sasser virus (was Re: [unisog] student fees for cleaning.)

John Kristoff jtk at northwestern.edu
Sun May 9 04:17:39 GMT 2004


On Sat, 08 May 2004 13:23:22 -0400
Gary Flynn <flynngn at jmu.edu> wrote:

> This is true but an agent based system on the client, whether a domain
> login or something else, can still detect problems. NIDS in general will

The vendors who sell security agents and their central controllers would
agree with you.  To some extent they probably can, but I find it unlikely
that a large portion of the systems will be running any agent or be
centrally managed any time in the near future.  They will work for only a
small subset of the population of hosts that can be 'managed'.

Another point I wanted to make was that the underlying code that is used
in systems and application software has to improve as we lose visibility.
If for example the XP SP2 does what it is supposed to and is good at
thwarting remote initiated attacks, then a large portion of the security
problems are likely going to become a result of user computing
practices and app software that does the wrong thing when it interacts
with other app software or some set of received bits.  I'm fairly certain
there is still a lot of buggy code in Windows.  In other words, the
attacks may become more prevalent on the upper layers of the so-called
stack until everything becomes a security problem.  If only we could
get there faster.

> go the way of the dodo as more and more things get encrypted and use
> HTTP. Everything will be host based or need a common SSL termination
> point. We'll be back to securing the hosts instead of trying to secure the
> perimeter. :)

I've always argued for better host security as many people who know me will
attest.  Securing the perimeter is a bit of a misnomer.  I might say what
is being done is shielding the hosts at a perimeter and in my view at a
great expense on the utility of the network.

> Some will say that agents are intrusive but we're finally going to have
> to start thinking about the desktop as part of the IT infrastructure
> instead of separately maintained appendages. Student machines aren't
> as cut and dried but if they're on an institution's network, I think the
> institution has some right to decide what configuration and software
> needs to be running to protect the institution's network.

That's a somewhat subjective stance.  Nevertheless, since the security of
one relies on the security of all, where all is a far larger population
outside the control of the one, the problem is staggering in scope.  I'm
not a systems or application developer sort, but it seems to me that the
OpenBSD folks are doing a lot of the right things and setting a lot of good
examples.  Less code, better code.

John