Deji,
 
Technically - aside from the purely political, you have a problem.  I'm not aware of anything that is going to filter the incoming/outgoing traffic in the manner that you're looking to do.  In essence, you're looking for an application level firewall with the ability to do protocol scrubbing from layer 1 to layer 7.
 
What might be possible is to treat the lab as a 'quarantine area'.  Anything that gets brought up in the lab, through private VLAN and switching, as well as an active scanning and scripting process, would be brought up as a part of the 'private vlan' that would be separate from all other traffic until it was checked and scrubbed by the virus checking and the automated scripts.  Once that is accomplished, you can give it access to the private vlan that feeds into the rest of the environment by allowing ACLs or a simple command to the switching gear to switch its membership in the vlan structure.  Granted, this will not allow all machines in the lab to communicate with each other constantly, because when the machine shuts down, it should also be removed from the PVLAN as an automated or manual process to ensure the integrity of the more public VLAN.
 
The whole point of this is to show that it would be possible to do what you want - it's all a matter of policy, rules, and automation enforcing the rules.
 
This is a compromise, at best.  It's not giving management everything that they want, but at the same time - you're not getting everything that you want either.  Possibly the best that you're going to do and still be able to provide a safe environment.  Otherwise, open the lab up and batten down the hatches on everything else.  Create the perimeter at the individual systems and servers.
 
But, I can also see this solution costing a fair amount of cash in the network management department, too.  Tools to automate switching and VLAN management don't usually come too cheap.
 
That's my shot at it......
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]
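The quarantine-VLAN lifecycle Rick sketches above, as an added example that is not part of the original thread: a host that appears on the lab switch starts in an isolated VLAN, is released to the VLAN that feeds the rest of the environment only once the virus scan and the policy scripts both pass, is pulled straight back if a later scan fails, and drops off the moment the link goes down so a replacement host cannot inherit its access. The VLAN ids, the host MAC and the `set port ... vlan ...` command strings are assumptions chosen for the example, not the syntax of any particular switch.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

QUARANTINE_VLAN = 999   # assumed: isolated VLAN that only the scanner can reach
PRODUCTION_VLAN = 100   # assumed: VLAN that feeds into the rest of the environment


class State(Enum):
    OFFLINE = "offline"
    QUARANTINED = "quarantined"   # connected, but sealed off until the checks pass
    CLEARED = "cleared"           # checks passed, port moved to the production VLAN


@dataclass
class Port:
    mac: str
    state: State = State.OFFLINE
    vlan: Optional[int] = None


@dataclass
class QuarantineController:
    ports: Dict[str, Port] = field(default_factory=dict)
    commands: List[str] = field(default_factory=list)   # audit trail of switch changes

    def _move(self, port: Port, vlan: Optional[int], state: State) -> State:
        """Record the VLAN change; the command text is a hypothetical placeholder."""
        if port.vlan != vlan:
            target = "none" if vlan is None else vlan
            self.commands.append(f"set port {port.mac} vlan {target}")
        port.vlan, port.state = vlan, state
        return state

    def link_up(self, mac: str) -> State:
        """A host appears on the lab switch: it always starts in quarantine."""
        port = self.ports.setdefault(mac, Port(mac))
        return self._move(port, QUARANTINE_VLAN, State.QUARANTINED)

    def scan_result(self, mac: str, av_clean: bool, scripts_ok: bool) -> State:
        """Apply the result of the virus scan and the policy scripts.

        Both must pass before the port is released.  A failed scan on a host
        that was already cleared pulls it straight back into quarantine, so a
        later infection does not keep its access to the shared VLAN.
        """
        port = self.ports[mac]                 # KeyError: host never seen on the switch
        if port.state is State.OFFLINE:
            raise ValueError(f"{mac} is offline; scan results are ignored")
        if av_clean and scripts_ok:
            return self._move(port, PRODUCTION_VLAN, State.CLEARED)
        return self._move(port, QUARANTINE_VLAN, State.QUARANTINED)

    def link_down(self, mac: str) -> State:
        """Host went away: take the port out of every VLAN until it is re-checked."""
        port = self.ports[mac]
        return self._move(port, None, State.OFFLINE)


if __name__ == "__main__":
    # Constructed walk-through: one host comes up, is cleared, then shuts down.
    ctl = QuarantineController()
    mac = "00:11:22:33:44:55"
    ctl.link_up(mac)
    ctl.scan_result(mac, av_clean=True, scripts_ok=True)
    ctl.link_down(mac)
    print("\n".join(ctl.commands))
```

The `commands` list is what an automated or manual process would replay against the switching gear; keeping it as an audit trail also gives you something to check when a machine turns up on the public VLAN that should not be there.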

-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 1:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

Thanks, Bill.
 
We all have had to live with management-driven decisions at one time or the other, no? We change what we can, and accept what we can't and try to make the best of it. This is one of those situations.
 
The line of thought is "we don't care what's running around in the Labs as long as they remain in the Labs, but, by the way, we need to be able to pull files from our Labs machines to our production desktops so we can work on them. So, you see, you can't block off the Labs"
 
Anyway, the cost is really not a factor. Finding what to invest the money in is the issue. The PRIMARY (and, maybe, ONLY) concern is keeping viruses that propagate through network shares from coming to the production network. The device I was testing does SMTP, POP and Web filtering, but 90% of the Virus problems is NetBIOS borne. And, no, I can't filter out NetBIOS ports between the Labs and the production sides. That is my dilemma. IF there is a device on the market that does NetBIOS virus scanning and prevention, a big part of my problem will disappear overnight. And, if wishes were horses ........ :-p
 
From the look of things, though, it seems that this is one of the situations where we say "There are seldom good technological solutions to behavioral problems." Apologies to Ed Crowley :)
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: [EMAIL PROTECTED] on behalf of Bill Moran
Sent: Fri 10/17/2003 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

[EMAIL PROTECTED] wrote:
> I forgot to mention that. Yeah, there is a requirement for connectivity
> between the 2 sides. That's why firewalling them is not an option.

I've been following this because I think it's outrageous.  I don't envy
your problem.

I think you're in a situation where you'll have to say "if that's what
you want, then it's going to cost you" to whoever put the connectivity
requirement in place.

First off, you are going to want a firewall between production and lab.
Set it to deny by default, then allow ONLY the EXACT traffic that you
want to allow.  Then configure logging and make it a point to review
the logs regularly.

I would also suggest a dedicated SMTP relay for the lab, with virus
scanning and extensive access restrictions: again, allow only what
you KNOW is safe, log everything, and review the logs regularly.
Configure your firewall so that ONLY mail that's gone through the
SMTP relay is allowed anywhere.  This will stop a lot of SMTP-based
worms from getting anywhere, as well as alerting you to their
existence.

Even this will not protect you from every type of attack, but it
should reduce the rate of occurrence significantly.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com
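Bill's advice above (deny by default, allow only the exact traffic that is wanted, force mail through a dedicated relay, log everything and review the logs) as an added example that is not part of the original thread. It models the lab/production firewall as an ordered rule list with a default deny, writes one log line per flow, and then does the review step: counting denied flows per source host, which is where a lab box that keeps knocking on port 25 or 445 shows up. The subnets, the relay and file-server addresses, the rule names and the sample flows are all constructed for the example and do not come from the thread.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing for the example; none of these values come from the thread.
LAB_NET = ipaddress.ip_network("10.20.0.0/16")
PROD_NET = ipaddress.ip_network("10.10.0.0/16")
SMTP_RELAY = ipaddress.ip_network("10.30.0.25/32")    # dedicated, virus-scanning relay for the lab
FILE_SERVER = ipaddress.ip_network("10.10.5.50/32")   # the one production share the lab may pull from


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in self.src
                and ipaddress.ip_address(flow.dst) in self.dst
                and self.proto == flow.proto
                and (self.dport is None or self.dport == flow.dport))


# Only the exact traffic that is wanted is listed; the relay is the only mail path
# and a single file server is the only share reachable from the lab.
RULES: List[Rule] = [
    Rule("lab-to-relay-smtp", LAB_NET, SMTP_RELAY, "tcp", 25, "allow"),
    Rule("relay-to-prod-smtp", SMTP_RELAY, PROD_NET, "tcp", 25, "allow"),
    Rule("lab-to-fileserver-smb", LAB_NET, FILE_SERVER, "tcp", 445, "allow"),
]
DEFAULT = ("deny", "default-deny")


def evaluate(flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls through to the default deny."""
    for rule in RULES:
        if rule.matches(flow):
            return rule.action, rule.name
    return DEFAULT


def filter_and_log(flows: List[Flow]) -> List[str]:
    """Return one log line per flow, allowed or denied, in a shape a reviewer can grep."""
    log = []
    for f in flows:
        action, rule = evaluate(f)
        log.append(f"{action.upper()} rule={rule} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    return log


def review(log: List[str]) -> Counter:
    """The review step: how many denied flows each source host produced.

    A lab machine that repeatedly hits the default deny on 25 or 445 is the
    early warning of a mail worm or share-hopping virus that Bill refers to.
    """
    denied = Counter()
    for line in log:
        if line.startswith("DENY"):
            denied[line.split()[2]] += 1
    return denied


# Constructed sample traffic, not captured from any real network.
SAMPLE_FLOWS = [
    Flow("10.20.1.7", "10.30.0.25", "tcp", 25),   # lab host mailing via the relay: allowed
    Flow("10.30.0.25", "10.10.5.5", "tcp", 25),   # relay delivering into production: allowed
    Flow("10.20.1.7", "10.10.5.5", "tcp", 25),    # lab host mailing production directly: denied
    Flow("10.20.1.7", "10.10.5.50", "tcp", 445),  # lab host reaching the permitted share: allowed
    Flow("10.20.1.7", "10.10.5.5", "tcp", 445),   # same host, a share that is not permitted: denied
    Flow("10.20.1.7", "10.10.5.50", "tcp", 139),  # NetBIOS session to the file server: denied
    Flow("10.10.5.5", "10.20.1.7", "tcp", 445),   # production reaching into the lab: denied
]

if __name__ == "__main__":
    log = filter_and_log(SAMPLE_FLOWS)
    print("\n".join(log))
    for host, count in review(log).most_common():
        print(f"{host}: {count} denied")
```

The point of logging allowed flows as well as denied ones is that the relay rule gives you a single choke point: if mail shows up on the production side that never passed `relay-to-prod-smtp`, something has got around the policy, and the allowed lines are what let you prove it.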

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
