[Dshield] MS Patching side-effects

David Taylor ltr at isc.upenn.edu
Thu Aug 18 20:19:58 GMT 2005


>Just remember, kiddies - this only delays the devastation until the first
>infected laptop gets inside the perimeter.

Actually, that is not true! Using IPSEC you can prevent *any* incoming
communications to workstations on 'evil ports'.  Placing an infected laptop
in a network running IPSEC (properly configured) wouldn't infect the rest of
the hosts (even if they weren't patched).  I am not saying use IPSEC as a
replacement for patching; just use it as an additional layer of security.
==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
LTR at ISC.UPENN.EDU               (215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org
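A concrete instance of the per-workstation IPsec packet filter the post describes, added here as an example and not code from the original thread: a local Windows XP SP2 / Server 2003 `netsh ipsec static` policy that blocks inbound TCP 135, 139 and 445 from every source while still permitting them from a management subnet. The port list, the policy and filter names, and the 10.1.2.0/24 management subnet are assumptions.

```batch
@echo off
REM Added example (not from the original post): local IPsec policy that
REM blocks inbound traffic to the Windows RPC/NetBIOS/SMB ports from every
REM host except an assumed management subnet (10.1.2.0/24). The names,
REM port list and subnet are assumptions. Run from an elevated cmd prompt.

REM 1. Policy container; the rules below are attached to it.
netsh ipsec static add policy name="WS-Block-Evil-Ports" description="Block inbound RPC/NetBIOS/SMB except from management subnet"

REM 2. Filter list matching inbound TCP 135, 139 and 445 from any address.
REM    srcport=0 means any source port; mirrored=no keeps it inbound-only.
netsh ipsec static add filterlist name="Inbound-Evil-Ports"
for %%P in (135 139 445) do (
    netsh ipsec static add filter filterlist="Inbound-Evil-Ports" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=no
)

REM 3. Filter list matching the same ports, but only from the management subnet.
netsh ipsec static add filterlist name="Inbound-Evil-Ports-Mgmt"
for %%P in (135 139 445) do (
    netsh ipsec static add filter filterlist="Inbound-Evil-Ports-Mgmt" srcaddr=10.1.2.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=no
)

REM 4. Filter actions: plain block and plain permit, no IKE negotiation,
REM    so this acts purely as the packet filter the post talks about.
netsh ipsec static add filteraction name="Block-All" action=block
netsh ipsec static add filteraction name="Permit-All" action=permit

REM 5. Rules. Windows IPsec picks the most specific matching filter, so the
REM    /24 permit wins over the "any" block regardless of rule order.
netsh ipsec static add rule name="Block-Evil-Ports" policy="WS-Block-Evil-Ports" filterlist="Inbound-Evil-Ports" filteraction="Block-All"
netsh ipsec static add rule name="Permit-Mgmt" policy="WS-Block-Evil-Ports" filterlist="Inbound-Evil-Ports-Mgmt" filteraction="Permit-All"

REM 6. Assign the policy so it takes effect (assign=n to back it out).
netsh ipsec static set policy name="WS-Block-Evil-Ports" assign=y

REM 7. Review what is now active on this host.
netsh ipsec static show policy name="WS-Block-Evil-Ports"
```

To check the effect, a TCP connect to port 445 from a host outside 10.1.2.0/24 should now time out while the same connect from the management subnet still completes; the policy is local, so in a domain it would normally be distributed by Group Policy rather than run per machine.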


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Valdis.Kletnieks at vt.edu
Sent: Thursday, August 18, 2005 3:45 PM
To: General DShield Discussion List
Subject: Re: [Dshield] MS Patching side-effects


On Thu, 18 Aug 2005 14:40:20 EDT, David Taylor said:
> control based on IP/Subnet, hostname from port/to port, etc.  Using IPSEC
> you can place a virtual IP/Packet Filter around all of your workstations
> which would block most of these attacks from hosts outside the network as
> well as hosts from within the network.

Just remember, kiddies - this only delays the devastation until the first
infected laptop gets inside the perimeter.

Having said that, it's still a good idea to implement it anyhow, as long as
you remember what its limitations are....