Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-virus > 03 > 040146.html (Request Expert securityfocus.com Support)

RE: Article Announcement: Statistical-Based Intrusion Detection

From: Schmehl, Paul L <pauls(at)utdallas.edu>
Date: Tue Apr 22 2003 - 15:54:01 EDT


This is not true. I know of a very large network that had ingress/egress filtering in place and still got hit by Slammer. One user with an infected machine logged on to the network through VPN **on the right (or perhaps you could say wrong) VLAN**, and from that point on it was katie bar the door.

Unless you want to cripple your network to the point that it's essentially unusable, the right way to fix these sorts of problems is to have an aggressive patching program in place. Blocking and filtering merely masks the real problem.

For example, we have SQL Servers that serve clients on multiple VLANs. Even if we filtered at the switch ports, we'd still be exposed to an infection that showed up in any of the VLANs that has access to the server. The proper fix is to keep the servers patched, not to block and filter and cobble protection together.

On a server that we are not allowed to patch (due to vendor restrictions), we deployed a DSL router. This effectively isolated that server from our *internal* network as well as the external network. Closing the door to the Internet only merely reduces, but does not eliminate, the risk of infection and subsequent bandwidth consumption.

You would think that this lesson has been driven home after all the CodeReds, Nimdas, Slappers and Slammers, but perhaps it hasn't yet.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: Dongen, Jeroen van [mailto:jvandongen@seneca.nl]
> Sent: Tuesday, April 22, 2003 7:27 AM
> To: Focus-Virus
> Subject: RE: Article Announcement: Statistical-Based
> Intrusion Detection
>
> Nice - however you don't need any kind of IDS to stop


Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-focus-virus
Received on Wed Apr 23 10:32:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT

Do you need help?X
Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library