On Sat, Aug 30, 2003 at 02:53:46PM -0400, Valdis.Kletnieks@vt.edu wrote:
> On Sat, 30 Aug 2003 14:09:40 EDT, Joe Abley said:
> > That won't save them when the time required to download the patch set is an order of magnitude greater than the mean time to infection.
> This, in fact, is the single biggest thorn in our side at the moment. It's hard to adopt a pious "patch your broken box" attitude when the user can't get it patched without getting 0wned first...
How about ACLing them? Upstream from customer:

permit udp <customer> <ISP's nameservers> port 53
permit tcp <customer> <windowsupdaterange> port 80(?)

for as much of the Windows Update range as can be found. Since they've recently akamai'zed, this is somewhat predictable. Downstream, you can either set up stateful, or just be lazy and hope that allowing the estab flag is enough...

ACL can be either templated or genericized for the OS. (Replacing <customer> with any means the customer PVC (assuming DSL) can only hit Microsoft regardless of spoofing.) Similar ACLs can be set up for Solaris, OSX, even various flavors of Linux. Being able to at least semi-automate router config changes is a requisite, but not insurmountable.

This will, no doubt, increase support calls. How much compared to a pervasive worm is left as an exercise to the reader.

-- 
Ray Wong
rayw@rayw.net
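Added example, not from the thread: a small Python model of the quarantine ACL sketched above, so its effect on sample flows (DNS, Windows Update, anything else, and the "any"-source variant for spoofed hosts) can be checked. All prefixes (customer PVC, ISP resolver, Windows Update stand-in) are constructed sample values; the post gives no real ranges.

```python
# Toy model of Ray's upstream/downstream customer ACLs (constructed example).
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int
    established: bool = False   # TCP ACK/RST set, i.e. not a new SYN

class Rule(NamedTuple):
    action: str
    proto: str
    src: str                    # CIDR; "0.0.0.0/0" plays the role of "any"
    dst: str
    dport: Optional[int]        # None matches any port
    established: bool = False   # match only established TCP ("estab" flag)

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto == flow.proto
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == flow.dport)
            and (not rule.established or flow.established))

def evaluate(acl: list, flow: Flow) -> str:
    """First match wins; an ACL ends in an implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"

CUSTOMER = "10.0.0.0/24"            # constructed customer PVC range
ISP_DNS = "192.0.2.53/32"           # constructed ISP resolver
WINDOWS_UPDATE = "198.51.100.0/24"  # constructed stand-in for the WU range

def upstream_acl(customer: str = CUSTOMER) -> list:
    """Customer -> Internet. Pass "0.0.0.0/0" for the 'any' variant: even a
    spoofed source then reaches nothing but the resolver and Windows Update."""
    return [Rule("permit", "udp", customer, ISP_DNS, 53),
            Rule("permit", "tcp", customer, WINDOWS_UPDATE, 80)]

# Internet -> customer: the "lazy" variant that only allows established TCP.
DOWNSTREAM_ACL = [Rule("permit", "tcp", "0.0.0.0/0", CUSTOMER, None, True)]

def check_customer_host(host: str = "10.0.0.7") -> dict:
    """What a quarantined host can and cannot do under these ACLs."""
    up = upstream_acl()
    return {"dns": evaluate(up, Flow("udp", host, "192.0.2.53", 53)),
            "windows_update": evaluate(up, Flow("tcp", host, "198.51.100.10", 80)),
            "other_host_80": evaluate(up, Flow("tcp", host, "203.0.113.5", 80)),
            "inbound_syn": evaluate(DOWNSTREAM_ACL, Flow("tcp", "203.0.113.5", host, 80)),
            "inbound_reply": evaluate(DOWNSTREAM_ACL, Flow("tcp", "198.51.100.10", host, 1234, True))}
```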