
Re: Proxy server hit... Any ideas?

From: <Valdis.Kletnieks(at)vt.edu>
Date: Fri Nov 22 2002 - 09:22:45 EST

On Fri, 22 Nov 2002 10:10:51 GMT, Emeric Miszti said:

> I was talking in respect of a new box in response to the comment by a
> previous poster that you responded to:

When you're talking 30,000 machines, even "new" machines are a challenge. Even assuming a 5-year replacement plan, that's 6K machines/year, which averages out to 20 a day. And it's worse at the start of the school year.

And do you *really* think students are going to ask for us to reset the firewall for them while they upgrade/replace machines? ;)

> Of course, I accept that for existing machines it is more of a problem
> and this is not really possible. That is one of the reasons why I have
> never been really comfortable with the "Maginot Line" model of security
> as some have referred to traditional firewalling i.e. building a big
> strong front door in the hope this will keep out intruders.

Amen to that. Schneier equates it to building a fence using one *really* big fencepost and hoping the intruders run into it, and a co-worker uses as his usual "Firewalls don't work" example "Do you have *ANY* Outlook users inside the firewall, and do you allow e-mail to go through? If so, you're toast..."


> You need to have multiple layers of defence and each box should have

Depressingly enough, this idea was understood as far back as Multics, over 30 years ago. We've been moving backwards ever since...

> some kind of anti-execution/program spawning (sandboxing type)
> protection for all network workstations and servers. There's plenty of

Hmm... sandboxing? Java does that. Javascript doesn't. Guess where we see more failures? ;)

> products around that will do this, unfortunately most of them are still
> very expensive. This does go some way to mitigating, though again
> unfortunately not totally negating, the risk posed by vulnerable
> software. It should allow you, however, to feel safer in those periods
> between patching a box.

We're extremely lucky that we've not encountered somebody who can program well, reads the literature, *and* has both a day-zero exploit and a malicious streak. "Curious Yellow" *will* happen eventually.

http://blanu.net/curious_yellow.html

Recent research has looked into exactly how fast people upgrade/patch, and why. The results are *not* encouraging...


http://www.rtfm.com/upgrade.pdf
http://wirex.com/~crispin/time-to-patch-usenix-lisa02.ps.gz

> Furthermore, there are multiple ways that additional perimeter
> protection can be created to mitigate the dangers of mobile code,
> dangerous file downloads, dangerous emails, etc.

Yes, but life would have been *so* much simpler had a certain vendor taken the commentary in RFC1341 regarding active content and security to heart, rather than jump on it as a "feature". ;)

/Valdis

  • application/pgp-signature attachment: stored
Received on Mon Nov 25 12:16:19 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

