Hi Ted,
I'm copying a couple of other lists since this topic was recently discussed
there and is something of an FAQ at this point.
On Thursday 29 September 2005 16:36, Ted Crum wrote:
> We recently had several XP SP-2 boxes, with SCS 2.0x, that were at one
> time happily doing automatic Windows Update.
Note that moving to SCS 3.x may address this issue (see below).
> We recently were advised by SNS that they were out of date. On
> examination, we found that SCS was stopping WU. We had to set the slider
> to maximum and manually enable some operations (I don't have the exact
> information right at hand).
My understanding is that at least two factors are involved: (1) SCS uses
pRules to create program rules which determine which binaries to trust and
(2) processing delays occur when no matching program rule is found and the
default allow policy is invoked. Running a newer version of SCS may
influence both of these factors because (1) more pRules are included (thus
more programs automatically are recognized as trusted) and (2) improved
processing may decrease the delays introduced by following the
allow-by-default policy.
> I know that the WU site was just updated and that a new ActiveX control
> is (again) needed. Are the Berkeley firewall rules not permitting this?
> (Are we now approaching security noise floor?)
As a result of the preceding analysis, I see at least three possible options
to improve the situation:
(1) move to newer SCS releases as they become available: doing so attempts
to avoid the Catch-22 situation where an OS update changes a trusted binary
which SCS does not recognize, thus (in the default policy) possibly
preventing further OS updates from occurring. It also allows one to benefit
from any gains in processing efficiency that reduce the need for a
specific program rule to exist when using the allow-by-default policy.
(2) As time goes on following the installation of a given SCS release,
consider changing the default policy from "allow all unless denied" to
"deny unless allowed" via the SCS slider. This will become increasingly
likely to avoid the failure scenario as more and more OS components
and apps become patched and thus untrusted by the older SCS release. The
downside is having to manually deal with an alert on the occasion of
changing a trusted app or OS component that uses the network.
(3) Configure clients to use the local campus update service
(windowsupdate.berkeley.edu) and put this host into the trusted network
zone for SCS thus avoiding any processing of firewall rules for traffic to
or from that host.
--Karl
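The client-side half of option (3) above, as an added example that is not part of Karl's message or of any Berkeley or Symantec documentation: it points the Windows Automatic Updates client at the campus update server by setting the standard WUServer/WUStatusServer policy keys, then checks that the server is reachable through the firewall. Assumptions labelled in the code: that windowsupdate.berkeley.edu is a WSUS/SUS-style server answering on plain HTTP port 80 (the message only calls it "the local campus update service"), and that the SCS trusted-zone entry for that host has already been made in the SCS console, which this script does not touch.

```powershell
# Added example, not from the original message. Run as Administrator.
# ASSUMPTION: windowsupdate.berkeley.edu is a WSUS/SUS server on HTTP port 80.
# ASSUMPTION: the host has already been added to the SCS trusted network zone.
$UpdateServer = 'http://windowsupdate.berkeley.edu'

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# Create the policy keys if no WU policy has ever been applied to this box.
foreach ($k in $PolicyKey, $AuKey) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# Download from, and report status to, the campus server instead of Microsoft.
Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $UpdateServer -Type String
Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $UpdateServer -Type String

# Make Automatic Updates honour WUServer, keep AU enabled, and use
# AUOptions 4 = auto-download and schedule the install.
Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name AUOptions    -Value 4 -Type DWord

# Show what actually got written.
Get-ItemProperty -Path $PolicyKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $AuKey     | Select-Object UseWUServer, AUOptions, NoAutoUpdate

# Reachability check that works on every PowerShell version: open a raw TCP
# connection to port 80. If this fails while the host sits in the SCS
# trusted zone, the zone entry is wrong; if it succeeds but detection still
# stalls, the program rule for wuauclt.exe / svchost.exe is the next suspect.
$serverHost = ([Uri]$UpdateServer).Host
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($serverHost, 80)
    "TCP 80 to $serverHost : open"
} catch {
    "TCP 80 to $serverHost : blocked ($($_.Exception.Message))"
} finally {
    $tcp.Close()
}

# Restart the AU service so it re-reads the policy, then force a detection
# cycle against the new server (wuauclt /detectnow is the XP-era switch).
Restart-Service wuauserv
& "$env:SystemRoot\System32\wuauclt.exe" /detectnow
```

Once this has run, the client should contact only windowsupdate.berkeley.edu for detection and downloads, so the SCS rule processing that was delaying or blocking traffic to Microsoft's servers no longer matters for updates; the trusted-zone entry in SCS still has to be made separately.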
Received on Fri Sep 30 09:34:58 2005
This archive was generated by hypermail 2.1.8 : Fri Sep 30 2005 - 09:35:00 PDT