Security Incidents mailing list archives

RE: Possible method to prevent spread of CodeRed and other similar worms


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Wed, 1 Aug 2001 13:34:25 -0500


-----Original Message-----
From: dave.goldsmith () intelsat com
[mailto:dave.goldsmith () intelsat com]
Sent: Wednesday, August 01, 2001 12:48 PM
To: incidents () securityfocus com

Is there normally any reason for a web server to initiate OUTBOUND
connections to the Internet? If not, why not block such outbound packets?


Dave,

you're right on. That's exactly the reason I wrote a small article
yesterday. Apparently SecurityFocus decided not to publish it to the
list. It went along the lines that everyone (incl. CERT, SANS, etc.)
only focuses on the patch and completely neglects to mention other
preventive measures, like blocking outbound connections from the web
server. (There are exceptions, like payment processing systems, DNS
in some cases, and HIDS, but the idea of limiting outbound access is
something almost everyone left out of their bulletins.) Good
security is multi-layered security. Level 1 is the patch; level 2 is
the firewall rules you mentioned.

Regards,
Frank

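The egress policy Dave asks about and Frank endorses, as an added example that is not part of either message: a POSIX shell script that emits an iptables OUTPUT-chain ruleset for a web server (default deny, with the exceptions Frank names: DNS, a payment processor, a HIDS console) and a small policy check that mirrors those rules. Interface name and the three addresses are constructed placeholders; the script prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): egress filtering for a web server.
# All addresses below are constructed placeholders (RFC 5737 documentation ranges).
WEB_IF="eth0"
DNS_SERVER="192.0.2.53"       # placeholder: the resolver the server may query
PAYMENT_GW="198.51.100.10"    # placeholder: payment-processing endpoint (HTTPS)
HIDS_CONSOLE="203.0.113.20"   # placeholder: HIDS/syslog collector

# Emit the OUTPUT-chain rules. Replies to inbound clients are ESTABLISHED, so they
# pass; only NEW outbound connections are subject to the allowlist. Everything
# else is logged (so a compromised host announces itself) and then dropped.
egress_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WEB_IF -p udp -d $DNS_SERVER --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $WEB_IF -p tcp -d $PAYMENT_GW --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $WEB_IF -p tcp -d $HIDS_CONSOLE --dport 514 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $WEB_IF -m state --state NEW -j LOG --log-prefix "EGRESS-BLOCK: "
iptables -A OUTPUT -o $WEB_IF -m state --state NEW -j DROP
EOF
}

# Policy check mirroring the rules above: exit 0 if a NEW outbound connection
# over $1 to $2 port $3 would be accepted, exit 1 if it would be dropped.
# A worm trying to reach an arbitrary host on tcp/80 falls into the last case.
egress_allowed() {
    proto=$1; dst=$2; port=$3
    case "$proto/$dst/$port" in
        udp/$DNS_SERVER/53)     return 0 ;;
        tcp/$PAYMENT_GW/443)    return 0 ;;
        tcp/$HIDS_CONSOLE/514)  return 0 ;;
        *)                      return 1 ;;
    esac
}

# Print the ruleset when invoked as: sh egress.sh print
if [ "${1:-}" = "print" ]; then
    egress_rules
fi
```

Pipe the printed rules to `sh` on the web server only after reviewing them; the policy check lets you confirm a planned exception before touching the live ruleset.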

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

