On Fri, Feb 05, 2016 at 01:00:44AM -0800, Billy Vierra wrote:
> I highly recommend that you place all black boxes into their own (small)
> subnet (either 1 for all of the black boxes or 1 for each type, i.e. if you
> have anti-spam servers they all go into 1 subnet) that is considered
> untrusted.
>
> I was at a company a few years back and we had an audit which included a
> penetration test. The audit rules were pretty strict, with a pass / fail
> scenario on a number of areas, one of them being unpatched servers. There
> was a lot of resistance due to the fact that some of the vendors didn't
> directly play nice, saying that we would have to have some of the black
> boxes with no firewall between them and AD servers, things like that. I
> eventually made the call to do it anyways, as I tend to err on the side of
> caution. Long story short, a few different types of black boxes failed the
> pen test due to things like openssh not being fully updated (even though
> ssh was firewalled off from the internet); however, I was able to show
> the tester that even if those servers were completely hacked they had no
> direct access to anything but each other, which moved it from a fail to a
> pass with a note to contact the vendor (we were already up to date, they just
> ran 3-6 months behind on updates).
I work primarily in a closed environment, too, and I hear a lot of, "Why do
we need to worry about X, we aren't connected to the network, there's no way
for anyone to hack us!" And my response is, "the insider threat". Edward
Snowden showed us that a trusted insider is as big, or a bigger, concern than
some outside attacker who doesn't already have access and who's likely to be
looking for a defacement target or a spam relay / 'bot C&C node.

I've been aggressively pursuing patching everything, including things that
"don't matter", like Chrome, because I'd rather be in a proactive mindset
rather than a reactive one. And usually, when you're reactive, you find out
about a problem after it's too late :-)

I'm all for socking "black boxes" away on firewalled subnets, but that's a
mitigation, not a resolution. Lots of cracks are things that "couldn't
possibly happen", and even if you maintain your configuration with religious
zealotry, there's a risk that the one exception you just had to have winds up
being the vector of the next stage of an attack. I'm always thinking "Defense
in depth", and frequently do things that seem redundant or excessive.

-- 
***********************************************************************
* John Oliver                              http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
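The segmentation both posters describe (black boxes on their own subnet, default-deny towards everything else, so that a fully compromised appliance can reach nothing but its neighbours and the handful of services it genuinely needs) is easy to state and easy to get subtly wrong. The following is an added example, not code from either poster or from the list: it models such a policy as a first-match rule list, renders it as an nftables forward chain with `policy drop`, and answers the question the pentester asked, namely what an attacker who owns one black box can still reach. Every address, subnet and "required flow" here is an assumption chosen for illustration; substitute your own.

```python
"""Segmentation policy for an 'untrusted' black-box subnet, modelled as a
first-match rule list and rendered as an nftables ruleset.

Added example, not code from the mailing-list thread.  All addresses and
allowed flows below are assumptions constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Assumed addressing (constructed for this example).
BLACKBOX_NET = ipaddress.ip_network("10.99.0.0/24")   # vendor appliances
AD_NET       = ipaddress.ip_network("10.0.1.0/24")    # domain controllers
MAIL_RELAY   = ipaddress.ip_network("10.0.2.25/32")   # internal MTA
RESOLVER     = ipaddress.ip_network("10.0.2.53/32")   # internal DNS


@dataclass(frozen=True)
class Rule:
    src: IPNet
    dst: IPNet
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None = any port
    action: str           # "accept" or "drop"


# Only what the appliances actually need; everything else falls through to
# the chain's default drop.  There is deliberately no rule towards AD_NET:
# the vendor request for "no firewall between us and AD" is exactly what
# this policy refuses.
BLACKBOX_POLICY: List[Rule] = [
    Rule(BLACKBOX_NET, BLACKBOX_NET, "any", None, "accept"),  # boxes talk to each other
    Rule(BLACKBOX_NET, MAIL_RELAY,   "tcp", 25,   "accept"),  # anti-spam hands off mail
    Rule(BLACKBOX_NET, RESOLVER,     "udp", 53,   "accept"),  # name resolution
]


def evaluate(src: str, dst: str, proto: str, port: int,
             policy: List[Rule] = BLACKBOX_POLICY) -> str:
    """First matching rule wins; no match means the chain policy, i.e. drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action
    return "drop"


def render_nft(policy: List[Rule] = BLACKBOX_POLICY) -> str:
    """Emit an nftables forward chain for the policy, default drop.
    Return traffic is handled by the conntrack rule, so the rule list only
    has to describe connections the black boxes may *initiate*."""
    lines = ["table inet blackbox {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        match = f"ip saddr {r.src} ip daddr {r.dst}"
        if r.proto != "any" and r.port is not None:
            match += f" {r.proto} dport {r.port}"
        elif r.proto != "any":
            match += f" meta l4proto {r.proto}"
        lines.append(f"    {match} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def reachable_from_compromised_box(targets: List[Tuple[str, str, str, int]],
                                   attacker: str = "10.99.0.10") -> List[str]:
    """Names of the targets an attacker holding one black box can still reach.
    This is the list you hand the pentester to argue 'fail' down to 'pass'."""
    return [name for name, ip, proto, port in targets
            if evaluate(attacker, ip, proto, port) == "accept"]


# Constructed target list: the things an auditor cares about most.
AUDIT_TARGETS = [
    ("AD Kerberos",         "10.0.1.10",  "tcp", 88),
    ("AD LDAP",             "10.0.1.10",  "tcp", 389),
    ("AD SMB",              "10.0.1.10",  "tcp", 445),
    ("mail relay SMTP",     "10.0.2.25",  "tcp", 25),
    ("mail relay SSH",      "10.0.2.25",  "tcp", 22),
    ("other appliance SSH", "10.99.0.11", "tcp", 22),
]

if __name__ == "__main__":
    print(render_nft())
    print("reachable from a compromised black box:",
          reachable_from_compromised_box(AUDIT_TARGETS))
```

Running it prints the ruleset and reports that only the mail relay's SMTP port and the other appliances are reachable; every AD port evaluates to drop. Two caveats match the thread's own conclusion: the model only describes traffic that crosses the firewall, so an appliance's vulnerable sshd is still exposed to its neighbours on the same subnet, and the flows you do allow (here SMTP and DNS) remain live attack paths from a compromised box, which is why this is a mitigation to pair with patching rather than a substitute for it.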
