On Fri, 22 Nov 2002 10:10:51 GMT, Emeric Miszti said:

> I was talking in respect of a new box in response to the comment by a
> previous poster that you responded to:

When you're talking 30,000 machines, even "new" machines is a challenge. Even assuming a 5-year replacement plan, that's 6K machines/year, which averages out to 20 a day. And it's worse at the start of the school year. And do you *really* think students are going to ask for us to reset the firewall for them while they upgrade/replace machines? ;)

> Of course, I accept that for existing machines it is more of a problem
> and this is not really possible. That is one of the reasons why I have
> never been really comfortable with the "Maginot Line" model of security
> as some have referred to traditional firewalling i.e. building a big
> strong front door in the hope this will keep out intruders.

Amen to that. Schneier equates it to building a fence using one *really* big fencepost and hoping the intruders run into it, and a co-worker uses as his usual "Firewalls don't work" example "Do you have *ANY* Outlook users inside the firewall, and do you allow e-mail to go through? If so, you're toast..."

> You need to have multiple layers of defence and each box should have

Depressingly enough, this idea was understood as far back as Multics, over 30 years ago. We've been moving backwards ever since...

> some kind of anti-execution/program spawning (sandboxing type)
> protection for all network workstations and servers. There's plenty of

Hmm... sandboxing? Java does that. Javascript doesn't. Guess where we see more failures? ;)

> products around that will do this, unfortunately most of them are still
> very expensive. This does go some way to mitigating, though again
> unfortunately not totally negating, the risk posed by vulnerable
> software. It should allow you, however, to feel safer in those periods
> between patching a box.
We're extremely lucky that we've not encountered somebody who can program well, reads the literature, *and* has both a day-zero exploit and a malicious streak. "Curious Yellow" *will* happen eventually.

http://blanu.net/curious_yellow.html

Recent research has looked into exactly how fast people upgrade/patch, and why. The results are *not* encouraging...

http://www.rtfm.com/upgrade.pdf
http://wirex.com/~crispin/time-to-patch-usenix-lisa02.ps.gz

> Furthermore, there are multiple ways that additional perimeter
> protection can be created to mitigate the dangers of mobile code,
> dangerous file downloads, dangerous emails, etc.

Yes, but life would have been *so* much simpler had a certain vendor taken the commentary in RFC1341 regarding active content and security to heart, rather than jump on it as a "feature". ;)

/Valdis
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 09:04:07 PST