[unisog] Automated vulnerability tests upon host to network attachment

Valdis.Kletnieks at vt.edu
Thu May 15 13:29:29 GMT 2003


On Wed, 14 May 2003 17:43:57 CDT, John Kristoff <jtk at depaul.edu>  said:

> that pop up on your network this could help reduce those new hosts'
> first MTTC (mean time to compromise :-) who very often have bad
> defaults.
> 
> Thoughts, pointers, experience to share?

It's a good idea, with one problem - it doesn't work unless you also have a
process to patch/harden the machine *before* it connects to the wire (which
basically means sneaker-netting the patch set in via cdrom or similar).
Otherwise, every single host is going to flag up 3 zillion vulnerabilities
because the admin hasn't patched it yet.

Of particular interest are Windows boxes, where "mean time to compromise"
is (last I looked) often less than "mean time to download service pack" - which
means if you connect to the net, you'll get 0wned before you finish sucking
down the patches.  I've been in the office 20 minutes, and I've already
seen 5 probes on port 445 and one on port 139.

Now if you have the technical clue and hardware to back it up, *this* would
be an interesting scenario:

1) When a new MAC/IP address is seen, you by default block it at the router
level, so it can't be seen or talk to hosts off the subnet - with punchouts
for the local DNS server and a local server that mirrors MS, RedHat, etc.
patches.

2) Once patched off your local server, the admin visits a local webpage that
kicks off a vulnerability scan.

3) Once it passes the scan, the passing report causes more router magic that
then lets the box talk to the rest of the net.
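The three-step scheme above, worked through as an added example (not code from the original post or from any product mentioned in it): a small admission controller that quarantines a newly seen MAC at the router, leaves punchouts for DNS and a local patch mirror, and releases the host only when a scan report comes back clean. The subnet, server addresses, ports and scan findings are all constructed for the example; the rendered iptables lines are illustrative of what the "router magic" would have to push out, not a tested ruleset.

```python
"""Quarantine-on-attach admission controller (added example, constructed data).

Step 1: an unknown MAC is blocked off-subnet by default, with punchouts for
        the local DNS server and a local patch mirror.
Step 2: once patched, a scan is run against the host.
Step 3: a clean scan report releases the host to the rest of the net.
"""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress

# Constructed topology (hypothetical addresses, not from the original post).
LOCAL_SUBNET = ipaddress.ip_network("10.1.0.0/24")   # where new hosts appear
DNS_SERVER = ipaddress.ip_address("10.0.0.53")       # punchout: local DNS
PATCH_MIRROR = ipaddress.ip_address("10.0.0.80")     # punchout: mirrors MS/RedHat patches
SCAN_PORTAL = ipaddress.ip_address("10.0.0.90")      # web page that kicks off the scan
PUNCHOUTS = {
    (DNS_SERVER, "udp", 53),
    (DNS_SERVER, "tcp", 53),
    (PATCH_MIRROR, "tcp", 80),
    (PATCH_MIRROR, "tcp", 443),
    (SCAN_PORTAL, "tcp", 443),
}
PUNCHOUT_HOSTS = {ip for ip, _, _ in PUNCHOUTS}


class State(Enum):
    QUARANTINED = "quarantined"  # step 1: default for any MAC not seen before
    ALLOWED = "allowed"          # step 3: passed the vulnerability scan


@dataclass
class AdmissionController:
    hosts: dict = field(default_factory=dict)  # mac -> State
    log: list = field(default_factory=list)

    def host_seen(self, mac: str) -> State:
        """Step 1: the first sighting of a MAC puts it into quarantine."""
        if mac not in self.hosts:
            self.hosts[mac] = State.QUARANTINED
            self.log.append(f"quarantine {mac}")
        return self.hosts[mac]

    def permits(self, mac: str, peer_ip: str, proto: str, port: int,
                inbound: bool = False) -> bool:
        """Router decision for one off-subnet flow involving the host `mac`.

        Outbound: only the punchouts are reachable while quarantined.
        Inbound:  the host cannot be seen from off-subnet except for replies
                  from the punchout servers, so it is not probeable pre-patch.
        """
        state = self.host_seen(mac)
        peer = ipaddress.ip_address(peer_ip)
        if state is State.ALLOWED or peer in LOCAL_SUBNET:
            return True  # released hosts, and on-subnet traffic, bypass the router filter
        if inbound:
            return peer in PUNCHOUT_HOSTS
        return (peer, proto, port) in PUNCHOUTS

    def scan_report(self, mac: str, findings: list) -> State:
        """Steps 2-3: release the host only when the scan comes back clean."""
        self.host_seen(mac)
        if findings:
            self.log.append(f"{mac} stays quarantined: {len(findings)} finding(s)")
            return State.QUARANTINED
        self.hosts[mac] = State.ALLOWED
        self.log.append(f"release {mac}")
        return State.ALLOWED

    def router_rules(self, mac: str, host_ip: str) -> list:
        """Render the per-host ACL as illustrative iptables-style lines."""
        if self.host_seen(mac) is State.ALLOWED:
            return [f"iptables -A FORWARD -s {host_ip} -j ACCEPT"]
        rules = [
            f"iptables -A FORWARD -s {host_ip} -d {ip} -p {proto} --dport {port} -j ACCEPT"
            for ip, proto, port in sorted(PUNCHOUTS, key=str)
        ]
        rules.append(f"iptables -A FORWARD -s {host_ip} -j DROP")
        return rules


def walkthrough() -> dict:
    """Drive one constructed host through the three steps and record the decisions."""
    ctl = AdmissionController()
    mac, ip = "00:11:22:33:44:55", "10.1.0.25"  # constructed sample host
    out = {}
    out["patch_mirror_ok"] = ctl.permits(mac, "10.0.0.80", "tcp", 443)
    out["dns_ok"] = ctl.permits(mac, "10.0.0.53", "udp", 53)
    out["offsubnet_445_blocked"] = not ctl.permits(mac, "10.9.9.9", "tcp", 445)
    out["inbound_probe_blocked"] = not ctl.permits(mac, "10.9.9.9", "tcp", 445, inbound=True)
    out["first_scan"] = ctl.scan_report(mac, ["constructed-finding-1"])  # still unpatched
    out["rules_while_quarantined"] = ctl.router_rules(mac, ip)
    out["second_scan"] = ctl.scan_report(mac, [])                         # clean report
    out["offsubnet_after_release"] = ctl.permits(mac, "10.9.9.9", "tcp", 445)
    out["log"] = ctl.log
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point the example makes explicit is the ordering Valdis insists on: the host can only reach the patch mirror and DNS until a scan says it is clean, and while it waits it cannot be reached from off-subnet at all, so the "mean time to download service pack" race never starts.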
