
Segmenting a LAN to isolate malware

The disadvantages of segmenting a LAN to isolate a worm or virus, and alternatives for keeping malware off a network.


The following question and answer thread was excerpted from ITKnowledge Exchange.

A user identified as rbos77 posted:

Is it possible to isolate a worm once it's on a network by dividing the LAN into departments or sections with firewalls or managed switches and VLANs? Does anyone have any advice for or warnings against doing this?

A user identified as bobkberg posted:

This would NOT be a good idea. First of all, it puts you into a purely reactive (as opposed to proactive) position; you'll forever be playing catch up.

Second, I doubt very much that it would work without also crippling your production network. After all, a worm uses the existing network connections just as your servers and workstations do.

As to what you SHOULD be doing (whether or not your management is allowing the budget for this):

  • Make sure that all systems -- especially those that travel -- have current antivirus with automated updating. All respectable vendors have this capability. BUT the traveling systems need stand-alone antivirus -- not the corporate version -- because there's no guarantee that they'll be online when the central server needs to do a push of new definitions or other updates.
  • Install Snort with the Bleeding Snort rules to look for anomalous traffic.
  • Spend some time (again, management support is essential) educating your users.

If your management doesn't want to support these efforts and expenditures, then point out to them that they're handcuffing you into a relatively helpless position.

A user identified as analog posted:

A few things here. I'm not a hobbyist. I'm a real-world kinda guy responsible for dozens of firewalls, intrusion boxes and related devices. The size of your company and its resources have everything to do with how you approach this.

First, it is important to realize that you can't rely on any one piece of equipment, practice or tool set to eliminate all potential problem areas. Yes, you could divide your LAN into departmental firewalls and/or VLANs, and yes, that might, in some cases, keep worms from spreading. I think your time would be better spent doing other things though.

While antivirus and spyware removal/detection tools are important, they don't stop everything even if they're updated regularly. And, in some cases it is not feasible to run either of those tools in real-time protection mode. I have seen numerous production environments (servers and workstations) suffer due to real-time protection features of AV software. But by all means, use those software tools every chance you get. They do help a lot.

The key is to create multiple ways of detecting, identifying and removing malicious software.

A Snort box is a great idea. We have four Snort network sensors in production right now, and believe me, you don't just drop a Snort box in and leave it be. You've got to know how to actually use it. Unless you are properly staffed, chances are you're not going to get much use out of it. Too many people install Snort boxes and then have no idea what they are doing with them afterwards. It sits, collecting lots of information that nobody cares (or knows how) to manage. In other words, be sure you are giving your IDS enough attention after you get it installed. I highly recommend the use of IDS (and IPS, too) if you are serious about protecting your network.

Employees MUST know basic information about how to prevent worms and other malicious software from getting on their machines. Some level of training is usually necessary. It does not have to be complicated. Simple is usually better, and you will want a functional security policy that is clearly communicated to everyone as well. Cover the basics. For example, forbid the use of any peer-to-peer software on your network and you will have successfully eliminated a percentage of possible worm infections right there. Again, simple is good.

I think you see the idea here. Read up on defense-in-depth and other terms floating about the Internet. Again, your approach will totally depend on budgeting, number of employees, executive level support and so on.
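Both answers above point at the same thing: rather than carving up the LAN, watch the traffic for worm-like behaviour with an IDS such as Snort and make sure someone actually reads what it produces. The script below is an added example, not code from the thread or from the Snort project. It implements the kind of heuristic a scan-detection rule expresses, a host contacting an unusual number of distinct peers on one port inside a short window, and runs it over constructed flow records (the IP addresses, ports and timestamps are made up for the example; the record format "ts src dst dport" is an assumption, not a Snort or NetFlow format).

```python
"""Worm fan-out heuristic over constructed flow records (added example).

A propagating worm typically sweeps many hosts on one service port in a
short time, while a workstation doing real work talks to a handful of
servers repeatedly.  Counting distinct destinations per (source, port)
inside a sliding time window separates the two without inspecting payload.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since an arbitrary epoch
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port


def parse_flows(text):
    """Parse whitespace-separated 'ts src dst dport' lines into Flow objects.

    Blank lines and lines starting with '#' are ignored.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport)))
    return flows


def find_scanners(flows, fanout=8, window=60.0):
    """Return {(src, dport): peak_distinct_dsts} for sources whose number of
    distinct destinations on one port reached `fanout` within any `window`
    seconds.  Repeated connections to the same destination count once, so a
    workstation hammering its file server is not flagged.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append(f)

    alerts = {}
    for key, events in by_key.items():
        events.sort(key=lambda f: f.ts)
        recent = deque()      # flows inside the current window
        seen = Counter()      # distinct dst -> occurrences inside the window
        peak = 0
        for f in events:
            recent.append(f)
            seen[f.dst] += 1
            # expire flows older than the window
            while recent and recent[0].ts < f.ts - window:
                old = recent.popleft()
                seen[old.dst] -= 1
                if seen[old.dst] == 0:
                    del seen[old.dst]
            peak = max(peak, len(seen))
        if peak >= fanout:
            alerts[key] = peak
    return alerts


# Constructed sample records (not captured traffic):
#  - 10.0.1.20 sweeps twelve hosts on TCP/445 within twelve seconds (worm-like)
#  - 10.0.1.30 talks to one file server on TCP/445 eight times (normal use)
#  - 10.0.1.40 touches nine hosts on TCP/139, but only one every 100 seconds
SAMPLE_LOG = "\n".join(
    [f"{i} 10.0.1.20 10.0.1.{100 + i} 445" for i in range(1, 13)]
    + [f"{5 + 10 * i} 10.0.1.30 10.0.1.5 445" for i in range(8)]
    + [f"{100 * i} 10.0.1.40 10.0.1.{201 + i} 139" for i in range(9)]
)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for (src, dport), peak in find_scanners(flows).items():
        print(f"ALERT {src} reached {peak} distinct hosts on port {dport}")
```

With the default 60-second window only the fast sweep from 10.0.1.20 is reported; widening the window to 1000 seconds also catches the slow sweep from 10.0.1.40, which illustrates analog's point that an IDS is only useful when someone tunes its thresholds and reads its output.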


This was last published in April 2005
