Using Layered Defenses to Stop Internet Worms

An anonymous submitter writes "Following last week's release of security configuration guidance for Mac OS X, the National Security Agency has released a paper on Internet worms and how to stop new worms using layered defenses (pdf). A good read - your US tax dollars at work."

Re:Just Wondering...

[Spoing]

1. Is it possible to use the Xen VM that was on Slashdot earlier today to run multiple OSes and use one OS on the machine as a firewall for the other?

If you mean stacking VMs up to filter traffic...no...that won't work.

If you mean stacking VMs so that only specific VMs 'see' each other at the network level, yes. That works with VMs or connected systems with properly configured routers.

The reason? Firewalls are not designed to block the network. Firewalls are designed to allow access for specific ports in specific ways. If you chain systems together, and each hands off the allowed packets to the destination system, you've just punched a hole through the firewall to that final system.

By isolating systems so that only ones that are required to 'see' each other can 'see' each other, you've added a meaningful level of protection. This does not require a firewall. It requires router configuration even if the router is software running in another VM and routes for VMs on the same machine. It also requires that you design services and apps to work in this environment; seperate the web server from the DB for example. If it is a web server, and you just remap the default web server port 80 to another port, you've done nothing; the data still passes both ways and the destination is still potentially exposed.)