Suresh Ramasubramanian wrote:
Valdis.Kletnieks@vt.edu writes on 11/24/2003 3:43 PM:
Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?
That'd have to be very fast indeed, given that only one windows update mirror is used at a time, and patches are downloaded and applied in sequence.
Two ways to get at least some safety -
# Machine behind NAT while it is being updated
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT fall into the same category. Just cause your broadband router (ahem, switch) vendor states that NAT (in reality PAT) as one of their security 'knobs' does not make it in any way a security feature when implemented. Only thing that might benefit is IPv4 address space. Make a NAT Translation to a workstation (nothing else) and see if you can still carryout some of the exploits making the rounds. NAT and PAT do not prohibit any TCP/UDP connections to egress. Most broadband providers still perform a NAT translation downstream, is it helping alleviate any of the attacks/compromises? NOT!!!!!
# Patches preferably downloaded onto a CD and applied offline
I know Microsoft has a product that allows you to donwload patches to a centralized server (within your infrastructure) and let's you patch your internal systems from it. Heard our MS admins talking about it a while back.... -- Gerardo A. Gregory