Configuring Allied Telesyn Equipment to Counter Nimda Attacks




A guide to configuring Allied Telesyn routers and Layer 3 switches to protect your network from attack.

What is Nimda and Why is it a Threat?

The W32/Nimda worm, or the Concept Virus (CV) v.5, is spread via multiple mechanisms:

- from client to client via email
- from client to client via open shared sessions on a network
- from web server to client via browsing of compromised web sites
- from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 Directory Traversal vulnerabilities
- from client to web server via scanning for the back doors left behind by the Code Red II and sadmind/iis worms.

The worm modifies web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it infects, and creates numerous copies of itself under various file names. The worm's network scanning and email propagation may also result in denial of service.

Once Nimda infects a client, the client machine begins scanning for vulnerable IIS servers. It looks for backdoors left by previous IIS worms: Code Red II and the sadmind/iis worm. It also attempts to exploit various IIS Directory Traversal vulnerabilities. The infected client machine also attempts to transfer a copy of the Nimda code via TFTP (UDP port 69) to any IIS server that it scans and finds to be vulnerable.

For a more complete description of Nimda's propagation and attack mechanisms, please refer to www.cert.org.

Recommendations for Configuring Allied Telesyn Routers and L3 Switches

This document gives the reader information about how to optimise the configuration of Allied Telesyn equipment in the following areas:

- IP Filtering
- HTTP Server
- Firewall Configuration

While every effort has been made to ensure that the information contained within this technical note is accurate, Allied Telesyn International cannot accept any liability for errors in, or omissions arising from the use of, this information.
Copyright 2001 Allied Telesyn International, Corp. Simply connecting the world

IP Filtering

Allied Telesyn routers and switches can use IP filtering to protect devices on your LAN and to control the impact of traffic initiated by Nimda-based attacks. Advanced IP filtering is a standard component of the Alliedware Operating System.

External Access to Devices on the LAN

In most networks, the only hosts which need to be externally accessed are those which offer public services (WWW, for example). There are very few reasons to access machines which do not provide public services, other than for remote management purposes.

In order to configure an appropriate IP filter, it is important to understand the profile of the traffic which is to be allowed into the network. In the case of WWW traffic, the protocol is TCP and traffic is sent to destination port 80. While the source IP address of the traffic usually cannot be predicted, the destination IP address will be that of the WWW server.

Traffic initiated by the Nimda virus exhibits the same characteristics as valid web traffic, but it is still valuable to configure IP filters that only allow TCP port 80 traffic access to the Web Host/s. These filters will help prevent unwanted network traffic and will also shelter those hosts on the network which do not provide web-based services. If traffic arriving at UDP port 69 is filtered, the worm will be unable to download to IIS servers via TFTP.

Outgoing Access from Devices on the LAN

Appropriate filters should be applied to the LAN interface via which traffic egresses from (leaves) the network. This will aid in preventing proliferation of the virus, if one of the internal hosts becomes infected and starts scanning. In most situations it is not appropriate to prevent all traffic from egressing the network on destination port 80 because this would prevent clients from browsing the web. However, legitimate web traffic is very unlikely to be initiated by a WWW server, so it is appropriate to filter TCP traffic on destination port 80 that is initiated by the WWW server. TFTP traffic (UDP port 69) should also be appropriately filtered.

Configuration Example

1. Configure an IP filter. To allow TCP port 80 traffic to access only the web server (where the IP address of the WWW server is 172.16.10.2), use the command:

ADD IP FILTER=1 SOURCE=0.0.0.0 SMASK=0.0.0.0 DEST=172.16.10.2 DMASK=255.255.255.255 DPORT=WWW PROTOCOL=TCP SESSION=ANY ACTION=INCLUDE

2. Define filters to allow any other legitimate traffic types. As soon as one filter has been defined and applied to an interface, an implicit deny rule will prevent any traffic from entering the network by that interface, unless that traffic is specifically allowed by a filter. For example, to allow email traffic to pass to a mail server at 172.16.10.3, use the command:

ADD IP FILTER=2 SOURCE=0.0.0.0 SMASK=0.0.0.0 DEST=172.16.10.3 DMASK=255.255.255.255 DPORT=SMTP PROTOCOL=TCP SESSION=ANY ACTION=INCLUDE

Technical Note 2

3. Apply the filters to the IP interface on the WAN side of the switch or router. For example, if the WAN interface is ppp0, use the command:

SET IP INT=ppp0 FILTER=1

HTTP Server

All Allied Telesyn routers and switches include an HTTP server, enabled by default. The HTTP server accepts connections on TCP port 80, including connections to its web-based configuration GUI. To see if the device is currently listening on port 80, and to list other ports the device is listening on, use the command:

SHOW TCP

Port 80 is scanned by Nimda (and Code Red), so leaving the HTTP server enabled on the device makes the device vulnerable to attack. In the event of an attack, the TCP connection table may eventually fill and the equipment will no longer be able to accept legitimate GUI connections. The performance of the device may also be affected due to the demands associated with accepting and servicing numerous connection requests.

There are two possible methods of protecting the device:

1. Disable the HTTP Server. This is very effective, but is a coarse approach to protecting the device because it will prevent all GUI configuration access. To disable the HTTP server, use the command:

DISABLE HTTP SERVER

2. Configure IP filters to only allow port 80 access to the device from authorised management station/s. Ideally, use stations on the LAN side of the device, because devices on the LAN are easier to make secure and keep virus-free. First, create the filter, using (for example) the command:

ADD IP FILTER=1 SOURCE=192.168.1.1 SMASK=255.255.255.255 DEST=192.168.1.254 DMASK=255.255.255.255 DPORT=WWW PROTOCOL=TCP SESSION=ANY ACTION=INCLUDE

where:

- 192.168.1.1 is the address of the management station
- 192.168.1.254 is the address of the router or switch to be managed.

Then apply the filter to the appropriate IP interface, using (for example) the command:

SET IP INT=eth0 FILTER=1

Firewall Configuration

IP filters will protect non-public hosts from Nimda attacks, but provide no protection for publicly accessible WWW hosts. The difficulty is that Nimda traffic looks like normal IP traffic to the IP filters in the router or switch. While firewalls do not distinguish Nimda traffic from legitimate web traffic, the Allied Telesyn firewall detects reception of an excessive number of TCP requests, and limits the number of partially established sessions. While the performance of the network will still be reduced in the event of a Nimda attack, the Web host will not be crippled.

When a switch or router is protected by the firewall, externally-initiated traffic is only allowed through to devices on the private LAN if a rule exists that allows that type of traffic through. Therefore, you need to create firewall rules to allow desirable traffic to access your public servers. The firewall can also be configured for sophisticated filtering, based on source or destination address, port, protocol, and access times.

The Allied Telesyn firewall requires a special feature license on some products. For more information, contact your Allied Telesyn distributor or reseller.

Configuration Example

1. Enable the firewall. Use the command:

ENABLE FIREWALL

2. Create a firewall policy. To create a policy called demo, use the command:

CREATE FIREWALL POLICY=demo

3. Attach the WAN interface to the policy. For the frame relay interface fr0-0, use the command:

ADD FIREWALL POLICY=demo INTERFACE=fr0-0 TYPE=PUBLIC

4. Attach the private LAN interface to the policy. For the Ethernet interface eth0, use the command:

ADD FIREWALL POLICY=demo INTERFACE=eth0 TYPE=PRIVATE

5. Create a rule allowing access to the public web server. To allow web traffic to access the WWW server at 201.162.250.1 via the frame relay interface, use the command:

ADD FIREWALL POLICY=demo RULE=1 ACTION=ALLOW INTERFACE=fr0-0 PROTOCOL=TCP PORT=80 IP=201.162.250.1 GBLIP=0.0.0.0

A common error when creating firewall (and IP filtering) rules is to leave the destination IP address ranges too widely defined. Loose rules allow traffic through to hosts that do not need to see it. The performance of these hosts may be impacted and the network may suffer under the load of unwanted traffic.
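The following is an added illustration of the rule semantics described in the IP Filtering and Firewall Configuration sections above, written for this note rather than taken from Allied Telesyn software. It models the first-match, implicit-deny behaviour of ADD IP FILTER entries, replays the note's filters 1 and 2 against constructed sample flows, and shows what the "loose destination range" error lets through; the flow addresses and the port numbers behind the DPORT names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the filter semantics the note describes: filters on an
# interface are checked in order, an INCLUDE match admits the packet, and once any
# filter is bound to an interface, unmatched traffic is implicitly denied.
# Illustrative code only, not Alliedware firmware.
PORTS = {"WWW": 80, "SMTP": 25, "TFTP": 69}  # well-known ports behind the DPORT names
@dataclass(frozen=True)
class IpFilter:
    """One ADD IP FILTER entry: SOURCE/SMASK, DEST/DMASK, DPORT, PROTOCOL, ACTION."""
    source: str
    smask: str
    dest: str
    dmask: str
    dport: int
    protocol: str
    action: str = "INCLUDE"

def _masked_match(addr, base, mask):
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)

def permitted(filters, proto, src, dst, dport):
    """True if the flow is admitted by the filter list applied to an interface."""
    for f in filters:
        if (f.protocol == proto and f.dport == dport
                and _masked_match(src, f.source, f.smask)
                and _masked_match(dst, f.dest, f.dmask)):
            return f.action == "INCLUDE"
    return not filters  # no filters at all: everything passes; otherwise implicit deny

ANY = ("0.0.0.0", "0.0.0.0")
SMTP_RULE = IpFilter(*ANY, "172.16.10.3", "255.255.255.255", PORTS["SMTP"], "TCP")
# Filters 1 and 2 from the note, with the host-specific /32 destination mask.
TIGHT = [IpFilter(*ANY, "172.16.10.2", "255.255.255.255", PORTS["WWW"], "TCP"), SMTP_RULE]
# The "common error" the note warns about: the web rule left open to the whole /24.
LOOSE = [IpFilter(*ANY, "172.16.10.0", "255.255.255.0", PORTS["WWW"], "TCP"), SMTP_RULE]

# Constructed sample flows: (protocol, source, destination, destination port).
FLOWS = {
    "browser to web server": ("TCP", "203.0.113.7", "172.16.10.2", PORTS["WWW"]),
    "mail to mail server": ("TCP", "203.0.113.7", "172.16.10.3", PORTS["SMTP"]),
    "port 80 scan of a workstation": ("TCP", "203.0.113.7", "172.16.10.50", PORTS["WWW"]),
    "TFTP push to the web server": ("UDP", "203.0.113.7", "172.16.10.2", PORTS["TFTP"]),
}

def evaluate(filters):
    # Map each sample flow name to whether the filter list admits it.
    return {name: permitted(filters, *flow) for name, flow in FLOWS.items()}
```

Calling evaluate(TIGHT) admits only the web and mail flows, while evaluate(LOOSE) also admits the port 80 scan of the workstation, which is exactly the exposure the note's warning about loose destination ranges describes.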

URL Filtering

With Software Release 2.3.1 [1], the user will be able to compile lists of URLs that are not permitted on request through the proxy. The lists may also contain keywords that are not permitted to appear in the URLs. When an HTTP request is made for a URL that matches one of the entries in the list, the router or switch will return an error denying the URL to the client.

It will be possible to have different lists for outbound and inbound sessions. By configuring outbound session lists, network administrators will be able to prevent users from retrieving specific resources from prohibited hosts. By configuring inbound session lists, network administrators will be able to keep restricted resources on the same HTTP server as resources that are cleared for general public access.

For more information about Software Release 2.3.1, contact your Allied Telesyn distributor or reseller.

[1] Available Q4 2001