Configuring Allied Telesyn Equipment to Counter Nimda Attacks

A guide to configuring Allied Telesyn routers and Layer 3 switches to protect your network from attack.

What is Nimda and Why is it a Threat?

The W32/Nimda worm, or the Concept Virus (CV) v.5, is spread via multiple mechanisms:

- from client to client via email
- from client to client via open shared sessions on a network
- from web server to client via browsing of compromised web sites
- from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 Directory Traversal vulnerabilities
- from client to web server via scanning for the back doors left behind by the Code Red II and sadmind/iis worms.

The worm modifies web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it infects, and creates numerous copies of itself under various file names. The worm's network scanning and email propagation may also result in denial of service.

Once Nimda infects a client, the client machine begins scanning for vulnerable IIS servers. It looks for backdoors left by previous IIS worms: Code Red II and the sadmind/iis worm. It also attempts to exploit various IIS Directory Traversal vulnerabilities. The infected client machine also attempts to transfer a copy of the Nimda code via TFTP (UDP port 69) to any IIS server that it scans and finds to be vulnerable.

For a more complete description of Nimda's propagation and attack mechanisms, please refer to www.cert.org.

Recommendations for Configuring Allied Telesyn Routers and L3 Switches

This document gives the reader information about how to optimise the configuration of Allied Telesyn equipment in the following areas:

- IP Filtering
- HTTP Server
- Firewall Configuration

While every effort has been made to ensure that the information contained within this technical note is accurate, Allied Telesyn International cannot accept any liability for errors in, or omissions arising from the use of, this information.
Copyright 2001 Allied Telesyn International, Corp. Simply connecting the world
IP Filtering

Allied Telesyn routers and switches can use IP filtering to protect devices on your LAN and to control the impact of traffic initiated by Nimda-based attacks. Advanced IP filtering is a standard component of the AlliedWare Operating System.

External Access to Devices on the LAN

In most networks, the only hosts which need to be externally accessed are those which offer public services (WWW, for example). There are very few reasons to access machines which do not provide public services, other than for remote management purposes.

In order to configure an appropriate IP filter, it is important to understand the profile of the traffic which is to be allowed into the network. In the case of WWW traffic, the protocol is TCP and traffic is sent to destination port 80. While the source IP address of the traffic usually cannot be predicted, the destination IP address will be that of the WWW server.

Traffic initiated by the Nimda virus exhibits the same characteristics as valid web traffic, but it is still valuable to configure IP filters that only allow TCP port 80 traffic to reach the web host(s). These filters will help prevent unwanted network traffic and will also shelter those hosts on the network which do not provide web-based services. If traffic arriving at UDP port 69 is filtered, the worm will be unable to download itself to IIS servers via TFTP.

Outgoing Access from Devices on the LAN

Appropriate filters should be applied to the LAN interface via which traffic egresses from (leaves) the network. This will aid in preventing proliferation of the virus if one of the internal hosts becomes infected and starts scanning. In most situations it is not appropriate to prevent all traffic from egressing the network on destination port 80, because this would prevent clients from browsing the web.
However, legitimate web traffic is very unlikely to be initiated by a WWW server, so it is appropriate to filter TCP traffic on destination port 80 that is initiated by the WWW server. TFTP traffic (UDP port 69) should also be appropriately filtered.

Configuration Example

1. Configure an IP filter. To allow TCP port 80 traffic to access only the web server (where the IP address of the WWW server is 172.16.10.2), use the command:

   ADD IP FILTER=1 SOURCE=0.0.0.0 SMASK=0.0.0.0 DEST=172.16.10.2 DMASK=255.255.255.255 DPORT=WWW PROTOCOL=TCP SESSION=ANY ACTION=INCLUDE

2. Define filters to allow any other legitimate traffic types. As soon as one filter has been defined and applied to an interface, an implicit deny rule will prevent any traffic from entering the network by that interface unless that traffic is specifically allowed by a filter. For example, to allow email traffic to pass to a mail server at 172.16.10.3, use the command:
   ADD IP FILTER=2 SOURCE=0.0.0.0 SMASK=0.0.0.0 DEST=172.16.10.3 DMASK=255.255.255.255 DPORT=SMTP PROTOCOL=TCP SESSION=ANY ACTION=INCLUDE

3. Apply the filters to the IP interface on the WAN side of the switch or router. For example, if the WAN interface is ppp0, use the command:

   SET IP INT=ppp0 FILTER=1

HTTP Server

All Allied Telesyn routers and switches include an HTTP server, enabled by default. The HTTP server accepts connections on TCP port 80, including connections to its web-based configuration GUI. To see whether the device is currently listening on port 80, and to list the other ports the device is listening on, use the command:

   SHOW TCP

Port 80 is scanned by Nimda (and Code Red), so leaving the HTTP server enabled on the device makes the device vulnerable to attack. In the event of an attack, the TCP connection table may eventually fill and the equipment will no longer be able to accept legitimate GUI connections. The performance of the device may also be affected by the demands of accepting and servicing numerous connection requests.

There are two possible methods of protecting the device:

1. Disable the HTTP server. This is very effective, but it is a coarse approach to protecting the device because it will prevent all GUI configuration access. To disable the HTTP server, use the command:

   DISABLE HTTP SERVER

2. Configure IP filters to only allow port 80 access to the device from authorised management station(s). Ideally, use stations on the LAN side of the device, because devices on the LAN are easier to make secure and keep virus-free. First, create the filter, using (for example) the command:

   ADD IP FILTER=1 SOURCE=192.168.1.1 SMASK=255.255.255.255 DEST=192.168.1.254 DMASK=255.255.255.255 DPORT=WWW PROTOCOL=TCP SESSION=ANY ACTION=INCLUDE

   where:
   - 192.168.1.1 is the address of the management station
   - 192.168.1.254 is the address of the router or switch to be managed.
   Then apply the filter to the appropriate IP interface, using (for example) the command:

   SET IP INT=eth0 FILTER=1
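The filter semantics described in the IP Filtering configuration example (filters 1 and 2 attached to the WAN interface) and in the management-station filter of the HTTP Server section can be modelled as follows. This Python is an added example, not code from this technical note or from Allied Telesyn; it assumes first-match evaluation of the filter list attached to an interface, ignores the SESSION field, and uses constructed sample traffic (the 203.0.113.7 source and the 172.16.10.9 host are invented).

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address

# Port names as written in the DPORT= field of the ADD IP FILTER commands above.
PORTS = {"WWW": 80, "SMTP": 25}
Packet = namedtuple("Packet", "src dst protocol dport")   # protocol is "TCP" or "UDP"

@dataclass
class Filter:
    source: str
    smask: str
    dest: str
    dmask: str
    protocol: str
    dport: str      # port name, e.g. "WWW"
    action: str = "INCLUDE"

    def matches(self, pkt):
        def in_range(addr, base, mask):
            m = int(IPv4Address(mask))
            return int(IPv4Address(addr)) & m == int(IPv4Address(base)) & m
        return (in_range(pkt.src, self.source, self.smask)
                and in_range(pkt.dst, self.dest, self.dmask)
                and pkt.protocol == self.protocol
                and pkt.dport == PORTS[self.dport])

def evaluate(filters, pkt):
    # No filters attached: everything passes. Otherwise the first matching
    # filter decides, and anything unmatched hits the implicit deny (assumed model).
    if not filters:
        return True
    for f in filters:
        if f.matches(pkt):
            return f.action == "INCLUDE"
    return False

WAN_FILTERS = [   # filters 1 and 2 from the configuration example, same addresses
    Filter("0.0.0.0", "0.0.0.0", "172.16.10.2", "255.255.255.255", "TCP", "WWW"),
    Filter("0.0.0.0", "0.0.0.0", "172.16.10.3", "255.255.255.255", "TCP", "SMTP"),
]
SAMPLE = {        # constructed sample traffic arriving on the WAN interface
    "browser_to_www":   Packet("203.0.113.7", "172.16.10.2", "TCP", 80),
    "mail_to_mx":       Packet("203.0.113.7", "172.16.10.3", "TCP", 25),
    "scan_other_host":  Packet("203.0.113.7", "172.16.10.9", "TCP", 80),   # Nimda-style probe
    "tftp_push_to_www": Packet("203.0.113.7", "172.16.10.2", "UDP", 69),   # worm copy via TFTP
}

def decisions(filters=WAN_FILTERS):
    return {name: evaluate(filters, pkt) for name, pkt in SAMPLE.items()}
```

Only the web and mail sessions pass; the probe at a non-web host and the TFTP push are dropped by the implicit deny, which is the effect the section describes.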
Firewall Configuration

IP filters will protect non-public hosts from Nimda attacks, but provide no protection for publicly accessible WWW hosts. The difficulty is that Nimda traffic looks like normal IP traffic to the IP filters in the router or switch. While firewalls do not distinguish Nimda traffic from legitimate web traffic either, the Allied Telesyn firewall detects reception of an excessive number of TCP requests and limits the number of partially established sessions. While the performance of the network will still be reduced in the event of a Nimda attack, the web host will not be crippled.

When a switch or router is protected by the firewall, externally initiated traffic is only allowed through to devices on the private LAN if a rule exists that allows that type of traffic through. Therefore, you need to create firewall rules to allow desirable traffic to access your public servers. The firewall can also be configured for sophisticated filtering, based on source or destination address, port, protocol, and access times.

The Allied Telesyn firewall requires a special feature license on some products. For more information, contact your Allied Telesyn distributor or reseller.

Configuration Example

1. Enable the firewall. Use the command:

   ENABLE FIREWALL

2. Create a firewall policy. To create a policy called demo, use the command:

   CREATE FIREWALL POLICY=demo

3. Attach the WAN interface to the policy. For the frame relay interface fr0-0, use the command:

   ADD FIREWALL POLICY=demo INTERFACE=fr0-0 TYPE=PUBLIC

4. Attach the private LAN interface to the policy. For the Ethernet interface eth0, use the command:

   ADD FIREWALL POLICY=demo INTERFACE=eth0 TYPE=PRIVATE

5. Create a rule allowing access to the public web server.
   To allow web traffic to access the WWW server at 201.162.250.1 via the frame relay interface, use the command:

   ADD FIREWALL POLICY=demo RULE=1 ACTION=ALLOW INTERFACE=fr0-0 PROTOCOL=TCP PORT=80 IP=201.162.250.1 GBLIP=0.0.0.0

A common error when creating firewall (and IP filtering) rules is to leave the destination IP address ranges too widely defined. Loose rules allow traffic through to hosts that do not need to see it. The performance of these hosts may be impacted and the network may suffer under the load of unwanted traffic.
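As an added example (not from this technical note and not Allied Telesyn's firewall code), the following Python models the behaviour this section describes: sessions arriving on the PUBLIC interface need a matching rule, sessions from the PRIVATE interface are not policed, and each server is held to a cap on partially established sessions. The cap value HALF_OPEN_LIMIT, the client and scanner addresses, the 201.162.250.9 host and the port numbers are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed per-server cap on half-open sessions (SYN seen, handshake not
# completed); the page says the firewall limits these but gives no figure.
HALF_OPEN_LIMIT = 3

@dataclass
class Rule:                 # fields of ADD FIREWALL POLICY ... RULE= on this page
    interface: str
    protocol: str
    port: int
    ip: str

@dataclass
class Firewall:
    public_if: str
    private_if: str
    rules: list = field(default_factory=list)
    # server ip -> set of (client ip, client port) still in the handshake
    half_open: dict = field(default_factory=lambda: defaultdict(set))

    def syn(self, iface, src, sport, dst, protocol, dport):
        """Decide a new session attempt arriving on interface `iface`."""
        if iface == self.private_if:
            return "allow"      # LAN-initiated sessions are not policed here
        if not any(r.interface == iface and r.protocol == protocol
                   and r.port == dport and r.ip == dst for r in self.rules):
            return "deny"       # no matching rule: public-initiated traffic stops
        if len(self.half_open[dst]) >= HALF_OPEN_LIMIT:
            return "limit"      # server already has its quota of half-open sessions
        self.half_open[dst].add((src, sport))
        return "allow"

    def resolved(self, src, sport, dst):
        """Handshake completed or timed out: the slot is freed."""
        self.half_open[dst].discard((src, sport))

def run_scenario():
    fw = Firewall("fr0-0", "eth0")
    fw.rules.append(Rule("fr0-0", "TCP", 80, "201.162.250.1"))   # step 5 above
    www, scanner, client = "201.162.250.1", "198.51.100.5", "203.0.113.7"  # constructed
    r = {"scan_other_host": fw.syn("fr0-0", scanner, 40001, "201.162.250.9", "TCP", 80)}
    for i, port in enumerate((40002, 40003, 40004)):             # scanner never completes
        r[f"scanner{i}"] = fw.syn("fr0-0", scanner, port, www, "TCP", 80)
    r["client_during_flood"] = fw.syn("fr0-0", client, 50000, www, "TCP", 80)
    fw.resolved(scanner, 40002, www)                            # one slot times out
    r["client_after_timeout"] = fw.syn("fr0-0", client, 50001, www, "TCP", 80)
    r["lan_browsing"] = fw.syn("eth0", "192.168.1.10", 50002, "203.0.113.80", "TCP", 80)
    return r
```

The scenario shows the trade-off the section states: while the cap is full a legitimate client is held back, but the web server itself keeps serving and recovers as soon as stale half-open slots are released.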
URL Filtering [1]

With Software Release 2.3.1, the user will be able to compile lists of URLs that are not permitted when requested through the proxy. The lists may also contain keywords that are not permitted to appear in URLs. When an HTTP request is made for a URL that matches one of the entries in the list, the router or switch will return an error denying the URL to the client.

It will be possible to have different lists for outbound and inbound sessions. By configuring outbound session lists, network administrators will be able to prevent users from retrieving specific resources from prohibited hosts. By configuring inbound session lists, network administrators will be able to keep restricted resources on the same HTTP server as resources that are cleared for general public access.

For more information about Software Release 2.3.1, contact your Allied Telesyn distributor or reseller.

[1] Available Q4 2001