nanog mailing list archives

RE: FW: Worms versus Bots

From: "Smith, Donald" <Donald.Smith () qwest com>
Date: Tue, 4 May 2004 10:35:13 -0600


Daniel I agree a nat/firewall/router with acl's ... will all help
prevent windows compromises.
I believe security in depth is an essential element of any good security
system.

The goal of this document is help new XP users survive long enough to do
their updates.
Many of them cant/wont put up acls/nat/firewalls ... but if they follow
the steps listed they have a better chance of
successfully downloading and updating their new machine then they will
have with OUT these steps.
It is not meant as a complete XP hardening document. There are lots of
documents that discuss in detail how to harden
windows (xp,nt,2k...). 

Donald.Smith () qwest com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
kill -13 111.2

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
Behalf Of Daniel Senie
Sent: Tuesday, May 04, 2004 9:39 AM
To: Sean Donelan
Cc: nanog () merit edu
Subject: RE: FW: Worms versus Bots



At 10:54 AM 5/4/2004, Sean Donelan wrote:

On Tue, 4 May 2004, Smith, Donald wrote:

If you follow these steps outlined by SANS you should be able to 
successfully update and NOT get infected. This is short,

easy, fully

documented (with pictures :)
http://www.sans.org/rr/papers/index.php?id=1298


The risk is smaller, but still exists if you follow these directions 
for XP pre-SP2.  See the Microsoft release notes for XP SP2

for details

about the fix.

If you do not have XP SP2, you need to disconnect your computer from 
the network prior to every boot cycle until it is fully patched.


A much simpler mechanism than that described by SANS is to 
have a small, 
cheap NAT box in your bag (e.g. D-Link DI-604 or similar). 
Worth the $50 
cost to have one available. Put the little router between the 
new machine 
to be brought up and whatever network you have access to. Now 
you can bring 
up the new machine and update it without having it get 
instantly infected. 
(Use some common sense... don't set up email until the 
machine is patched, 
or use any other sort of mechanism to pull in potential 
viruses before 
patching is done).

(To deflect the inevitable "NAT is not a firewall" 
complaints, the box is a 
stateful inspection firewall -- as all NAT boxes actually are).

Current thread:

RE: FW: Worms versus Bots, (continued)
- - - RE: FW: Worms versus Bots Daniel Senie (May 04)
    - RE: FW: Worms versus Bots Michael . Dillon (May 05)
    - RE: FW: Worms versus Bots william(at)elan.net (May 05)
    - Re: Worms versus Bots Matthew Crocker (May 05)
    - Re: FW: Worms versus Bots Robert E. Seastrom (May 05)
    - Re: FW: Worms versus Bots Alexei Roudnev (May 06)
    - Re: FW: Worms versus Bots Chris Adams (May 07)
    - Re: FW: Worms versus Bots Jeff Shultz (May 07)
    - Re: FW: Worms versus Bots Alexei Roudnev (May 07)
- RE: FW: Worms versus Bots Smith, Donald (May 04)
- RE: FW: Worms versus Bots Smith, Donald (May 04)
  - Message not available
    - RE: FW: Worms versus Bots Daniel Senie (May 04)
  - Message not available
    - RE: FW: Worms versus Bots Rob Nelson (May 04)
    - Re: Worms versus Bots Iljitsch van Beijnum (May 06)
    - Re: Worms versus Bots Valdis . Kletnieks (May 06)
- RE: FW: Worms versus Bots Michel Py (May 04)
- RE: Worms versus Bots Michel Py (May 05)
- RE: FW: Worms versus Bots Michel Py (May 07)
- RE: Worms versus Bots Michel Py (May 12)
- RE: Worms versus Bots Michel Py (May 12)