Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Claussen, Ken" <Ken () kccweb com>
Date: Wed, 12 May 2004 11:04:05 -0400

Paul,
Even Cisco is not immune to the exploits. 
http://www.enterprisenetworksandservers.com/monthly/art.php/290 
While this was patched quickly by ISPs and others, it did cause
intermittent outages across the Internet for a period of time (several
days).
Excerpt from the article:
"On Wednesday, July 16, 2003, Cisco Systems published an advisory
warning that Cisco IOS - the operating software of the most widely used
routers and switches in the world - was carrying a vulnerability that
could put any unprotected IOS device out of order. Two days later, an
"exploit" was published on a public mailing list, where hackers
explained in detail how to reproduce the very packet sequence that would
allow anyone to "exploit" the vulnerability and bring any unprotected
device down."

Then there was the Nimda worm, which affected Cisco cable modem devices
(800 Series); while not critical infrastructure, this disrupted many
households' Internet access.

I think it is fair to say any OS has had its share of vulnerabilities
over the years (some more than others in terms of numbers, but that does
not necessarily account for the severity). A good share of these have
allowed remote execution of code (System=Owned). Some historical
examples: Sadmind for Solaris, rootkits for Unix taking advantage of
Portmapper flaws, Nimda/CodeRed and Slammer for MS. There are many
others; these are just some off the top of my head. To say that any one
of these is worse than the others is simply favoritism, as they all
allowed Root/Administrator access to the system.

I have read several mentions of issues with corporate desktops, and no
one has mentioned the use of Group Policy through AD to control which
EXEs are allowed to run by a user. This is one of the best methods to
stop malicious code at the desktop level. While it may be painful to
set up initially, it is effective in many cases. In order to bypass this,
malicious code would need to use an "approved" EXE to launch itself.
This raises the bar significantly.
Ken


-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net] 
Sent: Monday, May 10, 2004 2:49 PM
To: Erick Mechler
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility


On Mon, 10 May 2004, Erick Mechler wrote:

> I bet you'd see the same sort of behavior from worms no matter what OS
> the World's critical infrastructures were to run.  If they ran *NIX,
> you'd see more worms targeting those OSs.  There's something to be
> said for heterogeneous computing environments.

Funnily enough, I don't recall a Cisco IOS worm with any traction...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
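Ken's suggestion above (Group Policy deciding which executables a user may run) is, on Windows XP/2003, a Software Restriction Policy. The script below is an added example, not code from the original post or from any of the participants: it builds a default-deny SRP on one machine so the rule set can be tested locally before the same settings are pushed out of a domain GPO (Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies, which lands in the same HKLM\...\Safer registry tree). The registry layout is the one SRP stores its policy in; the specific allowed and re-denied paths, and the Add-SrpPathRule / Get-SrpPathRule helper names, are assumptions for a typical corporate desktop.

```powershell
# Added example, not code from the original post: a default-deny Software
# Restriction Policy (the "only approved EXEs run" Group Policy control
# Ken refers to), applied locally for testing. Paths below are assumptions.
#Requires -RunAsAdministrator

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 0x40000   # SAFER_LEVELID_FULLYTRUSTED
$Disallowed   = 0x0       # SAFER_LEVELID_DISALLOWED

New-Item -Path $srp -Force | Out-Null
# Default security level Disallowed: nothing runs unless a rule allows it.
Set-ItemProperty -Path $srp -Name DefaultLevel       -Value $Disallowed -Type DWord
# 1 = enforce on all software files except DLLs; 2 would also check libraries.
Set-ItemProperty -Path $srp -Name TransparentEnabled -Value 1 -Type DWord
# 0 = apply to every user; 1 would exempt members of the local Administrators group.
Set-ItemProperty -Path $srp -Name PolicyScope        -Value 0 -Type DWord
# Designated file types that the policy treats as executable code.
Set-ItemProperty -Path $srp -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST',
    'OCX','PCD','PIF','REG','SCR','SHS','URL','VB','VBS','WSC','WSF','WSH')

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each path rule is a GUID-named subkey under <level>\Paths.
    $key = Join-Path $srp ('{0}\Paths\{{{1}}}' -f $Level, [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

function Get-SrpPathRule {
    # List every path rule with its level, for review after the policy is built.
    Get-ChildItem "$srp\*\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        $level = ($_.PSParentPath -split '\\')[-2]
        $rule  = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Level = if ($level -eq '0') { 'Disallowed' } else { 'Unrestricted' }
            Path  = $rule.ItemData
            Note  = $rule.Description
        }
    }
}

# Trees where only administrators can write: users may run code from here.
Add-SrpPathRule -Path '%SystemRoot%'   -Level $Unrestricted -Description 'Windows directory'
Add-SrpPathRule -Path '%ProgramFiles%' -Level $Unrestricted -Description 'Installed applications'

# User-writable subdirectories inside an allowed tree must be denied again;
# among path rules the most specific match wins, so these override the
# broader Unrestricted rules above. Which subdirectories are writable on a
# given build must be audited (assumed examples below).
Add-SrpPathRule -Path '%SystemRoot%\Temp'  -Level $Disallowed -Description 'User-writable temp'
Add-SrpPathRule -Path '%SystemRoot%\Tasks' -Level $Disallowed -Description 'User-writable tasks'

Get-SrpPathRule | Format-Table -AutoSize
```

Log off and back on (or run `gpupdate /force` once the same settings come from a domain GPO) before testing; a blocked launch shows up in the Application event log under the "Software Restriction Policies" source. Two caveats that match Ken's "approved EXE" remark: path rules are only as good as the ACLs on the allowed directories, so any user-writable folder under %SystemRoot% or %ProgramFiles% needs an explicit Disallowed rule like the two above, and an allowed interpreter (cmd.exe, wscript.exe, a macro-capable Office binary) will still happily run user-supplied content. Hash or certificate rules are stronger than path rules where the extra maintenance is affordable.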

