Home > Security Tips > Threat Monitor > Blocking worms
Security Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

THREAT MONITOR

Blocking worms


Tom Lancaster
09.09.2003
Rating: -3.75- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


Once again, more than 500,000 users, by Symantec's estimate, failed to follow the trivial steps required to patch their computers. Again and again, these derelicts give hackers the tools they need to create mischief, but it affects us all, not just those who can't be bothered to patch their machines. This failure was the last straw for many companies.

Many organizations have come to the conclusion that fighting worms from the desktop isn't going to work. They have decided to protect themselves in the network as well by installing Access Control Lists on their routers. Unfortunately, these ACLs will spell the end of some user functionality, but that is always the price we pay for security.

The ACLs identify troublesome ports that are frequently abused by virus writers, while at the same time, rarely used by legitimate traffic, especially to the Internet. Examples of some ports that were closed for the msblaster, nachi/welchia worms of the past few weeks are

MS DCOM RPC – TCP and UDP ports 135
MS SMB – TCP 445
MS RPC Ep Map – TCP 593

While some organizations are a little overzealous and blocking this traffic from passing through any router in their network, you should at least consider installing similar ACLs at your Internet gateway. Installing ACLs on routers is safe and effective, but it usually causes a small performance hit. In high-traffic internal networks, this can be a problem. It's rarely a problem on Internet links.

When you install these ACLs, be sure to block OUTBOUND traffic, as well as inbound traffic. The reason is that these worms often have multiple attack vectors. For instance, a user may get the worm from e-mail, then start sending traffic out of your site onto the Internet. Thus, you need to block outbound traffic. This is also why some organizations plan to block these ports at the default gateway of their users so that one infected user can't spread to the rest of the internal organization. But be careful about this strategy, because there are many worms and many ports to block. Make sure you know which ports the legitimate traffic is using.

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


Rate this Tip
To rate tips, you must be a member of SearchSecurity.com.
Register now to start rating these tips. Log in if you are already a member.




BROWSE BY TAG
Threat Monitor,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Threat Monitor
Cut down on calls to help desk with cybersecurity awareness training
How to detect software tampering
How to prevent phishing attacks with social engineering tests
An enterprise strategy for Web application security threats
How SSL-encrypted Web connections are intercepted
How a corporate Twitter policy can combat social network threats
Cyberwarfare and the enterprise: Is the threat real?
Software security threats and employee awareness training
Newest malware threats
How to defend against rogue DHCP server malware

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Research Solutions for Network Security, Access Control and Security Threats
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts