Monday, August 27, 2007

Sophos Vulns

I saw this at an internal website (internal to my work):

Two vulnerabilities in Sophos’ anti-virus software for Microsoft Windows and Unix/Linux will allow an attacker to remotely inject arbitrary code and also produce a Denial of Service (DoS) attack. Any version prior to 2.48.0 is affected. Please follow the links below for remediation.
http://www.heise-security.co.uk/news/94954
http://www.frsirt.com/english/advisories/2007/2972
http://www.sophos.com/support/knowledgebase/article/28407.html


This reminds me that the FAA is running Sophos AV clients on both their Windows and *nix IDSs...it's stupid to even run AV on a machine that is dedicated to IDS, but I thought about them nonetheless...heh.

Edited on 8/28/2007:

I wanted to elaborate on my comments.

There are several reasons why you shouldn't run AV on security devices:

1. The AV solution may have zero-day vulnerabilities. Sure, you can block off all attempts against the management interface of the IDS device, but why even set yourself up to a possible compromise of a critical piece of architecture?

2. AV (and firewall...yes, both installed on an IDS in the FAA's case...I'm not BSing) solutions usually demand quite a bit of system resources. IDSs usually demand major system resources also. The two will eventually bump heads, unless the IDS is seeing no traffic (which, IMO, means that the IDS is worthless or may need its sniffing interface to be placed at a more critical location).

3. Just because NIST recommends a certain security posture doesn't mean that their recommendations should be applied blindly (yes, I'm talking about the FAA). I'm also aware that the Department of Transportation (which FAA falls under) demands this ridiculous requirement. Managers should question anything that isn't apparent in guidelines from higher headquarters...to not do so is to admit that you are a follower and not a 'do-er'.

I say these comments because I worked with the FAA for a while and certainly didn't like their way of thinking, but I worked there (as a contractor, which didn't help my situation much) and just took what was dished to me. After several years of wondering if I should've voiced my opinion more strongly before leaving their organization, I'd have maybe actually taught their management and DOT's management some things about REAL security and how their security professionals SHOULD operate. All I can say now is that I now know (and experienced) what NOT to do, especially as a security professional.

Bud, if you're reading this, know that I'm in a far better place and while I wish my friends still working there well, I do know that I will never ever be the type of person that puts up with sub-par management and sub-par decision-making. I'm certainly working in a better place, but I'd like to thank you for making me a better person...you did make me better at knowing idiots when I see them. IDSs and firewalls on IDS devices...hahahaha!
