[unisog] MSN Messenger - two questions

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Tue Feb 20 21:00:39 GMT 2007


Hello-

I feel your pain.  Share it too...

What we've done is to assume that our best efforts may fail at some
point, and harden the rest of the network.  Then when some "person"
gets into trouble, all I have to do is read out the log entries of what
their box "tried to do."

What we have done:

1)	Curtailed the propagation of ICMP traffic, such that it only
passes to the server VLAN(s).  This stops most probing of viruses.

2)	All XP firewalls block incoming traffic from anything other than
our VPN server and a few management devices.  Yes the messenger app is
open, but not much else is.

3)	ACLs on the LAN to prohibit peer to peer connections on campus,
with separate VLANs for appliances that need to do so.

4)	AD policy to log aggressively all actions on all end stations,
and more carefully on servers.  

5)	Stop messenger file transfers on our traffic shaper. 


Not perfect, but it does seem to bottle up a lot of junk.

Dave
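For readers who want to see what item 2 (and the logging in item 4) looks like on a single XP SP2 host, here is an added example in the Windows XP `netsh firewall` syntax; it is not from Dave's post or his site. The VPN server and management addresses (192.0.2.x), the RDP management port and the Messenger install path are assumed placeholders, and in a real deployment the same settings would be pushed by Group Policy rather than typed per machine.

```batch
@echo off
rem Added example: lock the XP SP2 built-in firewall down to the policy
rem described above. Addresses are constructed placeholders (RFC 5737 range).
set VPN_SERVER=192.0.2.10
set MGMT_HOSTS=192.0.2.20,192.0.2.21

rem 1. Turn the firewall on for every profile and drop ALL unsolicited inbound
rem    traffic by default (exceptions=DISABLE ignores any existing exception list).
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

rem 2. Re-enable exceptions, but only the scoped ones defined below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 3. Management access (assumed: Remote Desktop on TCP/3389) is reachable
rem    only from the VPN server and the listed management devices, never from
rem    the rest of the LAN or the Internet.
netsh firewall set portopening protocol=TCP port=3389 name="Remote Desktop (mgmt only)" mode=ENABLE scope=CUSTOM addresses=%VPN_SERVER%,%MGMT_HOSTS% profile=ALL

rem 4. Messenger is allowed as a program exception, so it can receive replies
rem    for connections it opens outbound; nothing else on the box is exposed.
rem    (Path is assumed; adjust to the installed client.)
netsh firewall add allowedprogram program="C:\Program Files\MSN Messenger\msnmsgr.exe" name="MSN Messenger" mode=ENABLE scope=ALL profile=ALL

rem 5. Do not answer ICMP from arbitrary hosts; this is the endpoint counterpart
rem    of curtailing ICMP propagation on the network (item 1 above).
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=ALL

rem 6. Log dropped packets and successful connections so that, when a box does
rem    get into trouble, the "what it tried to do" record exists (item 4 above).
netsh firewall set logging filelocation="%SystemRoot%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem Review the resulting state before rolling it out.
netsh firewall show state
netsh firewall show config
```

Run `netsh firewall show config` on a test host and confirm that only the scoped RDP opening and the Messenger program exception appear before applying this more widely.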

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Alan Rothenbush
Sent: Tuesday, February 20, 2007 3:46 PM
To: unisog at lists.dshield.org
Subject: [unisog] MSN Messenger - two questions

Background:

I'm now under some pressure to "release" MSN Messenger to a group of my
users, some of them senior administrators.

To date, the answer has been "no, insecure, next question", and as I
"own" the machines and the users are but users, it has not yet been
installed.

Sadly, these bosses (at least one of whom can fire me) now present a
legitimate business need for which I have no other solution, the problem
being that prospective students almost universally choose some sort of
IM as the preferred form of communication.  

(The Instant Gratification generation, I suppose, making me once again
feel my age)

Since we (annoyingly) do need students around the place, I'm probably
going to have to come up with some solution.

My concerns (perhaps unfounded) are the need to open up the built-in XP
firewall to a server off in the big bad internet, allowing access to an
application that I think has historic security issues.

Question 1:

Are my concerns unfounded?

(My response "they're all wrong" to the statement "every other
university does it" doesn't seem to be enough of an explanation)

Question 2:

If it turns out I have to do this, any tips for keeping things safe?

Thanks in advance.


Alan

--
Alan Rothenbush
Academic Computing Services
Simon Fraser University
Burnaby, B.C., Canada


  The Spartans do not ask the number of the enemy, only where they are.

                                    Agix of Sparta
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog