[Dshield] MS Patching side-effects

David Taylor ltr at isc.upenn.edu
Thu Aug 18 21:03:53 GMT 2005

I think we may be misunderstanding each other.  There is no 'inside the
perimeter' in this scenario.

There is more explanation of what I am talking about in this document we
prepared for our IT community.  Forgive me for being lame and not disabling
the wizard when I was creating the screenshots for this. Also, if anyone
uses this document please note it needs to be updated to include *do not
mirror ports that are blocked*.


Valdis, I will be more than happy to debate IPSEC and the 'inside the
perimeter' part off the list if you like.  =)

David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
LTR at ISC.UPENN.EDU               (215) 898-1236

SANS - The Twenty Most Critical Internet Security Vulnerabilities 

SANS - Internet Storm Center

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Valdis.Kletnieks at vt.edu
Sent: Thursday, August 18, 2005 4:56 PM
To: General DShield Discussion List
Subject: Re: [Dshield] MS Patching side-effects

On Thu, 18 Aug 2005 16:19:58 EDT, David Taylor said:
> >Just remember, kiddies - this only delays the devastation until the first
> >infected laptop gets inside the perimeter.
> Actually, that is not true! Using IPSEC you can prevent *any* incoming
> communications to workstations to 'evil ports'.  Placing an infected laptop
> in a network running IPSEC (properly configured) wouldn't infect the rest of
> the hosts (even if they weren't patched).  I am not saying use IPSEC as a
> replacement for patching, just use it as an additional layer of security.

"inside the perimeter".  I was pretty clear on that. :)

Yes, if you've configured it to disallow all traffic from off-host, getting
a laptop inside *that* perimeter is quite the challenge.

The fun starts when "properly configured" has to include a concept like
"trust other machines on the subnet".  And yes, that sort of situation comes
up more often than not....
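The policy the two messages above are arguing about, written out as an added example (not from either poster or from the Penn document): a `netsh ipsec static` local policy that blocks inbound TCP to one worm-exposed port, left un-mirrored as the "do not mirror ports that are blocked" note recommends, followed by the "trust other machines on the subnet" exemption that reopens the path. Port 445 and the subnet 192.0.2.0/24 are constructed placeholders, since the thread names neither.

```batch
@echo off
rem Added example, not code from the list posts. Run from an elevated command
rem prompt on a Windows XP/2003-era host; these commands edit the local IPsec
rem policy store. Port 445 and 192.0.2.0/24 are constructed stand-ins.

rem 1. Policy container. Nothing is enforced until it is assigned (step 4).
netsh ipsec static add policy name="Block evil ports" description="Extra layer beside patching, not a replacement"

rem 2. Filter: any source -> this host, TCP dst port 445. mirrored=no so the
rem    filter does not also block this host's own outbound connections to
rem    port 445 on other machines, which is what mirroring a block rule does.
netsh ipsec static add filterlist name="Inbound evil ports"
netsh ipsec static add filter filterlist="Inbound evil ports" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=no

rem 3. Filter actions: a plain block, and a plain permit used by the exemption.
netsh ipsec static add filteraction name="Block inbound" action=block
netsh ipsec static add filteraction name="Permit subnet" action=permit

rem 4. Rule binding list to action, then assign so the policy takes effect.
netsh ipsec static add rule name="Drop inbound evil ports" policy="Block evil ports" filterlist="Inbound evil ports" filteraction="Block inbound"
netsh ipsec static set policy name="Block evil ports" assign=y

rem ---- The caveat from the reply ----------------------------------------
rem "Properly configured" often grows a "trust the local subnet" exemption.
rem IPsec applies the MOST SPECIFIC matching filter, so a subnet permit wins
rem over the any->me block for every host on 192.0.2.0/24. An infected laptop
rem plugged into that subnet now reaches port 445 on every host carrying this
rem policy, patched or not. Omit this rule unless the subnet really is trusted,
rem or narrow srcaddr to the few management hosts that genuinely need access.
netsh ipsec static add filterlist name="Inbound evil ports from trusted subnet"
netsh ipsec static add filter filterlist="Inbound evil ports from trusted subnet" srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=no
netsh ipsec static add rule name="Permit trusted subnet" policy="Block evil ports" filterlist="Inbound evil ports from trusted subnet" filteraction="Permit subnet"

rem 5. Verify what is assigned and which filters are actually active.
netsh ipsec static show policy name="Block evil ports" level=verbose
netsh ipsec dynamic show all
```

Checking the `dynamic show all` output for the subnet permit filter is the quickest way to tell whether a host that is supposed to be "blocking everything off-host" has quietly inherited the exemption.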
