Security Basics
Network Segregation to prevent spread of malware Jan 22 2013 05:33PM
tomright006 gmail com (2 replies)
Re: Network Segregation to prevent spread of malware Jan 23 2013 05:01PM
Vic Vandal (vvandal well com)
Tom,

The short and simple answer to your question is no. And now I'll explain why.

Worm-type malware that spreads autonomously will sometimes leverage ports and protocols you would have to leave open for typical network/server/workstation operations, so access lists and firewalls aren't a bullet-proof approach to the problem. That approach will also be difficult to implement, tune, and maintain. It would not be my first recommendation for solving the problem you posed. It might be down the list somewhere on a multi-pronged approach for organizations with deep pockets and enough human resources to manage a lot of different technologies.

Another approach would be to implement network-based IPS devices, where you would have implemented said firewalls. They will likely detect and knock down the spread of a decent amount of malware, as well as provide reporting so you'll know what's going on. But of course zero-day stuff will get through, although future signature updates could detect old infections via their ongoing noise.

The most effective way of preventing the spread of malware would be to keep all operating systems and applications patched as timely as possible. Worm-type malware needs a vulnerable service to attack. If you put extra emphasis on deploying security patches for those vulnerable network services to 100% coverage, then the only avenue for initial infections and infection spreading is via end user action (opening malicious emails, visiting malicious links, etc.). Widely deployed anti-virus software with updated signatures, along with end user education, are critical components to prevent that, as we all know.

I don't know what kind of shop you work in (heterogeneous, homogeneous, Windows, Linux, Mac, etc.). Windows is still the dominant office desktop OS. So for sake of example here are Windows patches that you should have applied to every single Windows workstation and server.

MS05-039 - Vulnerability in Plug and Play - KB 899588 - Affects Win-2000, Win-2003, Win-XP
MS05-051 - Vulnerabilities in MSDTC and COM+ - KB 902400 - Affects Win-2000, Win-2003, Win-XP
MS06-032 - Vulnerability in TCP/IP - KB 917953 - Affects Win-2000, Win-2003, Win-XP
MS07-029 - Vulnerability in Windows DNS RPC Interface - KB 935966 - Affects Win-2000, Win-2003
MS08-063 - Vulnerability in SMB - KB 957095 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS08-067 - Vulnerability in Server Service - KB 958644 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-001 - Vulnerabilities in SMB - KB 958687 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-022 - Vulnerabilities in Windows Print Spooler - KB 961501 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-048 - Vulnerabilities in Windows TCP/IP - KB 967723 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-049 - Vulnerability in Wireless LAN AutoConfig Service - KB 970710 - Affects Win-2008, Win-Vista
MS09-050 - Vulnerabilities in SMBv2 - KB 975517 - Affects Win-2008, Win-Vista
MS09-063 - Vulnerability in Web Services on Devices API - KB 973565 - Affects Win-2008, Win-Vista
MS10-012 - Vulnerabilities in SMB Server - KB 971468 - Affects all supported editions of Microsoft Windows
MS10-054 - Vulnerabilities in SMB Server - KB 982214 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS10-061 - Vulnerability in Print Spooler Service - KB 2347290 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS11-020 - Vulnerability in SMB Server - KB 2508429 - Affects all supported editions of Microsoft Windows
MS11-083 - Vulnerability in TCP/IP - KB 2588516 - Affects Win-2008, Win-Vista
MS12-020 - Vulnerabilities in Remote Desktop - KB 2671387 - Affects all supported editions of Microsoft Windows
MS12-036 - Vulnerability in Remote Desktop - KB 2685939 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS12-053 - Vulnerability in Remote Desktop - KB 2723135 - Win-XP
MS12-054 - Vulnerabilities in Windows Networking Components - KB 2733594 - Affects Win-2003, Win-2008, Win-XP, Win-Vista, Win-7
MS13-001 - Vulnerability in Windows Print Spooler Components - KB 2769369 - Affects Windows 7, Windows Server 2008

That personal list only goes back 7 years, which is all that I had handy. And if any shop is missing patches as old as many of those listed above or older than that, then they probably deserve whatever pain they get for not having their InfoSec priorities and budget straight. Each of those vulnerabilities can be exploited by an unauthenticated worm. And we all learned our lessons from Nimda, Blaster, SQL-Slammer, etc, etc.

What I didn't include in that list were Windows app-specific vulnerabilities that could also be attacked by an autonomous exploit over the network. Such as this month's MS13-007 - Vulnerability in Open Data Protocol - KB 2769327, which is a DoS vulnerability that is exploited by sending HTTP requests to an un-patched Windows IIS web server. Sorry, but I don't have that data personally consolidated in a handy list form, nor do I have time at the moment to review my patch archive to consolidate it. I'd like to tell you that I have a consolidated Solaris, Linux, Oracle, etc. list also, but that's a hodge-podge of data that I've never sat down to filter and consolidate into worm-vulnerable lists.

There are some other technologies available to help with malware identification, such as host-based IDS and/or network-based sensors that key on malware that tries to reach out to the Internet over HTTP or other protocols. It's not the same as traditional IPS because it's not strictly signature-based and employs several mechanisms for detecting advanced infections.

In closing, a multi-layer approach to prevent infections, prevent the spread, identify infections, and eradicate malware is important. And timely patching is critical to preventing network-based infections and their spread.

Peace,
Vic

----- Original Message -----
From: tomright006 (at) gmail (dot) com [email concealed]
To: security-basics (at) securityfocus (dot) com [email concealed]
Sent: Tuesday, January 22, 2013 12:33:05 PM
Subject: Network Segregation to prevent spread of malware

Hello All,

I need a few tips on Network Segregation to prevent the spread of Malware. Can I avoid Malware spreading from one network segment to another just by segregating the network with access lists or firewalls?

Thanks,

Tom
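Vic's point is that the patch list only helps once it reaches 100% coverage, which means checking every host against it rather than reading it. The script below is an added example, not part of the thread: it parses the bulletin lines in the format Vic posted ("MSyy-nnn - Title - KB nnnnnn - Affects ...") into records and compares a host inventory against them, reporting which worm-exploitable bulletins each host is still missing. The inventory format (hostname, OS label, installed KB numbers) is an assumption; in practice it would come from an export such as `Get-HotFix` or a WSUS report. The bulletin subset and the three hosts are constructed sample data.

```python
"""Patch-coverage check against a worm-relevant bulletin list.

Added example, not code from the original thread. Parses bulletin lines in
the format used in the post and reports, per host, which bulletins that
apply to its OS have no matching KB installed. Host inventory format is an
assumption for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the bulletins from the post, verbatim in its
# format, including the two lines whose wording differs from the others
# (MS12-053 lacks the "Affects" keyword; MS13-001 spells OS names differently).
BULLETIN_LIST = """\
MS08-067 - Vulnerability in Server Service - KB 958644 - Affects Win-2000, Win-2003, Win-2008, Win-XP, Win-Vista
MS09-050 - Vulnerabilities in SMBv2 - KB 975517 - Affects Win-2008, Win-Vista
MS10-012 - Vulnerabilities in SMB Server - KB 971468 - Affects all supported editions of Microsoft Windows
MS12-020 - Vulnerabilities in Remote Desktop - KB 2671387 - Affects all supported editions of Microsoft Windows
MS12-053 - Vulnerability in Remote Desktop - KB 2723135 - Win-XP
MS13-001 - Vulnerability in Windows Print Spooler Components - KB 2769369 - Affects Windows 7, Windows Server 2008
"""

# "<bulletin> - <title> - KB <number> - <affects text>"; title is non-greedy so
# the first " - KB " delimiter wins.
BULLETIN_RE = re.compile(r"^(MS\d{2}-\d{3}) - (.+?) - KB (\d+) - (.+)$")


@dataclass(frozen=True)
class Bulletin:
    id: str
    title: str
    kb: str
    affects: Optional[frozenset[str]]  # None means "all supported editions"


@dataclass(frozen=True)
class Host:
    name: str
    os: str                      # normalized label, e.g. "XP", "2003", "2008", "7"
    installed_kbs: frozenset[str]


def normalize_os(label: str) -> str:
    """Map 'Win-2008', 'Windows Server 2008' and 'Windows 7' style labels to a
    bare version token so the post's two naming styles compare equal."""
    return re.sub(r"^(Windows Server |Windows |Win-)", "", label.strip())


def parse_bulletins(text: str) -> list[Bulletin]:
    bulletins = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BULLETIN_RE.match(line)
        if not m:
            raise ValueError(f"unparsed bulletin line: {line!r}")
        bid, title, kb, affects = m.groups()
        affects = re.sub(r"^Affects\s+", "", affects)  # keyword is optional in the post
        if "all supported editions" in affects.lower():
            oses = None  # conservative: treat as applying to every OS in the inventory
        else:
            oses = frozenset(normalize_os(t) for t in affects.split(","))
        bulletins.append(Bulletin(bid, title, kb, oses))
    return bulletins


def missing_bulletins(host: Host, bulletins: list[Bulletin]) -> list[str]:
    """Bulletin ids that apply to this host's OS and whose KB is not installed."""
    return sorted(
        b.id for b in bulletins
        if (b.affects is None or host.os in b.affects) and b.kb not in host.installed_kbs
    )


def coverage_report(hosts: list[Host], bulletins: list[Bulletin]) -> dict:
    per_host = {h.name: missing_bulletins(h, bulletins) for h in hosts}
    fully_patched = sum(1 for gaps in per_host.values() if not gaps)
    return {"hosts": per_host, "fully_patched": fully_patched, "total": len(hosts)}


BULLETINS = parse_bulletins(BULLETIN_LIST)

# Constructed sample inventory (hypothetical hosts and KB sets).
HOSTS = [
    Host("ws-xp-01", "XP", frozenset({"958644", "971468"})),
    Host("srv-2008-01", "2008", frozenset({"958644", "975517", "971468", "2671387", "2769369"})),
    Host("ws-7-01", "7", frozenset({"971468"})),
]

if __name__ == "__main__":
    report = coverage_report(HOSTS, BULLETINS)
    for name, gaps in report["hosts"].items():
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
    print(f"{report['fully_patched']}/{report['total']} hosts fully covered")
```

Treating "all supported editions" as applying to every host is deliberately conservative: an unsupported OS such as Windows 2000 in 2013 gets flagged rather than silently passed, which is the right outcome for a worm-exposure check. The parser raises on any line it cannot read, so a typo in the list shows up as an error rather than as a bulletin quietly dropped from coverage.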

Re: Network Segregation to prevent spread of malware Jan 23 2013 12:07PM
Jerry Bell (jerry riskologist com) (4 replies)
Re: Network Segregation to prevent spread of malware Jan 24 2013 02:48PM
Sagar (sagarnseas gmail com) (1 replies)
Re: Network Segregation to prevent spread of malware Jan 25 2013 03:43PM
Alex Creek (acreek83 yahoo com)
Re: Network Segregation to prevent spread of malware Jan 23 2013 01:48PM
Dave, Manish, R. - ESIL \(MUM\) (Manish Dave essar com)
AW: Network Segregation to prevent spread of malware Jan 23 2013 01:43PM
Mohammad Ilyas (m ilyas itsecc com) (1 replies)
RE: Network Segregation to prevent spread of malware Jan 25 2013 01:47AM
Mohammad Ellyas Bin Hashim (ellyas hashim vads com)
Re: Network Segregation to prevent spread of malware Jan 23 2013 01:07PM
Rob (synja synfulvisions com) (6 replies)
RE: Network Segregation to prevent spread of malware Jan 24 2013 12:04AM
David Gillett (gillettdavid fhda edu)
Re: Network Segregation to prevent spread of malware Jan 23 2013 07:28PM
DaKahuna (da kahuna gmail com)
Re: Network Segregation to prevent spread of malware Jan 23 2013 07:12PM
Michael Peppard (mpeppard impole com)
Re: Network Segregation to prevent spread of malware Jan 23 2013 03:41PM
Steve Figures (sfigures gmail com) (1 replies)
RE: Network Segregation to prevent spread of malware Jan 25 2013 02:19PM
Mcmillan, Arlan (Arlan Mcmillan cityofchicago org)
RE: Network Segregation to prevent spread of malware Jan 23 2013 02:30PM
Daniel Buentello \(Corp - MEIMail\) (Daniel Buentello meitechinc com)
Re: Network Segregation to prevent spread of malware Jan 23 2013 01:49PM
Jeffrey Walton (noloader gmail com)
Copyright 2010, SecurityFocus