Anti-Virus help for all of us??????
Gerardo Gregory
ggregory at affinitas.net
Mon Nov 24 21:20:59 UTC 2003
Suresh Ramasubramanian wrote:
>
> Valdis.Kletnieks at vt.edu writes on 11/24/2003 3:43 PM:
>
>> Question: What speed access is needed to guarantee "mean time to download
>> patches" is significantly less than "mean time to be probed by
>> packet-to-0wn" (significantly == 20x lower still gives a 5% chance of
>> getting 0wned while patching)?
>
>
> That'd have to be very fast indeed, given that only one windows update
> mirror is used at a time, and patches are downloaded and applied in
> sequence.
>
> Two ways to get at least some safety -
>
> # Machine behind NAT while it is being updated
NAT is not a security feature, nor does it provide any real
security, just one-to-one translations. PAT falls into the same
category. Just because your broadband router (ahem, switch) vendor lists
NAT (in reality PAT) as one of their security 'knobs' does not make
it in any way a security feature when implemented. The only thing that
might benefit is IPv4 address space.
Make a NAT translation to a workstation (nothing else) and see if you
can still carry out some of the exploits making the rounds.
NAT and PAT do not prohibit any TCP/UDP connections from egressing.
Most broadband providers still perform a NAT translation downstream; is
it helping alleviate any of the attacks/compromises? NOT!!!!!
> # Patches preferably downloaded onto a CD and applied offline
I know Microsoft has a product that allows you to download patches to a
centralized server (within your infrastructure) and lets you patch your
internal systems from it. Heard our MS admins talking about it a while
back....
--
Gerardo A. Gregory
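To illustrate the point made in the reply above, here is an added nftables example (not from the original message or the NANOG thread): a plain one-to-one NAT to a workstation, followed by the stateful filter chain that actually does the protective work. Addresses (203.0.113.10, 192.168.1.10) and interface names (wan0, lan0) are constructed for the example.

```nft
# --- Weak: one-to-one NAT only. Every unsolicited inbound packet to
# 203.0.113.10 is rewritten and forwarded straight to the workstation;
# any outbound connection from the workstation is translated and let out.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        ip daddr 203.0.113.10 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 192.168.1.10 snat to 203.0.113.10
    }
}

# --- Corrected: keep the same NAT, but add a filter chain. The NAT table
# above does no filtering by itself; this chain supplies the security.
# Forwarded packets reach it after DNAT, so the rules see 192.168.1.10.
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the workstation started are allowed back in.
        ct state established,related accept

        # Egress from the workstation is restricted to what patching needs
        # (HTTP/HTTPS here); anything else, e.g. a worm's outbound scans,
        # is dropped instead of being silently translated and sent out.
        iifname "lan0" oifname "wan0" ip saddr 192.168.1.10 \
            tcp dport { 80, 443 } accept

        # Unsolicited inbound traffic to the workstation (new state from
        # wan0) matches nothing above and is dropped by the chain policy.
    }
}
```

Load with `nft -f <file>` and inspect with `nft list ruleset`; removing the filter table reproduces the "NAT only" exposure the reply describes.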