Security Basics mailing list archives
Re: Network Segregation to prevent spread of malware
From: Vic Vandal <vvandal () well com>
Date: Wed, 23 Jan 2013 09:01:21 -0800 (PST)
Tom,

The short and simple answer to your question is no. And now I'll explain why.

Worm-type malware that spreads autonomously will sometimes leverage ports and protocols you would have to leave open for typical network/server/workstation operations, so access lists and firewalls aren't a bullet-proof approach to the problem. That approach will also be difficult to implement, tune, and maintain. It would not be my first recommendation for solving the problem you posed. It might be down the list somewhere on a multi-pronged approach for organizations with deep pockets and enough human resources to manage a lot of different technologies.

Another approach would be to implement network-based IPS devices where you would have implemented said firewalls. They will likely detect and knock down the spread of a decent amount of malware, as well as provide reporting so you'll know what's going on. But of course zero-day stuff will get through, although future signature updates could detect old infections via their ongoing noise.

The most effective way of preventing the spread of malware would be to keep all operating systems and applications patched as timely as possible. Worm-type malware needs a vulnerable service to attack. If you put extra emphasis on deploying security patches for those vulnerable network services to 100% coverage, then the only avenue for initial infections and infection spreading is via end user action (opening malicious emails, visiting malicious links, etc.). Widely deployed anti-virus software with updated signatures, along with end user education, are critical components to prevent that, as we all know.

I don't know what kind of shop you work in (heterogeneous, homogeneous, Windows, Linux, Mac, etc.). Windows is still the dominant office desktop OS. So for the sake of example, here are Windows patches that you should have applied to every single Windows workstation and server.
MS05-039 - Vulnerability in Plug and Play - KB 899588 - Affects Win-2000, Win-2003, Win-XP
MS05-051 - Vulnerabilities in MSDTC and COM+ - KB 902400 - Affects Win-2000, Win-2003, Win-XP
MS06-032 - Vulnerability in TCP/IP - KB 917953 - Affects Win-2000, Win-2003, Win-XP
MS07-029 - Vulnerability in Windows DNS RPC Interface - KB 935966 - Affects Win-2000, Win-2003
MS08-063 - Vulnerability in SMB - KB 957095 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS08-067 - Vulnerability in Server Service - KB 958644 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-001 - Vulnerabilities in SMB - KB 958687 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-022 - Vulnerabilities in Windows Print Spooler - KB 961501 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-048 - Vulnerabilities in Windows TCP/IP - KB 967723 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-049 - Vulnerability in Wireless LAN AutoConfig Service - KB 970710 - Affects Win-2008, Win-Vista
MS09-050 - Vulnerabilities in SMBv2 - KB 975517 - Affects Win-2008, Win-Vista
MS09-063 - Vulnerability in Web Services on Devices API - KB 973565 - Affects Win-2008, Win-Vista
MS10-012 - Vulnerabilities in SMB Server - KB 971468 - Affects all supported editions of Microsoft Windows
MS10-054 - Vulnerabilities in SMB Server - KB 982214 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS10-061 - Vulnerability in Print Spooler Service - KB 2347290 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS11-020 - Vulnerability in SMB Server - KB 2508429 - Affects all supported editions of Microsoft Windows
MS11-083 - Vulnerability in TCP/IP - KB 2588516 - Affects Win-2008, Win-Vista
MS12-020 - Vulnerabilities in Remote Desktop - KB 2671387 - Affects all supported editions of Microsoft Windows
MS12-036 - Vulnerability in Remote Desktop - KB 2685939 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS12-053 - Vulnerability in Remote Desktop - KB 2723135 - Affects Win-XP
MS12-054 - Vulnerabilities in Windows Networking Components - KB 2733594 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS13-001 - Vulnerability in Windows Print Spooler Components - KB 2769369 - Affects Windows 7, Windows Server 2008

That personal list only goes back 7 years, which is all that I had handy. And if any shop is missing patches as old as many of those listed above or older than that, then they probably deserve whatever pain they get for not having their InfoSec priorities and budget straight. Each of those vulnerabilities can be exploited by an unauthenticated worm. And we all learned our lessons from Nimda, Blaster, SQL-Slammer, etc., etc.

What I didn't include in that list were Windows app-specific vulnerabilities that could also be attacked by an autonomous exploit over the network, such as this month's MS13-007 - Vulnerability in Open Data Protocol - KB 2769327, which is a DoS vulnerability that is exploited by sending HTTP requests to an un-patched Windows IIS web server. Sorry, but I don't have that data personally consolidated in a handy list form, nor do I have time at the moment to review my patch archive to consolidate it. I'd like to tell you that I have a consolidated Solaris, Linux, Oracle, etc. list also, but that's a hodge-podge of data that I've never sat down to filter and consolidate into worm-vulnerable lists.

There are some other technologies available to help with malware identification, such as host-based IDS and/or network-based sensors that key on malware that tries to reach out to the Internet over HTTP or other protocols. It's not the same as traditional IPS because it's not strictly signature-based and employs several mechanisms for detecting advanced infections.

In closing, a multi-layer approach to prevent infections, prevent the spread, identify infections, and eradicate malware is important. And timely patching is critical to preventing network-based infections and their spread.
Peace,
Vic

----- Original Message -----
From: tomright006 () gmail com
To: security-basics () securityfocus com
Sent: Tuesday, January 22, 2013 12:33:05 PM
Subject: Network Segregation to prevent spread of malware

Hello All,

I need a few tips on Network Segregation to prevent spread of Malware. Can I avoid Malware spreading from one network segment to another just by segregating network with access list or firewalls?

Thanks,
Tom
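The bulletin list in Vic's reply is more useful as a per-host check than as a reading list. The script below is an added example (not part of the original message) that turns the list into an audit of one Windows host: it transcribes each bulletin with its KB article and the "Affects" column exactly as posted, works out which Windows version the host is running, and reports only the bulletins that apply to that version but whose KB is not registered. It assumes an elevated PowerShell 2.0 or later session on the host being checked and uses Get-HotFix, which reads Win32_QuickFixEngineering; the OS-tag names ('2000', '2003', 'XP', 'Vista', '2008', '7', 'all') are this example's own shorthand for the "Affects" column.

```powershell
# Added example, not from the original post: audit this host for the
# worm-exploitable bulletins listed in the reply above, filtered by OS so
# that patches for other Windows versions are not reported as missing.
# Assumptions: elevated PowerShell 2.0+ on the host being checked;
# Get-HotFix (Win32_QuickFixEngineering) is the source of installed KBs.

# Transcribed from the post: bulletin, KB article, and the "Affects" column.
# 'all' stands for "all supported editions of Microsoft Windows".
$Bulletins = @(
    @{ Id = 'MS05-039'; KB = 'KB899588';  OS = '2000,2003,XP' },
    @{ Id = 'MS05-051'; KB = 'KB902400';  OS = '2000,2003,XP' },
    @{ Id = 'MS06-032'; KB = 'KB917953';  OS = '2000,2003,XP' },
    @{ Id = 'MS07-029'; KB = 'KB935966';  OS = '2000,2003' },
    @{ Id = 'MS08-063'; KB = 'KB957095';  OS = '2000,2003,2008,XP,Vista' },
    @{ Id = 'MS08-067'; KB = 'KB958644';  OS = '2000,2003,2008,XP,Vista' },
    @{ Id = 'MS09-001'; KB = 'KB958687';  OS = '2000,2003,2008,XP,Vista' },
    @{ Id = 'MS09-022'; KB = 'KB961501';  OS = '2000,2003,2008,XP,Vista' },
    @{ Id = 'MS09-048'; KB = 'KB967723';  OS = '2000,2003,2008,XP,Vista' },
    @{ Id = 'MS09-049'; KB = 'KB970710';  OS = '2008,Vista' },
    @{ Id = 'MS09-050'; KB = 'KB975517';  OS = '2008,Vista' },
    @{ Id = 'MS09-063'; KB = 'KB973565';  OS = '2008,Vista' },
    @{ Id = 'MS10-012'; KB = 'KB971468';  OS = 'all' },
    @{ Id = 'MS10-054'; KB = 'KB982214';  OS = '2003,2008,XP,Vista,7' },
    @{ Id = 'MS10-061'; KB = 'KB2347290'; OS = '2003,2008,XP,Vista,7' },
    @{ Id = 'MS11-020'; KB = 'KB2508429'; OS = 'all' },
    @{ Id = 'MS11-083'; KB = 'KB2588516'; OS = '2008,Vista' },
    @{ Id = 'MS12-020'; KB = 'KB2671387'; OS = 'all' },
    @{ Id = 'MS12-036'; KB = 'KB2685939'; OS = '2003,2008,XP,Vista,7' },
    @{ Id = 'MS12-053'; KB = 'KB2723135'; OS = 'XP' },
    @{ Id = 'MS12-054'; KB = 'KB2733594'; OS = '2003,2008,XP,Vista,7' },
    @{ Id = 'MS13-001'; KB = 'KB2769369'; OS = '2008,7' }
)

# Map the Win32_OperatingSystem caption to the tags used in the table.
# 'Server 2008' also matches Server 2008 R2; anything newer becomes
# 'other' and only picks up the 'all' entries.
function Get-OsTag {
    param([string]$Caption)
    switch -Regex ($Caption) {
        'Windows 2000'  { return '2000' }
        'Server 2003'   { return '2003' }
        'Server 2008'   { return '2008' }
        'Windows XP'    { return 'XP' }
        'Windows Vista' { return 'Vista' }
        'Windows 7'     { return '7' }
        default         { return 'other' }
    }
}

# Bulletins that apply to this OS tag but whose KB is not installed.
function Get-MissingBulletins {
    param([string]$OsTag, [string[]]$InstalledKBs)
    foreach ($b in $Bulletins) {
        $targets = $b.OS -split ','
        $applies = ($targets -contains 'all') -or ($targets -contains $OsTag)
        if ($applies -and ($InstalledKBs -notcontains $b.KB)) { $b }
    }
}

# Get-WmiObject rather than Get-CimInstance so this still runs on the
# PowerShell 2.0 hosts (XP, 2003) that the list is mostly about.
$caption   = (Get-WmiObject Win32_OperatingSystem).Caption
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$missing   = @(Get-MissingBulletins -OsTag (Get-OsTag $caption) -InstalledKBs $installed)

if ($missing.Count -eq 0) {
    '{0} ({1}): none of the listed KBs are missing' -f $env:COMPUTERNAME, $caption
} else {
    foreach ($m in $missing) {
        '{0} ({1}): {2} / {3} not found' -f $env:COMPUTERNAME, $caption, $m.Id, $m.KB
    }
}
```

Two caveats before trusting the output. Get-HotFix only reports updates still registered in QFE, so a KB that was later folded into a superseding update can legitimately show as "not found"; treat a hit as something to confirm against the bulletin's file versions or your WSUS/MBSA reports, not as proof of exposure. And Windows 2000 has no PowerShell at all; on such hosts the same installed-KB list comes from `wmic qfe get HotFixID` and can be fed to Get-MissingBulletins from another machine.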