RE: [Micronet] Which hosts running older OSes will be blocked by min. stds?

From: Eric Chamberlain, CISSP <eric_at_berkeley.edu>
Date: Wed Jun 23 2004 - 17:20:04 PDT

> -----Original Message-----
> From: owner-micronet-list@lists.berkeley.edu
> [mailto:owner-micronet-list@lists.berkeley.edu] On Behalf Of
> Aron Roberts
> Sent: Wednesday, June 23, 2004 4:45 PM
> To: Craig Lant
> Cc: Micronet-UCB microcomputer support user group; MAGNet-UCB
> Macintosh support user group; PCSystems - UCB PC/Windows user group
> Subject: [Micronet] Which hosts running older OSes will be
> blocked by min. stds?
>
> Hi Craig,
>
> At 01:34 -0700 2004-06-23, Craig Lant wrote:
> >Our current standard for what we block includes only hosts that pose a
> >threat. This policy changes that standard slightly to include hosts
> >that are *likely* to pose a threat. Who makes that judgment call?
> >Ultimately, the CISC does. Though in an emergency, I would make it
> >with input from SNS, CNS, and others.
> >...
> >What this means in practice is that, if a particularly nasty worm is
> >released that includes code to attack older/unpatched versions of
> >Windows, Mac OS, Linux, or whatever, we could immediately block all
> >vulnerable hosts until they can be secured. Many security experts
> >would change that "if" to "when". But, the point is that we would
> >rather block a thousand hosts until they're patched or upgraded than
> >wait and block a thousand hosts until they're rebuilt.
>
> In the hopes of clarifying this further ...
>
> Craig (and all): what might this mean in practice for
> hosts running older versions of Windows, Mac OS, and various
> Unix and Linux distributions for which security patches are
> no longer available from their respective vendors?
>
> Will all of these hosts be:
>
> 1. Allowed to operate 'as is' on the campus network after
> May 1, 2005?
>
> 2. Globally blocked from operating, and thus required to be upgraded or
> replaced ... ideally prior to that date :-)?
>
> or
>
> 3. Either allowed or blocked, based on some determination of the
> risk they pose (e.g. "hosts that are *likely* to pose a threat")?
>
> And if so, will this determination be based:
>
> a. Generically on the OS they're running, perhaps due to
> vulnerabilities for which no patches are currently available?
> or
> b. Specifically for individual hosts that pose a threat?
>
> My reading of your wording above is that it's closest to 3.a. ...
>
> Thanks!
>
> Aron Roberts
> Workstation Software Support Group
>

There are more issues than just vendor support for patches. Do vendors
still release AV definitions for these older operating systems? Can systems
run host-based firewalls? Does the OS meet the password requirements?

How many machines on campus are we really talking about, anyway? Do
students bring these older operating systems to campus? Administrative
staff shouldn't be using these older systems. None of these older operating
systems should store FERPA or SB1386 data. They won't support OPTRS or
future secure mainframe applications. Are modern web browsers available?

Does it really make sense for departments to keep outdated, insecure
operating systems around and have central campus spend more money than it
would cost to upgrade, to make services less secure and backwards
compatible?

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
 
Received on Wed Jun 23 17:21:28 2004