RE: [fw-wiz] Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)

From: dave.goldsmithat_private
Date: Thu Aug 02 2001 - 14:02:21 PDT

  • Next message: Wayne Conrad: "CRv3?"

    > -----Original Message-----
    > From: Joseph Steinberg [mailto:Joseph@whale-com.com]
    > Sent: Thursday, August 02, 2001 12:23 PM
    > To: firewall-wizardsat_private
    > Subject: [fw-wiz] Re: Code Red: What security specialist don't mention
    > in warnings (Frank Knobbe)
    > 
    > 
    > 
    > >Web servers should only respond to incoming web requests. Web servers do
    > >not need to establish connections to the Internet. So if a web server is
    > >behind a stateful firewall, and the firewall rules allow incoming web 
    > >request to the web server, but denies outgoing connections from the web
    > >server to the Internet, then the Code Red worm can be contained. 
    > 
    > Depends on the application and the location of the web server 
    > -- it may need to access content from the internet...
    
    Generally, web servers do not need to establish connections to the Internet.
    Block all outgoing access, and then grant access to specific servers to
    specific ports on a case-by-case basis.
    
    > Also, what if your web server needs to send outbound email 
    > (confirmation messages, etc.)...
    
    See above comment.  [Note: Specifically for CodeRed, if a web server was
    blocked for all outbound access and then specifically allowed to send outbound
    e-mail (connections to port 25) then CodeRed would still have been prevented
    from spreading]
     
    > BTW: The generic Code Red worm may just deface and connect outward, but the
    > same vulnerability could have been exploited to steal the information on the
    > web server, or turn it into a host for a staged attack against other
    > DMZ/internal machines. As the vulnerability is at the application-level, a
    > firewall will not likely mitigate against this.
    
    And if such a more invasive version of a worm got through and gathered data
    to send home, or took control of the system to be used as a slave in a DDoS
    attack, then blocking outbound initiated connections from the web server on
    the firewall WOULD prevent that data from being sent or the DDoS attack
    from occurring.
    
    I agree that the firewall cannot prevent CodeRed from coming in to the
    local network.  Obviously, the firewall must allow traffic on port 80 through
    to the web server. So to get a better in-depth security posture, you now
    have:
    
    1) Allow incoming traffic to specific servers on specific ports. (25 to mail
    srvr, 80 to web srvr)
    2) Block all other incoming traffic.
    3) Install all applicable software updates and security patches to minimize
    the ability of a valid traffic stream to contain code that will negatively
    impact your system.
    4) Allow outgoing traffic from specific servers to specific ports.
    5) Block all other outgoing traffic from the servers.
    
    R/S, Dave Goldsmith
    
    ############################################################
    This email message is for the sole use of the intended
    recipient(s) and may contain confidential and privileged
    information.  Any unauthorized review, use, disclosure or 
    distribution is prohibited.  If you are not the intended 
    recipient, please contact the sender by reply email and 
    destroy all copies of the original message.  Any views 
    expressed in this message are those of the individual 
    sender, except where the sender specifically states them 
    to be the views of Intelsat, Ltd. and its subsidiaries.
    ############################################################
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://list.nfr.com/mailman/listinfo/firewall-wizards
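The five-step posture Dave lays out above (inbound allowed only to named servers on named ports, everything else inbound dropped; outbound from the servers allowed only to named ports, everything else outbound dropped, with replies passing by connection state) can be replayed as a small stateful rule evaluator. The block below is an added example written for this archive page, not code from the list thread or from any firewall product. The DMZ network and host addresses are constructed placeholders from the RFC 5737 TEST-NET ranges, and the rule order mirrors steps 1, 2, 4 and 5 of the message (step 3, patching, has no firewall rule). It shows why port 80 inbound must pass, why the infected server's outbound port-80 connection attempt is dropped, and why a port-25 exception for confirmation mail does not reopen that path.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addresses (RFC 5737 TEST-NET ranges), not real hosts.
DMZ_NET = "192.0.2.0/24"
WEB_SRV = "192.0.2.80"
MAIL_SRV = "192.0.2.25"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (Internet -> DMZ) or "out" (DMZ -> Internet)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True for a connection-initiating packet


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    comment: str

    def matches(self, p: Packet) -> bool:
        return (
            self.direction == p.direction
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


# The posture from the message as an ordered, first-match rule list.
POLICY = [
    # 1) Allow incoming traffic to specific servers on specific ports.
    Rule("in", ANY, WEB_SRV, 80, "allow", "step 1: HTTP to web server"),
    Rule("in", ANY, MAIL_SRV, 25, "allow", "step 1: SMTP to mail server"),
    # 2) Block all other incoming traffic.
    Rule("in", ANY, ANY, None, "deny", "step 2: default inbound deny"),
    # 4) Allow outgoing traffic from specific servers to specific ports.
    Rule("out", WEB_SRV, ANY, 25, "allow", "step 4: web server may send mail"),
    Rule("out", MAIL_SRV, ANY, 25, "allow", "step 4: mail server relays mail"),
    # 5) Block all other outgoing traffic from the servers.
    Rule("out", DMZ_NET, ANY, None, "deny", "step 5: default outbound deny"),
]


class StatefulFirewall:
    """First-match rule evaluation plus a connection table for reply traffic."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # (src, sport, dst, dport) of accepted initiations

    def decide(self, p: Packet) -> str:
        # Non-SYN packets that reverse an accepted flow pass by state, not rule.
        if not p.syn and (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow (established)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.syn:
                    self.flows.add((p.src, p.sport, p.dst, p.dport))
                return f"{r.action} ({r.comment})"
        return "deny (implicit)"


def containment_demo():
    """Replay the traffic the thread discusses; returns each verdict by name."""
    fw = StatefulFirewall(POLICY)
    client, other = "198.51.100.7", "203.0.113.9"  # constructed Internet hosts
    return {
        # The firewall must pass port 80 in, so the exploit request reaches the server.
        "client_http_in": fw.decide(Packet("in", client, 40001, WEB_SRV, 80, True)),
        # The reply to that request is allowed by connection state.
        "http_reply_out": fw.decide(Packet("out", WEB_SRV, 80, client, 40001, False)),
        # An infected web server opening port 80 elsewhere hits the outbound deny.
        "worm_propagation_out": fw.decide(Packet("out", WEB_SRV, 40002, other, 80, True)),
        # Confirmation e-mail from the web server is still permitted by step 4.
        "confirmation_mail_out": fw.decide(Packet("out", WEB_SRV, 40003, other, 25, True)),
        # Unsolicited inbound to a port with no rule is dropped by step 2.
        "scan_in": fw.decide(Packet("in", other, 40004, WEB_SRV, 445, True)),
    }


if __name__ == "__main__":
    for name, verdict in containment_demo().items():
        print(f"{name:22s} -> {verdict}")
```

Run it as a script to print the five verdicts; the point to notice is that the outbound port-80 attempt from the web server is denied by the step-5 rule even though the step-4 port-25 exception exists, which is exactly the case the note about outbound e-mail makes.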
    



    This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 08:20:24 PDT