-----Original Message-----
From: METE EMINAGAOGLU (IT) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 06, 2001 9:22 AM
To: 'Carl E. Mankinen'; Wolfgang Kueter; [EMAIL PROTECTED]
Subject: RE: [FW1] Code Red: What security specialist don't mention in warnings

Hi to all....
>>Patching IIS,
>>Dropping all outgoing packets from IIS Servers in the DMZ,
>>Using any alternative Web Server to IIS...
These are all good solutions....
But lem'me ask u sthg:
Why don't u use CP FW' s security server? (Checking with resource...)
For example, if Code Red is the case,
Why don't u put a rule above all the http-related rules such as;
Source   Dest.   Service               Action
Any      Any     http->with resource   Drop

And the http->with resource service will be defined as a New Resource ---- URI;
URI:
Connection Methods:Transparent, Proxy (perhaps not so nec. but doesn't give any headache at least...)
Schemes: http (only this will be enough..)
Methods: all (so as to guarantee...)
Host:*
Path:{*/default.ida?*}
Query:*

Save everythg, and install....
It should be noted that since mostly *.ida is useless, this rule presumably shouldn't harm any Web-Server-based applications...
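As an added illustration (not Check Point code and not part of the original message), the script below re-implements the URI resource match described above as a small log-review filter: it takes the posted resource definition (Schemes: http, Methods: all, Host: *, Path: {*/default.ida?*}, Query: *) and runs it over a handful of constructed common-log-format lines to show which requests the rule would have dropped. Assumptions: "*" means "any string", braces group comma-separated alternatives, every other character (including "?") is literal, and because the posted path pattern contains a literal "?", it is matched against the full request-target (path plus query). The log lines and IP addresses are constructed for the example.

```python
"""Model of the FW-1 URI resource from the thread, applied to sample web logs.

Added example, not Check Point code.  It shows what the posted Path/Query
wildcards would and would not catch when run over access-log lines.
"""
import re

# Resource definition transcribed from the posted rule.  Methods: None means
# "all", as in the post.  Wildcard semantics are an assumption (see module doc).
RESOURCE = {
    "schemes": {"http"},
    "methods": None,
    "host": "*",
    "path": "{*/default.ida?*}",
    "query": "*",
}

# Common-log-format lines constructed for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2001:09:22:01 +0300] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.7 - - [06/Aug/2001:09:22:03 +0300] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 200 0',
    '10.0.0.9 - - [06/Aug/2001:09:22:04 +0300] "GET /app/default.ida?XXXX HTTP/1.0" 404 0',
    '10.0.0.11 - - [06/Aug/2001:09:22:05 +0300] "POST /cgi-bin/form.pl HTTP/1.0" 200 88',
    '10.0.0.13 - - [06/Aug/2001:09:22:06 +0300] "GET /default.ida HTTP/1.0" 200 10',
]

# Pulls the request line out of a common-log-format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def wildcard_to_regex(pattern):
    """Compile one FW-1-style wildcard pattern into an anchored regex.

    "{a,b}" becomes alternatives a|b, "*" becomes ".*", everything else is
    escaped and matched literally (assumed semantics).
    """
    if pattern.startswith("{") and pattern.endswith("}"):
        alternatives = pattern[1:-1].split(",")
    else:
        alternatives = [pattern]
    parts = [".*".join(re.escape(piece) for piece in alt.split("*"))
             for alt in alternatives]
    return re.compile("^(?:" + "|".join(parts) + ")$")


def parse_log_line(line):
    """Return (method, request_target) from a log line, or None if unparsable."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    return match.group("method"), match.group("target")


def matches_resource(method, target, resource=RESOURCE):
    """True if the request would match the URI resource and hit the Drop rule."""
    if resource["methods"] is not None and method not in resource["methods"]:
        return False
    # Plain-HTTP server log, so the scheme is http and Host: * matches any
    # host (assumed); only the request-target remains to be checked.
    if not wildcard_to_regex(resource["path"]).match(target):
        return False
    _, _, query = target.partition("?")
    return bool(wildcard_to_regex(resource["query"]).match(query))


def classify_log(lines, resource=RESOURCE):
    """Return [(line, action)] with action in {"Drop", "Accept", "Unparsed"}."""
    results = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            results.append((line, "Unparsed"))
            continue
        method, target = parsed
        action = "Drop" if matches_resource(method, target, resource) else "Accept"
        results.append((line, action))
    return results


def dropped_targets(lines, resource=RESOURCE):
    """Request-targets of the lines the rule would have dropped."""
    return [parse_log_line(line)[1]
            for line, action in classify_log(lines, resource) if action == "Drop"]


if __name__ == "__main__":
    for line, action in classify_log(SAMPLE_LOG):
        print(f"{action:8} {line}")
```

Running it against the sample shows the two "/default.ida?..." requests dropped, including one under a sub-directory because of the leading "*", while a bare "/default.ida" with no query survives: the posted path pattern only matches the request form that carries the "?" and a query string. Whether a production URI resource treats "?" the same way should be checked in the product's own wildcard documentation before relying on it.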
RE: [FW1] Code Red: What security specialist don't mention in war nings
Luke, Jason (ISS Southfield) Wed, 08 Aug 2001 06:27:20 -0700
I bet that if you ever try this rule, you will also discover why it is not a good idea. The HTTP security server does not work very well and when you put that rule in, it will probably be fine for a good 30 seconds, and then your CPU % will skyrocket to 100% and stay there. Analysis will reveal that the in.ahttpd process is the culprit. You are correct in that this technique is very effective at blocking that string. While I can't say for certain that the firewall performance was impacted when I had the CPU at 100%, I would rather not take the chance.

In my situation we had (Not LocalNets) -> DMZ web servers -> http_resource Drop.

The only time it would not peg was when we had only one webserver in the destination. Two webservers or more would peg it.