[Courses] [Security] Trend VCS

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Mar 20 19:42:47 EST 2002


Heya --

Quoth jennyw (Wed, Mar 20, 2002 at 10:46:17AM -0800):
> Pretty impressive! Your company is lucky they have you! It's so nice to hear
> from someone with a clue. A lot of security people I talk to (granted,
> they're vendors or someone wanting to sell a product in addition to a
> service) are really technical, but they sometimes lack common sense.

	Heh.  Thank you.

	Beware of sales engineers.  There are some good ones out there,
but the majority of the ones that I've talked to don't truly understand
the products they're selling.  So if you ask them something that's
outside of their little pre-rehearsed speech, they have no idea what
you're talking about.  If this does happen to you when you're dealing
with a vendor representative, nicely ask if they could put you in touch
with a more technical engineer as well.

	That said, it's their job to get you to buy their product.  It's
yours (and mine) to decide whether the product is worth it.  And a good
representative from your vendor(s) is invaluable when you're a working
admin.  If you find a great clueful one, by all means hang on to them.
 
> They support Linux, but not Mac OS. Unfortunately, I don't think their
> global management solution (TVCS) can manage a Linux server. It doesn't
> matter much for us, though, since our OfficeScan servers will all run NT or
> W2k.

	Right.  It sounds like their particular agent will only run on NT
3.51 and up, but that their server can query other agents in the format
they expect, and get info from them too.
 
> It's in many ways lame, but for distributed sites like ours (where all
> clients are Windows), they're the vendor that sucks the least.

	[laughs]  I've had to make that choice a few times before, too.
"Okay, what's the least bad thing?"

> In concept, communicating over port 80 http is pretty good. It's a known
> protocol and you could potentially even write scripts to automate stuff
> through the interface. On the other hand, it's also plain text, which is
> bad. And it's running IIS which is worse (they admit that the IIS solution
> isn't good, so at least they're willing to change). Hence my desire to
> secure the connection using SSH or a VPN.

	Yeah, I tend to favor encrypted communications over plaintext
ones whenever possible, even in supposedly trusted LANs.  (I used to see
a lot of childish pokes at the company servers from inside.  However, I
find that an in-person visit immediately after the incident ensures that
the likelihood of a repeat incident is low.)

> Yeah, I want to block access from all but authorized computers, hence the use
> of the firewalls. And then encrypt those connections, too.

	It's a good idea in general to give static IP addresses to your
sysadmins' workstations, exclude those IPs from the DHCP pool, and then
lock all remote administration interfaces so that they'll only accept
communication from a restricted set of IPs.
 
> > That does sound like it uses https.  Check it out.
> 
> You'd think so, but no -- they invented something.

	Got to love it when "secure http" isn't http secure.  Gaah.

> Not only is this security algorithm not available for peer review,
> their own tech. support doesn't have access to it, or even have a
> basic overview of how it works.

	Not surprising.  From my own days in tech support, the
NOC/developers/engineers rarely keep tech-sup in the loop.  That's one
of the reasons I really try hard to make sure that I do let my customer
service people know what's going on.

Cheers,
Raven
 
"And then we release the killer bees, with dogs in their mouths!"
  -- ChrisJ, on "get away from my router" tactics
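The static-IP-plus-allowlist advice above (give sysadmin workstations static addresses, keep them out of the DHCP pool, and let the remote-administration interface answer only those addresses) is simple enough to check mechanically. The following is an added example written for this archive page, not code from the thread or from Trend Micro; every address, the DHCP pool, and the use of port 80 as the management port are constructed assumptions for illustration, and the rule lines are rendered as iptables-style text rather than applied.

```python
"""Model of the "static admin IPs outside the DHCP pool, default-deny on the
management port" advice from the thread.  Added example; all addresses and
ranges below are constructed, not taken from any real network."""
from ipaddress import ip_address, ip_network

# Constructed sample values (hypothetical).
DHCP_POOL = ip_network("10.0.1.0/24")           # leased to ordinary clients
ADMIN_WORKSTATIONS = [ip_address("10.0.0.10"),   # static sysadmin boxes
                      ip_address("10.0.0.11")]
MGMT_PORT = 80                                   # the web console discussed above


def pool_conflicts(admin_ips, dhcp_pool):
    """Return the admin addresses that fall inside the DHCP pool.

    A static admin address inside the pool can later be leased to an
    ordinary client, which would silently give that client a path to the
    management interface.  An empty list means the exclusion is in place.
    """
    return [ip for ip in admin_ips if ip in dhcp_pool]


def build_filter_rules(admin_ips, port):
    """Render a default-deny rule set for the management port.

    Output is iptables-style text only; nothing is executed here.  One
    ACCEPT line per admin workstation, then a DROP for everyone else.
    """
    rules = [f"-A INPUT -p tcp --dport {port} -s {ip} -j ACCEPT"
             for ip in admin_ips]
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


def is_allowed(src_ip, dst_port, admin_ips, port):
    """Decision the rule set above would take for one connection attempt.

    Only the management port is restricted; other ports are outside the
    scope of these rules and pass through unchanged.
    """
    if dst_port != port:
        return True
    return ip_address(src_ip) in set(admin_ips)


# Constructed connection attempts, e.g. pulled from a firewall log.
SAMPLE_ATTEMPTS = [
    ("10.0.0.10", 80),   # admin workstation -> console: allowed
    ("10.0.1.57", 80),   # DHCP client poking at the console: dropped
    ("10.0.1.57", 443),  # not the management port: not governed here
]


def audit(attempts, admin_ips, port):
    """Evaluate each (src, dst_port) attempt; returns (src, port, allowed)."""
    return [(src, dport, is_allowed(src, dport, admin_ips, port))
            for src, dport in attempts]


if __name__ == "__main__":
    conflicts = pool_conflicts(ADMIN_WORKSTATIONS, DHCP_POOL)
    print("admin IPs inside DHCP pool:", conflicts or "none")
    for line in build_filter_rules(ADMIN_WORKSTATIONS, MGMT_PORT):
        print(line)
    for src, dport, ok in audit(SAMPLE_ATTEMPTS, ADMIN_WORKSTATIONS, MGMT_PORT):
        print(f"{src}:{dport} -> {'ACCEPT' if ok else 'DROP'}")
```

Run `pool_conflicts` whenever the DHCP scope or the admin list changes; the allowlist only holds if the static addresses really are excluded from the pool, and that is the check people forget.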