Security Basics mailing list archives
RE: Purging Blaster.worm
From: "Jay Woody" <jay_woody () tnb com>
Date: Thu, 14 Aug 2003 15:11:54 -0500
> My point here was simply that I have yet to have a customer walk in the door that was infected who was running a broadband connection behind a firewall.
You must not have been there during the Code Red or Nimda worm then. :) Because in that case the firewall said, "Web servers on port 80? Oh yeah, they are right over there." In this particular case (Blaster) would a firewall help slow it down? Yeah. And I said so in my first e-mail.

However, your statement was, "This infection doesn't seem to be able to get past a properly configured firewall". That just isn't true. There are other ways around the firewall. My laptop example, uh, for example. :) Or the case of mass mailing worms, etc. Will a firewall perhaps keep the one home user safe? Perhaps, but only until the next one that hits over port 80, 443, etc. and then nope. Your corporation? Not a chance.

However, my guess is that the real issue here is, if you have users that are smart enough to set up some port-blocking firewall at home (something harder than Zone Alarm obviously) and to go in and ensure that certain ports were blocked, they were probably smart enough to apply the patch too. :) The people that hit broadband without a firewall probably didn't patch either, so you have apples and oranges here. This is like saying that everyone that came into your shop that was an Alabama fan wasn't hit, so you must have to be an Alabama fan. Not quite. It just may be that the people that are savvy enough to care enough and set up a firewall, might also be savvy enough to patch. Maybe?
> Can we ever expect to get ahead of the bad guys here without some kind of firewall that gives us that "little bit of time to slow it down and apply the patches"?
Well, that would kind of be the point of my first post. :) But there is a big difference in realizing that the firewall is one step and all it does is buy you some time versus saying that "this infection doesn't seem to be able to get past a properly configured firewall". I just don't want all of you guys to think that, "If we had just got the firewall people to respond quicker, this wouldn't have happened." We had explicit rules set up for 3 weeks now and it walked right in on laptops and mooned me on its way out. The only thing, and I mean ONLY thing that would have stopped this is patching. And according to what I am reading, even a fourth of those may have failed anyway. :)

JayW
"Bob Walker" <bobwalker8 () comcast net> 08/14/03 02:21PM >>>

> Maybe I am a little sensitive to this, being the firewall guy and all, but come on people.

Hmmm... Maybe so :-) My point here was simply that I have yet to have a customer walk in the door that was infected who was running a broadband connection behind a firewall. All (or most) were simple broadband (primarily cable) connections, wide open. A further point was that we all have a lot of work to do here to educate folks, whether it's the home user or the corporate exec, about security and the necessity of applying patches as they are made available. But seriously, how many of these users are going to do that on their own?

By your own admission, your infection came from within your organization from unpatched laptops, and there you are definitely correct, no firewall in the world would have prevented that. But consider this too. No matter how timely we do the patches, at some point, there is a vulnerability discovered prior to the patch being available. Hopefully, that vulnerability is discovered by a good guy and not a bad guy, and the patch developed and made available for the rest of us good guys. But (reading the lowlife that released this worm's mind here), perusing the Microsoft web site for patches, and knowing the mindset of most users and the alacrity of applying said patches, that surely gives the bad guy a leg up on most folks. Can we ever expect to get ahead of the bad guys here without some kind of firewall that gives us that "little bit of time to slow it down and apply the patches"?

Bob