Firewall Wizards mailing list archives
Re: NIMDA, how to stop it
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 4 Jan 2002 17:38:05 -0500 (EST)
It's a pretty nasty and hard to control viri/worm, much more potents then what has been seen in the past. here's a pretty good link for solid info on it: http://www.europe.f-secure.com/v-descs/nimda.shtml The best way to defend against this nasty code, in our mind is: educating users about e-mail and teaching them to not just point and click on mails they are not sure of origination and contain attachments. anti-virus software not just on the servers, but each desktop also, keeping the virus signatures on the servers and desktops is a must. Patching IIS servers to prevent their infection, the patches had been available before this or code red and it's variants had been released, few folks took the patches seriously and thus the quick spread of these nasties as well as the vast number of machines that remain infected to this day. Of course, folks not using windows related products are less likely to face difficulties with these nasties, though others infected throughout the net can affect your companies bandwidth when such viri/worms are unleashed and start to spread as quickly as such code these days does... Being this worm has a diverse number of attack vectors, some comprising oten open ports via smtp and http, it has been extremely difficult to deal with via simple firewalling concepts. Proxies can help ome, but, not completely... Of course, others might have additional or better info, so, I could well stand corrected, and would appreciate any corrrections. Thanks, Ron DuFresne On Fri, 4 Jan 2002, Alan Young wrote:
speaking of NIMDA, as a general recommendation, what would you all recommend as an effecive firewall setup to stop NIMDA? Can I stop NIMDA with just a PIX? Or do I need some sort of other "virus firewall" in addition to our PIX? Please forgive my ignorance, I cant search the archives (the search function is broken) so I dont know if this has been asked before. I am sure I must be missing some fundamental firewall knowledge, I suppose there are some good books on this topic??? Alan Young-----Original Message----- From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com]On Behalf Of Behm, Jeffrey L. Sent: Thursday, January 03, 2002 3:05 PM To: firewall-wizards () nfr net Subject: RE: [fw-wiz] The Morris worm to Nimda, how little we've learned or gainedAt the very least, jobs should be on the line when companies arecompromised by codethat could have long been prevented by patching ofapplications and OS's,especially when those patches have been widely available and publicly announced. Even an arson victim faces penalties if theyhave violated I agree with your article as a whole, but take minor exception to the above paragraph. Is the job on the line if there are no or very little resources available to test the patches? I don't think you aren't suggesting blind application of all security related patches released from a given vendor, so how does one decide which are the "real" ones to apply, and which are the "ones we don't really need." It's the old adage of "apply patches and take a chance of breaking something" vs. "don't apply the patch until you are sure you need it" (but how are you "sure"?) I.E. Is my job on the line if I apply a patch and it causes more damage (due to my own corporate implementation) than the issue it was supposed to fix? I will give you that there are some patches that one should apply due to the severity of the consequences of not applying it (BIND, Sendmail, and others). My point is that if the company is not willing to provide the resources (time, hardware, people) needed to properly test the patch(es), the job should not be "on the line." A minor point, perhaps, but with the lack of skilled security admins, and unwillingness of companies to provide adequate resource to security infrastructure (including patch testing), I don't think all the blame lies on the ones that "should have known the patches needed to be applied." IMHO (and no flame nor offense intended!), Jeff Statements made are my personal opinion and in no way reflect the views of any company, corporation, or business.-----Original Message----- From: R. DuFresne [mailto:dufresne () sysinfo com] Sent: Thursday, January 03, 02 3:11 AM To: firewall-wizards () nfr net Subject: [fw-wiz] The Morris worm to Nimda, how little we'velearned orgained The Morris worm to Nimda how little we've learned or gained by: Ron DuFresne (c) 2001 2001 was a tumultuous year. Prior to the September 11 airline attacks on<snip> _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: The Morris worm to Nimda, how little we've learned o r gained Behm, Jeffrey L. (Jan 03)
- Re: The Morris worm to Nimda, how little we've learned o r gained Jon O . (Jan 04)
- Re: The Morris worm to Nimda, how little we've learned or gained William bradd (Jan 04)
- NIMDA, how to stop it Alan Young (Jan 04)
- Re: NIMDA, how to stop it R. DuFresne (Jan 04)
- Re: NIMDA, how to stop it Paul D. Robertson (Jan 04)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
- Re: NIMDA, how to stop it Christopher Lee (Jan 05)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 04)
- Re: NIMDA, how to stop it Ryan Russell (Jan 04)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
- Re: NIMDA, how to stop it Ryan Russell (Jan 06)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 06)
- Re: NIMDA, how to stop it Ryan Russell (Jan 07)
- Re: NIMDA, how to stop it R. DuFresne (Jan 04)