RE: Re: [Security] Newest Symantic Security Software

From: John E. Weber <johnweber_at_berkeley.edu>
Date: Tue May 10 2005 - 16:31:32 PDT

Additionally, the native host-based firewall in Windows XP SP2 does not allow for "trusted" hosts, only for port exceptions (you can configure this via the local box or Active Directory). If one were mandated to allow SNS through their host-based firewall, they would need to move to another solution (like SCS). I agree that this would be terrible policy.

John

John E. Weber
Microsoft Certified Systems Engineer
Central Computing Services - IS&T
Campus Active Directory Architect, CalNetAD
University of California, Berkeley
johnweber@berkeley.edu
2195 Hearst Avenue, #300B-07
(510) 642-8426
http://calnetad.berkeley.edu
 

-----Original Message-----
From: owner-micronet-list@lists.berkeley.edu [mailto:owner-micronet-list@lists.berkeley.edu] On Behalf Of Robert Hiramoto
Sent: Tuesday, May 10, 2005 4:06 PM
To: ucb-security@lists.berkeley.edu; micronet-list@listlink.berkeley.edu
Subject: RE: [Micronet] Re: [Security] Newest Symantic Security Software

Hi all,

"...the management hassle of coding IP addresses onto every machine on
campus, and maintaining those addresses as SNS's setup changes.."

I apologize for the thread jack, and I am not trivializing Tom's comments,
but I thought I'd ask this:

(Sorry if this has been covered already,) but with the SCS admin tools,
can't one push out new firewall policies and rulesets to the clients?

I've seen this documented in the SCS admin book; I just haven't gotten
around to learning how to do this yet.

~Robert

-----Original Message-----
From: owner-micronet-list@lists.berkeley.edu
[mailto:owner-micronet-list@lists.berkeley.edu] On Behalf Of Tom Holub
Sent: Tuesday, May 10, 2005 3:57 PM
To: Ryan L. Means
Cc: ucb-security@lists.berkeley.edu; micronet-list@listlink.berkeley.edu
Subject: Re: [Micronet] Re: [Security] Newest Symantic Security Software

On Tue, May 10, 2005 at 01:42:29PM -0700, Ryan L. Means wrote:
> Tom,
>
> CISC did approve changes to the implementation guide that required holes
> for the SNS scanners as part of a "correct configuration". Note that the
> language of the standard specifies that the firewall configuration must be
> configured according to the implementing guidelines. My revision of this
> page has not been posted to the SNS site yet, but these changes were
> approved 4-5 months ago. However, I assume that we'll be discussing this at
> our next meeting anyway, so maybe it won't make it up there at all.

Perhaps this was at a meeting I didn't attend; it certainly wasn't at
any meeting I attended. Since no one sends out notes for CISC
meetings, I guess there's no record.

In any case, I think it's bad policy, even if it's documented
somewhere. Even if you leave aside the security issues, the
management hassle of coding IP addresses onto every machine on campus,
and maintaining those addresses as SNS's setup changes, is
significant.

--
Tom Holub (tom_holub@LS.Berkeley.EDU, 510-642-9069)
Director of Computing, College of Letters & Science
249 Campbell Hall
<http://LS.berkeley.edu/computing/>
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Tue May 10 16:35:05 2005

This archive was generated by hypermail 2.1.8 : Tue May 10 2005 - 16:35:06 PDT