
Re: [FW1] Code Red: What security specialist don't mention in warnings



Frank,

> Web servers should only respond to incoming web requests. Web servers do not need to
> establish connections to the Internet. So if a web server is behind a
> stateful firewall, and the firewall rules allow incoming web requests
> to the web server, but deny outgoing connections from the web server to the
> Internet, then the Code Red worm can be contained.

This is absolutely right on. Furthermore, assuming that the
web server is in a DMZ, the firewall rules should also block
http access originating from the web server to any internal machine;
that will block the worm from infecting any internal web servers.

I would recommend that a web server:
(*) should be in a DMZ, off a separate interface on the firewall,
(*) should not be allowed to initiate ANY traffic to ANYWHERE
   (except maybe ping for troubleshooting)
This should not affect its ability to serve pages, will help contain
the Code Red worm, and will help protect your net.
And this stance holds even if you are using
a non-Microsoft web server: you may be vulnerable to the next worm or
hack that shows up.

Avishai


=====
Avishai Wool, Ph.D.,  Chief Scientist & Co-Founder, Lumeta Corp.
220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
Email: [email protected]        Web: http://research.lumeta.com/yash/
Phone:  Cell:  Fax:
** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
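The stance above (inbound HTTP to the DMZ web server only; the web server initiates nothing except ping) as a small stateful-firewall policy model in Python. This is an added illustration, not code from the original mail or from Lumeta; the zone prefixes, the web server address and the rule table are constructed.

```python
"""Toy stateful firewall: first-match rules for NEW connections, plus a
state table that lets reply packets of accepted connections through."""
from ipaddress import ip_network, ip_address

# Constructed topology: one firewall interface per zone.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),       # web server lives here
    "internal": ip_network("10.0.0.0/8"),    # corporate LAN
    "internet": ip_network("0.0.0.0/0"),     # catch-all, checked last
}

def zone_of(addr):
    """Return the most specific zone containing addr."""
    a = ip_address(addr)
    for name in ("dmz", "internal", "internet"):
        if a in ZONES[name]:
            return name
    return "internet"

# (src_zone, dst_zone, proto, dport, action); '*' / None are wildcards.
# Order matters: first match wins, default is deny.
RULES = [
    ("internet", "dmz", "tcp", 80, "accept"),   # inbound web requests
    ("dmz", "*", "icmp", None, "accept"),       # ping for troubleshooting
    ("dmz", "*", "*", None, "drop"),            # web server initiates nothing else
    ("*", "*", "*", None, "drop"),              # default deny
]

class StatefulFirewall:
    def __init__(self):
        self.table = set()   # accepted 5-tuples (src, sport, dst, dport, proto)

    def packet(self, src, sport, dst, dport, proto):
        """Return 'accept' or 'drop' for one packet and update the state table."""
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if fwd in self.table or rev in self.table:
            return "accept"   # belongs to a connection the policy already allowed
        sz, dz = zone_of(src), zone_of(dst)
        for rs, rd, rp, rport, action in RULES:
            if (rs in (sz, "*") and rd in (dz, "*")
                    and rp in (proto, "*") and rport in (dport, None)):
                if action == "accept":
                    self.table.add(fwd)   # remember so replies can return
                return action
        return "drop"
```

Replies to an accepted inbound request pass via the state table, while a connection the web server tries to open to the Internet or to an internal host on port 80 hits the DMZ drop rule.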





