I apologize if I missed this in one of the previous postings, but whatever happened to anti-virus or simple ACL's on your core network to prevent propagation of the worm throughout your network? Or am I the only that realizes that virus prevention is not simply segregated to patch updates from vendors?

As soon as the information was released on the worm via CERT and other reliable security resources such as; symantec and of course security focus - you KNEW full well that the propagation is done via 69/udp ... how about something like the following on your cores:

access-list 100 deny udp any any eq 69 log

access-list 100 permit ip any any

So check your syslog servers for any outbreak, it's really simple:

grep -i '169 denied' | grep -v | awk '{print }' | cut -d( -f1 | sort -u | uniq -c | mail -s "whatever"

Cron it and voila, notifications within 5 minutes.

Yes I realize that scanning could potentially cause a DoS, but if you were fairly knowledgeable about this little work of art - it only had a 40% chance of scanning the network in which your machine resided on.

Windows will contiune to function as it does not have a heavy reliance on tftp ... *NIX surprisingly enough, UNIX figured out (10 years ago I believe) that a completely unsecure protocol such as tftp is not a wise process to leave running after system install ... *sigh*

Something as simple as the above will segregate the propagation and will help keep the spread segregated to each floor/building (depending on how smart some of you were when you designed your network). That way you can deploy the necessary teams to clean and patch the virus ...

Complete prevention is of course a whole other issue - many factors are included: internal processes for patch deployments, anti-virus use for VPN and local users, and of course budget!

Just my .02

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/6689/21481#21481