Fog Creek Software
Discussion Board




Blaster & Problem with Sysadmin policies

Reading about GOT's woes, the "laptop is the chink in the armor" and other comments, I realize the smartest policy in a large group network is "close everything and open only when necessary."

IOW, set your router policies so that employees only get what they need to work. Normal folks get web ports to the outside world (or the proxy server) and email ports to the mail server. Devs get that + the ports necessary to access source control.

Devs run and develop on local web and database servers. A sandbox is set up for the dev group if a more complex setup is necessary (multiple boxes for replication, n-tier testing, etc).

Big brick wall between dev & test - code is moved from dev to test by QA via scripts pulled from source control.

Big brick wall between test & production - code is moved from test to production by production admins with scripts pulled from source control.

To be honest, with some intelligent forethought and design, this wouldn't be that expensive to set up, and with properly documented procedures and policies, not that hard to maintain. So long as your employees are kept open-minded about rapid reaction, you could even rush a patch through from dev to production in a few hours.

Wouldn't this hurt virus propagation more than anything Microsoft could ever do?

Philo

Philo
Friday, August 15, 2003

That's all great, but I wanted to note that even with the laptop being a "chink in the armor," if the patch has been applied, even an infected laptop inside the firewall would have done nothing more than scan.

dsf
Friday, August 15, 2003

I'd like to add one item to the list.  Have a DMZ set up internally and allow employees to VPN over the DMZ to the main network.  That allows visitors/external vendors/clients to connect to the net with no effort while protecting your network.  It also allows employees to hook up their laptops and get on the network (for a small speed penalty) and be secure.

You are right about these not costing much to install and maintain; it's rather sad that it's not a standard thing for network/IT infrastructure designers.  We don't have a DMZ here, but for one ongoing project we need to allow a vendor to have reps on site.  They don't need to interact with our systems at all, just get online and VPN back home. Well, that requires buying them their own DSL line, wiring like crazy and 4 months of setup.  Yikes.  How about a firewall/router/switch instead and use existing wires.  Darn.

Lou
Friday, August 15, 2003

This is the classic Principle of Least Privilege.  Give the user only the rights needed to get the job done. 

It works great until someone is inconvenienced a little by it and whines enough until a hole is punched for them.  It's easier to just share a directory with full permission for everyone than to take the time to set up a limited user account. 

I think this principle combined with a little user accountability would go a long way.  There doesn't seem to be any penalty for employees who open infected attachments or fail to take advantage of common sense security precautions. 

SomeBody
Friday, August 15, 2003

Lou's idea is what I set up for wireless. For customer offices I have an external DMZ that's only got access to the Internet, protected by a relatively "thin" firewall that lets them use their VPN software to get to home base. The desktop LAN is behind a bastard heavyweight proxy firewall that blocks everything incoming and outgoing and only permits proxy access.

I also banned Outlook and IE when Microsoft merged them with the desktop, though I've had to back down on IE because the parent company (dtbs) has important internal web pages that require it.

Development systems are all UNIX, the Windows boxes are just smart X terminals that happen to run the office automation stuff locally. Remote access is VNC or X over SSH.

It's becoming increasingly hard to keep the nice solid paranoid firewall, as more and more IPSEC VPNs get in use, and the IETF (dtbs) have political problems with making IPSEC firewall friendly. They want ALL network connections to be via IPSEC, so you don't need a firewall. Dream on, kids, dream on...

Peter da Silva
Friday, August 15, 2003

In theory the penalty for employees who open infected documents is their PC gets taken away for "refurbishing" and a new one is dropped in front of them... without any of their personalisations or any files they kept locally (against company policy, if they did).

In practice "we can't have this guy down, can you see if you can disinfect his computer" happens more often than not.

Peter da Silva
Friday, August 15, 2003

Philo, in your scenario how would this stop an infected laptop that connects via VPN from infecting the rest of the network?  Once the VPN authenticates them, they are in.

X
Saturday, August 16, 2003

Is Windows Update dark yet?

It is nice to see that they are being attacked by an attack they made possible.  Pretty damn funny.

x
Saturday, August 16, 2003

X,

You can set up VPN rules to allow/disallow ports...

GiorgioG
Saturday, August 16, 2003

In the words of Ed McMahon:  "I did not know that"

Thanks

X
Saturday, August 16, 2003
