Re: Blocking w32.blaster.worm?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 12 Aug 2003 09:58:56 -0700

I hear ya L&C...
You wouldn't believe how many times I've had to fight that battle even
here...

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 12, 2003 08:05
Subject: [isalist] Re: Blocking w32.blaster.worm?


http://www.ISAserver.org


Hi Jim,

I like this one, although they do make the same sort of a ridiculous
statement at the end regarding 135. Somewhat like the dopes at CERT and
other places who say "close 135, etc". I haven't "closed the port" (cf.
www.tacteam.net/openport.htm) for RPC because I use ISA firewalls, so
I'm not going to get whacked from external hosts. Of course patches are
applied and viruses/worms are scanned for, but I certainly would not
deprive myself, nor my customers the utility of Exchange RPC when there
is no need to.

It's like putting bolts on the doors in the ladies dormitory. The boys
will just come in through the windows ;-)  The issue is the "services"
inside the room, not the number on the door in front of the service. You
got to make the "girls" inside resistant to attack, not just close the
door.

This "how do I open/close a port" mentality has to stop! Ports are just
a number on a door, it's the service that's the issue, not the door
number, and if a smart layer 7 aware firewall handles the issue, the
"door number" is immaterial. Leave the "open/close the port" shenanigans
to PIX admins :-). Arrrgh.

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp




-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, August 12, 2003 9:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking w32.blaster.worm?



This is the best description I've seen so far.
http://www.eeye.com/html/Research/Advisories/AL20030811.html

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Matthew Bunce" <isa.mailinglist@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 12, 2003 06:10
Subject: [isalist] Blocking w32.blaster.worm?



I have done all I can to secure my internal network, patching everything
that even looks like a computer (believe me the toaster did not like
having a CD with the patch on it inserted!)

VPN has been suspended until further notice while we make sure that all our
partners are secured and patched and all laptops are being checked in a
sandbox environment until we are sure they are clean.

What ports on our external ISA can I block to stop incoming/outgoing
activity by this worm if for any reason we have an infection? Will failed
connections to RPC on the ISA cause any DoS? Is there anything I can do to
limit the damage of an infection coming in via VPN? Are there port filters
I can apply to VPN traffic?

Many thanks.

Matthew Bunce
Kluster (UK) Limited

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')





