Network security practices survey

2006-12-09 Thread Sean Donelan


On Fri, 8 Dec 2006, Fergie wrote:

Sorry for the top-post, but wanted to retain context here.

Also, sorry for the specific product mention, but much of what is
mentioned below is something that we are doing with ICSS/BASE:

http://www.trendmicro.com/en/products/nss/icss/evaluate/overview.htm


In addition to Trend Micro, there are several other vendors and open
source projects.  A good overview of what is being used is available at

http://resnetsymposium.org/surveys/2006securitysurvey.htm



Re: How to pick a Site-Local Scope multi cast address

2006-12-09 Thread Marshall Eubanks


Hello;

I think that pretty much everything John Kristoff said was spot on,
especially to thank you for asking.


Unfortunately, there is no general method for doing this except to
use your GLOP address, if you have one, and that is not really
appropriate for site-local work. MADCAP and MZAP were implemented
in Windows, but I have never heard of them being used.


If you look at
http://www.iana.org/assignments/multicast-addresses
it says that
239.255.000.000-239.255.255.255 Site-Local Scope [Meyer,RFC2365]
should be used for site local scope, but I know that that is not
really followed much either.


So, my advice is

- pick something at random from 239.255/16
- let us know what it is
- give the user a config file or some other means to change it if
they have to.


I would be glad to collect and maintain a list of site-local
multicast addresses, but I have no illusions that such a list would
be complete. It would be worth doing, however.

If you really feel that this is something where there will be
millions deployed, contact me offlist and we can discuss getting an
address from IANA.

Hope this helped, and, again, thank you for asking.

Regards
Marshall Eubanks

On Dec 8, 2006, at 10:54 AM, Dave Raskin wrote:



Hello, I have been directed to this list by IANA when I asked the
following question:



I am researching ways of device/machine discovery on the network.
This is similar to the Discovery phase of UPnP devices, which uses
the SSDP protocol.

I have researched far enough to know that my best bet for a UDP
multicast address group is the Site-Local Scope address range of

  239.255.000.000-239.255.255.255

SSDP and UPnP protocols use the address 239.255.255.250

My question is this:

  How do I pick a group address within this range and not have a
chance of colliding with some other application on the network already
using the group address I just picked?


Do I just randomly pick an address in that range and hope for
the best? I am running on Windows and cannot assume that there is a
MADCAP server available.



Thanks in advance!

Dave Raskin
Rimage Corporation
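The procedure Marshall recommends (random pick from 239.255/16, overridable by configuration, avoiding groups already known to be in use) as an added example; this is not code from the thread, and the function names, the seed parameter and the known-in-use set are my own assumptions, seeded only with the SSDP group the thread names:

```python
"""Pick or validate a site-local multicast group per the advice in the thread.
Added example, not part of the original discussion."""
import ipaddress
import random

# RFC 2365 site-local scope, as cited from the IANA registry in the thread.
SITE_LOCAL = ipaddress.IPv4Network("239.255.0.0/16")

# Groups known to be in use. The thread names only the SSDP/UPnP group;
# extend this set from whatever shared list you maintain (assumption).
KNOWN_IN_USE = {ipaddress.IPv4Address("239.255.255.250")}  # SSDP / UPnP


def validate_group(addr, in_use=KNOWN_IN_USE):
    """Accept a configured group only if it is inside 239.255/16 and not
    already taken; a global-scope group would leak discovery traffic past
    the site boundary, so it is rejected rather than silently used."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in SITE_LOCAL:
        raise ValueError(f"{ip} is outside the site-local scope {SITE_LOCAL}")
    if ip in in_use:
        raise ValueError(f"{ip} is already used by another application")
    return ip


def pick_random_group(in_use=KNOWN_IN_USE, seed=None):
    """Random group from 239.255/16, skipping the two end addresses of the
    block and anything in in_use. seed is only for reproducible tests."""
    rng = random.Random(seed)
    first = int(SITE_LOCAL.network_address) + 1
    last = int(SITE_LOCAL.broadcast_address) - 1
    while True:
        candidate = ipaddress.IPv4Address(rng.randint(first, last))
        if candidate not in in_use:
            return candidate


def choose_group(configured=None, in_use=KNOWN_IN_USE, seed=None):
    """A configured value wins (after validation); otherwise pick at random,
    which is exactly the fallback the thread suggests."""
    if configured:
        return validate_group(configured, in_use)
    return pick_random_group(in_use, seed)


if __name__ == "__main__":
    print("random pick:", choose_group())
    print("configured :", choose_group("239.255.1.7"))
```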




Re: DNS - connection limit (without any extra hardware)

2006-12-09 Thread Hank Nussbacher


On Fri, 8 Dec 2006, Petri Helenius wrote:


Has anyone figured out a remote but lawful way to repair zombie machines?

Pete


Virtual patching.

-Hank


Re: Best Email Time

2006-12-09 Thread Alexander Harrowell

This account sees something over 10x more spam than genuine traffic, almost
all of which is autofiltered.

On 12/9/06, Rich Kulawiec <[EMAIL PROTECTED]> wrote:



On Fri, Dec 08, 2006 at 07:50:57AM -0500, David Hester wrote:
> CNN recently reported that 90% of all email on the internet is spam.
> http://www.cnn.com/2006/WORLD/europe/11/27/uk.spam.reut/index.html

CNN is behind the times.  We passed 90% junk (spam, viruses, bogus virus
warnings, worms, outscatter spam, C/R spam, etc.) a few years ago.
Locally, over the last three months, we've been rejecting > 98% of incoming
traffic with just two reported problems from internal and external users.

And almost all of that rejected traffic TCP-fingerprints as originating
from hosts running Windows.

---Rsk



Re: Best Email Time

2006-12-09 Thread Rich Kulawiec

On Fri, Dec 08, 2006 at 07:50:57AM -0500, David Hester wrote:
> CNN recently reported that 90% of all email on the internet is spam.
> http://www.cnn.com/2006/WORLD/europe/11/27/uk.spam.reut/index.html

CNN is behind the times.  We passed 90% junk (spam, viruses, bogus virus
warnings, worms, outscatter spam, C/R spam, etc.) a few years ago.
Locally, over the last three months, we've been rejecting > 98% of incoming
traffic with just two reported problems from internal and external users.

And almost all of that rejected traffic TCP-fingerprints as originating
from hosts running Windows.

---Rsk


Re: repair zombie machines (was: DNS - connection limit)

2006-12-09 Thread william(at)elan.net



On Fri, 8 Dec 2006, Jim Popovitch wrote:


On Fri, 2006-12-08 at 19:56 +0200, Petri Helenius wrote:

Has anyone figured out a remote but lawful way to repair zombie machines?


Very interesting question.  I personally believe that OS EULAs and ISP
ToS guidelines provide for an ISP or an OS mfg (i.e. Microsoft) to force
updates and fixes via any means.  That is: if I am your customer and my
PC/router/USB-Camera/whatever is throwing crap your way, crap that
violates your ToS or indicates that I am out of compliance with an EULA,
then I believe others have the right (and IMHO the obligation) to step
in and correct things (it's what parents do for their kids every day).
So, according to me, any corrective action is lawful when dealing with
customers and equipment that have violated an EULA or ToS guidelines.


Sending updates in an automated way or forcing updates is only ok if the
person previously authorized such action, i.e. enabled automated
updates. This is in fact dangerous in itself since it also presents a
single point of potential failure if the system providing updates is
itself compromised - that is why many choose not to do it
and enterprises set up their own update distribution systems.

As far as your question, in my opinion it would be legal for you to
check if somebody did or did not do an update, but only using tools
that check publicly available data reported from the system (i.e.
what you can gather by sending it packets to open ports). As an
ISP it would be legal for you to warn the customer that if they fail
to install an update you reserve the right to disconnect their
system or limit access to certain ports or only to certain sites
(i.e. your own, for them to check email but nothing else). And
obviously once an issue is reported to you (i.e. their machine is
spewing and compromised), that is exactly what you should do.


Just my $.02.  ;-)


Due to inflation with US currency I'll make it a nickel $.05 :)

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]