Re: reports of DCOM worm on the loose...Report #4
From: Brian S. Bergin (ntbugtraq.1_at_TERABYTE.NET)
Date: 08/13/03
- Previous message: Gavin Haslett: "MS03-026 Update Problems?"
- Maybe in reply to: Russ: "Re: reports of DCOM worm on the loose...Report #4"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 13 Aug 2003 15:39:57 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I've been asked by Russ to respond to my post as some were, as Russ put it,
"kinda irate" about my post regarding the need for properly configured
firewalls. While I would never state that patches are not important,
patches, IMHO, without properly configured firewalls and internal security
are all but useless.
To be clear, my definition of a properly configured firewall is: you NEVER
allow traffic into or out of your network that is not absolutely necessary
to doing business. If you need TFTP, for example to upload ACLs to
routers/firewalls, you configure your routers & firewalls to ONLY allow
TFTP connections from one system. That's one IP static address, otherwise
you make changes from the console via serial cable physically connected to
the device (that of course has physical security like in a locked
room). Outbound traffic must be just as controlled as inbound. If your
employees are allowed to check mail and browse the Internet, for example,
that's perhaps 4 ports (80, 443, 25, 110, and perhaps DNS if you don't run
it internally, and better yet bring mail in-house, put an AV server up as
your MX server and make them send/receive mail internally which reduces the
outbound ports to 2 for general users). Why are those general users who
are allowed to browse the Internet allowed to hit TFTP servers or probe
port 135 outside the LAN and spread worms like this? Is there a pressing
corporate need? I doubt it and even if there is, you can put ACLs in place
to limit exactly which users have access to non-typical ports. Blanket
"let 'em at it" approaches to firewalling do NOT produce properly
configured firewalls.
My point is that both defenses are critically important and one without the
other is almost as bad as none at all. The very limited discussion of
proper firewall techniques on this list would lead some to believe that
this list's members believe patches are the end all to security. If
patches were so great at securing systems, there would be no PIX,
Checkpoint, or Linksys products. We'd all just hang out there on public
IPs and patch when a new one was released.
I wasn't looking to make anyone "irate", only to point out that if everyone
were running a firewall at work AND at home, even a $50 Linksys, how many
of these non-e-mail worms would spread? Even XP's native ICF would have
PREVENTED the spread to any machine at home if someone were fool enough to
hook up to the Internet with an XP box without a Linksys-type firewall or
ICF at home. Wouldn't ZoneAlarm have also caught this (and it's free for
home use and dirt cheap for others)? If we can teach people to do both,
apply patches AND use firewalls with well thought out inbound AND outbound
ACLs, the world will be a much safer place. If we teach them how to patch
but fail to tell them to prevent outbound NetBIOS ports, TFTP, etc... if
they miss a patch or it takes a day or 2 for one to get developed that
person could infect thousands.
For mobile users, actually every user, in your company, IMHO, they should
be financially responsible if they infect your LAN, but only after you take
steps to make things as tight as possible. You make them sign a contract
that says if they don't follow corporate usage policies at ALL times, and
those policies state you must use a firewall, they will be 1) fired, and 2)
billed for the damage done by their indiscretions. If a user downloads
porn at any US Fortune 1000 company, they are going to be fired, probably
on the spot, for fear the company could get sued and lose millions of $ in
a sexual harassment lawsuit. How much $ did Slammer and yesterday's fiasco
cost companies? For some, far more than an offensive image might in a
courtroom. Make users responsible for EVERYTHING they do on the
Internet. Porn. Viruses. Worms. Corporate secrets. Everything. Period.
Enforce it one or two times and no one will
ever break the rules again. After all, the corporation OWNS the PCs and
the networks and courts have ruled time and time again that the corporation
may set rules and enforce those rules on how corporate property is used.
Anyway, we gotta have both, as one without the other is useless. But that
means a respected, highly read list like NTBugTraq has to talk about well
rounded security, not just 'get this patch, get that patch' and 'bash MS'
and 'bash AV vendors'. We should be bashing ourselves. The patch has been
out there for "weeeeeekkkkssss" as one list member put it to me privately
and simple inbound and outbound ACLs would have limited its spread as some
ISPs showed they could do yesterday - show me just one company that needs
TFTP open to every employee on their LAN and out to the public Internet and
I'll drop my assertion that properly configured firewalls would have helped
prevent the spread yesterday from subnet to subnet inside a large company
or to the rest of the world from a smaller one.
Yet another list member replied to me directly with what I thought was an
excellent analysis of the problem stating, "but of course we don't
[referring to properly configured firewalls]. Practically NOBODY has a
properly let alone common-sense configured firewall. It's all "default
allow"..."
I stand by my assertions, but I'm done defending them. Protect yourselves
as you see fit...
Sincerely,
Terabyte Computers, Inc.
Brian S. Bergin
President
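The "properly configured firewall" the post describes, as an added example that is not part of the original message: an ordered ACL with a default-deny policy, an evaluator that runs the flows the post names through it (a user box probing 135/tcp, a user box fetching over TFTP on udp/69, the single admin host that is allowed TFTP), and a renderer that turns the same policy into iptables commands for a Linux gateway. The 10.0.0.0/24 LAN, the host addresses, the interface names and the sample flows are all assumptions constructed for illustration.

```python
"""Default-deny firewall policy as an ordered ACL (added example; the
addresses, interface names and sample flows are assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


# Assumed addresses for the example network.
LAN = "10.0.0.0/24"
ANY = "0.0.0.0/0"
ADMIN_HOST = "10.0.0.5/32"     # the one static IP allowed to push ACLs via TFTP
MAIL_RELAY = "10.0.0.10/32"    # in-house AV/MX relay; users never speak SMTP outbound
DNS_RESOLVER = "10.0.0.53/32"  # internal resolver; only it queries the outside

POLICY = [
    # General users: web browsing only (mail is relayed in-house).
    Rule("allow", "out", "tcp", LAN, ANY, 80),
    Rule("allow", "out", "tcp", LAN, ANY, 443),
    # Mail and DNS leave only via the dedicated servers.
    Rule("allow", "out", "tcp", MAIL_RELAY, ANY, 25),
    Rule("allow", "out", "udp", DNS_RESOLVER, ANY, 53),
    # TFTP (udp/69) to routers/firewalls from exactly one host.
    Rule("allow", "out", "udp", ADMIN_HOST, ANY, 69),
    # Inbound: only SMTP to the relay. No 135/tcp, no NetBIOS, nothing else.
    Rule("allow", "in", "tcp", ANY, MAIL_RELAY, 25),
]


def _match(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.proto in ("any", flow.proto)
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.dport in (None, flow.dport))


def evaluate(policy, flow: Flow, default: str = "deny") -> str:
    """First-match evaluation. `default` decides unmatched traffic: "deny"
    is the properly configured firewall, "allow" is the "let 'em at it" box."""
    for rule in policy:
        if _match(rule, flow):
            return rule.action
    return default


def render_iptables(policy) -> list:
    """Render the allow rules as iptables FORWARD-chain commands for a Linux
    gateway (assumed eth0 = Internet, eth1 = LAN). Replies to permitted
    connections come back through the conntrack rule, everything else drops."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in policy:
        if r.action != "allow":
            continue
        in_if, out_if = ("eth1", "eth0") if r.direction == "out" else ("eth0", "eth1")
        proto = "" if r.proto == "any" else f" -p {r.proto}"
        dport = "" if r.dport is None else f" --dport {r.dport}"
        lines.append(f"iptables -A FORWARD -i {in_if} -o {out_if}{proto}"
                     f" -s {r.src} -d {r.dst}{dport} -j ACCEPT")
    return lines


# Constructed sample flows: the worm traffic the post names, plus the
# legitimate traffic the policy is meant to keep working.
WORKSTATION = "10.0.0.77"
OUTSIDE = "198.51.100.20"
SAMPLE_FLOWS = {
    "user_http":       Flow("out", "tcp", WORKSTATION, OUTSIDE, 80),
    "worm_dcom_probe": Flow("out", "tcp", WORKSTATION, OUTSIDE, 135),  # DCOM RPC probe
    "worm_tftp_fetch": Flow("out", "udp", WORKSTATION, OUTSIDE, 69),   # TFTP from a user box
    "admin_tftp":      Flow("out", "udp", "10.0.0.5", OUTSIDE, 69),    # the one permitted host
    "inbound_dcom":    Flow("in", "tcp", OUTSIDE, WORKSTATION, 135),   # outside hitting 135
    "inbound_smtp":    Flow("in", "tcp", OUTSIDE, "10.0.0.10", 25),
}


def decisions(default: str = "deny") -> dict:
    """Verdict for every sample flow under the given default policy."""
    return {name: evaluate(POLICY, flow, default) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16} default-deny  -> {verdict}")
    for name, verdict in decisions("allow").items():
        print(f"{name:16} default-allow -> {verdict}")
    print("\n".join(render_iptables(POLICY)))
```

Running `decisions()` shows the two verdicts that matter for the post's argument: with a default of deny, the workstation's 135/tcp probe and its TFTP fetch are dropped while the admin host's TFTP and ordinary web traffic pass; running `decisions("allow")` over the very same allow list lets the worm traffic through, which is the "default allow" box the quoted list member was describing.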