Re: [logs] Re: Reliably detecting things like the SQL worm....

From: Chris Adams (cadamsat_private)
Date: Mon Jan 27 2003 - 09:50:11 PST

  • Next message: H C: "Re: [logs] Re: Reliably detecting things like the SQL worm...."

    On Monday, January 27, 2003, at 06:12  AM, Bennett Todd wrote:
    > 2003-01-26T16:53:00 Chris Adams:
    >> The biggest lesson is simply network structure:
    > Hear, hear!
    >> if you have all of your control and logging going over the same
    >> network (or a VLAN without some sort of prioritization or reserved
    >> bandwidth), you're screwed.
    > Now _that_ I'm less completely in agreement with.
    > Rather, I'd say that you need to stay on top of security; anybody
    > who had any MS-SQL servers anywhere approaching visible from the
    > internet wasn't paying attention to basics.
    I completely agree on that count - I was thinking more about the 
    consequences of when someone inadvertently releases a worm inside the 
    firewall (laptop, VPN, etc.). Being able to react quickly is key and 
    that's much easier if you use some sort of QoS so your control requests 
    get handled ahead of worm traffic (syslog should also be above normal 
    priority but below the control channel). It sounds like what happened 
    to BofA was a case of the ATM VLAN getting nailed because it shared 
    physical connections with a separate VLAN which was getting the worm 
    Anyway, we're rapidly heading off topic with the possible exception of 
    syslog QoS, so I'll drop the list from future replies.
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 10:19:28 PST