Firewall Wizards mailing list archives

Re: NIMDA, how to stop it


From: "Robin S. Socha" <robin-dated-1010455832.d88af7 () socha net>
Date: Fri, 04 Jan 2002 21:25:43 -0500

* Ryan Russell <ryan () securityfocus com> writes:
> On Fri, 4 Jan 2002, Alan Young wrote:
>
> > speaking of NIMDA, as a general recommendation, what would you all
> > recommend as an effective firewall setup to stop NIMDA?
>
> Firewalls aren't, for the most part, designed to combat the weaknesses
> that Nimda exploits to spread.

Firewalls are concepts. If part of your concept is employing content
filters, that's fine. It's got nothing to do with combatting exploits in
broken software.

> > Can I stop NIMDA with just a PIX? Or do I need some sort of other
> > "virus firewall" in addition to our PIX?
>
> You'd want an antivirus gateway, possibly.  That would help with Nimda
> arriving and leaving via email.  Possibly also via HTTP, depending on
> the gateway.

Mainly depending on what time it is. While I was still running sendmail,
Melissa came in 10 minutes before I left the office. 11 minutes later and
our "yes, Mein Geschäftsführer, red firewalls are faster" company - equipped
with Win2k and 3 (yeah, we're so *fucking* secure) virus scanners would have
gone down the drain. So much for "virus scanners work". Afterwards I had
a security policy employed that:

- prohibits sending Microsoft documents (.doc, .xls, .mdb...) to our
  network;

- nukes all executables on the mailserver, sending an explanatory
  message to the sender;

- removes multipart/mime;

- has everyone fired who opens email attachments;

- preserves copies of all in- and outbound mail for forensic analysis
  (read: firing lusers).

> > I am sure I must be missing some fundamental firewall knowledge, I
> > suppose there are some good books on this topic???
>
> [...]
> http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf
> [...]
> Nimda is pretty bad once it gets inside your network.  I've spoken
> with a local school district in my area that has been completely screwed
> by it.  If it gets inside, and you don't have a centrally updatable
> antivirus install on every desktop, you won't be able to get rid of
> it.

Let's focus on the problem at hand. Your point is only valid iff that
network is running Microsoft products. You will not affect MacOS, $UNIX,
OS/2...

> Let me paint a picture: One of the spreading mechanisms is NetBIOS
> file shares.  Any number of students manage to infect the student
> workstations throughout the day via email or web browsing.  Since the
> workstation is now acting funny, they call over an admin.  The admin
> logs on as themself.  If the admin has a home drive, probably on the
> PDC, then the PDC just got infected.

Again: iff this admin is using broken software.

> Now every student that logs on gets a copy from the PDC.  When it
> manages to execute on the PDC with privs, it uses its domain trust to
> infect every drive share in the network neighborhood.  They now have
> to clean every machine, and be extremely careful about what accounts
> are allowed to do.  One copy could restart the whole process.

Iff you allow your users to download and execute code on their
workstations. Why would you? Tax money. Spent. Wrong.

> Desktop AV is the only thing that stops the bulk of the process.

Incorrect. If anything, it will stop this _one_ process. It does not
eliminate the problem.

> We're now up to I think 6 Nimda variants.  When a new one comes out
> there's a 24-48 hour window before you can get a new signature for it
> from your vendor, and then you have to have a way to update every
> desktop ASAP.

Right. Do you want me to do a quick calculus using one of my 50GB
bandwidth mailservers running qmail with qmqp?  Really? That 24-48
hour window is good for millions of mails. Which part of "this is not
a solution, it's not even a kluge, it simply *does* *not* *work* -
have the vendor fix the software or get rid of the software" do you
have difficulty in understanding?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
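The mail-server side of the policy described in the post above (strip executables and Microsoft documents from inbound mail and send the sender an explanatory message), as an added example written for this archive page; it is not code from the poster, from qmail or from the list. The block lists, the postmaster address and the sample message are assumptions constructed here. One check goes beyond what the post states: a part whose bytes begin with the DOS/PE "MZ" header is dropped whatever filename or Content-Type it carries, because both of those are chosen by the sender.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Hypothetical block lists standing in for the policy in the post; extend to taste.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
OFFICE_EXT = {".doc", ".dot", ".xls", ".xlt", ".mdb", ".ppt"}
PE_MAGIC = b"MZ"  # DOS/PE header; checked because filename and Content-Type are sender-controlled
POSTMASTER = "postmaster@example.invalid"  # hypothetical address for the bounce notice


def is_banned(part):
    """Return a reason string if this leaf MIME part must be stripped, else None."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    payload = part.get_payload(decode=True) or b""
    if ext in EXECUTABLE_EXT:
        return f"executable attachment {filename!r}"
    if ext in OFFICE_EXT:
        return f"Microsoft document {filename!r}"
    if payload.startswith(PE_MAGIC):
        # A PE file declared as something harmless: the bytes, not the label, decide.
        return f"PE executable declared as {part.get_content_type()} ({filename or 'unnamed'})"
    return None


def strip_attachments(raw):
    """Rebuild a message without the banned parts. Returns (clean_message, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name] is not None:
            clean[name] = str(msg[name])
    reasons, body_parts, kept = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        reason = is_banned(part)
        if reason:
            reasons.append(reason)
        elif part.get_content_type() == "text/plain" and part.get_filename() is None:
            body_parts.append(part.get_content())
        else:
            kept.append(part)  # harmless attachments are re-attached below
    text = "\n".join(body_parts)
    if reasons:
        text += "\n[mailserver removed: " + "; ".join(reasons) + "]\n"
    clean.set_content(text)
    for part in kept:
        maintype, subtype = part.get_content_type().split("/", 1)
        clean.add_attachment(part.get_payload(decode=True), maintype=maintype,
                             subtype=subtype, filename=part.get_filename() or "attachment")
    return clean, reasons


def bounce_notice(raw, reasons):
    """The explanatory message sent back to the original sender."""
    orig = email.message_from_bytes(raw, policy=policy.default)
    note = EmailMessage()
    note["From"] = POSTMASTER
    note["To"] = str(orig["From"])
    note["Subject"] = "Attachment removed: " + str(orig["Subject"] or "")
    note.set_content(
        "Your message was delivered without the following parts, which the\n"
        "mail policy does not allow:\n- " + "\n- ".join(reasons) + "\n"
    )
    return note


def build_sample():
    """Constructed test mail (not a real capture): a PE stub mislabelled as audio,
    an Office document, an image, and a file that is an executable by name only."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "readme"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="audio", subtype="x-wav",
                     filename="readme.wav")
    m.add_attachment(b"\xd0\xcf\x11\xe0 fake document", maintype="application",
                     subtype="msword", filename="report.doc")
    m.add_attachment(b"GIF89a fake image", maintype="image", subtype="gif",
                     filename="logo.gif")
    m.add_attachment(b"not really a binary", maintype="application",
                     subtype="octet-stream", filename="update.exe")
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    clean, reasons = strip_attachments(raw)
    print(clean)
    print(bounce_notice(raw, reasons))
```

The message is rebuilt from scratch rather than edited in place, so nothing from the original MIME tree (nested multiparts, odd boundaries, duplicate headers) survives except the text bodies and the attachments that passed the checks; that is the closest code equivalent of the post's "removes multipart/mime" line.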
