On Sat, 13 Feb 2010 21:48:31 PST, "Tomas L. Byrnes" said:
> The corollary of the "test baseline" in my prior post is that EVERY
> piece of hardware that comes into my networks gets reflashed and
> reloaded with MY gold master disks/config.

That just pushes the problem around.  How do you know that basically
unaudited IOS you just flashed into that Cisco doesn't have a very subtle
back door in it, left by some Chinese-agent coder (who could possibly be
a disgruntled white dude) back in IOS 11?

And yes, there are organizations where that level of tinfoil-hat paranoia
is called for...

> Not only does this eliminate preinstalled malware, but I also get zero
> crapware going into production.

It's hard enough to find a version of IOS that actually *works* - most sites
end up settling on one that only has non-debilitating issues in their
environment.

But the fact that Cisco box is probably not loaded with the one IOS version
that actually works in your network is reason enough to reflash it.

> Security is a degenerate case of traffic and configuration management.

I'd hassle you about that one, except that Verizon study that showed config
issues contributed to 90% of the breaches.  Damn pesky facts. ;)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.