Protecting against Nimda and Code Red

[BarryStiefel]

Protecting against Nimda and Code Red



"Smart Defense" (a patch to NG FP2 and available in NG FP3 and later) provide a mechanism to block HTTP worms of all types, including NIMDA and Code Red. This is done in the kernel module and it does not involve the security servers, so performance should be less of a concern.

If you are using NG FP2 without Smart Defense or a previous version, there are two solutions, one listed in the 4.1 SP5 release notes that does not involve the HTTP Security Server (only for Code Red, though), and the other listed below, which will work on any version of FireWall-1. Please note that this "workaround" should only be applied until you can patch the appropriate web servers since it involves using the HTTP Security Server, which is not known for it's high performance.

Create a URI resource of type wildcard with the following settings in the match tab:

scheme: http method: get host:* path:{*cmd.exe,*root.exe,*admin.dll,*readme.exe,*d efault.ida} query: *

To prevent access to your Web Server, create a rule similar to the following:

Source Destination Service Action Any Web_Servers HTTP->code_red_resource Drop

This rule needs to be listed before the rule that permits HTTP to the Web_Servers, which will allow all non-code_red traffic.

To prevent already infected machines on your network to infect other machines on the Internet, create a rule that similar to the following:

Source Destination Service Action Internal-Network Any HTTP->code_red_resource Drop

This rule needs to be listed before the rule that permits outbound HTTP traffic from your internal network.

-- PhoneBoy - 31 Dec 2003

FAQForm FAQs.Class: ContentSecurityFAQs OperatingSystem?: FAQs.Version: