The only option we could have is with the IDS on the PIX or IOS FW feature set.
The problem is that in those versions, IDS detects and filters only the 59
most common attack signatures and you cannot manually add more signatures
(performance issue in the router or PIX if too many signatures to check).
If you use an IDS sensor, you can configure the string/pattern of Nimda, or
whatever else (Code Red, Blue) to be filtered, and the sensor sends a
command to the PIX which will create temp ACLs to block it, but it doesn't
scale (attacks with spoofed IP addresses will block packets from normal
users).
So for the moment the only solution is patches and Host IDS such as Entercept
(now acquired by Cisco and orderable from Cisco) or BlackICE.
If any of you have an idea how to fix that, please let us know.
A solution would be to have two firewalls, one with normal function and a
second one which would check only specific signatures. But for that we must
ask Cisco to add the feature in the IOS FW or PIX OS that lets us add new
signatures in IDS.
A second one would be to have an entry router which routes all applications
except HTTP for specific IP addresses (those of the web servers) to a PIX
functioning normally, and HTTP packets for the web servers to a home-made
firewall, i.e. a Linux box acting as a router with firewall enabled which
checks only specific signatures for specific IP addresses. But as far as I know
such a box doesn't exist in the market today. If yes, please let me know!
Hope it helps and it is right :-) (correct me if not)
cheers
chris
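As an added illustration (not code from Chris or from the GroupStudy list), here is a small Python model of the second design above: an entry-router decision that sends everything except HTTP-to-web-server traffic to the normal PIX, and a "home-made" inspection box that checks only a fixed set of signatures, and only for the protected web server addresses. The server addresses, the sample packets and the signature patterns are all constructed placeholders, not real worm signatures or real hosts.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed example values (assumptions, not from the thread):
# the web servers whose HTTP traffic is diverted to the inspection box.
PROTECTED_WEBSERVERS = [ip_network("192.0.2.10/32"), ip_network("192.0.2.11/32")]
HTTP_PORT = 80

# Placeholder signatures: regexes matched against the raw HTTP request bytes.
# These are illustrative patterns only, NOT real worm signatures.
SIGNATURES = {
    "PLACEHOLDER-SIG-1": re.compile(
        rb"^(GET|HEAD|POST) [^ ]*placeholder-worm-1\.exe", re.IGNORECASE | re.MULTILINE
    ),
    "PLACEHOLDER-SIG-2": re.compile(rb"placeholder-worm-2\.eml", re.IGNORECASE),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes = b""


def route(pkt: Packet) -> str:
    """Entry-router decision: only HTTP destined to one of the protected web
    servers goes to the signature-checking box; everything else (other ports,
    other hosts) goes to the normally functioning PIX."""
    if pkt.dst_port == HTTP_PORT and any(
        ip_address(pkt.dst) in net for net in PROTECTED_WEBSERVERS
    ):
        return "INSPECT"
    return "PIX"


def inspect(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Inspection-box decision for one HTTP request: drop it if any signature
    matches, otherwise forward it. Only the offending request is dropped; no
    per-source ACL is created, so a spoofed source address cannot be used to
    get traffic from normal users blocked (the scaling problem with sensor-
    driven PIX ACLs described in the thread)."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return "DROP", name
    return "FORWARD", None


def handle(pkt: Packet) -> str:
    """End-to-end decision for one packet as a single label:
    'PIX', 'FORWARD' or 'DROP:<signature name>'."""
    if route(pkt) == "PIX":
        return "PIX"
    verdict, sig = inspect(pkt)
    return f"{verdict}:{sig}" if sig else verdict


if __name__ == "__main__":
    # Constructed sample traffic: one matching request, one clean request,
    # one non-HTTP packet, one HTTP request to a server that is not protected.
    samples = [
        Packet("198.51.100.7", "192.0.2.10", 80,
               b"GET /scripts/placeholder-worm-1.exe HTTP/1.0\r\n\r\n"),
        Packet("198.51.100.8", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        Packet("198.51.100.9", "192.0.2.10", 25, b"EHLO example"),
        Packet("198.51.100.9", "192.0.2.50", 80,
               b"GET /scripts/placeholder-worm-1.exe HTTP/1.0\r\n"),
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst}:{p.dst_port}  {handle(p)}")
```

The point of keeping the decision per request rather than per source is the one Chris raises about the sensor/PIX combination: a box that only discards the matching request has nothing for a spoofed source address to poison, whereas a box that reacts by blocking the source address does.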
-----Original Message-----
From: MJ [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:44 PM
To: [EMAIL PROTECTED]
Subject: Re: nimda virus [7:20523]
I have just come out after patching my servers (IIS on Win2K) for this.
I don't know how to really handle such viruses.
Do we have options on the firewall to fight against such viruses?
Mukul
"kroywen" wrote in message news:[EMAIL PROTECTED]...
> Anyone knows how to block the nimda virus?
>
> thank you,
> kroywen
>
> --
> "Information and attachments herein are intended for the named recipients
> only. It may contain attorney-client privileged or confidential matter. If
> you have received this message in error, please notify us immediately by a
> collect phone call to +(632)8177746, and destroy the original message. Do
> not disclose the contents to anyone. Thank you."
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20534&t=20523
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]