Information Security

Defending the digital infrastructure



How the Navy's isolation policy stopped the spread of the Welchia worm

The Pentagon's partitioning of agencies served as an inadvertent isolation policy that helped contain the outbreak of the Welchia worm within the Navy's intranet.

Welchia, a variant of the Blaster worm, crippled the Navy/Marine Corps intranet, denying network connections to nearly 70,000 users. Yet, the rest of the Pentagon was spared from widespread infection because the Navy's intranet is segmented from other military departments.

The Navy's isolation was more the result of Pentagon politics than good security planning. The different military departments and agencies have stovepipe infrastructures to maintain their independent identities. But the lesson is clear: Partitioning your network into trust zones helps contain malware outbreaks.

Welchia was designed to remove the original Blaster worm, but its scans had the effect of a denial-of-service attack. The worm's activity put a heavy load on the Navy's infrastructure. Peakflow, an anomaly-based intrusion detection product from Arbor Networks, proved an effective weapon in the Pentagon's battle with Welchia. When a switch heated up with an unusual load, the operations team shut down the hot port and quarantined the infection.

The Pentagon's segmented IT infrastructure is happenstance, but still stands up as a good example of the benefits of trusted zones. Enterprises may balk at the effort and expense of rearchitecting their networks in this fashion, but building trust zones doesn't have to break the bank.

Most networks are based on switches that support VLANs. For instance, you can put HR on one VLAN and sales on another. To move traffic between VLANs, you generally go through a routing card. This allows you to implement access control. High-value areas can be protected from internal network threats with low-cost, low-maintenance appliance firewalls. These typically cost between $500 and $800, and are available from Symantec, StoneSoft, WatchGuard Technologies and numerous other vendors.

Welchia's impact on the Pentagon could have been worse. The Defense Information Systems Agency (DISA) -- the Pentagon's ISP -- is one of the few service providers that block port 135. Given the huge number of Pentagon employees and contractors who use DISA's service, this action slowed Welchia's spread and reduced the number of "backdoor" infections via modem pools and VPN tunnels. If Windows is too frail to be on the Internet, maybe ISPs should consider blocking some of the commonly exploited ports.
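The inter-VLAN access control and port 135 blocking described above can be modeled as a first-match, default-deny policy and tested against sample traffic before it goes on a router. This is an added example, not code from the article; the zone names beyond HR and sales, the subnets, the permit rules and the sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed zone map: the subnets and the "servers" zone are hypothetical.
ZONES = {
    "hr": ipaddress.ip_network("10.10.10.0/24"),
    "sales": ipaddress.ip_network("10.10.20.0/24"),
    "servers": ipaddress.ip_network("10.10.30.0/24"),
}
# First-match rules enforced where traffic is routed between VLANs:
# (action, src_zone, dst_zone, proto, dst_port); "*" matches any zone.
RULES = [
    ("deny", "*", "*", "tcp", 135),            # the port the article says DISA blocks
    ("permit", "hr", "servers", "tcp", 443),   # hypothetical business rule
    ("permit", "sales", "servers", "tcp", 443),
]
DEFAULT_ACTION = "deny"  # anything not explicitly permitted between zones is dropped

def zone_of(addr):
    """Return the name of the zone containing addr, or None if it is unknown."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def decide(src, dst, proto, dport):
    """Return 'permit', 'deny', or 'switched' for one flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny"  # unknown address space is never trusted
    if src_zone == dst_zone:
        # Same VLAN: the frame is switched and never reaches the routing
        # point, so the inter-VLAN rules cannot stop it.
        return "switched"
    for action, r_src, r_dst, r_proto, r_port in RULES:
        if (r_src in ("*", src_zone) and r_dst in ("*", dst_zone)
                and r_proto == proto and r_port == dport):
            return action
    return DEFAULT_ACTION

def summarize(flows):
    """Count verdicts over an iterable of (src, dst, proto, dport) tuples."""
    counts = {}
    for flow in flows:
        verdict = decide(*flow)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample flows; 10.10.20.15 stands in for a scanning host in sales.
SAMPLE_FLOWS = [
    ("10.10.20.15", "10.10.10.7", "tcp", 135),   # sales -> HR scan
    ("10.10.20.15", "10.10.30.5", "tcp", 135),   # sales -> servers scan
    ("10.10.20.15", "10.10.20.99", "tcp", 135),  # same VLAN, bypasses the rules
    ("10.10.10.7", "10.10.30.5", "tcp", 443),    # permitted business traffic
    ("10.10.10.7", "10.10.20.15", "tcp", 445),   # no rule, default deny
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

The "switched" verdict marks the limit of this design: zoning contains an outbreak at the zone boundary, while hosts inside the same VLAN still reach each other directly.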

This was last published in November 2003
