echo: nthelp
to: Geo.
from: NL
date: 2004-02-06 02:45:38
subject: Re: Corporate variant (SUS) of Windows Update

From: Jan van Hoek (NL) 

>> machines that go out and in
>> are isolated from the unpatched network machines.

We followed a similar strategy for many years, but there is an end to all
good things (:-((

More and more we see that direct Internet connections are needed for normal
day-to-day business, even for our teller workstations. And it is virtually
impossible to isolate them from the rest of our network, because of the
fact that they need to communicate with various back office applications
(general ledger, data warehouse, etc.) continuously.

OTOH their Internet access is limited and they cannot e-mail from the front
office workstations. They only have access to a fixed list of trusted
websites, determined by the Proxy servers they need to pass to reach our
firewall and subsequently to get outside our walls.

I agree with everyone that it's a house of cards, but I don't know a better
solution. The back office workstations and servers are also considered
"inside", hence not every latest and greatest hotfix is applied
as a rule. Since their Internet access is less restricted, plus the fact that
they run Outlook for their e-mail etc., these can be potentially compromised.
That is where our anti-virus policy comes in, which is considered overly
strict and rigorous (I receive many complaints about unjustly blocked
attachments, etcetera).

Until now, we have been so lucky as to have not had a single virus incident
since Loveletter (May 2000). I knock on wood from time to time, and throw
salt over my shoulder on a weekly basis. Some luck is needed.

A spurious Myphotoz.zip attachment passed halfway through our defenses
just 2 weeks ago, proving again that a multi-layered approach (like we
have) is necessary. This variant of Dumaru.y (mind the "z" in the
filename) was not known in that form by all anti-virus products.

All in all, the inside/outside approach has worked for many years. I'm not
sure, however, that it will work next month, or even next week.
--
-- Jan van Hoek (NL)
-- Fri 6 Feb 2004 01:45 CET

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267
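The Myphotoz.zip incident above illustrates why a mail gateway needs a layer that does not depend on anti-virus signatures: a zip archive can be checked for executable content by extension and by file header before any scanner ever sees it. The following is an added example, not code from Jan van Hoek or from any product he mentions; the extension list, the "MZ" header check and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Extensions the gateway treats as executable regardless of AV verdict
# (assumed policy list for this example, not a complete one).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# DOS/PE executables start with the two bytes "MZ", whatever the file is named.
MZ_MAGIC = b"MZ"


def member_is_executable(name: str, head: bytes) -> bool:
    """Flag a member by name (catches double extensions like photo.jpg.scr)
    or by content (catches an executable renamed to .txt or .jpg)."""
    lower = name.lower()
    if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    return head.startswith(MZ_MAGIC)


def scan_zip_attachment(data: bytes) -> list[str]:
    """Return the names of members that look executable; an empty list means
    the archive passed this layer. A payload that is not a valid zip is
    reported as a finding too, since a broken ".zip" is itself suspicious."""
    findings: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Only the first two bytes are needed for the header check.
                with zf.open(info) as member:
                    head = member.read(2)
                if member_is_executable(info.filename, head):
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        findings.append("<not a valid zip archive>")
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct an in-memory zip from name -> content pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware): one harmless JPEG-like
# file, and one archive with a double-extension member plus a disguised
# executable whose content starts with the "MZ" header.
CLEAN_ZIP = build_sample_zip({"holiday1.jpg": b"\xff\xd8\xff" + b"\x00" * 16})
SUSPICIOUS_ZIP = build_sample_zip({
    "holiday2.jpg.scr": b"\x00" * 8,
    "readme.txt": b"MZ" + b"\x00" * 32,
})

if __name__ == "__main__":
    print("clean:", scan_zip_attachment(CLEAN_ZIP))
    print("suspicious:", scan_zip_attachment(SUSPICIOUS_ZIP))
```

A gateway check like this is deliberately dumb: it knows nothing about Dumaru or any other family, so a variant that no vendor has a signature for yet still gets stopped as long as it carries an executable. It is one layer among several, which is the point of the multi-layered approach described above.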

SOURCE: echomail via fidonet.ozzmosis.com
