On Tue, Dec 21, 2004, Christopher L. Morrow wrote:
> problematic in one/all OSes, but by and large extended lifetimes on a live/hostile network mean patches must be applied. Seems like that doesn't happen by and large.
> [waiting for an OpenVMS user to speak up]
You won't need to. ;-)
> > Frankly, from an operational perspective, I guess the only way to go is to trust the inside of your network even less than you trust the outside ... and have processes that quickly isolate and block access
> This is quite correct... The blocking/isolation is helped if the network is segmented early on: permit that traffic which is 'normal', place some IDS-like devices around, and correlate logs/reports/incidents to properly react when something goes awry.
There's no reason programs running on a host should have full access to your filesystem or network stack (for binding or outgoing connections) without explicitly being granted permission by your users. The trouble is that a lot of the random crap people "install" just says "click yes and yes when asked about installing this software!", which said user will blithely run off and do.

Personally, I think trying to stop the software being installed is a lost cause. It's going to get installed no matter how hard you try. What I think vendors should be looking at are solutions to mitigate the effect said software can have /when/ it's running. There are personal firewalls available which limit the network access the applications are granted, but they're quite spammy for the average user ("Internet Explorer is trying to connect to www.google.com. Is this acceptable?"). Cisco sells a corporate solution similar to this: something profiles your running applications to see which API calls they make and their parameters, then you lock the machine to only be able to run within this profile.

Adrian

-- 
Adrian Chadd                    "You don't have a TV? Then what's
<adrian@creative.net.au>        all your furniture pointing at?"
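The "profile the application, then lock the host to that profile" idea in the message above, as an added toy example. This is not code from any poster or from Cisco's product; it only models the approach. The event trace, the application name "browser", the file paths and the hosts are all constructed, and the normalisation rules (a file open is generalised to its directory, an outbound connect to its destination port, a bind and an exec stay exact) are assumptions chosen to show why generalising learned behaviour keeps the enforcement point from prompting on every new destination the way the per-host personal firewalls do.

```python
"""Profile-then-enforce monitor for per-application behaviour.

Added illustration, not code from the thread or from any vendor.
All events below are constructed; the generalisation rules in
profile_key() are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class Event:
    app: str        # executable name, e.g. "browser"
    op: str         # "open", "connect", "bind" or "exec"
    target: str     # file path, or "host:port" for network operations
    mode: str = ""  # "r" or "w" for open; unused otherwise


def profile_key(ev: Event) -> tuple:
    """Generalise one observed call into a profile entry.

    The generalisation is what keeps enforcement from being "spammy":
    one observed HTTP connection covers every HTTP connection instead
    of prompting per destination host.  Rules (assumptions):
      open    -> (directory, mode): a write in ~/.cache/browser covers that dir
      connect -> (*, port): any host on a port the app has already used
      bind    -> exact (host, port): listening sockets stay exact
      exec    -> exact path
    """
    if ev.op == "open":
        return ("open", posixpath.dirname(ev.target), ev.mode)
    if ev.op in ("connect", "bind"):
        host, _, port = ev.target.rpartition(":")
        return (ev.op, "*" if ev.op == "connect" else host, port)
    return (ev.op, ev.target, "")


class AppProfile:
    def __init__(self):
        self.allowed = defaultdict(set)   # app -> set of profile keys

    def learn(self, events):
        """Learning mode: record what the app did on a known-clean host."""
        for ev in events:
            self.allowed[ev.app].add(profile_key(ev))

    def permitted(self, ev: Event) -> bool:
        """Enforcement mode: allow only calls matching a learned key."""
        return profile_key(ev) in self.allowed.get(ev.app, set())

    def enforce(self, events):
        """Split a trace into (allowed, denied); denied events are what
        the host agent would block or, at most, prompt on."""
        allowed, denied = [], []
        for ev in events:
            (allowed if self.permitted(ev) else denied).append(ev)
        return allowed, denied


# Constructed training trace: what the browser did during normal use.
TRAINING = [
    Event("browser", "open", "/home/user/.cache/browser/page1.html", "w"),
    Event("browser", "open", "/home/user/.cache/browser/page2.html", "w"),
    Event("browser", "open", "/etc/resolv.conf", "r"),
    Event("browser", "connect", "www.example.com:80"),
    Event("browser", "connect", "mail.example.com:443"),
]

# Constructed later trace: normal browsing plus the kind of behaviour a
# "click yes" install adds (writing into a system library directory,
# dialling out on an unusual port, opening a listener, spawning a shell).
LATER = [
    Event("browser", "connect", "www.google.com:80"),
    Event("browser", "open", "/home/user/.cache/browser/page3.html", "w"),
    Event("browser", "open", "/usr/lib/libnew.so", "w"),
    Event("browser", "connect", "203.0.113.7:6667"),
    Event("browser", "bind", "0.0.0.0:31337"),
    Event("browser", "exec", "/bin/sh"),
]


def build_and_enforce():
    """Learn from TRAINING, then enforce against LATER."""
    profile = AppProfile()
    profile.learn(TRAINING)
    return profile.enforce(LATER)


if __name__ == "__main__":
    ok, blocked = build_and_enforce()
    for ev in blocked:
        print(f"DENY  {ev.app}: {ev.op} {ev.target} {ev.mode}".rstrip())
    print(f"{len(ok)} allowed, {len(blocked)} denied")
```

Run stand-alone it denies four of the six later events and permits the two that fall inside the learned profile; note that the google connection is allowed without any prompt because port 80 was already in the profile, which is exactly the per-host prompt the message complains about being avoided.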