Security Basics mailing list archives

Re: Network Segregation to prevent spread of malware


From: Vic Vandal <vvandal () well com>
Date: Wed, 23 Jan 2013 09:01:21 -0800 (PST)

Tom,

The short and simple answer to your question is no.  And now I'll explain why.

Worm-type malware that spreads autonomously will sometimes leverage ports and protocols you would have to leave open 
for typical network/server/workstation operations, so access lists and firewalls aren't a bullet-proof approach to the 
problem.  That approach will also be difficult to implement, tune, and maintain.  It would not be my first 
recommendation for solving the problem you posed.  It might be down the list somewhere on a multi-pronged approach for 
organizations with deep pockets and enough human resources to manage a lot of different technologies.

Another approach would be to implement network-based IPS devices, where you would have implemented said firewalls.  
They will likely detect and knock down the spread of a decent amount of malware, as well as provide reporting so you'll 
know what's going on.  But of course zero-day stuff will get through, although future signature updates could detect 
old infections via their ongoing noise.

The most effective way of preventing the spread of malware would be to keep all operating systems and applications 
patched in as timely a manner as possible.  Worm-type malware needs a vulnerable service to attack.  If you put extra emphasis on 
deploying security patches for those vulnerable network services to 100% coverage, then the only avenue for initial 
infections and infection spreading is via end user action (opening malicious emails, visiting malicious links, etc.).  
Widely deployed anti-virus software with updated signatures, along with end user education, are critical components to 
prevent that, as we all know.

I don't know what kind of shop you work in (heterogeneous, homogeneous, Windows, Linux, Mac, etc.).  Windows is still 
the dominant office desktop OS.  So for the sake of example, here are Windows patches that you should have applied to every 
single Windows workstation and server.

MS05-039 - Vulnerability in Plug and Play - KB 899588 - Affects Win-2000, Win-2003, Win-XP
MS05-051 - Vulnerabilities in MSDTC and COM+ - KB 902400 - Affects Win-2000, Win-2003, Win-XP
MS06-032 - Vulnerability in TCP/IP - KB 917953 - Affects Win-2000, Win-2003, Win-XP
MS07-029 - Vulnerability in Windows DNS RPC Interface - KB 935966 - Affects Win-2000, Win-2003
MS08-063 - Vulnerability in SMB - KB 957095 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS08-067 - Vulnerability in Server Service - KB 958644 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-001 - Vulnerabilities in SMB - KB 958687 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-022 - Vulnerabilities in Windows Print Spooler - KB 961501 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-048 - Vulnerabilities in Windows TCP/IP - KB 967723 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-049 - Vulnerability in Wireless LAN AutoConfig Service - KB 970710 - Affects Win-2008, Win-Vista
MS09-050 - Vulnerabilities in SMBv2 - KB 975517 - Affects Win-2008, Win-Vista
MS09-063 - Vulnerability in Web Services on Devices API - KB 973565 - Affects Win-2008, Win-Vista
MS10-012 - Vulnerabilities in SMB Server - KB 971468 - Affects all supported editions of Microsoft Windows
MS10-054 - Vulnerabilities in SMB Server - KB 982214 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS10-061 - Vulnerability in Print Spooler Service - KB 2347290 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS11-020 - Vulnerability in SMB Server  - KB 2508429 - Affects all supported editions of Microsoft Windows
MS11-083 - Vulnerability in TCP/IP - KB 2588516 - Affects Win-2008, Win-Vista
MS12-020 - Vulnerabilities in Remote Desktop - KB 2671387 - Affects all supported editions of Microsoft Windows
MS12-036 - Vulnerability in Remote Desktop - KB 2685939 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS12-053 - Vulnerability in Remote Desktop - KB 2723135 - Win-XP
MS12-054 - Vulnerabilities in Windows Networking Components - KB 2733594 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS13-001 - Vulnerability in Windows Print Spooler Components – KB 2769369 - Affects Windows 7, Windows Server 2008

That personal list only goes back 7 years, which is all that I had handy.  And if any shop is missing patches as old as 
many of those listed above or older than that, then they probably deserve whatever pain they get for not having their 
InfoSec priorities and budget straight.  Each of those vulnerabilities can be exploited by an unauthenticated worm.  
And we all learned our lessons from Nimda, Blaster, SQL-Slammer, etc, etc.  

What I didn't include in that list were Windows app-specific vulnerabilities that could also be attacked by an 
autonomous exploit over the network.  Such as this month's MS13-007 - Vulnerability in Open Data Protocol – KB 2769327, 
which is a DoS vulnerability that is exploited by sending HTTP requests to an un-patched Windows IIS web server.  
Sorry, but I don't have that data personally consolidated in a handy list form, nor do I have time at the moment to 
review my patch archive to consolidate it.  I'd like to tell you that I have a consolidated Solaris, Linux, Oracle, 
etc. list also, but that's a hodge-podge of data that I've never sat down to filter and consolidate into 
worm-vulnerable lists.

There are some other technologies available to help with malware identification, such as host-based IDS and/or 
network-based sensors that key on malware that tries to reach out to the Internet over HTTP or other protocols.  It's 
not the same as traditional IPS because it's not strictly signature-based and employs several mechanisms for detecting 
advanced infections.

In closing, a multi-layer approach to prevent infections, prevent the spread, identify infections, and eradicate 
malware is important.  And timely patching is critical to preventing network-based infections and their spread.  

Peace,
Vic


----- Original Message -----
From: tomright006 () gmail com
To: security-basics () securityfocus com
Sent: Tuesday, January 22, 2013 12:33:05 PM
Subject: Network Segregation to prevent spread of malware

Hello All,

I need a few tips on Network Segregation to prevent spread of Malware. Can I avoid Malware spreading from one network 
segment to another just by segregating network with access list or firewalls?


Thanks,

Tom
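
Added example, not part of the original message or thread: a Python check for the 100% patch coverage Vic describes, parsing a few entries in the format of his list and reporting, per host, which applicable bulletins lack their KB. The host names, the inventory layout and the OS-tag aliases are assumptions constructed for illustration.

```python
import re

# A few entries copied from the list in the message above (not the full list).
BULLETINS = """\
MS08-067 - Vulnerability in Server Service - KB 958644 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-050 - Vulnerabilities in SMBv2 - KB 975517 - Affects Win-2008, Win-Vista
MS12-020 - Vulnerabilities in Remote Desktop - KB 2671387 - Affects all supported editions of Microsoft Windows
MS12-053 - Vulnerability in Remote Desktop - KB 2723135 - Win-XP
MS13-001 - Vulnerability in Windows Print Spooler Components – KB 2769369 - Affects Windows 7, Windows Server 2008
"""
# Tolerates the list's variations: hyphen or en-dash separators, optional "Affects".
LINE = re.compile(r"^(MS\d{2}-\d{3})\s+[-–]\s+.+?\s+[-–]\s+KB\s*(\d+)\s+[-–]\s+(?:Affects\s+)?(.+)$")
ALIASES = {"Windows 7": "Win-7", "Windows Server 2008": "Win-2008"}  # assumed mapping

def parse_bulletins(text):
    """Return {bulletin: (kb_id, platforms)}; platforms is None when all editions are affected."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ms, kb, affects = m.groups()
            # Assumption: "all supported editions" is treated as applying to every host.
            everywhere = affects.lower().startswith("all supported")
            tags = {ALIASES.get(p.strip(), p.strip()) for p in affects.split(",")}
            out[ms] = ("KB" + kb, None if everywhere else tags)
    return out

def missing_patches(bulletins, inventory):
    """Map host -> sorted bulletins that apply to its OS but whose KB is not installed."""
    report = {}
    for host, (os_tag, installed) in inventory.items():
        gaps = sorted(ms for ms, (kb, tags) in bulletins.items()
                      if (tags is None or os_tag in tags) and kb not in installed)
        if gaps:
            report[host] = gaps
    return report

# Constructed inventory (hypothetical hosts): host -> (OS tag, installed KB ids).
INVENTORY = {
    "ws-001": ("Win-XP", {"KB958644", "KB2671387", "KB2723135"}),
    "ws-002": ("Win-7", {"KB2671387"}),
    "srv-01": ("Win-2008", {"KB958644", "KB975517"}),
    "srv-02": ("Win-2003", set()),
}

if __name__ == "__main__":
    for host, gaps in missing_patches(parse_bulletins(BULLETINS), INVENTORY).items():
        print(f"{host}: missing {', '.join(gaps)}")
```

A KB reported as missing may have been replaced by a later superseding update or service pack, so confirm each gap against the bulletin before treating the host as exposed.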

