Message-ID: <Pine.GSO.4.43.0301312112530.9875-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: The worm author finally revealed!

On 31 Jan 2003, Paul Schmehl wrote:

> On Fri, 2003-01-31 at 14:07, Ron DuFresne wrote:
> >
> > if deployed on all commissioned servers, then yer protected at host
> > level...
> >
> Ever priced a firewall for Windows?  Oh, I set up ipchains, iptables,
> ipfw or whatever on the *nix boxes I maintain, but what do you do for
> Windows?  AFAIK there are no free firewalls for Windows servers, and the
> ones that I've looked at ain't cheap.

Windows can be protected by any firewall, pix, ipf, ip, iptables, fw-1,
and running on fairly cheap hardware.  And there are a number of free and
cheap personal firewall products out there, of varying degrees of ease of
use and effectiveness.  W2k boasts firewalling with the OS.


> >
> > again, in most cases, depending upon the HW/SW choices made, two boxes and
> > the proper number of interfaces.
> >
> Depending upon the volume of traffic too.


Yes, the heavier the load<s> the costlier the HW at least to provide the
perimeter defenses, but, there are pretty high bandwidth capable firewall
choices available.

> >
> > > It gets expensive in a hurry.  Now do you still need to wonder why some
> > > networks have no firewall and no DMZ?
> >
> > The real expense is in maint of the equipment, and testing/auditing
> > periodically...
> >
> ...but who's picking nits?  I was just trying to add some reality to the
> utopia that some people seem to live in.
> >
> > But, what does interest me here, is that if utdallas has no real security
> > policy, and no perimeter defences, what does the Adjunct Information
> > Security Officer really do?  Tis a real question and not meant as a slam.
> >
> I guess you haven't caught on yet.  I'm not telling you what UTD is
> doing.  I'm telling you what is the "norm" or "average" for edu.  Trust
> me, we have a security policy in place and published (but I want more -
> more policies and more specifics), and we have perimeter defenses in
> place, and we have monitoring in place, and we force good passwords,
> etc., etc.
>
> What do I do?  Well I'm responsible for many things, but in the
> categories you seem interested in; I handle all antivirus protection for
> the campus (have for years) and I'm responsible for IDS on campus.
> Others handle the switching, routing and firewalls, but I have
> (respected) input on what gets blocked.  I do the investigations when
> there's a break-in, and I get to generate all the reams of paper for the
> reports we have to file.  At least, that's the part I think *you* wanted
> to hear.
>

I'm not trying to insult you here, I'm merely trying to understand why
utdallas would pay for security folks if they don't have a decent policy
and the power to enforce it, especially in light of the fact that IT and
security always have been and most likely will continue to be underfunded,
perhaps especially in the .edu environments.  I work in an environment
that deals with a large number of .edu systems, in the k-12 realm as well
as the university level, and I've yet to run into the smallest rural grade
school that is not at least running a pix doing NAT or PAT.  How
effectively is another question altogether.


Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

