Using Layered Defenses to Stop Internet Worms
An anonymous submitter writes "Following last week's release of security configuration guidance for Mac OS X, the National Security Agency has released a paper on Internet worms and how to stop new worms using layered defenses (pdf). A good read - your US tax dollars at work."
No you should notify the author of the software - the Adobe Acrobat PDFWriter 5.0 team. And possibly gv, since they could possibly be out of date or wrong as well.
:)
I mean, I know that the government is in bed with the corporations and all, but I think they have better ways to abuse their power than to waste time skimming the web for bug reports
...and I'm still upset I haven't gotten to read the OSX paper ;)
Here's a mirror. Don't hammer too hard, k?
http://seraphim.ecsis.net/~gregday/WORMPAPER.pdf
Actually, if you RTFA, several of the advanced worms that this group studied affected Linux. Considering how much stuff comes pre-installed on commercial Linux distros, I wouldn't be surprised if a desktop Linux user got hit with one of these:
ETAP/SIMILE [18] - Cross-platform worm that affects both Windows Portable Executable (PE) and Linux Executable and Linkable Format (ELF) executables. Uses an entry-point obscuring technique and sophisticated polymorphic file infector to avoid detection by anti-virus programs.
LION [21] - Linux worm that spreads by using a known flaw in BIND.
RAMEN [22] - Linux worm that bundles together a number of known exploits against Linux services, including: WuFTP, LPRng, and rpc.statd.
If you mean stacking VMs up to filter traffic...no...that won't work.
If you mean stacking VMs so that only specific VMs 'see' each other at the network level, yes. That works with VMs or connected systems with properly configured routers.
The reason? Firewalls are not designed to block the network. Firewalls are designed to allow access for specific ports in specific ways. If you chain systems together, and each hands off the allowed packets to the destination system, you've just punched a hole through the firewall to that final system.
By isolating systems so that only ones that are required to 'see' each other can 'see' each other, you've added a meaningful level of protection. This does not require a firewall. It requires router configuration even if the router is software running in another VM and routes for VMs on the same machine. It also requires that you design services and apps to work in this environment; separate the web server from the DB for example. If it is a web server, and you just remap the default web server port 80 to another port, you've done nothing; the data still passes both ways and the destination is still potentially exposed.
A firewall cannot protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
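The segmentation point in the comment above (only hosts that need to 'see' each other may, and chaining hand-offs through an allowed host punches a hole to the final system) is easy to check mechanically. The following is an added toy model, not code from the thread or the NSA paper; the hosts "internet", "web", "db", the ports and the rules are all constructed for the illustration. The policy is a set of permitted (source, destination, port) flows, a hand-off is a host that forwards everything arriving on one port to another host, and exposure() follows each permitted flow through any hand-offs to find which hosts a source can really reach.

```python
"""Toy model of network segmentation vs. chained port hand-offs (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass
class Network:
    allowed: set = field(default_factory=set)     # flows the router permits: {Flow(...)}
    forwards: dict = field(default_factory=dict)  # hand-offs: (host, port) -> (next_host, next_port)

    def trace(self, src, dst, port, max_hops=8):
        """Follow one flow through any hand-offs.

        Returns (path, delivered): path lists the hosts the traffic touched,
        delivered is False if the segmentation policy stopped it somewhere.
        Each hand-off is checked as its own flow, i.e. the forwarding host must
        itself be permitted to talk to the next host on that port.
        """
        path = [src]
        origin, cur, cur_port = src, dst, port
        for _ in range(max_hops):
            if Flow(origin, cur, cur_port) not in self.allowed:
                return path, False
            path.append(cur)
            nxt = self.forwards.get((cur, cur_port))
            if nxt is None:
                return path, True
            origin, (cur, cur_port) = cur, nxt
        raise RuntimeError("forwarding loop")

    def exposure(self, src):
        """Every host whose service src can actually reach, following hand-offs.

        Compare this with the hosts named directly in the policy for src: any
        extra host is a hole punched through the segmentation.
        """
        reached = set()
        for f in self.allowed:
            if f.src != src:
                continue
            path, delivered = self.trace(f.src, f.dst, f.port)
            if delivered:
                reached.add(path[-1])
        return reached


def segmented():
    """Constructed scenario: internet talks only to web, web talks only to db."""
    return Network(allowed={Flow("internet", "web", 443), Flow("web", "db", 5432)})


def chained():
    """Same policy, plus web handing port 8080 straight through to the db service.

    Every individual rule still looks reasonable, but the chain exposes db to
    the internet.
    """
    net = segmented()
    net.allowed.add(Flow("internet", "web", 8080))
    net.forwards[("web", 8080)] = ("db", 5432)
    return net


if __name__ == "__main__":
    for name, net in (("segmented", segmented()), ("chained", chained())):
        print(name, "internet can reach:", sorted(net.exposure("internet")))
        print(name, "internet -> db:5432 direct:", net.trace("internet", "db", 5432))
        print(name, "internet -> web:8080:", net.trace("internet", "web", 8080))
```

In the segmented scenario exposure("internet") is only {"web"}; in the chained one it is {"web", "db"} even though no rule ever names internet and db together. Remapping a listening port only changes the port number in the policy, so the host still shows up in exposure(), which is the point the comment makes about moving port 80.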