...or perhaps my friend Gina's restaurant (which was named after the Pyare Square building).
http://www.jsonline.com/entree/cooking/feb05/303852.asp
pi r squared?
I think you may be thinking of the Pyare Square building in Madison:
http://raid.danenet.org/bcp/pyare.jpg
...and WI does not have lake effect snow.
Sorry, but we do have lake effect snow. I'd say that it isn't enough to brag about but it does happen.
I agree with your statement about the western edge of MI getting a lot of lake effect snow. Most of the time, the wind is blowing toward the east across the big lake (does that make it a Westerly wind?).
Plover, thank you for the kind words.
I/we never think that we are "impenetrable". We know that we can never be totally secure. We try to make it difficult for the most common worms and viruses (and malicious users) to do damage on our network.
Yes, there are ways to encrypt data to bypass detection by network-based security appliances. Thankfully there aren't many attacks that are that "elegant". The majority of the worms today are "dumb" in that they search willy-nilly for machines with port 135 or 445 exposed.
By securing the "low hanging fruit", we are reducing the likelihood that we will have a major virus outbreak. But we have not eliminated that risk.
-s
Because my admin knows the second he did this I'd find him and strangle him.
That's okay. We'll mail your last paycheck to the home address you have on-record in Human Resources.
How can they block the outgoing ports?
:^)
This is *extremely* easy to do. If I don't want you to connect to a certain site on TCP port 6667, I add a rule that denies connections that have a dst port of 6667. It's a piece of cake.
An easy way to do this for quite a lot of ports is to just block everything (every outbound port) and then open the holes that you need.
If your "worm" uses a totally random port (let's say 44332), it will be blocked. If the worm tries 44333, that is blocked too. If the worm tries 44334, that is also blocked. And so on.
If your response is "Oh yeah?!? I'll make my worm use port 80!", I'll find you there too. We have appliances filtering inbound and outbound port 80 traffic (at Layer 7) to find stuff like this. Also, connecting outbound on port 80 would subject you to our URL filtering policy. It would be funny (to me) if your worm tried to connect to a site that was banned by Websense.
I like the SSH work-around to connect to the proxy that is your egress from the corporate network. Very elegant.
You mentioned worms that encrypt their traffic. This traffic would be difficult to detect and block using Layer 7-aware appliances.
There is a similar trick to your SSH-workaround to get the Citrix client to work over port 80. Part of Citrix (nfuse?) can use port 80 and the traffic *looks* like HTTP. But it's really not HTTP and a proxy can break the Citrix connection. The solution is to tell Citrix to use a "secure" connection so that it sends the "HTTP CONNECT" command to the proxy. Then the proxy doesn't monkey with the Citrix traffic passing through. It's an ugly work-around but is needed because of the HTTP proxies at our perimeter. (You also need to tell your HTTP proxy that port 80 is okay for HTTPS traffic so that it will accept the HTTP CONNECT command on port 80).
Right, and what will happen with people running services that are blocked? That's right, they'll just start using the "magical" port 80 that lets people connect to it.
This actually makes it easier to detect the "rogue apps" trying to exit the corporate network. If everyone tries to use port 80, then I have to redirect only port 80 with WCCP. I run the port 80 traffic through various Layer 7 scrubbing appliances to pick off the stuff that we don't want to leave our network.
It's like shooting fish in a very small barrel.
Say "Hello" to my little friend WCCP.
http://www.cisco.com/en/US/tech/tk122/tk717/tsd_technology_support_protocol_home.html
*Everything* is working at Layer 7 these days: Juniper/Netscreen IDPs, Websense's Network Agent, Blue Coat and so on.
There are many good tools which can do "deep inspection" and take action.
Hell, you could do it with Snort if you wanted to invest the time.
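The port-80 scrubbing described above (real HTTP goes to the URL filter, non-HTTP traffic hiding behind port 80 gets picked off, and a CONNECT tunnel is only honoured for destination ports the proxy is told are okay, which is the Citrix fix from earlier in the thread) reduced to a small decision function. This is an added illustration, not code from anyone in this thread; the sample flows, host names and the non-HTTP byte strings are constructed.

```python
import re

# Constructed first-bytes of four outbound flows on TCP port 80 (not real captures).
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Citrix client told to use a "secure" connection: it opens the tunnel with CONNECT.
    "citrix_connect": (b"CONNECT citrix.example.com:80 HTTP/1.1\r\n"
                       b"Host: citrix.example.com:80\r\n\r\n"),
    # Stand-in for a client protocol that merely rides on port 80 (constructed, not real ICA framing).
    "citrix_raw": b"\x7f\x7f\x49\x43\x41\x00" + bytes(26),
    # A TLS ClientHello sent straight to port 80 with no CONNECT: encrypted, but not HTTP.
    "tls_on_80": b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x03" + bytes(21),
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}


def classify(first_bytes):
    """Return (verdict, detail) for the opening bytes of a port-80 flow."""
    m = REQUEST_LINE.match(first_bytes)
    if not m or m.group(1) not in METHODS:
        return ("non-http", None)          # HTTP by port number only: a rogue app candidate
    method, target = m.group(1), m.group(2).decode("ascii", "replace")
    if method == b"CONNECT":               # tunnel request: target is host:port
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, ""
        return ("connect-tunnel", (host, int(port) if port.isdigit() else None))
    return ("http", target)                # ordinary request: target is the URL path


def policy(first_bytes, ssl_ports=frozenset({443})):
    """Perimeter decision: block non-HTTP, tunnel CONNECT only to permitted ports,
    and hand genuine HTTP to the URL filter / content scrubber."""
    verdict, detail = classify(first_bytes)
    if verdict == "non-http":
        return "block"
    if verdict == "connect-tunnel":
        # The thread's Citrix fix is adding 80 to this set so CONNECT host:80 is accepted.
        return "tunnel" if detail[1] in ssl_ports else "block"
    return "inspect"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} {classify(data)[0]:15s} -> {policy(data)}")
```

With the default set the Citrix CONNECT to port 80 is blocked; passing `ssl_ports=frozenset({443, 80})` is the proxy change the thread describes.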
Egress filtering is evil. The first thing I do upon encountering it is erect a tunnel.
The first thing I do upon encountering people bypassing corporate security is to email their manager (cc'ing Human Resources).
Don't bother to unpack your stuff, you won't be here very long.
"Roommate, meet my friend, Mister Keylogger. Mister Keylogger, this is my dopey roommate."
I would like to see a worm that goes around and patches servers for a change. It can be done.
Something like this?
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
I'm willing to bet it will take exactly the same amount of time for someone to swim the Channel as it did previously.
but if you were swimming the route underwater, wouldn't the distance between England and France be shorter due to the curvature of the Earth? If you were 20 feet closer to the center of the Earth (meaning you are swimming 20 feet below the surface of the water), wouldn't that be a shorter trip than swimming at the surface?
I'm having trouble thinking of ANY other activities where you can be under ten meters of water.
So I take it that you've never hitched a ride home from a party in Chappaquiddick with Edward Kennedy?
Thank you for justifying the money we spend on Websense, Blue Coat and all of the other employee monitoring tools.
People just can't be trusted to police themselves at work.
-Scott
...in Hitler's butt?
:^)
http://www.imdb.com/title/tt0185431/
or perhaps just disconnect the ethernet cable
;^)
But..but..but I'm connected via FDDI. What does that mean for me? Am I doomed? Please tell me!
"you cannot turn a dodge into a mercedes just by changing the badge"
:^)
Actually, there is very little difference between the 2005 Toyota Solara V6 and one of the Lexus V6 beasties (I can't remember the exact model).
In this case, the badges are pretty much the only way to tell the cars apart.
It'd suck to be a Lexus owner and have someone ask you "How's that new Solara ride?"
but without software to run on that cluster, what's the point?
Software companies that have customers who demand 24 x 365 availability write the software that runs on OpenVMS. A few examples are listed below:
http://www.cerner.com/public/
http://www.idx.com/
http://www.hosp.misyshealthcare.com/Products/
http://www.epicsys.com/
True dat. VMS still rocks in healthcare, manufacturing, finance and a few other vertical markets.
All of those environments have strict requirements for availability. They can't tolerate the "Oh, the Windows server locked-up again. I'll reboot it in the middle of the day" mentality.
The only platform that I would put ahead of or above VMS is the NonStop stuff from Tandem (now also an HP product).
it cost him his soul
;^)
Are you sure that you aren't thinking of the Dread Pirate Roberts?
http://www.thisisawar.com/LaughterPB1.htm
I'll bet NPR has some of the most popular shows on radio
But NPR will always be playing second fiddle because it doesn't carry this:
http://www.coasttocoastam.com/
Another good reason to eliminate The Human Factor. Let the Robot Age begin!
;^)
I say we take it one step farther and eliminate the Human League!
But only if the Robot Age lets a person keep feeling fascination....