RE: [FW1] Code Red: What security specialist don't mention in warnings
Actually, to add to this discussion... With the exception of servers providing UDP-based services, any outbound connection that is not established should be dropped at the router level. This includes the relevant IPs bound to your firewall, which is still a host, and could still be compromised.

! Permit only reply traffic (ACK or RST set) leaving the web server's
! service ports; the implicit "deny any" at the end of the list drops
! everything else, including connections the server tries to open itself.
access-list 113 permit tcp host X.X.X.X eq 80 any established
access-list 113 permit tcp host X.X.X.X eq 443 any established

Better still:

! Stateful inspection (CBAC): track the TCP sessions opened from outside
! and let through only the return traffic that belongs to them.
ip inspect name watch_tcp tcp 360
! Interface-level command: inspect sessions arriving on that interface.
ip inspect watch_tcp in

Keith

>-----Original Message-----
>From: Avishai Wool [mailto:[email protected]]
>Sent: Tuesday, July 31, 2001 10:58 PM
>To: Frank Knobbe
>Cc: [email protected]
>Subject: Re: [FW1] Code Red: What security specialist don't mention in
>warnings
>
>
>
>Frank,
>
>> Web servers should only respond to incoming web requests.
>> Web servers do not need to
>> establish connections to the Internet. So if a web server is behind a
>> stateful firewall, and the firewall rules allow incoming web requests
>> to the web server, but deny outgoing connections from the
>> web server to the
>> Internet, then the Code Red worm can be contained.
>
>This is absolutely right on. Furthermore, assuming that the
>web server is in a DMZ, the firewall rules should also block
>http access originating from the web server to any internal machine;
>that will block the worm from infecting any internal web servers.
>
>I would recommend that a web server:
>(*) should be in a DMZ, off a separate interface on the firewall,
>(*) should not be allowed to initiate ANY traffic to ANYWHERE
>    (except maybe ping for troubleshooting)
>This should not affect its ability to serve pages, will help contain
>the Code Red worm, and will help protect your net.
>And this stance holds even if you are using
>a non-Microsoft web server: you may be vulnerable to the next worm or
>hack that shows up.
>
>Avishai
>
>
>=====
>Avishai Wool, Ph.D., Chief Scientist & Co-Founder, Lumeta Corp.
>220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
>Email: [email protected]  Web: http://research.lumeta.com/yash/
>** Want to audit or debug your firewall's policy? **
>Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html

================================================================================
 To unsubscribe from this mailing list, please see the instructions at
 http://www.checkpoint.com/services/mailing.html
================================================================================
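The two egress controls Keith contrasts (the ACL `established` keyword versus CBAC `ip inspect`) behave differently for a compromised server, and the following added example models that difference. It is not code from the thread or from any of the posters; the addresses, ports and packets are constructed for illustration, and the two filter models are simplified (no sequence-number or timeout handling) to show only the distinction that matters here: `established` is a stateless flag test, while inspection keeps per-session state.

```python
"""Added example (not from the thread): a small model of the two egress
controls Keith contrasts for a DMZ web server, run against constructed
packets.  Addresses come from the documentation ranges and are assumptions."""
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"      # assumed address of the DMZ web server
SERVICE_PORTS = {80, 443}      # the only ports the server is allowed to answer on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def acl_established(pkt: Packet) -> str:
    """Stateless model of the two ACL lines, evaluated on traffic leaving the
    web server (implicit deny at the end of the list):
        access-list 113 permit tcp host WEB eq 80  any established
        access-list 113 permit tcp host WEB eq 443 any established
    'established' only checks that ACK or RST is set; it keeps no session state."""
    if pkt.src == WEB_SERVER and pkt.sport in SERVICE_PORTS and (pkt.ack or pkt.rst):
        return "permit"
    return "deny"


class CbacInspector:
    """Model of 'ip inspect ... tcp': a connection admitted from the outside
    opens a session entry, and the server may only send packets that belong
    to an open session.  Anything the server initiates itself has no entry."""

    def __init__(self) -> None:
        self.sessions: set = set()   # entries of (client, cport, server, sport)

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "permit"                       # continuation of a tracked session
        if pkt.dst == WEB_SERVER and pkt.dport in SERVICE_PORTS and pkt.syn and not pkt.ack:
            self.sessions.add(key)                # new request from outside: open the session
            return "permit"
        return "deny"

    def outbound(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.sessions else "deny"


def run_scenario() -> dict:
    """Constructed traffic: one legitimate fetch, then two things a compromised
    server would try.  Returns (ACL verdict, CBAC verdict) per packet."""
    client = "198.51.100.7"
    victim = "203.0.113.55"
    request = Packet(client, WEB_SERVER, 40123, 80, syn=True)
    reply = Packet(WEB_SERVER, client, 80, 40123, syn=True, ack=True)
    # Worm propagation: the server opens a brand-new connection to port 80 elsewhere.
    worm_syn = Packet(WEB_SERVER, victim, 3312, 80, syn=True)
    # ACK-only packet sourced from port 80 with no prior inbound connection:
    # the flag test alone cannot tell it apart from a genuine reply.
    ack_probe = Packet(WEB_SERVER, victim, 80, 4444, ack=True)

    cbac = CbacInspector()
    assert cbac.inbound(request) == "permit"
    return {
        "reply": (acl_established(reply), cbac.outbound(reply)),
        "worm_syn": (acl_established(worm_syn), cbac.outbound(worm_syn)),
        "ack_probe": (acl_established(ack_probe), cbac.outbound(ack_probe)),
    }


if __name__ == "__main__":
    for name, (acl, cbac) in run_scenario().items():
        print(f"{name:10s} acl={acl:6s} cbac={cbac}")
```

Both models pass the reply and drop the worm's new SYN, which is the containment Frank and Avishai describe. The `ack_probe` row is the reason for Keith's "Better still": an ACK-only packet sent from source port 80 satisfies `established` and leaves the DMZ, while the session-tracking filter has no matching entry and drops it. Neither model covers Avishai's second rule (blocking the web server from reaching internal hosts), which is a separate rule on the DMZ-to-inside path.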