Navy Marine Corps Internet hit

Obviously they didn't filter 135, 137-139, 445, and 4444 inbound

Not obvious. I know of several sites that were infected even though they
had filters in place, due to infected laptops being brought on-site.

    Vern

: > Obviously they didn't filter 135, 137-139, 445, and 4444 inbound
:
: Not obvious. I know of several sites that were infected even though they
: had filters in place, due to infected laptops being brought on-site.

:: The new EDS managed Navy Marine Corps Intranet with 100,000 users has
:: become so congested by worm traffic it can not be used for useful work
:: today.

I figured that a network with 100K+ users that could "become so congested
by worm traffic it can not be used for useful work" would've been
compromised by more than some infected laptops and whatnot being brought
onsite. I have that method of infection and I was still able to keep
things under control. (Now if I could get all the end-users to not click
on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most
likely, though, they did not create "security zones" to keep problems
contained within certain network segments and not let them out to destroy
other networks.

scott

> Obviously they didn't filter 135, 137-139, 445, and 4444 inbound

> Not obvious. I know of several sites that were infected even though they
> had filters in place, due to infected laptops being brought on-site.

Filtering ports 135, 137-139, 445, and 4444 only delays the inevitable...

Luck is very important.

Like most other people I have no knowledge about how the Navy Marine
Internet works, but that won't stop me from commenting.

It sounds like a "turnkey" operation, with EDS managing everything. They
may have 100,000 users with identical configurations (software, patch
levels, etc) in one big flat network. A large homogeneous population is
vulnerable to a common infection. Nachia has a very efficient scanning
and infection process, particularly if your entire network uses RFC1918
address space internally.

: On Tue, 19 Aug 2003, Scott Weeks wrote:
: > on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most
: > likely, though, they did not create "security zones" to keep problems
: > contained within certain network segments and not let them out to destroy
: > other networks.
:
: Luck is very important.

Yes, it is. <knock, knock> (on wood)

: may have 100,000 users with identical configurations (software, patch
: levels, etc) in one big flat network. A large homogeneous population is
: vulnerable to a common infection. Nachia has a very efficient scanning

I didn't mean to suggest the network was one large, flat network. It can
be segmented and have no "security zones", it can be segmented and have
said zones, and it could be a BAFN. (Big A$$ Flat Network) It's just
security-wise the network should be cut into zones (which may or may not
follow the L3 topology) that are controllable from a security standpoint.
From the article (the author's reputation is an unknown) it
appears that this is not the case.

I see above I hinted that the security zones followed the network
segmentation and I didn't mean that. One security zone could have more
than one network segment, etc.

Like I need to tell you this... :-) However, I just wanted to clear the
point that I fouled up.

scott
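The thread's point (Vern's infected laptops, Scott's "security zones") is easy to show with a small policy simulation. This is an added example, not code from any poster or from EDS/NMCI: the zone map, addresses and the two policy functions are constructed assumptions. It contrasts a perimeter-only filter on the ports named above (135, 137-139, 445, 4444) with a zoned policy that also denies those ports across internal zone boundaries, and counts how many hosts an infected laptop in the user zone could still reach on 135 under each.

```python
"""Added example: perimeter port filter vs. internal security zones.

Zones, addresses and the two policies below are constructed for
illustration; they are not the NMCI topology or any vendor's config.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports named in the thread: MS-RPC (135), NetBIOS (137-139), SMB (445)
# and the 4444 listener associated with the worm traffic discussed.
WORM_PORTS = frozenset({135, 137, 138, 139, 445, 4444})

# Constructed zone map (RFC1918 inside); anything else is "internet".
ZONES = {
    "users":   [ip_network("10.10.0.0/16")],
    "servers": [ip_network("10.20.0.0/16")],
    "mgmt":    [ip_network("10.30.0.0/24")],
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or "internet" if in no zone."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def perimeter_only(flow: Flow) -> bool:
    """Policy A: block the worm ports only when they arrive from the Internet.
    An infected laptop already inside is not constrained at all."""
    return not (zone_of(flow.src) == "internet" and flow.dport in WORM_PORTS)


def zoned(flow: Flow) -> bool:
    """Policy B: same perimeter rule, plus deny the worm ports on any flow
    that crosses a zone boundary. Traffic inside a zone is allowed, and
    mgmt -> servers is allowed so administration still works (assumption)."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == "internet" and flow.dport in WORM_PORTS:
        return False
    if s == d:
        return True
    if flow.dport in WORM_PORTS:
        return s == "mgmt" and d == "servers"
    return True


# Constructed target population: five servers, five user PCs, one mgmt box.
TARGETS = (
    [f"10.20.0.{i}" for i in range(1, 6)]
    + [f"10.10.0.{i}" for i in range(50, 55)]
    + ["10.30.0.2"]
)


def reachable_targets(policy, infected_src: str, targets=TARGETS) -> dict:
    """Count per zone how many targets an infected host can reach on 135
    under the given policy; this is the worm's blast radius."""
    hit: dict = {}
    for t in targets:
        if policy(Flow(infected_src, t, 135)):
            z = zone_of(t)
            hit[z] = hit.get(z, 0) + 1
    return hit


if __name__ == "__main__":
    laptop = "10.10.0.99"  # constructed: infected laptop plugged into users zone
    print("perimeter only:", reachable_targets(perimeter_only, laptop))
    print("zoned:         ", reachable_targets(zoned, laptop))
```

Under the perimeter-only policy the laptop reaches every host in every zone on 135; under the zoned policy the damage stays inside the users zone, which is the containment Scott describes. Note that zones here are defined by address ranges only; as he says, they need not follow the L3 topology one-to-one, so a real deployment would key the map on whatever boundary the enforcement point actually sees.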