On Tue, 05 Jun 2007 11:40:36 -0400, Steven wrote in message
<030f37e8000023b8@xxxxxxxxxxxxxxxxxxxxxx>:

> Arnt Karlsen wrote:
> > On Tue, 05 Jun 2007 10:16:40 -0400, Steven wrote in message
> > <46657048.4040600@xxxxxxxxxxxxx>:
> >
> > > And, most important for folks here, do egress filtering on your
> > > firewall! Help prevent zombie machines on your own networks from
> > > being a problem. You can't stop your end users from bringing infections
> > > into your network, but you can control their spread.
> >
> > ..what tricks _are_ out there? Set up some kinda p0f daemon and
> > cut 'n tarpit any and all Wintendo network traffic attempts?
> > Or even feed them LROS thru ActiveX if they need firm hints?
>
> Not really very tricky: limit outbound traffic to what is needed. Do
> all of your workstations need UDP ports outbound? SMTP? For a lot of
> sites the average workstation's internet requirements are very small,
> especially if proxies are used for SMTP, HTTP, FTP, etc. Just by blocking
> most of the end users from direct internet access (or at least limiting
> them to a small set of outbound protocols/ports) we render those machines
> pretty useless to the bad guys.

..no problem, GNU/Linux only /25 shop here.

..but I also want to deny all windroids access to the internet and make
them fetch and use some safe OS off my (Debian etc) LAN mirror before I
allow them outbound. Just a wee wifi spot biz idea, but if Microsoft can't
secure their "OS", HTFAISTDI? ;o)

> It does, however, become very tricky if it's not done up front. It's
> really, really tough to figure out what the requirements are if anyone
> could historically do anything they wanted. It's far better to
> seriously restrict things up front and put in the exceptions as you find
> them. Sites that have historically allowed all outbound traffic are a
> twofold problem: they're hard to fix, and they are exactly the sorts of
> sites the bad guys like to use.

..aye, but easy if it's your net: just enforce your ban on Wintendo.
Now, I'm a GNU+Linux only shop and have had no recent Wintendo experience
since early 1998 (I had Wintendo95 and ran away), so I look for pointers
on "ID their OS first, then chk if they have paid my bill and deserve
access."

--
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
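The default-deny egress policy Steven describes above, written out as an nftables ruleset (an added example, not code from the thread): workstations may only reach an internal resolver, an HTTP/FTP proxy and an SMTP relay, those three hosts alone go out directly, and every other outbound attempt from the workstation LAN is logged and dropped, which also gives you the cheapest possible zombie detector. All interface names and addresses are constructed placeholders; the servers are assumed to sit on their own segment so their traffic passes the forward hook.

```nft
#!/usr/sbin/nft -f
# Default-deny egress for a workstation LAN on a Linux router/firewall.
# Interface names and addresses are constructed placeholders.
define lan_if   = "eth1"              # workstation side
define srv_if   = "eth2"              # internal server segment
define wan_if   = "eth0"              # upstream side
define lan_net  = 192.0.2.0/25        # workstation /25 (documentation range)
define resolver = 198.51.100.10       # internal recursive DNS
define proxy    = 198.51.100.11       # HTTP/FTP proxy (e.g. Squid)
define relay    = 198.51.100.12       # internal SMTP relay

table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted.
        ct state established,related accept

        # Only the proxy and relay talk to the internet directly;
        # further exceptions are added here as you find them.
        iifname $srv_if oifname $wan_if ip saddr { $proxy, $relay } accept

        # Workstations reach internal services only, on the ports they need.
        iifname $lan_if oifname $srv_if ip saddr $lan_net ip daddr $resolver udp dport 53 accept
        iifname $lan_if oifname $srv_if ip saddr $lan_net ip daddr $resolver tcp dport 53 accept
        iifname $lan_if oifname $srv_if ip saddr $lan_net ip daddr $proxy tcp dport 3128 accept
        iifname $lan_if oifname $srv_if ip saddr $lan_net ip daddr $relay tcp dport 25 accept

        # Anything else from the workstation LAN toward the internet is
        # logged (rate limited) and dropped. A host that keeps hitting this
        # rule, e.g. direct SMTP or odd UDP ports, is your infected machine.
        iifname $lan_if oifname $wan_if ip saddr $lan_net limit rate 10/minute log prefix "egress-deny: " level warn
        iifname $lan_if oifname $wan_if drop
    }
}
```

Load with `nft -f egress.nft` and watch the kernel log for the `egress-deny:` prefix; per-source counts of those lines are the list of machines to pull off the network.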