RE: Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)

[dave.goldsmith () intelsat com]

> -----Original Message-----
> From: Joseph Steinberg [mailto:Joseph () whale-com com]
> Sent: Thursday, August 02, 2001 12:23 PM
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] Re: Code Red: What security specialist don't mention
> in warnings (Frank Knobbe)
>
>
>
> > Web servers should only respond to incoming web requests. Web servers do
> > not need to establish connections to the Internet. So if a web server is
> > behind a stateful firewall, and the firewall rules allow incoming web 
> > request to the web server, but denies outgoing connections from the web
> > server to the Internet, then the Code Red worm can be contained. 
>
> Depends on the application and the location of the web server 
> -- it may need to access content from the internet...

Generally, web servers do not need to establish connections to the Internet.
Block all outgoing access, and then grant access to specific servers to
specific ports on a case-by-case basis.

> Also, what if your web server needs to send outbound email 
> (confirmation messages, etc.)...

See above comment.  [Note: Specifically for CodeRed, if a web server was
blocked for all outbound access and then specificly allowed to sent outbound
e-mail (connections to port 25) then CodeRed would still have been prevented
from spreading]
 
> BTW: The generic Code Red worm may just deface and connect outward, but
the
> same vulnerability could have been exploited to steal the information on
the
> web server, or turn it into a host for a staged attack against other
> DMZ/internal machines. As the vulnerability is at the application-level, a
> firewall will not likely mitigate against this.

And if such a more invasive version of a worm got through and gathered data
to send home, or took control of the system to be used as a slave in a DDos
attack, then blocking outbound initiated connections from the web server on
the firewall WOULD prevent that data from being sent or from the DDoS attack
from occuring.

I agree that the firewall can not prevent CodeRed from coming in to the
local network.  Obviously, the firewall must allow traffic on port 80 thru
to the web server. So to get a better in-depth security posture, you now
have:

1) Allow incoming traffic to specific servers on specific ports. (25 to mail
srvr, 80 to web srvr)
2) Block all other incoming traffic.
3) Install all applicable software updates and security patches to minimize
the ability of a valid traffic stream to contain code that will negatively
impact your system.
4) Allow outgoing traffic from specific servers to specific ports.
5) Block all other outgoing traffic from the servers.

R/S, Dave Goldsmith

############################################################
This email message is for the sole use of the intended
recipient(s)and may contain confidential and privileged
information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended 
recipient, please contact the sender by reply email and 
destroy all copies of the original message.  Any views 
expressed in this message are those of the individual 
sender, except where the sender specifically states them 
to be the views of Intelsat, Ltd. and its subsidiaries.
############################################################
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards