[Dshield] MS Patching side-effects

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Thu Aug 18 20:55:41 GMT 2005


On Thu, 18 Aug 2005 16:19:58 EDT, David Taylor said:
> >Just remember, kiddies - this only delays the devastation until the first
> >infected laptop gets inside the perimeter.
> 
> Actually, that is not true! Using IPSEC you can prevent *any* incoming
> communications to workstations to 'evil ports'.  Placing an infected laptop
> in a network running IPSEC (properly configured) wouldn't infect the rest of
> the hosts (even if they weren't patched).  I am not saying use IPSEC as a
> replacement for patching, just use it as an additional layer of security.  

"inside the perimeter".  I was pretty clear on that. :)

Yes, if you've configured it to disallow all traffic from off-host, getting
a laptop inside *that* perimeter is quite the challenge.

The fun starts when "properly configured" has to include a concept like
"trust other machines on the subnet".  And yes, that sort of situation comes
up more often than not....
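
The "properly configured" IPsec policy the two messages are arguing about, as an added example that is not part of either poster's text: a Windows IPsec filter policy built with the netsh "ipsec static" context (the Windows XP/2003 tooling of the period). The port list 135, 139 and 445, the trusted subnet 192.0.2.0/24, and the policy, filter-list and action names are assumptions for illustration. Section 4 is the optional "trust other machines on the subnet" exception that Valdis's reply points at; leave it out for the strict version.

```powershell
# Added example (not from the original thread).  Builds a Windows IPsec
# filter policy with netsh that blocks inbound TCP to worm-prone ports,
# then optionally re-opens them for one trusted subnet.  Run elevated.
# Ports and subnet below are assumptions for illustration.

$policy    = "BlockEvilPorts"
$evilPorts = 135, 139, 445      # assumed "evil ports": RPC endpoint mapper, NetBIOS session, SMB
$subnet    = "192.0.2.0"        # assumed trusted subnet (documentation range)
$subnetMask = "255.255.255.0"

# 1. A policy to hold the rules.
netsh ipsec static add policy "name=$policy"

# 2. A filter list matching inbound TCP from anywhere to this host ("me")
#    on each listed port.  srcport=0 means any source port.
netsh ipsec static add filterlist name=EvilPorts-Inbound
foreach ($p in $evilPorts) {
    netsh ipsec static add filter filterlist=EvilPorts-Inbound srcaddr=any dstaddr=me protocol=TCP srcport=0 "dstport=$p"
}

# 3. A block action and a rule tying the filter list to it.
netsh ipsec static add filteraction name=Block action=block
netsh ipsec static add rule name=Block-EvilPorts "policy=$policy" filterlist=EvilPorts-Inbound filteraction=Block

# 4. OPTIONAL, and the point of the caveat in the reply: a permit for the
#    trusted subnet.  Windows IPsec gives more specific filters precedence
#    over general ones, so this source-specific permit wins over the
#    any-source block, and an infected laptop plugged into that subnet can
#    reach these ports again.  Omit this section for the strict policy.
netsh ipsec static add filterlist name=EvilPorts-FromSubnet
foreach ($p in $evilPorts) {
    netsh ipsec static add filter filterlist=EvilPorts-FromSubnet "srcaddr=$subnet" "srcmask=$subnetMask" dstaddr=me protocol=TCP srcport=0 "dstport=$p"
}
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add rule name=Permit-EvilPorts-FromSubnet "policy=$policy" filterlist=EvilPorts-FromSubnet filteraction=Permit

# 5. Assign the policy so it takes effect.  Inspect the result with
#    "netsh ipsec static show policy name=BlockEvilPorts level=verbose"
#    and confirm with a connection attempt to one of the ports from off-host.
netsh ipsec static set policy "name=$policy" assign=y
```

The block in section 2 is the layer David Taylor describes: the host drops the traffic itself, so an unpatched machine is not reachable on those ports even when a worm is already on the LAN. Section 4 is what "trust other machines on the subnet" turns into in practice, and it is exactly the hole the laptop walks through.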