Re: [fw-wiz] worm + VPN + firewall

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 08/17/03

  • Next message: Paul Matuszewski: "RE: [fw-wiz] MSBlast circumventing host firewall"
    To: Carric Dooley <carric@com2usa.com>
    Date: Sun, 17 Aug 2003 12:13:27 -0400 (EDT)
    
    

    On Sat, 16 Aug 2003, Carric Dooley wrote:

    > I have worked with a client that started getting RPC scans from their VPN
    > range the day the worm was released. Luckily they had patched most of
    > their systems.
    >
    > I agree that the VPN segment should be DMZ'd, but typically those users
    > have access to NetBIOS so they can map shares, etc. If you didn't patch,
    > you are hosed on this one. Lots of people didn't learn from Nimda.

    Even many that tried to patch got slammed here, as the tools to determine
    patch level and/or the success of application are not foolproof. But
    the biggest thing coming out from all the recent worms of the past 2
    years or so that have struck the Windows platforms is how messed up the
    whole patch process is in that realm! Slammer showed that a patched
    system could be made vulnerable again by simply installing new software,
    or that even other patches might put the system back into high risk. I'm
    just glad it's not my headache!

    Thanks,

    Ron DuFresne

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
