Tip

Segmenting a LAN to isolate malware


What you will learn from this tip: The disadvantages of segmenting a LAN to isolate a worm or virus, and alternatives for keeping malware off a network.

The following question and answer thread was excerpted from ITKnowledge Exchange. Click here to read the entire thread or begin a new thread.

A user identified as rbos77 posted:

Is it possible to isolate a worm once it's on a network by dividing the LAN into departments or sections with firewalls or managed switches and VLANs? Does anyone have any advice for or warnings against doing this?

A user identified as bobkberg posted:

This would NOT be a good idea. First of all, it puts you into a purely reactive (as opposed to proactive) position; you'll forever be playing catch up.

Second, I doubt very much that it would work without also crippling your production network. After all, a worm just uses the existing network connections just as your servers and workstations do.

As to what you SHOULD be doing (whether or not your management is allowing the budgeting for this):

  • Make sure that all systems -- especially those that travel -- have current antivirus with automated updating. All respectable vendors have this capability. BUT the traveling systems need stand-alone antivirus -- not the corporate version -- because there's no guarantee that they'll be online when the central server needs to do a push of new definitions or other updates.
  • Install Snort with the Bleeding Snort rules to look for anomalous traffic.
  • Spend some time (again, management support is essential) educating your users.

If your management doesn't want to support these efforts and expenditures, then point out to them that they're handcuffing you into a relatively helpless position.

A user identified as analog posted:

A few things here. I'm not a hobbyist. I'm a real-world kinda guy responsible for dozens of firewalls, intrusion boxes and related devices. The size of your company and resources have everything to do with how you approach this.

First, it is important to realize that you can't rely on any one piece of equipment, practice or tool set to eliminate all potential problem areas. Yes, you could divide your LAN into departmental firewalls and/or VLANS and yes that might, in some cases, keep worms from spreading. I think your time would be better spent doing other things though.

While antivirus and spyware removal/detection tools are important, they don't stop everything even if they're updated regularly. And, in some cases, it is not feasible to run either of those tools in real-time protection mode. I have seen numerous production environments (servers and workstations) suffer due to real-time protection features of AV software. But by all means, use those software tools every chance you get. They do help a lot.

The key is to create multiple ways of detecting, identifying and removing malicious software.

A Snort box is a great idea. We have four Snort network sensors in production right now, and believe me, you don't just drop a Snort box in and leave it be. You've got to know how to actually use it. Unless you are properly staffed, chances are you're not going to get much use out of it. Too many people install Snort boxes and then have no idea what they are doing with it afterwards. It sits, collecting lots of information that nobody cares (or knows how) to manage. In other words, be sure you are giving your IDS enough attention after you get it installed. I highly recommend the use of IDS (and IPS, too) if you are serious about protecting your network.

Employees MUST know basic information about how to prevent worms and other malicious software from getting on their machine. Some level of training is usually necessary. It does not have to be complicated. Simple is usually better, and you will want a functional security policy that is clearly communicated to everyone as well. Cover the basics. For example, forbid the use of any peer-to-peer software on your network and you will have successfully eliminated a percentage of possible worm infection right there. Again, simple is good.

I think you see the idea here. Read up on defense-in-depth and other terms floating about the Internet. Again, your approach will totally depend on budgeting, number of employees, executive level support and so on.
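Both replies above lean on an IDS such as Snort to spot "anomalous traffic" rather than on segmentation alone. The script below is an added illustration, not code from the thread or from Snort: it runs a simple worm fan-out check (one source reaching many distinct hosts on one port within a short window) over a constructed set of flow records, and reports which /24 segments the source reached, which is the question a VLAN boundary is supposed to answer. Hostnames, addresses and the 60-second/5-host thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (timestamp src dst dst_port), not from the thread:
# 10.1.20.15 behaves like a worm scanning port 445 across two /24 segments.
SAMPLE_FLOWS = """\
2005-04-01T10:00:00 10.1.20.22 10.1.20.1 53
2005-04-01T10:00:02 10.1.20.22 10.1.10.5 445
2005-04-01T10:00:03 10.1.20.15 10.1.20.16 445
2005-04-01T10:00:03 10.1.20.15 10.1.20.17 445
2005-04-01T10:00:04 10.1.20.15 10.1.20.18 445
2005-04-01T10:00:04 10.1.20.15 10.1.30.7 445
2005-04-01T10:00:05 10.1.20.15 10.1.30.8 445
2005-04-01T10:00:05 10.1.20.15 10.1.30.9 445
2005-04-01T10:00:40 10.1.20.22 10.1.20.1 53
"""

def parse_flows(text):
    """Return (timestamp, src, dst, port) tuples from whitespace-separated records."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def detect_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Return {(src, port): peak distinct hosts} for pairs reaching >= threshold hosts in one window."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def segments_reached(flows, src):
    """/24 segments a source talked to: shows how far it got past a VLAN/firewall boundary."""
    return {dst.rsplit(".", 1)[0] for _ts, s, dst, _port in flows if s == src}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, port), n in detect_fanout(flows).items():
        print(f"ALERT {src} hit {n} hosts on tcp/{port}; segments {sorted(segments_reached(flows, src))}")
```

The benign client 10.1.20.22 never trips the check because it talks to one DNS server and one file server, while the scanner is flagged and shown to have crossed from 10.1.20.0/24 into 10.1.30.0/24.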


This was first published in April 2005
