[Dshield] MS Patching side-effects
ltr at isc.upenn.edu
Thu Aug 18 21:03:53 GMT 2005
I think we may be misunderstanding each other. There is no 'inside the
perimeter' in this scenario.
There is more explanation of what I am talking about in this document we
prepared for our IT community. Forgive me for being lame and not disabling
the wizard when I was creating the screenshots for this. Also, if anyone
uses this document please note it needs to be updated to include *do not
mirror ports that are blocked*.
Valdis, I will be more than happy to debate IPSEC and the 'inside the
perimeter' part off the list if you like. =)
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
LTR at ISC.UPENN.EDU (215) 898-1236
SANS - The Twenty Most Critical Internet Security Vulnerabilities
SANS - Internet Storm Center
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Valdis.Kletnieks at vt.edu
Sent: Thursday, August 18, 2005 4:56 PM
To: General DShield Discussion List
Subject: Re: [Dshield] MS Patching side-effects
On Thu, 18 Aug 2005 16:19:58 EDT, David Taylor said:
> >Just remember, kiddies - this only delays the devastation until the first
> >infected laptop gets inside the perimeter.
> Actually, that is not true! Using IPSEC you can prevent *any* incoming
> communications to workstations on 'evil ports'. Placing an infected laptop
> in a network running IPSEC (properly configured) wouldn't infect the rest of
> the hosts (even if they weren't patched). I am not saying use IPSEC as a
> replacement for patching, just use it as an additional layer of security.
"inside the perimeter". I was pretty clear on that. :)
Yes, if you've configured it to disallow all traffic from off-host, getting
a laptop inside *that* perimeter is quite the challenge.
The fun starts when "properly configured" has to include a concept like
"trust other machines on the subnet". And yes, that sort of situation comes
up more often than not....
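The host-based IPsec port blocking David describes, written out as an added example that is not from either post or from the Penn document he mentions: a cmd script that builds a local Windows XP SP2 / Server 2003 IPsec policy with `netsh ipsec static` (the command-line front end to the same Local Security Policy IPsec snap-in), blocks inbound connections to a set of ports from any source, and then adds the kind of "trust this other machine" exception Valdis is talking about, limited to a single host. The port list, the policy/filter/rule names and the management address 192.0.2.10 are assumptions chosen for illustration.

```batch
@echo off
REM Added example (not the posts' or the University's own script).
REM Assumptions: the port list, all names, and the management host
REM 192.0.2.10 (an RFC 5737 documentation address). Run from an
REM administrative prompt; the IPsec Services service must be running.

set POLICY=BlockEvilPorts
set MGMT=192.0.2.10

REM 1. Policy container. Keep it unassigned until every rule is in place,
REM    so a half-built policy never goes live.
netsh ipsec static add policy name=%POLICY% description="Host-based inbound port block" assign=no

REM 2. Filter list for the blocked ports. srcaddr=any dstaddr=me matches
REM    only traffic arriving AT this host. mirrored=no is deliberate: a
REM    mirrored filter also matches the reverse direction (me -> any), and
REM    the post's note is "do not mirror ports that are blocked".
netsh ipsec static add filterlist name=EvilPorts description="Inbound ports to block"
for %%P in (135 139 445) do (
  netsh ipsec static add filter filterlist=EvilPorts srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=no description="TCP %%P inbound"
)
for %%P in (137 138) do (
  netsh ipsec static add filter filterlist=EvilPorts srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=%%P mirrored=no description="UDP %%P inbound"
)

REM 3. Filter list for the one trusted source. Windows IPsec applies the
REM    MOST SPECIFIC matching filter regardless of rule order, so a filter
REM    that names a single source address overrides the srcaddr=any block
REM    above for that address only. Every entry here is a hole in
REM    "properly configured": an infected %MGMT% reaches this host's SMB.
netsh ipsec static add filterlist name=MgmtHost description="Trusted management host"
netsh ipsec static add filter filterlist=MgmtHost srcaddr=%MGMT% dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=no description="SMB from mgmt host"

REM 4. Filter actions: plain block and plain permit, no negotiation.
netsh ipsec static add filteraction name=Block action=block
netsh ipsec static add filteraction name=Permit action=permit

REM 5. Rules tie a filter list to an action inside the policy.
netsh ipsec static add rule name=BlockEvil policy=%POLICY% filterlist=EvilPorts filteraction=Block
netsh ipsec static add rule name=AllowMgmt policy=%POLICY% filterlist=MgmtHost filteraction=Permit

REM 6. Activate. Only one local IPsec policy can be assigned at a time;
REM    a domain-assigned policy takes precedence over this local one.
netsh ipsec static set policy name=%POLICY% assign=y

REM 7. Verify what is actually in force before trusting it.
netsh ipsec static show policy name=%POLICY% level=verbose
```

After step 7, confirm from a second machine that a connection to TCP 445 on the protected host is dropped while the same connection from 192.0.2.10 succeeds; a block filter that was accidentally entered with `mirrored=yes` or with the wrong `dstaddr` shows up in the verbose policy listing, not in the absence of an error message from `netsh`.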