Re: Custom UCB Symantec Anti-virus? - the meaning of 'custom'?

From: Allison Henry <akhenry_at_berkeley.edu>
Date: Thu, 13 Dec 2007 17:23:05 -0800

A few comments on some specific issues:

Bruce Satow wrote:

> However, to make things clear, the unmanaged version of the SAV is
> easily configured to automatically update software from Symantec
> directly. Automatic updates and downloads can be set on a daily basis
> and at whatever time of day the user wishes.

No, this is incorrect. Only the virus definition files are updated, not
the product itself. The security fixes necessary to correct bugs in the
software are only available through updates to the product itself
(maintenance releases and maintenance patches), which must be pushed out
using software management tools or through visiting each machine.

Also, you should be aware that some clients have problems running
LiveUpdate; we have observed a small but significant failure rate so if
you don't have a manager you should have a system for spot-checking
LiveUpdate success, at least for key systems.

> Extracting SAV from the SCS Admin CD is easily done. It is not a lot of
> work. However, downloading the entire CD from campus is time consuming.

SNS does more than extract SAV from the admin CD, we repackage the
installer using NSIS in order to turn a folder full of installation
files into a single executable, then add all the items to
software-central along with appropriate labeling and documentation. It
is time consuming, especially with the many flavors of SAV now
available: SAV 10.1, SAV 10.1 x64, SAV 10.2, SAV 10.2 x64.

That said, if there is significant demand to justify the extra work on
the part of SNS, we can extract the raw directories from the admin CD
and provide them as separate downloads.

> Regardless of whether one encourages departments and individuals to use
> the 'Custom' version or not, this should not mean that the download
> availability of either one should be made more difficult than another.

I believe SNS should focus our resources on maintaining custom
installers in a configuration we believe is most secure based on our IT
security experience and expert knowledge of the product. For those
administrators who feel their security needs are best met by alternate
configurations, by all means download the admin CD and provide your own
installer to your clients. But providing your own service is going to
involve more work than using one developed by others.

> Defense in depth would not allow a single point of failure due to
> software bugs and vulnerabilities. If everyone were forced to use the
> same managed version in May 2006, there would be much more damage and

Our "UCB custom" software blocks access to the Symantec management port
from all IPs except our management server. This custom configuration would
have protected users from exploit of this vulnerability, and we would
have been able to warn system administrators specifically which machines
were vulnerable before the exploits hit the network, which was months
after the vulnerability was announced.

Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley.edu
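The management-port allowlist described in the message above is only useful if it is actually in force on every client, so a spot check from the network side is worth having. The following is an added example, not code from the original post and not SNS or Symantec tooling. It assumes the management port is TCP 2967 (the Rtvscan listener on SAV 10.x; treat that as an assumption and adjust for your version), and the host list is a constructed sample, not a real inventory. Run it from a machine that is NOT the management server: any host reported EXPOSED accepted a connection it should have refused. Run it from the management server with --from-mgmt and UNREACHABLE means the rule is also blocking the manager itself.

```python
"""Spot-check that the Symantec management port answers only to the
management server.  Added example; not SNS/UCB or Symantec code.

Assumptions (labelled):
  * MGMT_PORT 2967 is the SAV 10.x management (Rtvscan) listener;
  * HOSTS is a constructed sample inventory, not a real campus list.
"""
import socket

MGMT_PORT = 2967  # assumption: SAV 10.x management listener

# Constructed sample inventory (documentation addresses), illustration only.
HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def port_open(host: str, port: int = MGMT_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    A completed handshake from a non-management vantage point means the
    per-host allowlist is not in force on that host.  A refusal or a
    timeout both count as 'blocked', which is the expected result.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts, vantage_is_mgmt: bool, port: int = MGMT_PORT) -> dict:
    """Probe every host; return {host: 'ok' | 'EXPOSED' | 'UNREACHABLE'}.

    From the management server, 'ok' means the port answered (the manager
    can still reach the client).  From anywhere else, 'ok' means the port
    did NOT answer, i.e. the allowlist held.
    """
    report = {}
    for host in hosts:
        reachable = port_open(host, port)
        if vantage_is_mgmt:
            report[host] = "ok" if reachable else "UNREACHABLE"
        else:
            report[host] = "EXPOSED" if reachable else "ok"
    return report


def exposed_hosts(report: dict) -> list:
    """Hosts that accepted a management-port connection from the wrong vantage."""
    return sorted(h for h, status in report.items() if status == "EXPOSED")


if __name__ == "__main__":
    import sys

    from_mgmt = "--from-mgmt" in sys.argv
    result = audit(HOSTS, vantage_is_mgmt=from_mgmt)
    for host, status in sorted(result.items()):
        print(f"{host:16} {status}")
    # Non-zero exit when run off the manager and anything is exposed,
    # so the check can sit in a scheduled job.
    if not from_mgmt and exposed_hosts(result):
        sys.exit(1)
```

The probe only tells you whether the port answers, not whether the client is patched; it complements, rather than replaces, pushing the maintenance release. On Windows XP SP2 clients the rule itself can be expressed as a Windows Firewall port opening scoped to the manager's address, for example `netsh firewall add portopening protocol=TCP port=2967 name=SAVmgmt scope=CUSTOM addresses=<manager IP>`; that command line and the port number are assumptions to verify against your own Windows and SAV versions.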

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Received on Thu Dec 13 2007 - 17:23:27 PST

This archive was generated by hypermail 2.2.0 : Thu Dec 13 2007 - 17:23:27 PST