From: jay at bastille-linux.org (Jay Beale)
Subject: Calcuating Loss

In the wise words of Valdis.Kletnieks@...edu:

> On Tue, 11 May 2004 08:37:30 PDT, Harlan Carvey said:
> > Two words..."testing process".  What happened to that?
> >  Don't tell me you're installing patches directly to
> > production systems...
> 
> And three words in return: "time till worm".
> 
> We're fast approaching the point where a site can't do anything resembling a
> reasonable testing process and complete it before the worm arrives.  You can
> buy yourself *some* time if you start advertising that your jobs will require
> second and third shift work the second week of every month.....

How about two words, "network architecture?"

Let me just paint a possible picture for a more worm-resistant 
enterprise:

Internal filters between departments/floors/divisions.  They only allow 
specific protocols through and are well-tuned to allow access to 
specific machines.  They've got sample rules ready to deploy during 
crisis, to cut off one infected network from the others around it.

Filters on workstations deployed to only do port 135,137-139,445 with
your internal servers/management systems.  Those few internal servers
get patched first and fast, as they serve as the only way for worms to
propagate from one of the many workstations to another.  Workstations 
don't really need to communicate directly in most environments, right?

We've got some of this latter suggestion on Linux desktops through the
default-active host firewalls.  The network component is up to the 
administrators, but DMZ's have been standard practice for years and 
internal DMZ's have been gaining popularity in the last few years.

I don't think this is horribly unrealistic in most environments.  It 
just takes planning and enough time between worms for the operations 
and security people to catch their breath and sell it to management.

 - Jay

Powered by blists - more mailing lists