Pantek Library

RE: Purging Blaster.worm

From: Jay Woody <jay_woody(at)tnb.com>
Date: Thu Aug 14 2003 - 16:11:54 EDT


>> My point here was simply that I have yet to have a

You must not have been there during the Code Red or Nimda worm then. :) Because in that case the firewall said, "Web servers on port 80? Oh yeah, they are right over there." In this particular case (Blaster) would a firewall help slow it down? Yeah. And I said so in my first e-mail. However, your statement was, "This infection doesn't seem to be able to get past a properly configured firewall". That just isn't true. There are other ways around the firewall. My laptop example, uh, for example. :) Or the case of mass mailing worms, etc.

Will a firewall perhaps keep the one home user safe? Perhaps, but only until the next one that hits over port 80, 443, etc. and then nope. Your corporation? Not a chance. However, my guess is that the real issue here is, if you have users that are smart enough to set up some port-blocking firewall at home (something harder than Zone Alarm obviously) and to go in and ensure that certain ports were blocked, they were probably smart enough to apply the patch too. :) The people that hit broadband without a firewall probably didn't patch either, so you have apples and oranges here. This is like saying that everyone that came into your shop that was an Alabama fan wasn't hit, so you must have to be an Alabama fan. Not quite. It just may be that the people that are savvy enough to care enough and set up a firewall, might also be savvy enough to patch. Maybe?

>> Can we ever expect to get ahead of the bad guys here

Well, that would kind of be the point of my first post. :) But there is a big difference in realizing that the firewall is one step and all it does is buy you some time versus saying that "this infection doesn't seem to be able to get past a properly configured firewall". I just don't want all of you guys to think that, "If we had just got the firewall people to respond quicker, this wouldn't have happened." We had explicit rules set up for 3 weeks now and it walked right in on laptops and mooned me on its way out. The only thing, and I mean ONLY thing that would have stopped this is patching. And according to what I am reading, even a fourth of those may have failed anyway. :)

JayW

>>> "Bob Walker" <bobwalker8@comcast.net> 08/14/03 02:21PM >>>
>> Maybe I am a little sensitive to this, being the firewall guy and all, but come on people.>>

Hmmm... Maybe so :-)


My point here was simply that I have yet to have a customer walk in the door that was infected who was running a broadband connection behind a firewall. All (or most) were simple broadband (primarily cable) connections, wide open. A further point was that we all have a lot of work to do here to educate folks, whether it's the home user or the corporate exec, about security and the necessity of applying patches as they are made available. But seriously, how many of these users are going to do that on their own? By your own admission, your infection came from within your organization from unpatched laptops, and there you are definitely correct, no firewall in the world would have prevented that.

But consider this too. No matter how timely we do the patches, at some point, there is a vulnerability discovered prior to the patch being available. Hopefully, that vulnerability is discovered by a good guy and not a bad guy, and the patch developed and made available for the rest of us good guys. But (reading the lowlife that released this worm's mind here), perusing the Microsoft web site for patches, and knowing the mindset of most users and the alacrity of applying said patches, that surely gives the bad guy a leg up on most folks. Can we ever expect to get ahead of the bad guys here without some kind of firewall that gives us that "little bit of time to slow it down and apply the patches"?

Bob



Received on Fri Aug 15 17:10:09 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:20 EDT

