Firewall Wizards mailing list archives

Re: NIMDA, how to stop it


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 4 Jan 2002 17:38:05 -0500 (EST)


It's a pretty nasty and hard to control virus/worm, much more potent than
what has been seen in the past.

Here's a pretty good link for solid info on it:

http://www.europe.f-secure.com/v-descs/nimda.shtml

The best way to defend against this nasty code, in our mind, is:

Educating users about e-mail and teaching them not to just point and click
on mails whose origin they are not sure of and that contain attachments.

Anti-virus software not just on the servers, but on each desktop also;
keeping the virus signatures on the servers and desktops is a must.

Patching IIS servers to prevent their infection. The patches had been
available before this or Code Red and its variants had been released; few
folks took the patches seriously, and thus the quick spread of these
nasties as well as the vast number of machines that remain infected to
this day.


Of course, folks not using Windows-related products are less likely to
face difficulties with these nasties, though others infected throughout
the net can affect your company's bandwidth when such viruses/worms are
unleashed and start to spread as quickly as such code these days does...

Because this worm has a diverse number of attack vectors, some using
often-open ports via SMTP and HTTP, it has been extremely difficult to deal
with via simple firewalling concepts.  Proxies can help some, but not
completely...

Of course, others might have additional or better info, so I could well
stand corrected, and would appreciate any corrections.

Thanks,

Ron DuFresne


On Fri, 4 Jan 2002, Alan Young wrote:

Speaking of NIMDA, as a general recommendation, what would you all recommend
as an effective firewall setup to stop NIMDA?

Can I stop NIMDA with just a PIX? Or do I need some sort of other "virus
firewall" in addition to our PIX?

Please forgive my ignorance, I can't search the archives (the search function
is broken) so I don't know if this has been asked before.

I am sure I must be missing some fundamental firewall knowledge; I suppose
there are some good books on this topic???

Alan Young


-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Behm, Jeffrey L.
Sent: Thursday, January 03, 2002 3:05 PM
To: firewall-wizards () nfr net
Subject: RE: [fw-wiz] The Morris worm to Nimda, how little we've learned or gained


At the very least, jobs should be on the line when companies are
compromised by code that could have long been prevented by patching of
applications and OS's, especially when those patches have been widely
available and publicly announced.  Even an arson victim faces penalties if
they have violated

I agree with your article as a whole, but take minor exception to the
above paragraph.

Is the job on the line if there are no or very few resources available to
test the patches?
I don't think you are suggesting blind application of all security
related patches released from a given vendor, so how does one decide which
are the "real" ones to apply, and which are the "ones we don't really
need"?  It's the old adage of "apply patches and take a chance of breaking
something" vs. "don't apply the patch until you are sure you need it" (but
how are you "sure"?)

I.e., is my job on the line if I apply a patch and it causes more damage
(due to my own corporate implementation) than the issue it was supposed to
fix?

I will give you that there are some patches that one should apply due to
the severity of the consequences of not applying them (BIND, Sendmail, and
others).  My point is that if the company is not willing to provide the
resources (time, hardware, people) needed to properly test the patch(es),
the job should not be "on the line."

A minor point, perhaps, but with the lack of skilled security admins, and
the unwillingness of companies to provide adequate resources to security
infrastructure (including patch testing), I don't think all the blame lies
on the ones that "should have known the patches needed to be applied."

IMHO (and no flame nor offense intended!),
Jeff

Statements made are my personal opinion and in no way reflect the views of
any company, corporation, or business.

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Thursday, January 03, 02 3:11 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] The Morris worm to Nimda, how little we've learned or gained




                  The Morris worm to Nimda
             how little we've learned or gained


                                by:  Ron DuFresne
                                       (c) 2001




2001 was a tumultuous year.  Prior to the September 11 airline attacks on

<snip>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  sysinfo.com
                  http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

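The thread above names user education about attachments and desktop anti-virus as the main defences against this worm, and notes that a plain firewall cannot stop it because it rides on ports that are open anyway. The following is an added example, not code from any poster in this thread, of a minimal attachment-policy check a mail gateway could run before a message reaches a desktop. The blocklist, the helper names (`attachment_parts`, `risky_attachments`, `gateway_verdict`) and the two sample messages are constructed assumptions; the example goes beyond the posts in handling two cases they only imply: a filename extension that disagrees with the declared Content-Type, and an attachment buried inside a forwarded message/rfc822 part.

```python
import os
from email import message_from_string
from email.message import Message

# Constructed blocklist (an assumption for this example, not a real site policy):
# filename extensions a gateway would hold for inspection rather than deliver.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def attachment_parts(msg: Message):
    """Yield (filename, declared content type) for every leaf part that names a
    file, descending through nested multipart and message/rfc822 containers so a
    forwarded message cannot hide an attachment from the check."""
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        name = part.get_filename()
        if name:
            yield name.strip(), part.get_content_type().lower()


def risky_attachments(raw_message: str):
    """Return [(filename, content_type)] for attachments whose extension is blocked.
    The decision is made on the filename, not the Content-Type, because the sender
    controls both headers and can declare an executable as text/plain."""
    msg = message_from_string(raw_message)
    hits = []
    for name, ctype in attachment_parts(msg):
        ext = os.path.splitext(name.lower())[1]   # 'report.txt.exe' -> '.exe'
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, ctype))
    return hits


def gateway_verdict(raw_message: str) -> str:
    """'quarantine' if any blocked attachment is present, else 'deliver'."""
    return "quarantine" if risky_attachments(raw_message) else "deliver"


# Constructed sample: an executable declared as text/plain, nested inside a
# forwarded message. Nothing here is a real message; addresses use .invalid.
FORWARDED_WITH_EXE = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: FW: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="OUTER"

--OUTER
Content-Type: text/plain

Forwarding this, looks important.
--OUTER
Content-Type: message/rfc822

From: unknown@example.invalid
Subject: constructed inner message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="INNER"

--INNER
Content-Type: text/plain

Please open the attached report.
--INNER
Content-Type: text/plain; name="report.txt.exe"
Content-Disposition: attachment; filename="report.txt.exe"
Content-Transfer-Encoding: base64

TVo=
--INNER--
--OUTER--
"""

# Constructed sample: an ordinary document attachment that should pass.
PLAIN_PDF = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: constructed clean sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ONE"

--ONE
Content-Type: text/plain

Notes from today attached.
--ONE
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--ONE--
"""

if __name__ == "__main__":
    for label, sample in (("forwarded exe", FORWARDED_WITH_EXE), ("pdf", PLAIN_PDF)):
        print(label, gateway_verdict(sample), risky_attachments(sample))
```

Run stand-alone, the script reports the forwarded sample as `quarantine` with `[('report.txt.exe', 'text/plain')]` and the PDF sample as `deliver`. A check like this complements, rather than replaces, signature-based anti-virus on the desktop: it makes no judgement about the attachment's contents, only about what the user would be invited to point and click on.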

