In the wise words of [EMAIL PROTECTED]:

> On Tue, 11 May 2004 08:37:30 PDT, Harlan Carvey said:
> > Two words..."testing process". What happened to that?
> > Don't tell me you're installing patches directly to
> > production systems...
>
> And three words in return: "time till worm".
>
> We're fast approaching the point where a site can't do anything resembling a
> reasonable testing process and complete it before the worm arrives. You can
> buy yourself *some* time if you start advertising that your jobs will require
> second and third shift work the second week of every month.....
How about two words, "network architecture?"

Let me just paint a possible picture for a more worm-resistant enterprise:

Internal filters between departments/floors/divisions. They only allow specific protocols through and are well-tuned to allow access to specific machines. They've got sample rules ready to deploy during a crisis, to cut off one infected network from the others around it.

Filters on workstations deployed to only do ports 135, 137-139, 445 with your internal servers/management systems. Those few internal servers get patched first and fast, as they serve as the only way for worms to propagate from one of the many workstations to another. Workstations don't really need to communicate directly in most environments, right?

We've got some of this latter suggestion on Linux desktops through the default-active host firewalls. The network component is up to the administrators, but DMZs have been standard practice for years and internal DMZs have been gaining popularity in the last few years.

I don't think this is horribly unrealistic in most environments. It just takes planning and enough time between worms for the operations and security people to catch their breath and sell it to management.

- Jay

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
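The two controls in Jay's message, a host filter on each workstation that allows the Windows RPC/NetBIOS/SMB ports only toward the internal servers, and a pre-written crisis rule for the internal filters that cuts an infected segment off from its neighbours, as an added illustration that is not code from the thread. It assumes Linux hosts with iptables; the server addresses, the subnet and the chain names are constructed for the example. The functions print the iptables commands rather than running them, so the ruleset can be reviewed and kept ready for deployment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Linux with iptables,
# constructed addresses, chain names chosen for this script. Output is a list
# of iptables commands; review it, then pipe to sh on the target host.

TCP_PORTS="135,139,445"   # MS-RPC endpoint mapper, NetBIOS session, SMB
UDP_PORTS="137,138"       # NetBIOS name and datagram services

# Workstation host firewall: the Windows file/management ports may only be
# used with the internal servers given as arguments. Any other use of those
# ports, inbound or outbound, is logged (feeds detection) and dropped, so a
# worm on a peer workstation cannot reach this host and this host cannot
# spread to peers.
workstation_rules() {
    [ $# -gt 0 ] || { echo "usage: workstation_rules SERVER_IP..." >&2; return 1; }
    echo "iptables -N WS-SMB-IN"
    echo "iptables -N WS-SMB-OUT"
    for srv in "$@"; do
        # Outbound sessions to the approved servers
        echo "iptables -A WS-SMB-OUT -d $srv -p tcp -m multiport --dports $TCP_PORTS -j ACCEPT"
        echo "iptables -A WS-SMB-OUT -d $srv -p udp -m multiport --dports $UDP_PORTS -j ACCEPT"
        # Inbound sessions from the approved servers (e.g. management agents)
        echo "iptables -A WS-SMB-IN -s $srv -p tcp -m multiport --dports $TCP_PORTS -j ACCEPT"
        echo "iptables -A WS-SMB-IN -s $srv -p udp -m multiport --dports $UDP_PORTS -j ACCEPT"
    done
    # Everything else on these ports: rate-limited log entry, then drop
    for chain in WS-SMB-IN WS-SMB-OUT; do
        echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain drop: \""
        echo "iptables -A $chain -j DROP"
    done
    # Hook the chains into the built-in ones; replies to established
    # sessions are accepted first so the per-port chains only see new ones
    echo "iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $TCP_PORTS -j WS-SMB-IN"
    echo "iptables -A INPUT -p udp -m multiport --dports $UDP_PORTS -j WS-SMB-IN"
    echo "iptables -A OUTPUT -p tcp -m multiport --dports $TCP_PORTS -j WS-SMB-OUT"
    echo "iptables -A OUTPUT -p udp -m multiport --dports $UDP_PORTS -j WS-SMB-OUT"
}

# Internal filter (router between floors/departments): the crisis rule that
# isolates one segment from the rest. Inserting at the head of FORWARD makes
# it take effect ahead of the normal allow rules already in place.
isolate_subnet() {
    subnet="$1"
    case "$subnet" in
        */*) ;;   # require CIDR so a typo does not silently match a single host
        *) echo "isolate_subnet: expected CIDR, got '$subnet'" >&2; return 1 ;;
    esac
    echo "iptables -I FORWARD 1 -s $subnet -j LOG --log-prefix \"isolated-src: \""
    echo "iptables -I FORWARD 2 -s $subnet -j DROP"
    echo "iptables -I FORWARD 3 -d $subnet -j DROP"
}

# Reverse the crisis rule once the segment has been cleaned
release_subnet() {
    subnet="$1"
    echo "iptables -D FORWARD -s $subnet -j LOG --log-prefix \"isolated-src: \""
    echo "iptables -D FORWARD -s $subnet -j DROP"
    echo "iptables -D FORWARD -d $subnet -j DROP"
}

# Command-line entry point, e.g.:
#   ./wormfilter.sh workstation 10.0.1.10 10.0.1.11 | sh
#   ./wormfilter.sh isolate 10.0.5.0/24 | sh
if [ $# -gt 0 ]; then
    case "$1" in
        workstation) shift; workstation_rules "$@" ;;
        isolate)     isolate_subnet "$2" ;;
        release)     release_subnet "$2" ;;
        *) echo "usage: $0 workstation SERVER...|isolate CIDR|release CIDR" >&2; exit 2 ;;
    esac
fi
```

The LOG rules are what make the scheme useful beyond containment: a workstation whose WS-SMB-OUT chain starts dropping connections to many peers is exactly the early signal that something has begun to propagate, and the central log server sees it before the internal filters need the isolate rule.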
