[Dshield] MS Patching side-effects
Valdis.Kletnieks at vt.edu
Thu Aug 18 20:55:41 GMT 2005
On Thu, 18 Aug 2005 16:19:58 EDT, David Taylor said:

> >Just remember, kiddies - this only delays the devastation until the first
> >infected laptop gets inside the perimeter.

> Actually, that is not true! Using IPSEC you can prevent *any* incoming
> communications to workstations to 'evil ports'. Placing an infected laptop
> in a network running IPSEC (properly configured) wouldn't infect the rest of
> the hosts (even if they weren't patched). I am not saying use IPSEC as a
> replacement for patching just use it as an additional layer of security.

"inside the perimeter". I was pretty clear on that. :)

Yes, if you've configured it to disallow all traffic from off-host, getting
a laptop inside *that* perimeter is quite the challenge.

The fun starts when "properly configured" has to include a concept like
"trust other machines on the subnet". And yes, that sort of situation comes
up more often than not....