New Computer? Six Steps to Safer Surfing

Adrian Chadd adrian at creative.net.au
Tue Dec 21 07:54:45 UTC 2004


On Tue, Dec 21, 2004, Christopher L. Morrow wrote:
> > > problematic in one/all OS's, but by and large extended lifetimes on a
> > > live/hostile network means patches must be applied. Seems like that
> > > doesn't happen by and large.
> >
> > [waiting for an OpenVMS user to speak up]

You won't need to. ;-)

> > Frankly, from an operational perspective, I guess the only way to go
> > is to trust the inside of your network even less than you trust the
> > outside ... and have processes that quickly isolate and block access
> 
> This is quite correct... The blocking/isolation is helped if the network
> is segmented early on, permit that traffic which is 'normal' place some
> ids-like devices around and correlate logs/reports/incidents to properly
> react when something goes awry.

There's no reason programs running on a host should have full access to your
filesystem, network stack (for binding or outgoing connections) without
explicitly being granted permission by your users.

The trouble is that a lot of the random crap people "install" just says
"click yes and yes when asked about installing this software!", which said
user will blithely run off and do.

Personally, I think trying to stop the software being installed is a lost
cause. It's going to get installed no matter how hard you try. What I think
vendors should be looking at are solutions to mitigate the effect said
software can have /when/ it's running.

There are personal firewalls available which limit the network access
the applications are granted, but they're quite spammy for the average user
("Internet Explorer is trying to connect to www.google.com. Is this acceptable?").
Cisco sells a corporate solution similar to this - something profiles your
running applications to see which API calls they make and their parameters,
then you lock the machine to only be able to run within this profile.
Adrian

-- 
Adrian Chadd			"You don't have a TV? Then what's
<adrian at creative.net.au>	    all your furniture pointing at?"
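The "profile the application, then lock the machine to that profile" approach in the last paragraph of the mail, as an added worked example (not code from the mail, and not any vendor's product). It assumes a hypothetical monitor that records calls as "app api argument" lines; the API names, the generalization rules (by port for network calls, by directory for file calls) and both traces are constructed for illustration.

```python
"""Profile-then-lock-down application allowlisting, in the spirit of the
learn-the-API-calls-then-enforce approach mentioned in the mail.  Added
example, not code from the mail or from any vendor product.  The trace
format ("app api argument"), the API names and the generalization rules
are all constructed for illustration."""

import fnmatch
from collections import defaultdict

# Constructed learning-phase trace: calls a hypothetical monitor recorded
# while the applications were used normally.
LEARNING_TRACE = [
    "browser connect tcp 198.51.100.10:443",
    "browser connect tcp 198.51.100.11:80",
    "browser open /home/alice/Downloads/report.pdf",
    "browser open /home/alice/.cache/browser/index.db",
    "mailer connect tcp 198.51.100.20:993",
    "mailer open /home/alice/Mail/inbox",
]

# Constructed enforcement-phase trace; the comments give the expected verdict.
ENFORCEMENT_TRACE = [
    "browser connect tcp 203.0.113.5:443",               # allow: learned proto/port
    "browser open /home/alice/Downloads/sub/notes.txt",  # allow: under a learned directory
    "browser connect tcp 203.0.113.5:8080",              # deny: port never seen
    "browser bind tcp 0.0.0.0:9000",                     # deny: API never seen
    "browser open /home/alice/Documents/budget.ods",     # deny: directory never seen
    "updater connect tcp 203.0.113.9:443",               # deny: no profile for this app
]


def parse(line):
    """Split a trace line into (application, api, argument)."""
    app, api, arg = line.split(" ", 2)
    return app, api, arg


def generalize(api, arg):
    """Turn a concrete argument into the glob pattern stored in the profile.
    Network calls keep protocol and port but accept any peer address; file
    calls keep the directory and accept anything beneath it.  This is the
    step that keeps the profile from becoming one rule per host or file
    (and the user from being asked about every single connection)."""
    if api in ("connect", "bind"):
        proto, endpoint = arg.split(" ", 1)
        port = endpoint.rsplit(":", 1)[1]
        return f"{proto} *:{port}"
    if api == "open":
        return arg.rsplit("/", 1)[0] + "/*"
    return arg  # unknown API: require an exact match


def learn(trace):
    """Learning mode: build app -> api -> set of allowed argument patterns."""
    profile = defaultdict(lambda: defaultdict(set))
    for line in trace:
        app, api, arg = parse(line)
        profile[app][api].add(generalize(api, arg))
    return profile


def check(profile, line):
    """Enforcement mode: return ('allow' | 'deny', reason) for one call."""
    app, api, arg = parse(line)
    if app not in profile:
        return "deny", f"{app}: no profile, never seen in learning mode"
    patterns = profile[app].get(api, set())
    if not patterns:
        return "deny", f"{app}: API {api!r} never observed during learning"
    if any(fnmatch.fnmatchcase(arg, p) for p in patterns):
        return "allow", ""
    return "deny", f"{app}: {api} {arg} is outside the learned profile"


def enforce(profile, trace):
    """Run every call in a trace through the profile; returns [(line, verdict, reason)]."""
    return [(line, *check(profile, line)) for line in trace]


if __name__ == "__main__":
    prof = learn(LEARNING_TRACE)
    for line, verdict, reason in enforce(prof, ENFORCEMENT_TRACE):
        print(f"{verdict:5}  {line}" + (f"   <- {reason}" if reason else ""))
```

The point of `generalize` is the trade-off the mail describes: a profile keyed on exact hosts and files is what makes personal firewalls "spammy", while a profile keyed on port and directory still catches an application binding a listener, reaching an unexpected port, or reading outside the directories it used during learning. Anything not covered by the learned profile is denied by default, so the quality of the learning run decides how noisy enforcement will be.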
More information about the NANOG mailing list