IP Addresses? (complete newbie question)

Well, I have a special situation when it comes to computers on the LAN. They have to be what we call secure trusted workstations (if there really is such a thing that is networked!) I can't go into much detail, let's just say they are used to process intelligence, and anything else is classified, so that's about all I can say. (Seriously).

I guess my stance on the MBSA was because I still had my blinders on :p

And really, I am sorry for the defensiveness...It's just been rough here the last few days, and I guess I was using your post to vent. Not that any of the points you made were not vaild.

Seriously though, If you have a better NetBIOS exploit example, I wouldn't mind seeing at least a synopsis of what, how, why it works. Always looking to learn somthing! :D

Quote:

---

Well, I have a special situation when it comes to computers on the LAN. They have to be what we call secure trusted workstations (if there really is such a thing that is networked!) I can't go into much detail, let's just say they are used to process intelligence, and anything else is classified, so that's about all I can say.

---

I am gonna call bullshit on this.

Windows is not approved (nor does it even have the tools) to process multi-level data, which means that all systems would have to be at the same level. This means that it pretty much doesn't matter what workstations you connect since there are no labels to be maintained. Not only that, but Windows' security policy is too anemic to prevent data from being exported beyond the system. (no "email", "print", or per object NIC access controls)

Additionally MBSA or some similar (TFM supporting) tool would be require to ensure that all systems are sufficiently current and configured correctly all from a central point.

Quote:

---

Seriously though, If you have a better NetBIOS exploit example, I wouldn't mind seeing at least a synopsis of what, how, why it works.

---

The specifics of a given exploit are not needed in this thread. Suffice to say, file sharing, like any service especially any superflous services merely increases the system's exposed surface, requiring greater effort on the system custodian to maintain the system in a secure manner.

A lot of users like to try and discuss very specific exploits and fixes, unfortunately this linear analysis doesn't address unknown vulnerabilities. People need to learn to look at security more thematically (removing unneeded services rather than patching them / place subjects in compartments rather than auditing the code)

cheers,

catch

Actually, catch, I never said that I was processing multi-level. The Windows system will only process at a single level, which means multiple systems...one for Unclassified, one for Confidential, one for Secret...they can only be used to process data at a single classification level i.e.: a seperate domain, SUS Server, AV Server, and physical network for Secret, the same for Unclassified.

They do have print and email. The ones that process data above Unclassified are also on a closed network for the very reasons that you describe. But when configured in this manner, they are (reasonably) secure trusted workstations.

The Unclassified systems have an internet connection via NIPRNet. We even have to seperate the premise wiring and devices that interconnect the systems so that there is no less than 6 ft of seperation between devices that process data at different levels, because of crosstalk and the possibility of bleeding Secret data over onto the Unclass net.

Now, we even have DoD approved wireless network cards that are certified to transmit encrypted data at Secret and below. Never thought I'd see the day...

Most likely, unless the architecture of the Windows OS gets a radical re-design of the kernel, it will never be certified for multi-level data processing. It simply cannot do this securely in its present state.

Quote:

---

People need to learn to look at security more thematically (removing unneeded services rather than patching them / place subjects in compartments rather than auditing the code)

---

I couldn't agree more...A lot of us (myself included at times) are guilty of that.

I think I'm beginning to like you...so persistant! :D
(pours catch a cold beer)

What can someone do if they know your postal address? :p Most of the possibilities for attack are men standing on giant's shoulders.

Quote:

---

What can someone do if they know your postal address?

---

2600 ran an article on this a few years back. The 'hacker' was able to get a credit bureau to update someone’s record with just a persons name and address. Then they applied for a card with a company who used this bureau. They got the card without raising any red flags and then began receiving pre-approved cards for the person in the mail.

Nice huh? Of course the article didn't mention how much information the USPS keeps track of or how to get below their radar.

