
Vaccination Against Worms and Viruses

Enterprise Networks & Servers, Nov 2003 by Welcher, Peter J, Reece, Carole Warner

Many networks were severely affected by the recent computer worm/virus outbreaks. If you were afflicted, you have my sympathy.

Now that most staff have their life back, it may be appropriate to do "lessons learned" before the next wave hits. I'm planning on doing a couple of articles on this topic.

The topic rather naturally falls into Before and After categories. Before is Best Practices and things to do before you have a problem. After is the things you can do to facilitate repairs and mitigate nasty side-effects after an attack. I plan to cover this topic backwards, with the After part first, since it may be helpful to some, and there seem to be more new ideas floating around here. As far as the Before part, I'm a bit hesitant to claim sufficient expert (ego?) status to be putting out my own list of Best Practices. However, I do have some thoughts I haven't seen elsewhere, I've got lists of things from various sites, and I can certainly provide a set of links to other compendiums of Best Practices that you may find useful.

This article is going to be biased a little bit toward the network side. That's because the network side is where I feel most of my expertise lies. I'm pretty darn good on Unix/Linux and can hold my own with Windows, but I cannot claim to be current with what system administrators are doing on the security front. The other justification for any network bias: too often viruses are seen as a systems problem, but there is a valuable role for the network team in helping fight the virus attacks as well.

New Factors

Sometimes events cause changes in how we think about things. (I'm very carefully not saying "paradigm shift.") The recent viruses were qualitatively a bit different from their predecessors in several ways: rate, scale, impact, and others.

Concerning rate, viruses are spreading faster and faster. This was discussed in the paper "How to Own the Internet in Your Spare Time," which can be found at www.icir.org/vern/papers/cdc-usenix-sec02/. (Love that catchy title. Wish the predictions had taken longer to arrive.)

What we're seeing now is that the viruses hit so fast and hard that many networks were effectively down, sites couldn't download patches or fixes, etc. The other impact here is that perhaps the virus scanner signature file mechanism is being overtaken by the bad guys. If all your computers are infected before the vendors have signature updates, or before your hourly/daily refresh of host signature files, you've already caught the virus.

The partial good news is that the vulnerabilities were known, so those who had kept up on patches weren't as badly hit. There are always home users and others who get missed in patching, which is why automation and tracking of who's got what patches is so crucial. (Note to self: Stop preaching to the choir!)

Cisco seems to be in the right place at the right time with the Okena acquisition. Their Host Intrusion Prevention System (HIPS), or CSA, doesn't use signatures and supposedly would have blocked these attacks. See also Cisco Security Agent, www.cisco.com/en/US/products/sw/secursw/ps5057/index.html. I like the idea of attempting to protect against the unknown, but there are obvious limits to how far that can effectively be done.

Rate leads to another thought, one that I've now heard from several sources: Is there a way to slow or contain the spread of the virus? The analogy is perhaps SARS and face masks.

Cisco PVLANs (Private VLANs) in switches can help keep one host from infecting another. They have the virtue of being unlikely to disrupt services, if implemented with reasonable care.

Another idea is what I'm calling network lockdown. In network lockdown, switch VACLs (VLAN Access Lists) allow end-user hosts to talk only to the server subnets (not too hard if you have server farms). You do need to be careful with this approach: what about networked printers or print servers? What about other services some staff may need, such as local file servers? If printers and services are all local, then do ACLs (Access Lists) controlling inter-VLAN traffic help? I've noticed recently (see the previous DSNIFF article) that smaller VLANs or subnets also help mitigate the impact of Layer 2 attacks, such as MAC flooding or ARP spoofing. I'm not sure any of the above are complete answers, but they may work in your environment.
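The two mechanisms just described, as an added configuration example that is not from the article and not taken from Cisco documentation: a Catalyst IOS private VLAN that isolates user ports from one another (the PVLAN idea above), followed by a VACL that lets those users reach only the server farm, DHCP and the networked printers this paragraph worries about (the lockdown idea). VLAN numbers, subnets, interface names and the ACL and access-map names are all constructed for illustration.

```cisco
! Added example (not from the article): Catalyst IOS "network lockdown".
! All VLAN ids, subnets, interface names and ACL/map names are constructed.

! --- 1. Private VLAN: user ports cannot reach each other at Layer 2 ------
! Primary VLAN 100 carries the user subnet; isolated secondary VLAN 101
! holds the desktop ports. Hosts in 101 can only reach promiscuous ports
! (the uplink to the default gateway), never one another, so a worm on one
! PC has no Layer 2 path to its neighbours even before any ACL is applied.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
interface range GigabitEthernet1/1 - 46
 description user desktop ports (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/48
 description uplink toward default gateway and server farm
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101

! --- 2. VACL: users talk only to the server farm plus named exceptions ---
! Constructed addressing:
!   10.1.0.0/16   user subnets
!   10.200.0.0/24 server farm (file, DNS, DHCP, mail, ...)
!   10.250.0.0/24 networked printers / print servers
ip access-list extended USER-ALLOWED
 remark DHCP: the client sources from 0.0.0.0, so match on ports not subnet
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 remark users to the server farm, and the farm back to users
 permit ip 10.1.0.0 0.0.255.255 10.200.0.0 0.0.0.255
 permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.255.255
 remark printers: raw/JetDirect (9100) and LPD (515), replies only if established
 permit tcp 10.1.0.0 0.0.255.255 10.250.0.0 0.0.0.255 eq 9100
 permit tcp 10.1.0.0 0.0.255.255 10.250.0.0 0.0.0.255 eq 515
 permit tcp 10.250.0.0 0.0.0.255 10.1.0.0 0.0.255.255 established
!
ip access-list extended USER-ANY-IP
 remark every other IP packet to or from a user host, including user-to-user
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip any 10.1.0.0 0.0.255.255
!
vlan access-map LOCKDOWN 10
 match ip address USER-ALLOWED
 action forward
vlan access-map LOCKDOWN 20
 match ip address USER-ANY-IP
 action drop
vlan access-map LOCKDOWN 30
 remark no match clause: forwards what is left, notably non-IP such as ARP
 action forward
!
! Applied to both the primary and the isolated secondary VLAN so traffic
! entering from the host ports and from the uplink is checked (assumption:
! verify the PVLAN/VACL interaction in your platform's configuration guide).
vlan filter LOCKDOWN vlan-list 100,101
```

The PVLAN covers the intra-VLAN case (two PCs on the same switch never see each other's packets), the VACL covers the inter-subnet case, and the explicit sequence 30 keeps ARP and other non-IP traffic flowing so the lockdown itself does not take the floor down. Before committing something like this on a production switch, collect a few days of flow data from the user VLANs and check what hosts actually talk to (the print-server and local-file-server questions raised above); anything that is not on the permit list will be dropped.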

What I've just said can also be thought of as at least having some internal firewalling, be it PIX or ACL or whatever. You may even wish to put some extra protection in front of the server farm. For quite a while we've been doing the hard exterior/soft interior firewalling model. The security experts have been saying that's not enough. One way to think about this: Do you have to wear a badge in the building, or is showing it to the guard at the front door enough? Do you have security on just airport passengers, or do you also have some internal controls on airport employees?

Scale

Scale comes in because so many hosts were infected. Sites needed automatic scan or quarantine, auto-detection of viruses, automated cleanup.
