[FW1] Code Red: What security specialists don't mention in warnings
Greetings,

I'm sure you have heard and read plenty of warnings about the Code Red worm, which is supposed to awake again. The Code Red worm 'infects' Microsoft Internet Information Servers by exploiting a vulnerability (or bug) that Microsoft had issued a patch for in the middle of June this year. Once the worm has gained a foothold in the web server, it tries to find other web servers that are vulnerable.

Many security experts and organizations are recommending applying the patch from Microsoft in order to prevent the worm from infecting the web server. And while patching a system is an important step, that seems to be all they are recommending. Everyone appears to be focusing on the patch.

Let's imagine there is a similar vulnerability in Microsoft's web server software that could cause a different type of worm to infect the server and spread out to others. What will the recommendation be? Apply another patch? What after that one is patched and a third worm surfaces? It seems that everyone is overlooking the obvious.

The problem here is not that the web server is not correctly patched. Sure, that is one issue. But I'm sure you have heard security experts talk about 'Defense in Depth' and multi-layered security. Is applying 'a patch' really 'Defense in Depth'? Far from it; it is just one layer. There is another issue that has not been addressed by any of the advisories at all (even by those who preach the multi-layered defense).

What has been overlooked is simply proper firewalling of the web servers. Web servers should only respond to incoming web requests. Web servers do not need to establish connections to the Internet. So if a web server is behind a stateful firewall, and the firewall rules allow incoming web requests to the web server but deny outgoing connections from the web server to the Internet, then the Code Red worm can be contained. Proper firewalling does not prevent the worm from entering (that's what the patch does). But it does prevent the worm from establishing connections to other web servers, so that the worm cannot infect them and effectively spread itself through the Internet.

With proper firewalling the worm does not spread, which a) does not use up bandwidth and clog up the Internet, b) does not cause embarrassment to your company when the owners of other infected systems call you asking why your server is attacking them, and c) does not make you potentially liable for any damages the worm causes to others, originating from your systems. The advisories and warnings currently circulating do not mention proper firewalling, which they should. Proper firewalling may also prevent hackers from breaking into web servers, which usually occurs through the installation of 'trojans', programs that establish connections back to the hacker in order to give him full system access.

So may I take the opportunity to recommend the following:

a) Download and install the patch from Microsoft (available at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp).

b) In addition, review your firewall rules and make sure your web server cannot establish connections to the Internet. If you have not protected your web server with a firewall, this worm may give you another incentive to do so.

There are certainly other steps and precautions that can be taken. However, the above are the most effective with regard to the Code Red worm. Recommendation b) extends the original advisories and recommendations to a second level. This is 'Defense in Depth'. If one countermeasure (the patch) fails, the second countermeasure (the firewall) will still prevent the worm from spreading. 'Defense in Depth'. This is how security should be done. Protect your systems with multiple layers of defense. Review and reconfigure your firewall now.
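To illustrate recommendation b), here is a small Python model of the stateful rule set the post describes. It is an added example by the editor, not code from the post or any Check Point product, and every address in it is constructed. The model shows the point that is easy to get wrong: the filter must track connection state so that the server's replies to requests it was allowed to receive still pass, while any new connection the server itself opens toward the Internet (which is all a worm's scanning amounts to) is dropped and logged.

```python
from dataclasses import dataclass

WEB_SERVER = "10.0.0.5"  # constructed address for the DMZ web server (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the segment that opens a TCP connection


class StatefulFirewall:
    """Minimal model of a stateful packet filter in front of one web server."""

    def __init__(self, web_server):
        self.web_server = web_server
        self.conns = set()  # accepted connections as (src, sport, dst, dport)
        self.dropped = []   # log of (packet, reason) for every drop

    def _drop(self, pkt, reason):
        self.dropped.append((pkt, reason))
        return "DROP"

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # State rule: packets belonging to an already-accepted connection pass
        # in both directions. This is what lets the server answer the requests
        # it was allowed to receive without any outbound "allow" rule.
        if fwd in self.conns or rev in self.conns:
            return "ACCEPT"
        # Anything else that is not a connection-opening segment has no state.
        if not pkt.syn:
            return self._drop(pkt, "no matching state")
        # Rule 1: new inbound HTTP connections to the web server are accepted.
        if pkt.dst == self.web_server and pkt.dport == 80:
            self.conns.add(fwd)
            return "ACCEPT"
        # Rule 2: the web server may not open connections to anything.
        if pkt.src == self.web_server:
            return self._drop(pkt, "egress from web server denied")
        # Default deny for everything not explicitly allowed.
        return self._drop(pkt, "default deny")


def simulate():
    """Run a constructed traffic sample through the filter and return the verdicts."""
    fw = StatefulFirewall(WEB_SERVER)
    client, other_server = "198.51.100.7", "203.0.113.9"  # constructed addresses
    verdicts = {
        # A normal visitor opens a connection to the web server.
        "client_request": fw.filter(Packet(client, 40001, WEB_SERVER, 80, syn=True)),
        # The server's reply travels on the same connection and is let through.
        "server_reply": fw.filter(Packet(WEB_SERVER, 80, client, 40001, syn=False)),
        # An infected server tries to open a connection to another web server.
        "worm_scan": fw.filter(Packet(WEB_SERVER, 40002, other_server, 80, syn=True)),
        # Follow-up segments of that attempt have no state and are dropped too.
        "worm_retry": fw.filter(Packet(WEB_SERVER, 40002, other_server, 80, syn=False)),
    }
    return verdicts, fw.dropped


if __name__ == "__main__":
    verdicts, dropped = simulate()
    for name, verdict in verdicts.items():
        print(f"{name:15s} {verdict}")
    for pkt, why in dropped:
        print(f"dropped {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {why}")
```

Running it prints ACCEPT for the client's request and the server's reply and DROP for both segments of the server-initiated connection. The drop log is the detection side of the same rule: a DMZ web server that suddenly produces "egress denied" entries toward port 80 on other hosts is a strong sign that it has been infected, even before the patch status is checked.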
Sincerely,
Frank Knobbe (concerned netizen)