As for the interesting MBSA discussion going on… MBSA is a nice tool. It does have 'bugs' just like any other software. Do not rely on it exclusively. In some instances it will list a patch as installed that is not and/or list a patch as not installed that is actually installed. Related to this something I've seen on servers is a discrepancy between Windows Update and MBSA one says patch X, Y, and Z are missing while the other might say patch X and Y are missing and patch Z is installed. Again this is a thankfully a rare occurrence so the extra analysis to determine which one is wrong (sometimes both) is not a huge time sink.

As for recommending Shields Up I stand by that recommendation. The user asking the original question indicated his/her n00b status. The information presented on that site is in an easy to understand USA today type format. It may not cover security in depth or offer DOD level security recommendations but it does go step by step with hand holding how to disable file and print sharing, unused services, close unused ports, get a free firewall etc. Almost everything an n00b needs to get started.

Quote:

---

Actually, catch, I never said that I was processing multi-level. The Windows system will only process at a single level, which means multiple systems...one for Unclassified, one for Confidential, one for Secret...they can only be used to process data at a single classification level i.e.: a seperate domain, SUS Server, AV Server, and physical network for Secret, the same for Unclassified.

---

Which is exactly my point. :-P Since the system cannot handle data at multiple levels, each system must be isolated on a same level network. This is a terrible solution for the simple fact that it does not take into consideration either sensitivity expiration or aggregation. (the idea that object is more sensitive than the sum of its parts) This architecture doesn't allow more sensitive objects to be supplemented with less sensitive objects and users cannot change their level of access without going to a different workstation. In fact... this architecture loses all the benefits of the B-L model.

While it is true that a few of these issues can be dealt with using a multi-level secure network processor, that does not effectively deal with all of the issues. Also, it stands to reason that if an organization were to use an MLS-NP that the same organization would have also selected a higher assurance workstation architecture.

Quote:

---

They do have print and email. The ones that process data above Unclassified are also on a closed network for the very reasons that you describe. But when configured in this manner, they are (reasonably) secure trusted workstations.

---

For such isolated systems I can't see much of an increased need for security at the workstation level. True it would be wise to supplement MBSA with the NSA's Windows configuration guidelines and it should be noted that these two are not mutually exclusive. The MBSA is useful for assuring that the workstation are configured correctly, especially with regard to functionality beyond the scope of the domain's security policy.

Even in such an environment, MBSA is one of the (if not the) best tools a Windows admin can use.

Quote:

---

Most likely, unless the architecture of the Windows OS gets a radical re-design of the kernel, it will never be certified for multi-level data processing. It simply cannot do this securely in its present state.

---

Well, when the system doesn't have ANY implementation of labels MLS is clearly not even a question. The Trusted Systems people did a paper on this about nine years ago. The architecture of the NT line has changed very little in this time and the MLS requirements have not changed at all, so the document is still fairly valid. It is attached.

cheers,

catch

edited to add:

Quote:

---

As for recommending Shields Up I stand by that recommendation. The user asking the original question indicated his/her n00b status. The information presented on that site is in an easy to understand USA today type format. It may not cover security in depth or offer DOD level security recommendations but it does go step by step with hand holding how to disable file and print sharing, unused services, close unused ports, get a free firewall etc. Almost everything an n00b needs to get started.

---

No one is suggesting that this user needs "DOD level security", I do think however that tools like ShieldsUp build bad habits. It's one thing to suggest that to someone just looking to secure their own computer, it is something completely different to suggest that to someone who seems to have an honest desire to learn about computer security.

Quote:

---

No one is suggesting that this user needs "DOD level security", I do think however that tools like ShieldsUp build bad habits. It's one thing to suggest that to someone just looking to secure their own computer, it is something completely different to suggest that to someone who seems to have an honest desire to learn about computer security.

---

I agree. But I also see merit in recommending ShieldsUp! to a noob, you just have to do it right. It's a good starting point (it's where I started), but you should understand on the front end that so much of what Gibson spouts is grade A crap (which I didn't know when I started), and should only use GRC as a stepping stone to higher (and more consistently correct) learning sources.