Re: Upgrades and Security Requirements...

From: Greg Merritt <gmerritt_at_calmail.berkeley.edu>
Date: Tue Jun 22 2004 - 12:06:30 PDT

> > With at least one exception: Mac OS 8.x and 9.x. No further
>> patches are available from the vendor, Apple Computer, Inc., but a
>> compelling case could be made that none are currently required, and
>> that no network-accessible vulnerabilities requiring patches are
>> likely - with any reasonable degree of probability - to be found in
>> the future.
>
>I disagree.

        Ok........ so what about, say, an HP LaserJet 4 or 5?
Listens on (at least) port 23, right? Any firmware updates for these?

        ...then again, are there any known (or even likely) exploits
against these network devices?

        The question, I think, is whether network devices (computers
or otherwise) are going to be routinely, pro-actively kicked off of
the network just because the are technically bannable via the new
policy, or whether only devices which are actually presenting some
reasonable amount of risk are going to be shut down.

        Basically, we don't know what's going to happen when the new
policy goes into effect. Here's what I guess to be the possible ends
of the spectrum:

        1) Devices running out-of-date/misconfigured/unsupported
software will be immediately kicked off of the network once they
misbehave, OR when there is a reasonable likelihood of said devices
becoming compromised by a known exploit; or,

        2) On May 1, SNS will terminate network service for anything
and everything that doesn't present itself on the network as being
up-to-date/properly configured/supported by the vendor.

        I expect the landscape will look more like 1) than 2), but I
don't know. I think it would be really helpful if SNS would let the
campus support community know what their intentions are regarding how
they plan to operate under the new policy. It will really help
support folks plan ahead now and anticipate what the actual climate
will be like when the new policy goes into effect.

-Greg

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Tue Jun 22 12:10:08 2004

This archive was generated by hypermail 2.1.8 : Tue Jun 22 2004 - 12:10:09 PDT