Security Basics mailing list archives

RE: Purging Blaster.worm


From: "Jay Woody" <jay_woody () tnb com>
Date: Thu, 14 Aug 2003 15:11:54 -0500

My point here was simply that I have yet to have a 
customer walk in the door that was infected who was 
running a broadband connection behind a firewall.  

You must not have been there during the Code Red or Nimda worm then. 
:)  Because in that case the firewall said, "Web servers on port 80?  Oh
yeah, they are right over there."  In this particular case (Blaster)
would a firewall help slow it down.  Yeah.  And I said so in my first
e-mail.  However, your statement was, "This infection doesn't seem to be
able to get past a properly configured firewall".  That just isn't true.
There are other ways around the firewall.  My laptop example, uh, for
example.  :)  Or the case of mass mailing worms, etc.

Will a firewall perhaps keep the one home user safe?  Perhaps, but only
until the next one that hits over port 80, 443, etc. and then nope. 
Your corporation?  Not a chance.  However, my guess is that the real
issue here is, if you have users that are smart enough to set up some
port-blocking firewall at home (something harder than Zone Alarm
obviously) and to go in and ensure that certain ports were blocked, they
were probably smart enough to apply the patch too.  :)  The people that
hit broadband without a firewall probably didn't patch either, so you
have apples and oranges here.  This is like saying that everyone that
came into your shop that was an Alabama fan wasn't hit, so you must have
to be an Alabama fan.  Not quite.  It just may be that the people that
are savvy enough to care enough and set up a firewall, might also be
savvy enough to patch.  Maybe?

Can we ever expect to get ahead of the bad guys here 
without some kind of firewall that gives us that "little bit 
of time to slow it down and apply the patches"?

Well, that would kind of be the point of my first post.  :)  But there
is a big difference in realizing that the firewall is one step and all
it does is buy you some time versus saying that "this infection doesn't
seem to be able to get past a properly configured firewall".  I just
don't want all of you guys to think that, "If we had just got the
firewall people to respond quicker, this wouldn't have happened."  We
had explicit rules set up for 3 weeks now and it walked right in on
laptops and mooned me on its way out.  The only thing, and I mean ONLY
thing that would have stopped this is patching.  And according to what I
am reading, even a fourth of those may have failed anyway.  :)

JayW

"Bob Walker" <bobwalker8 () comcast net> 08/14/03 02:21PM >>>
Maybe I am a little sensitive to this, being the firewall guy and
all, but come on people.

Hmmm... Maybe so  :-)

My point here was simply that I have yet to have a customer walk in the
door that was infected who was running a broadband connection behind a
firewall.  All (or most) were simple broadband (primarily cable)
connections, wide open.  A further point was that we all have a lot of
work to do here to educate folks, whether it's the home user or the
corporate exec, about security and the necessity of applying patches as
they are made available.  But seriously, how many of these users are
going to do that on their own?  By your own admission, your infection
came from within your organization from unpatched laptops, and there you
are definitely correct, no firewall in the world would have prevented
that.

But consider this too.  No matter how timely we do the patches, at some
point, there is a vulnerability discovered prior to the patch being
available.  Hopefully, that vulnerability is discovered by a good guy
and not a bad guy, and the patch developed and made available for the
rest of us good guys.  But (reading the lowlife that released this
worm's mind here), perusing the Microsoft web site for patches, and
knowing the mindset of most users and the alacrity of applying said
patches, that surely gives the bad guy a leg up on most folks.  Can we
ever expect to get ahead of the bad guys here without some kind of
firewall that gives us that "little bit of time to slow it down and
apply the patches"?

Bob
