Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Level3 routing issues?

  • From: alex
  • Date: Mon Jan 27 16:05:26 2003

> > > Given that the head of one of our three-letter-agencies managed to get
> > > this sort of thing wrong,  what makes you think that Joe Middle-Manager
> > > who's more concerned about fixing a spreadsheet will get it correct?
> > 
> > Because it is not that difficult. A security policy of a little office is
> > very different from a security policy of a three letter agency. In fact,
> > fixing a spreadsheet could be mode difficult than implementing a security
> > policy for an office with 5 computers that are connected to the Internet.
> 
> Ahh... but in the case of SQLSlapper, you have a packet coming in to the
> PC.. That traffic doesn't get restricted by your hypothetical security
> policy, since it's not entering the VPN, and the outbound traffic isn't
> either, because it's locally generated.

Umm... Why is outside world talking to your database server without
supervision?

> This also means that your security policy needs to be fixed so Outlook is
> not permitted to connect to any other mail servers - because otherwise the
> user can check their AOL account, pick up a Nimda, and whomp it into the
> VPN.

Umm.. Why is your security policy allowing outlook to connect to somewhere
other than your company mail server?

> In fact, if you're talking to the VPN and allow any non-VPN connections
> *at any time* (even when the VPN isn't active), you have a vulnerability - think
> about downloading a file that has a virus that doesn't have a signature from
> the vendors yet (like the first 75,000 copies of Nimda that his our mail
> server).  Wanna bet that when that VPN connects, there's some shares available
> for the virus to attack? ;)

Nope, in fact, the idea "allow everything from inside to out" is the reason
the vast majority of the problems in the policy.

> It's not as easy as it looks.

It is very easy. 

Deny everything.
Allow outbound port 80
Allow mail server to 25
Allow ident
If you need netmeeting, allow netmeeting server to other servers.
If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
the name of the other mahine.

I am failing to see a problem.
> 
> 

-- 





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.