[AusNOG] Fw: important

Rhys Hanrahan rhys at nexusone.com.au
Fri Oct 2 21:45:19 EST 2015


Yeah, I totally agree with those points. And for those customers we manage internal IT for, we try and implement a number of strategies. But depending on the size of the customer, or if they have their own IT of varying levels of competence, sometimes it’s not possible.

This in particular is why I thought it might be an idea to post on AusNOG (which I know for a lot of people would deem border-line off-topic), because this is NOT a scenario of a single enterprise/corporate network. That would be clear-cut not for AusNOG, IMO, and I guess that’s probably what a lot of people have assumed I’m posting about – I guess I should have been clearer about that.

But it’s because we’re dealing with a classic ISP style situation where we don’t have control over the end user’s network, but are trying to provide them the best experience possible that we reasonably can, without controlling all of their internal IT.

And I figure a number of network operators on this list in particular (depending on their product set, size, etc) would be facing a similar situation.

So I agree with all your points, but for all of those (well I’m sure there’s still more to look at) we’ve already worked to try and solve the problem from that fundamental angle, where it’s possible to do so. There’s, unfortunately, still customers we can’t really approach it like that with. So we’re now looking to try and work on solving this particular angle as well.

On another note, thanks to everyone for their suggestions. I’ve got a few options to start looking over! Hopefully this has been useful for others as well.

Hope everyone has a great weekend.


From: Mister Pink [mailto:misterpink at gmail.com]
Sent: Friday, 2 October 2015 4:31 PM
To: Rhys Hanrahan <rhys at nexusone.com.au>
Cc: Noel Butler <noel.butler at ausics.net>; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Fw: important

The thing with a lot of modern malware is that it often goes through a crypter before it gets sent out, which means that it's not uncommon for every single sample in a given campaign to be completely unique - this is why people have been bemoaning the fact that signature based AV has been broken for years.

Ironport is for stopping spam, it can look for known malware whilst it's at it but this relies upon signatures (see above).  There are some pretty good cloud based as a service offerings for Spam/Malware filtering but email is just one vector of attack, as has been mentioned.  Users are used to clicking on dropbox links etc and downloading files all day long, even more so if you block all zip files on your mail server.

Everyone has a laptop and a smartphone these days, so if you stop them doing something on the corp gateway, they will often tether their phone, grab what they want and drop back on the corp network minutes later.

You need defence in depth, you need ongoing security awareness training (Schools not prisons), you still need good backups, you should be thinking about next gen firewalls, you still need traditional AV, and you might want to consider app whitelisting (Esp for problem users or vulnerable vectors like HR opening resumes all day).

There are a bunch of cool things on the market that can also solve some of these problems from Sandboxing to MicroVM's etc but they can be costly so I think you need to address the fundamentals first.

On 2 October 2015 at 12:36, Rhys Hanrahan <rhys at nexusone.com.au> wrote:
Hi Noel,

Personally, I agree with your opinion, and typically have stayed away from these solutions over the years for exactly this reason. However, over the last few months things seem to have worsened to the point where we need to try something different.

We've been running a typical postfix+rbls+spamassassin+clamav+lots of other bits for about the last 5 years, with me running the same setup personally, prior to that. And over the years, aside from some performance tweaks to get more throughput on Amavis, it's done fine. There's always been stuff it's missed, but like people have said, there's no silver bullet.

The problem is that the amount of stuff it seems to miss has gone up by a fair amount for us in recent times - not just with the crypto stuff, but with general junk that comes through.

I'm not going to extend this thread to "how do I fix our setup", because that's way outside the scope of the list, but I'll just say that I've already looked at improving the config in several ways and I feel like I've taken the setup as far as I can take it in terms of tweaks to reasonably improve its accuracy.

I know they're probably running the same or similar setup under the hood of any appliance, but the thing is, if they're going to provide me 24x7x365 signature updates that they manage, which can stay on top of outbreaks, then to me that's worth paying for.

Hopefully I manage to find something that doesn't end up falling over. :-)

Rhys.

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Noel Butler
Sent: Friday, 2 October 2015 10:07 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Fw: important

nearly missed this, found it in Junk because you replied direct, please reply to list only

On 01/10/2015 17:10, Brad Peczka wrote:
> Google will also show me examples of the aliens that landed at
> Roswell, if I look hard enough. Doesn't mean it's real! :-)
>

That may be so, but the nightmares of ironport are well realised by those with a clue, including those that run networks large enough to make telstra look like a ma 'n pa part time vISP


> Ironport ESAs are a solid product, as evidenced through their use in
> Australia by iiNet, Micron21, and many others in both the ISP and

and I (and assume others) recall a number of problems with mail and iinet in recent times because of ironport

Like I said YMMV, but most are shying away from these things, well, those that care do :)

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog