[Dshield] Secure computing (was: Port 135)

David Kennedy CISSP david.kennedy at acm.org
Mon Oct 28 04:30:59 GMT 2002


At 11:51 PM 10/26/02 +0200, Jan Johansson wrote:
>I will try to respond on all the comments that have been made.
>

<lots of stuff about AFS (good), Kerberos (good), and SSH (good)
snipped>

You didn't really respond to comments regarding this from your
earlier post:

At 05:58 PM 10/25/02 +0200, Jan Johansson wrote:
>On Wed, Oct 16, 2002 at 10:17:05AM -0700, John Hardin wrote:
>>If they're accessing this through your firewall, your firewall is
>>misconfigured. I think that could be an effective argument against
>>liability.
>
>What firewall? And where should I point it with 10 000 students.
>Protect the Internet from me or me from the Internet. It is as
>much harm on either side anyway which makes it useless.

I for one would not object to your using a firewall to protect the
rest of us on the Internet from your university and it's students,
faculty and staff.  

>>135:139 SHOULD NOT be permitted in from or out to the Internet.
>
>How should my students then be able to access their files from
>home? Mapping shares over the Internet works and is easy to
>use for the computer illiterate.
>

This part really got my attention and you have not addressed it. 
Using all those technologies I've snipped from your message are good.
 If you now want to dig yourself out of the hole you're in by saying
you do it by AFS, SSH or a Kerberized solution, simply explain why
did you respond in that way to John's "135:139" line?  

If:
>Last
>month we had zero(0) logins to our samba server from outside
>campus network[3]. The goal is to turn of all SMB services within
>six(6) months.

is your only windows-ish file sharing, that's not 10 000 students
accessing their files from home; so why did you respond to John as
you did?

You make no mention of how you enforce any policies about Windows
drive sharing.  And with no firewall, no mention by you of
default-deny router ACLing, the mention by you of 75 Unix boxes
without mentioning the gratuitous services many default installations
represent, the inference left is the weak security many of us have
come to accept and expect from the EDU community (granted an
over-simplification, but there you are).  

Were it not for the dramatic increase of malicious traffic from worms
and East Asia, the EDU's would still be at or near the top of TLD's
originating attack traffic.  The US President's Advisor for cyber
security has warned the EDU community here to act to secure their
systems and networks.  Network managers (outside the EDU's) have
learned how to deny AS or IP blocks belonging to China and Korea to
cut the attack traffic from those countries.  It won't be a stretch
to create an analogous list of AS's representing EDU's placing
priorities on academic freedom and money too far above
responsibilities to be good netizens.  

>My solution to the Windows Messenger problem is to turn of the
>service. 

You're doing this on your 300 Windows workstations, without blocking
135:139, how?  And the clients your 10 000 students use, how?  If
there's a way to do this that scales, I'd be interested to hear about
it.  


-- 
Regards,

David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 373 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20021027/24e056f4/attachment.bin


More information about the list mailing list