Re: Block Nimda Virus at the router level

From: Kevin Saling (kevin@SALING.COM)
Date: 09/21/01


Message-ID:  <NDBBLDEBGJCAGIPHBKFBEEFEDGAA.kevin@saling.com>
Date:         Fri, 21 Sep 2001 08:38:56 -0700
From: Kevin Saling <kevin@SALING.COM>
Subject:      Re: Block Nimda Virus at the router level
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Please check with your Cisco SE or contact Cisco TAC _before_ you attempt to
apply NBAR filtering techniques to your ingress routers. With the volume of
traffic I am seeing at my client sites, NBAR taxes the router CPUs heavily
and will likely result in an unstable router unless you have _serious_
horsepower.

I'm not going to speculate on minimum required horseys for your particular
router because there are too many variables. I will say that one client has
AT&T managed DS3s on 7200s. AT&T refuses to use NBAR to filter for worm
sigs on these routers given current traffic volume. I have escalated this
all the way up to the "product house" manager for the managed service and
they have proven to me beyond reasonable doubt that this will overtax the
router.

I have also spoken to an anonymous source at Cisco who claims that many of
his accounts have tried to use NBAR at the ingress point with varying levels
of success and side effects, but most are deciding it's too unstable.

Your readers would be wise to check with their Cisco contacts first!
...Kevin
