> Obviously they didn't filter 135, 137-139, 445, and 4444 inbound

Not obvious. I know of several sites that were infected even though they had filters in place, due to infected laptops being brought on-site.

Vern
On Tue, 19 Aug 2003 vern@ee.lbl.gov wrote:

: > Obviously they didn't filter 135, 137-139, 445, and 4444 inbound
:
: Not obvious. I know of several sites that were infected even though they
: had filters in place, due to infected laptops being brought on-site.

:: The new EDS managed Navy Marine Corps Intranet with 100,000 users has
:: become so congested by worm traffic it can not be used for useful work
:: today.

I figured that a network with 100K+ users that could "become so congested by worm traffic it can not be used for useful work" would've been compromised by more than some infected laptops and whatnot being brought onsite. I have that method of infection and I was still able to keep things under control. (Now if I could get all the end-users to not click on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most likely, though, they did not create "security zones" to keep problems contained within certain network segments and not let them out to destroy other networks.

scott
On Tue, 19 Aug 2003, Scott Weeks wrote:

> on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most likely, though, they did not create "security zones" to keep problems contained within certain network segments and not let them out to destroy other networks.

Luck is very important. Like most other people I have no knowledge about how the Navy Marine Internet works, but that won't stop me from commenting. It sounds like a "turnkey" operation, with EDS managing everything. They may have 100,000 users with identical configurations (software, patch levels, etc) in one big flat network. A large homogeneous population is vulnerable to a common infection. Nachia has a very efficient scanning and infection process, particularly if your entire network uses RFC1918 address space internally.
On Wed, 20 Aug 2003, Sean Donelan wrote:

: On Tue, 19 Aug 2003, Scott Weeks wrote:
: > on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most
: > likely, though, they did not create "security zones" to keep problems
: > contained within certain network segments and not let them out to destroy
: > other networks.
:
: Luck is very important.

Yes, it is. <knock, knock> (on wood)

: may have 100,000 users with identical configurations (software, patch
: levels, etc) in one big flat network. A large homogeneous population is
: vulnerable to a common infection. Nachia has a very effecient scanning

I didn't mean to suggest the network was one large, flat network. It can be segmented and have no "security zones", it can be segmented and have said zones, and it could be a BAFN. (Big A$$ Flat Network) It's just security-wise the network should be cut into zones (which may or may not follow the L3 topology) that are controllable from a security standpoint. From the article (the author's reputation is an unknown) it appears that this is not the case.

I see above I hinted that the security zones followed the network segmentation and I didn't mean that. One security zone could have more than one network segment, etc. Like I need to tell you this... :-) However, I just wanted to clear the point that I fouled up.

scott
> > Obviously they didn't filter 135, 137-139, 445, and 4444 inbound
>
> Not obvious. I know of several sites that were infected even though they
> had filters in place, due to infected laptops being brought on-site.

Filtering ports 135, 137-139, 445, and 4444 only delays the inevitable...
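The two points made in this thread, that a perimeter filter on the worm ports does nothing once an infected laptop is plugged in behind it, and that internal "security zones" confine the outbreak to the zone the laptop lands in, can be shown with a small scanning-worm simulation. The code below is an added illustration, not code from any of the posters; the host counts, zone layout, scan rate and the choice of TCP 135 as the scanned port are constructed assumptions, not measurements from the NMCI incident.

```python
"""Toy simulation of a randomly scanning worm on a perimeter-filtered
network, with and without inter-zone filtering (constructed example)."""
import random
from dataclasses import dataclass

# Ports named in the thread; the simulated worm scans one of them.
WORM_PORTS = {135, 137, 138, 139, 445, 4444}


@dataclass
class Host:
    hid: int
    zone: int
    vulnerable: bool = True   # unpatched; a homogeneous population
    infected: bool = False


@dataclass
class Network:
    hosts: list
    perimeter_filter: bool    # worm ports blocked from the Internet
    zone_filter: bool         # worm ports blocked between internal zones

    def allowed(self, src, dst, port):
        """Would a packet from src (None = the Internet) reach dst:port?"""
        if port not in WORM_PORTS:
            return True
        if src is None:
            return not self.perimeter_filter
        if self.zone_filter and src.zone != dst.zone:
            return False
        return True


def build_network(n_zones, hosts_per_zone, perimeter_filter, zone_filter):
    hosts = [Host(hid=z * hosts_per_zone + i, zone=z)
             for z in range(n_zones) for i in range(hosts_per_zone)]
    return Network(hosts, perimeter_filter, zone_filter)


def simulate(net, seed_host, scans_per_tick=8, ticks=500, rng_seed=1):
    """Seed one infected host (the laptop brought on-site) and let every
    infected host probe random internal addresses each tick. Returns the
    final infection count overall and per zone."""
    rng = random.Random(rng_seed)      # deterministic for repeatability
    net.hosts[seed_host].infected = True
    for _ in range(ticks):
        infected = [h for h in net.hosts if h.infected]
        for src in infected:
            for _ in range(scans_per_tick):
                dst = rng.choice(net.hosts)
                if (dst.vulnerable and not dst.infected
                        and net.allowed(src, dst, 135)):
                    dst.infected = True
        if all(h.infected or not h.vulnerable for h in net.hosts):
            break
    by_zone = {}
    for h in net.hosts:
        by_zone[h.zone] = by_zone.get(h.zone, 0) + int(h.infected)
    return {"total": sum(by_zone.values()), "by_zone": by_zone}


if __name__ == "__main__":
    # Both networks filter the worm ports at the perimeter; an outside
    # scan never gets in, so the seed has to come from an inside host.
    flat = build_network(4, 50, perimeter_filter=True, zone_filter=False)
    zoned = build_network(4, 50, perimeter_filter=True, zone_filter=True)
    print("Internet -> host on 135 allowed:", flat.allowed(None, flat.hosts[0], 135))
    print("flat network, internal seed :", simulate(flat, seed_host=0))
    print("zoned network, internal seed:", simulate(zoned, seed_host=0))
```

In the flat network the perimeter filter is irrelevant to the laptop seeded in zone 0 and every vulnerable host is eventually hit; with the same filter applied between zones the outbreak stops at the 50 hosts sharing the laptop's zone. Lowering `vulnerable` for a patched fraction of hosts slows the run but does not change which zones are reachable, which is the point Adi Linden makes about port filtering only buying time.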
participants (4)
- Adi Linden
- Scott Weeks
- Sean Donelan
- vern@ee.lbl.gov