnieks@vt.edu
Date: 11/22/02
- Previous message: Åke Nordin: "RE: Proxy server hit... Any ideas?"
- Maybe in reply to: Mike Cain: "Proxy server hit... Any ideas?"
- Next in thread: Valdis.Kletnieks@vt.edu: "Re: Proxy server hit... Any ideas?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Emeric Miszti <emeric@uksecurityonline.com>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 22 Nov 2002 09:22:45 -0500
On Fri, 22 Nov 2002 10:10:51 GMT, Emeric Miszti said:
> I was talking in respect of a new box in response to the comment by a
> previous poster that you responded to:
When you're talking 30,000 machines, even "new" machines is a challenge.
Even assuming a 5-year replacement plan, that's 6K machines/year, which
averages out to 20 a day. And it's worse at the start of the school year.
And do you *really* think students are going to ask for us to reset the
firewall for them while they upgrade/replace machines? ;)
> Of course, I accept that for existing machines it is more of a problem
> and this is not really possible. That is one of the reasons why I have
> never been really comfortable with the "Maginot Line" model of security
> as some have referred to traditional firewalling i.e. building a big
> strong front door in the hope this will keep out intruders.
Amen to that. Schneier equates it to building a fence using one *really*
big fencepost and hoping the intruders run into it, and a co-worker uses
as his usual "Firewalls don't work" example "Do you have *ANY* Outlook users
inside the firewall, and do you allow e-mail to go through? If so, you're
toast..."
> You need to have multiple layers of defence and each box should have
Depressingly enough, this idea was understood as far back as Multics, over
30 years ago. We've been moving backwards ever since...
> some kind of anti-execution/program spawning (sandboxing type)
> protection for all network workstations and servers. There's plenty of
Hmm... sandboxing? Java does that. Javascript doesn't. Guess where we
see more failures? ;)
> products around that will do this, unfortunately most of them are still
> very expensive. This does go some way to mitigating, though again
> unfortunately not totally negating, the risk posed by vulnerable
> software. It should allow you, however, to feel safer in those periods
> between patching a box.
We're extremely lucky that we've not encountered somebody who can program
well, reads the literature, *and* has both a day-zero exploit and a malicious
streak. "Curious Yellow" *will* happen eventually.
http://blanu.net/curious_yellow.html
Recent research has looked into exactly how fast people upgrade/patch, and
why. The results are *not* encouraging...
http://www.rtfm.com/upgrade.pdf
http://wirex.com/~crispin/time-to-patch-usenix-lisa02.ps.gz
> Furthermore, there are multiple ways that additional perimeter
> protection can be created to mitigate the dangers of mobile code,
> dangerous file downloads, dangerous emails, etc.
Yes, but life would have been *so* much simpler had a certain vendor taken
the commentary in RFC1341 regarding active content and security to heart,
rather than jump on it as a "feature". ;)
/Valdis
- application/pgp-signature attachment: stored