Re: Custom UCB Symantec Anti-virus? - the meaning of 'custom'?

From: Bruce Satow <satow_at_ssl.berkeley.edu>
Date: Fri, 14 Dec 2007 12:16:24 -0800

I think everyone at SNS does a great job in providing system and network
security on campus. No complaints here. Everyone is doing their best
to make the campus a safer place to work.

I agree that the virus definition files are updated and not the product
version itself, however it is not difficult to configure SAV to
automatically update from Symantec on a user defined schedule.
Occasionally we do run into computers which have LiveUpdate failures,
and when we do, we uninstall the old version, do an offline virus scan
on the computer, a spyware scan, and a registry check, then install the
newer version. (Obviously there is more that is specifically done to
those computers - that's just in general).

To me the selling point of the 'custom' version is not increased
security but rather outsourcing the responsibility of maintaining SAV
and SCS to campus for convenience and centralized control and
monitoring. I have nothing against this.

What I am against is forcing the lack of choice through inconvenience
and difficulties just to push an agenda. The option for system
administrators to provide our own methods of installations and updates
is gratefully welcomed and I believe shouldn't be discouraged or its
availability made more difficult, but rather the 'custom' version
indicated as preferred and encouraged.

It should be mentioned that even managed machines have had past failures
during updates and patches. There were some issues patching and
upgrading May 2006 managed machines due to msiexec and vpremote.dat
problems. This resulted in sysadmins having to manually uninstall the old
version and install the new version - anyway. I believe that the
choice of using the non-managed version available in May 2006 was what
prevented exploitation on an even wider scale.

Allison Henry wrote:
> A few comments on some specific issues,
>
> Bruce Satow wrote:
>
>
>> However, to make things clear, the unmanaged version of the SAV is
>> easily configured to automatically update software from Symantec
>> directly. Automatic updates and downloads can be set on a daily basis
>> and at whatever time of day the user wishes.
>>
>
> No, this is incorrect. Only the virus definition files are updated, not
> the product itself. The security fixes necessary to correct bugs in the
> software are only available through updates to the product itself
> (maintenance releases and maintenance patches), which must be pushed out
> using software management tools or through visiting each machine.
>
> Also, you should be aware that some clients have problems running
> LiveUpdate; we have observed a small but significant failure rate so if
> you don't have a manager you should have a system for spot-checking
> LiveUpdate success, at least for key systems.
>
>
>> Extracting SAV from the SCS Admin CD is easily done. It is not a lot of
>> work. However, downloading the entire CD from campus is time consuming.
>>
>
> SNS does more than extract SAV from the admin CD, we repackage the
> installer using NSIS in order to turn a folder full of installation
> files into a single executable, then add all the items to
> software-central along with appropriate labeling and documentation. It
> is time consuming, especially with the many flavors of SAV now
> available: SAV 10.1, SAV 10.1 x64, SAV 10.2, SAV 10.2 x64.
>
> That said, if there is significant demand to justify the extra work on
> the part of SNS, we can extract the raw directories from the admin CD
> and provide them as separate downloads.
>
>
>> Regardless of whether one encourages departments and individuals to use
>> the 'Custom' version or not, this should not mean that the download
>> availability of either one should be made more difficult than another.
>>
>
> I believe SNS should focus our resources on maintaining custom
> installers in a configuration we believe is most secure based on our IT
> security experience and expert knowledge of the product. For those
> administrators who feel their security needs are best met by alternate
> configurations, by all means download the admin CD and provide your own
> installer to your clients. But providing your own service is going to
> involve more work than using one developed by others.
>
>
>> Defense in depth would not allow a single point of failure due to
>> software bugs and vulnerabilities. If everyone were forced to use the
>> same managed version in May 2006, there would be much more damage and
>>
>
> Our "UCB custom" software blocks access to the Symantec management port
> to all IPs except our management server. This custom configuration would
> have protected users from exploit of this vulnerability, and we would
> have been able to warn system administrators specifically which machines
> were vulnerable before the exploits hit the network, which was months
> after the vulnerability was announced.
>
> Allison Henry
> System and Network Security
> University of California, Berkeley
> http://security.berkeley.edu
>

-- 
Bruce Satow
Space Physics Research Group
Space Sciences Laboratory
University of California
Berkeley, California 94720-7450
(510) 643-2348
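The spot-check that the quoted reply recommends for unmanaged clients, as an added example that is not part of the original thread: it reports each host separately on definition age, product build and last LiveUpdate result, so a machine whose definitions are current but whose product is below a patched baseline still shows up. Host names, build numbers and the baseline table are constructed placeholders, not Symantec's release numbers.

```python
from datetime import date

# Constructed inventory of unmanaged SAV clients (hypothetical hosts and
# values). Each record: hostname, installed product version, definition
# file date, and the result of the last LiveUpdate run logged on the client.
INVENTORY = [
    {"host": "lab-ws01", "version": "10.1.5.5010", "defs": date(2007, 12, 13), "liveupdate_ok": True},
    {"host": "lab-ws02", "version": "10.1.4.4000", "defs": date(2007, 12, 14), "liveupdate_ok": True},
    {"host": "lab-ws03", "version": "10.2.1.1000", "defs": date(2007, 11, 20), "liveupdate_ok": False},
    {"host": "lab-ws04", "version": "10.2.1.1000", "defs": date(2007, 12, 14), "liveupdate_ok": True},
]

# Minimum patched build per product branch (SAV 10.1 / SAV 10.2). These are
# placeholders, not real Symantec maintenance-release numbers.
BASELINE = {"10.1": "10.1.5.5010", "10.2": "10.2.1.1000"}
MAX_DEF_AGE_DAYS = 3
REPORT_DATE = date(2007, 12, 14)  # constructed "today" for the report


def parse_version(v):
    """Turn '10.1.5.5010' into a tuple of ints so builds compare numerically."""
    return tuple(int(p) for p in v.split("."))


def spot_check(inventory, today, baseline=BASELINE, max_age=MAX_DEF_AGE_DAYS):
    """Return {host: [findings]} for hosts that need attention.

    Definitions and product level are checked independently: a successful
    LiveUpdate only shows the definitions are current, not that the product
    itself carries the maintenance patches.
    """
    findings = {}
    for rec in inventory:
        issues = []
        branch = ".".join(rec["version"].split(".")[:2])
        required = baseline.get(branch)
        if required is None:
            issues.append("unknown product branch %s" % branch)
        elif parse_version(rec["version"]) < parse_version(required):
            issues.append("product %s below baseline %s" % (rec["version"], required))
        age = (today - rec["defs"]).days
        if age > max_age:
            issues.append("definitions %d days old" % age)
        if not rec["liveupdate_ok"]:
            issues.append("last LiveUpdate failed")
        if issues:
            findings[rec["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in spot_check(INVENTORY, REPORT_DATE).items():
        print(host, "->", "; ".join(issues))
```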

Received on Fri Dec 14 2007 - 12:16:44 PST
