[rescue] Fair Warning RPC Worm
Daniel de Young
daniel at velvetsea.com
Tue Aug 12 15:09:11 CDT 2003
On Tue, 2003-08-12 at 12:03, Michael A. Turner wrote:
> Now imagine this. You have a frame relay, 20 T1s,1 DS3, many ISDN
> connection, and two total control chasis with 100 modems each. All the ISDN
> and Modem people are downstream customers, the T1s and the frame relay both
> go downstream to customers and upstream to our providers. The DS3 is
> strictly backbone for us. The T1s up stream all go to different providers.
You are a provider so I'll admit the rules are a little different,
however there are many things you could do it they'd let you...
> The downstream T1s go to many different schools and areas. In you NOC you
> are running just about every app under the sun for these downstream , and
> outside, customers. Most of these are using High ports and more need to be
> opened at any time. Your Ip range runs from 64.5.129.* to 64.5.156.* but a
> lot of those numbers are being used by the downstream school who must be
> considered hostile in this case, so simple 64.5.*.* filterring is not going
> to work. If you block a port that someone above you wants open then it gets
> reopend, like port 135 has to be open so they can use exchange from home
> from there provider.
I'm confused. Does your company provide these "services" with their own
servers or allow clients to co-locate their own servers? This address
space is segmented in some way. Therein lies the key to *some* control.
> Now the question. Where do you put the one firewall? what do you block?
> if you do multiple Firewalls how do you sync all the rules? I would have
> snuck one in a while ago if I had a good answer to this question.
1. company user segments at the very least.
This is probably the easiest given the complexity of your environment.
All local desktops should be on their own segment and firewalled
(perhaps with NAT). This contains and protects the resources you use
2. company internal server segments.
All servers designated for use by company users (print, file, etc.)
should be on their own segment and firewalled (perhaps with NAT).
3. client server segments.
Obviously a challenge. The key here is to isolate these segments from
your LAN and each other where possible. These machines ARE going to be
owned. The key is to limit who they can attack... namely the LAN.
There other things you can do such as allow only downstream segments to
access certain services and not allow downstreams to talk to each others
services. Does this make any sense?
Don't forget that you can install firewalls with "pass all" default
rules. While obviously LAME(tm) by definition, it will allow you to
setup simple policies for what nodes/segments can talk to who and allow
obvious things like spoofing and well known attacks from being blocked.
I don't know your topology, but I would imagine that you have some key
routers that could be considered "pinch" points. Some basic
access-lists and/or filtering should be used here to protect against
spoofing and invalid addresses. Just blocking those would increase
security over what you have.
Get a feel for how traffic flows through the network devices. What
hosts/segments absolutely do not need to inititiate traffic to which
other hosts/segments. Think about inbound and outbound traffic on each
Take baby steps. You may not be able to save this company from
themselves, but you can darn well do somethings to limit their exposure
and therefore your stress level :-) Don't forget to keep looking for a
More information about the rescue