RE: SQL Slammer doing the rounds again?

From: Thompson, Jimi (JimiT_at_mail.cox.smu.edu)
Date: 11/14/03

    To: incidents@securityfocus.com
    Date: Thu, 13 Nov 2003 17:10:28 -0600

    All,

    Why not use TSSL or a VPN connection? Either of these should be transparent
    to the application in question and either of these should obviate the need
    to open SQL to the world. Never mind mentioning why you aren't patched
    against it.....

    Thanks,

    Ms. Jimi Thompson, CISSP
    Manager, Web Operations
    Cox School of Business
    Southern Methodist University

    "If we want women to do the same work as men, we must teach them the same
    things." - Plato

    -----Original Message-----
    From: Jim Harrison (ISA) [mailto:jmharr@microsoft.com]
    Sent: Thursday, November 13, 2003 3:48 PM
    To: Harlan Carvey; incidents@securityfocus.com
    Subject: RE: SQL Slammer doing the rounds again?

    The simple answer is, "if the web app is properly designed, coded and
    tested, there should be no reason to 'open a port' (apologies to TS) to
    the SQL from the Internet."

    <tirade>

    Unfortunately, there are many folks who have queried the ISA newsgroups
    and other ISA lists about how (not why) to allow inbound SQL connections
    because many web designers haven't quite caught up to the idea that the
    Internet isn't the friendly little sandbox that they seem to believe it
    is.

    Consequently, they deploy distributed web apps that expect to have
    direct access to a SQL server across whatever network they're installed
    in. This often leaves the network admins with one choice; open external
    access to the SQL server.

    While it's true that you can IP-restrict that traffic, there's also IP
    spoofing to contend with. Many ISPs don't even apply the basic ACLs
    that any first-year Cisco intern would have been taught, causing the
    plethora of "I'm seeing spoof attack reports from 127.0.0.1" complaints
    from many new ISA admins. If the upstream devices were properly
    configured, their firewall (app, appliance, monkeys & buckets, etc.)
    would never see this traffic in the first place.

    </tirade>

    ..I feel better now...

    * Jim Harrison
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISA SE)

    "I used to hate writing assignments, but now I enjoy them.
    I realized that the purpose of writing is to inflate weak ideas,
    obscure poor reasoning, and inhibit clarity.
    With a little practice, writing can be an intimidating and
    impenetrable fog!"
    -Calvin
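    As an added illustration of the two points above (IP restriction is not enough when sources are spoofed, and upstream ACLs should have dropped bogon sources), not code from anyone in this thread: a small Python check over constructed firewall log lines that counts inbound UDP 1434 hits per source and flags packets whose source address could not legitimately arrive from the Internet. The log line format, OUR_PREFIX and every address are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not from the thread). Assumed line format:
# "<time> <action> proto=<udp|tcp> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2003-11-13T17:01:02 accept proto=udp src=203.0.113.7 dst=198.51.100.10 dport=1434
2003-11-13T17:01:03 accept proto=udp src=127.0.0.1 dst=198.51.100.10 dport=1434
2003-11-13T17:01:04 accept proto=tcp src=203.0.113.9 dst=198.51.100.10 dport=443
2003-11-13T17:01:05 accept proto=udp src=198.51.100.44 dst=198.51.100.10 dport=1434
2003-11-13T17:01:06 accept proto=udp src=10.3.3.3 dst=198.51.100.10 dport=53
2003-11-13T17:01:07 accept proto=udp src=203.0.113.7 dst=198.51.100.11 dport=1434
"""

# Source prefixes that cannot legitimately arrive on an Internet-facing interface:
# loopback, RFC 1918 private space, "this network", and (assumed) our own public block.
BOGONS = [ipaddress.ip_network(n) for n in
          ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8")]
OUR_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # assumed value
SQL_RESOLUTION_PORT = 1434  # the UDP port the thread is watching

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    parts = line.split()
    if len(parts) != 6:
        return None
    rec = dict(p.split("=", 1) for p in parts[2:])
    rec["dport"] = int(rec["dport"])
    return rec

def is_spoofed_source(src):
    """True when an inbound packet's source address is a bogon or one of ours."""
    ip = ipaddress.ip_address(src)
    return ip in OUR_PREFIX or any(ip in net for net in BOGONS)

def analyse(log_text):
    """Return (Counter of UDP 1434 hits per source, list of spoofed-source lines)."""
    udp1434 = Counter()
    spoofed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_spoofed_source(rec["src"]):
            spoofed.append(line)  # an upstream ingress ACL should have dropped this
        if rec["proto"] == "udp" and rec["dport"] == SQL_RESOLUTION_PORT:
            udp1434[rec["src"]] += 1
    return udp1434, spoofed
```

    A per-source count that climbs across many destinations, as in the sample, is the pattern Stuart's "large increase on UDP 1434" would show; the spoofed list is what a correctly filtered upstream would never have forwarded.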

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Thursday, November 13, 2003 11:30
    To: incidents@securityfocus.com
    Subject: RE: SQL Slammer doing the rounds again?

    While I fully agree w/ Jim's advice, one thing I'm
    still curious about...since we first saw Slammer...is
    this - Is there a valid business reason to expose UDP
    1434 to the Internet?

    I've asked this before and not received any responses.

    If anyone has one, I'd love to hear it. Please
    refrain from the "maybes"...I'd like to hear valid
    reasons why this port is exposed.

    Thanks,

    Harlan

    --- "Jim Harrison (ISA)" <jmharr@microsoft.com> wrote:
    > It's never stopped.
    > Like Nimda, Code Red, Blaster, SoBig and other "bugs", as long as there
    > is a vulnerable system available to an infected system, we'll be seeing
    > this traffic on the Internet.
    >
    > Your best protection:
    > 1. Keep yourself patched to the gills
    > 2. Place an application-filtering firewall at your edge
    > 3. Keep your antivirus updated and deployed in your servers and clients
    > 4. Block or quarantine executable attachments at your mail server.
    > 5. Establish and enforce "acceptable use" policies for corporate
    > Internet use
    >
    > * Jim Harrison
    > MCP(NT4/2K), A+, Network+
    > Security Business Unit (ISA SE)
    >
    > "I used to hate writing assignments, but now I enjoy them.
    > I realized that the purpose of writing is to inflate weak ideas,
    > obscure poor reasoning, and inhibit clarity.
    > With a little practice, writing can be an intimidating and
    > impenetrable fog!"
    > -Calvin
    >
    > -----Original Message-----
    > From: sradnidge@hotmail.com [mailto:sradnidge@hotmail.com]
    > Sent: Monday, November 10, 2003 18:03
    > To: incidents@securityfocus.com
    > Subject: SQL Slammer doing the rounds again?
    >
    > Hi all,
    >
    > We seem to be noticing a large increase on UDP 1434 across our
    > enterprise worldwide, first starting in Europe, then spreading to the
    > Americas and now looks to be heading our way in Asia. Anyone else seen a
    > resurgence in this Slammer-like activity?
    >
    > Cheers
    >
    > Stuart
    >
    > ---------------------------------------------------------------------------
    > Network with over 10,000 of the brightest minds in information security
    > at the largest, most highly-anticipated industry event of the year.
    > Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    > see demos from more than 250 industry vendors. If your job touches
    > security, you need to be here. Learn more or register at
    > http://www.securityfocus.com/sponsor/RSA_incidents_031023
    > and use priority code SF4.
    > ----------------------------------------------------------------------------
