[EMAIL PROTECTED] wrote:
Thanks, Bill.
We all have had to live with management-driven decisions at one time or the
other, no? We change what we can, and accept what we can't and try to make
the best of it. This is one of those situations.

But sometimes you have to have the fortitude to stand up to management and tell them they're asking for something that's not possible. You can't have 100% security and 100% access at the same time.

The line of thought is "we don't care what's running around in the Labs as
long as they remain in the Labs, but, by the way, we need to be able to pull
files from our Labs machines to our production desktops so we can work on
them. So, you see, you can't block off the Labs"
Anyway, the cost is really not a factor. Finding what to invest the money in
is the issue. The PRIMARY (and, maybe, ONLY) concern is keeping viruses that
propagate through network shares from coming to the production network. The
device I was testing does SMTP, POP and Web filtering, but 90% of the virus
problems are NetBIOS-borne. And, no, I can't filter out NetBIOS ports between
the Labs and the production sides. That is my dilemma. IF there is a device
on the market that does NetBIOS virus scanning and prevention, a big part of
my problem will disappear overnight. And, if wishes were horses ........ :-p

Well, I still think you could work it out with an intermediate machine. Just put a server in between the two networks with two interfaces on it. Load it up with all the virus protection you can find (most server-based virus protection will check incoming and outgoing files as they are up/downloaded) and keep the machine updated with all patches/etc.

Then set it up so the only way to get files from production to lab is to copy
them on to this server first.  It's a little annoying for the people copying
the files ("Damn ... I forgot to copy this to the transfer server from the
lab") but I would say that this is where you've got to draw the line if you
want to have any level of safety/protection whatsoever.

From the look of things, though, it seems that this is one of the situations
where we say "There are seldom good technological solutions to behavioral
problems." Apologies to Ed Crowley :)

I agree. I think the only way you're going to get any sane level of protection is to come to a compromise. Sometimes you have to be willing to push back.

Good luck in whatever approach you take.

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Bill Moran
Sent: Fri 10/17/2003 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

[EMAIL PROTECTED] wrote:

I forgot to mention that. Yeah, there is a requirement for connectivity
between the 2 sides. That's why firewalling them is not an option.

I've been following this because I think it's outrageous. I don't envy your problem.

I think you're in a situation where you'll have to say "if that's what
you want, then it's going to cost you" to whoever put the connectivity
requirement in place.

First off, you are going to want a firewall between production and lab.
Set it to deny by default, then allow ONLY the EXACT traffic that you
want to allow.  Then configure logging and make it a point to review
the logs regularly.

I would also suggest a dedicated SMTP relay for the lab, with virus
scanning and extensive access restrictions: again, allow only what
you KNOW is safe, log everything, and review the logs regularly.
Configure your firewall so that ONLY mail that's gone through the
SMTP relay is allowed anywhere.  This will stop a lot of SMTP-based
worms from getting anywhere, as well as alerting you to their
existence.

Even this will not protect you from every type of attack, but it
should reduce the rate of occurrence significantly.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
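Both pieces of advice in this thread reduce to the same policy check: the firewall denies by default and allows only the exact lab/production paths (files only via the AV-scanning transfer server, mail only via the SMTP relay), and every denial is logged for review. The Python below is an added example, not code from the thread or from the ActiveDir list. It assumes a hypothetical address plan (10.20.0.0/16 for the lab, 10.10.0.0/16 for production, a transfer server at 10.10.250.10 and an SMTP relay at 10.10.250.25), encodes that allow list, and runs constructed flow records through it, tagging NetBIOS and direct-SMTP denials separately so they stand out when the logs are reviewed.

```python
"""Deny-by-default lab/production policy check over constructed flow records."""
import ipaddress
import re
from dataclasses import dataclass

# Address plan is an assumption for this example; the thread names no addresses.
LAB = ipaddress.ip_network("10.20.0.0/16")
PROD = ipaddress.ip_network("10.10.0.0/16")
TRANSFER = ipaddress.ip_network("10.10.250.10/32")   # AV-scanning transfer server
RELAY = ipaddress.ip_network("10.10.250.25/32")      # lab SMTP relay

NETBIOS_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session and direct SMB


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


# Allow list: only the exact paths the thread describes; everything else is denied.
ALLOW_RULES = (
    Rule("lab-to-transfer-smb", LAB, TRANSFER, "tcp", 445),
    Rule("prod-to-transfer-smb", PROD, TRANSFER, "tcp", 445),
    Rule("lab-to-relay-smtp", LAB, RELAY, "tcp", 25),
    Rule("relay-to-prod-smtp", RELAY, PROD, "tcp", 25),
)

# Constructed record format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], m["proto"], ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). First matching allow rule wins; otherwise deny."""
    for rule in ALLOW_RULES:
        if (flow.proto == rule.proto and flow.dport == rule.dport
                and flow.src in rule.src and flow.dst in rule.dst):
            return "ALLOW", rule.name
    # Denials are tagged so the two problem classes from the thread are easy to spot.
    if flow.dport in NETBIOS_PORTS:
        return "DENY", "netbios-not-via-transfer-server"
    if flow.dport == 25:
        return "DENY", "smtp-not-via-relay"
    return "DENY", "default-deny"


def audit(lines: list[str]) -> list[tuple[str, str, str]]:
    """Evaluate every record; returns (record, verdict, reason) triples for review."""
    return [(line, *decide(parse_flow(line))) for line in lines if line.strip()]


def denied_entries(lines: list[str]) -> list[tuple[str, str, str]]:
    return [entry for entry in audit(lines) if entry[1] == "DENY"]


# Constructed sample records (not real traffic from the list discussion).
SAMPLE_FLOWS = [
    "2003-10-17T10:08:01 tcp 10.20.5.7:1034 -> 10.10.250.10:445",   # lab -> transfer server
    "2003-10-17T10:08:02 tcp 10.20.5.7:1035 -> 10.10.3.22:445",     # lab -> prod share directly
    "2003-10-17T10:08:03 udp 10.20.5.7:137 -> 10.10.255.255:137",   # NetBIOS name broadcast
    "2003-10-17T10:08:04 tcp 10.20.9.9:2048 -> 10.10.250.25:25",    # lab -> relay
    "2003-10-17T10:08:05 tcp 10.20.9.9:2049 -> 10.10.4.4:25",       # lab -> prod mail directly
    "2003-10-17T10:08:06 tcp 10.20.9.9:2050 -> 10.10.4.4:80",       # nothing allows this
]

if __name__ == "__main__":
    for record, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:32} {record}")
```

Running the script prints one line per record; in a real deployment only the denied entries would be written to the review log, which is the set `denied_entries()` returns.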

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/