On Tue, 16 Nov 1999, Per Gustav Ousdal wrote:
> > Which still doesn't cover HTTP downloads, especially of self-updating
> > HTTP-based things like say a new release of IE. There are simply
> > becoming too many vectors to get data "in."
>
> Yeah, I agree with you, if I was "mht" I "wouldn't be sleeping as good at
> night" as he/she seems to ;) HTTP is a problem, it's just too flexible. And
> I agree: self-updating software is not a good thing.
>
Self-updating software removes costly distribution and support issues; I
expect that we'll see a lot more of it in the future, regardless of whether
we'd like to or not.
> But what if the security policy states that only the SysAdmin (or at least
> someone who knows about MD5, etc) is allowed to download & install new
> software. Or new software should ONLY be downloaded from the intranet server. Is
> there a way to enforce such a policy? (i.e. look at what is being sent
> via HTTP, filter out the desired MIME types, unless the person is
> authorised) Might be possible depending on the size and requirements of
> the organisation, but does it exist?
The problem is that it's possible to write HTTP-enabled software that
bypasses such controls. The end-user perhaps won't even be aware of the
fact.
[snip]
> Right, HTTP is a difficult one :/ I think part of the problem here is that
> to many, WWW == the Internet, I mean they do everything through the web
> interface.
>
> Virus scanning everything should help some, of course it won't protect you
> against new stuff (but maybe your security policy allows you to settle
> with this).
Given the traffic/bandwidth requirements of the future, this is going to
be a losing game with streaming media. I'd prefer to look at things that
will work for the next several years, not just a few months.
> One solution to minimizing the risk *could* be to have a net (firewalled
> from the production network, and with a different security policy (maybe
> the modem pool to which the users connect from home ;)) of sacrificial
> lambs that allows web browsing. And then limit as much as possible, or
> totally block WWW on the production network.
This works for some sorts of industries, but not for others.
[snip]
> I'd really like to see an (at least partial) solution here, since there
> seems to be no end to this type of virus these days.
The solution is office applications that don't execute foreign content.
[snip]
> > > BTW: Hey, how come everyone else in this thread is @clark.net?? :)
> >
> > We all chose the best regional ISP before the borg ship that is Verio
> > moved in. Or it's all a conspiracy ;)
>
> Wow, quick, block everything from clark.net :D Ok, so you all know how to
> choose the best ISP, still find it amazing that you are all from the
Yep, and we all don't know how to switch when they go downhill too.
> same region :) BTW: what region is that?
Washington, D.C./Maryland/Northern Virginia.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]