RE: Cisco CTR

["Michael Marziani" <marziani () oasis com>]

This solution is definitely suboptimal which I noted in the need for
increased administrative workload.  It could probably be semi-automated in a
number of ways yet still require a sysadmin to verify the updates to keep it
secure.

-Michael

> -----Original Message-----
> From: Gary Halleen [mailto:ghalleen () cisco com]
> Sent: Friday, November 07, 2003 12:44 PM
> To: 'Michael Marziani'; Rob Shein; 'Gary Flynn'
> Cc: 'Liran Chen'; focus-ids () securityfocus com
> Subject: RE: Cisco CTR
>
>
> In that case, though, you're using stagnant information.  How
> would this be
> kept accurate in an environment when users patch their computers,
> or when IP
> addresses change due to DHCP?
>
> Gary
>
>
> > -----Original Message-----
> > If this type of attack can succeed as I think it could, I
> > think a solution
> > would be for the IDS to keep a record of the patch levels of
> > every system in
> > the network and allow those patch levels to be updated only through an
> > administrative interface (requiring additional authentication
> > and of course
> > increasing the administrative workload).  Then the system
> > wouldn't be fooled
> > by this technique.
> >
> > -Michael


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------