[conspire] Re: OT (somewhat) Linux perspective on "Zotob's" target

Don Marti dmarti at zgp.org
Thu Aug 18 13:06:23 PDT 2005 

begin  Eric De Mund quotation of Thu, Aug 18, 2005 at 11:43:15AM -0700:

> The thing I keep in mind is that MS *just doesn't care*. Meaning,
> they're a business that just happens to be a software business. They're
> in the game for the revenue stream, and that's it. Any relationship to
> software engineering--in any way, shape or form--ends there. Period. At
> least this is how I personally keep my consumption of Tums slightly
> reduced.

To be fair, most of this stuff was designed when you
could assume...

BIG BAD INTERNET--(firewall)--Super Safe Corporate 
                       |      Happy Network
                       |      (users' systems)
                    DMZ Network
                    (web, DNS, SMTP gateway)

Now, a user's system is likely to be a laptop that
gets moved from the corporate network to random places
on the big bad Internet, including the user's house
and various cafés and hotels.

Those of us with Linux laptops can easily strip
off unneeded software and set up paranoid
local iptables policies.  All laptops are
bastion hosts (bastion host checklist here:
http://zgp.org/~dmarti/blosxom/tips/new-server.html )

If you have users with wandering MSFT Windows laptops,
you will need to install a third-party security
solution for them.  I don't have direct experience
with the administrator end of any of these products,
since I don't do any non-Linux system administration,
but this one has been recommended to me and I've seen
the client side in use frequently with no problems.

  Check Point VPN-1 SecureClient
  http://www.checkpoint.com/products/vpn-1_clients/index.html

It combines a centrally administered VPN with
centrally administered software firewalls for each
laptop user.  (You'll need the server and admin
consule parts too.)  You should definitely include
this or something providing this functionality in the
"Windows" column when you're adding up desktop TCO
-- unless you want to ban laptops, which you can't
because Management will make you support theirs
anyway.

(You can tell a bogus desktop TCO study because they
either leave off managed firewall/VPN or add it to
both the Windows and Linux columns.)

Stripping "essential" services looks like a neat
trick, but even if you configure all those Windows
boxes not to have any services running by default,
all it takes is one software install to add a
vulnerable service.  Remember Slammer and MSDE 2000?

http://www.sophos.com/virusinfo/articles/slammerq.html

-- 
Don Marti
http://zgp.org/~dmarti/
dmarti at zgp.org

More information about the conspire mailing list