The only thing more irritating than the cute names given to viruses -- Bugbear, Klez, Love -- is the fact that even more viruses with catchy names are bound to appear. That being the case, to tweak a football analogy, a good defense can make viruses less offensive.
In this series on protecting IT systems from hacker attacks, I describe some of the best ways to make your systems hacker-proof. In part one, I covered the basic dos and don'ts in virus checkers and backups. Now, let's check out the situation with routers, firewalls and open ports.
Don't skimp on firewalls and routers.
Your routers and firewalls are excellent first lines of defense against both viruses and hackers. Your network should have a good firewall, and a professional should install it. The same thing goes for your routers. You can configure packet and port filtering on both of these items, so they need to be installed by someone who has experience in advanced router and firewall configurations. Do this well, and you can help give your network the maximum protection.
A badly installed firewall or router can be worse than no protection at all because you have the illusion of protection, but not the fact of it.
Unfortunately, I've heard of many IT administrators who were happily living with that illusion. One company I know of installed a firewall which, by default, left all of the ports open, expecting the administrator to close everything he wasn't using. Not knowing any better, the administrator left it that way. Luckily, this company never got hacked. Even luckier, soon after a new administrator came on board, he attended a security course. Worried, he went to the office and checked the firewall. Then, he told me, he did a fast fix.
That company didn't get burned, so why should you worry about your firewalls and routers? You may have noticed that Bugbear uses ports 137 and 139 (NetBIOS name service and NetBIOS session service) to gain entry. Inbound traffic to these ports should be blocked at your firewall, and the same goes for port 138 (NetBIOS datagram service) and port 445, which Windows 2000 and later use for file sharing without NetBIOS. Bugbear uses these ports to search for open shares on Windows systems. When it finds one, it attempts to copy itself to the Windows directory of the share.
Another reason to harden your firewall configurations is address spoofing. Your firewall should never accept an incoming packet on the external interface whose source address belongs to the internal network, and it should never let a packet out whose source address is not from the internal network (this is ingress and egress filtering). I use Zone Alarm Pro for personal use. One thing I like about it is the warning it gives if a program tries to access any external network address. That gives you the opportunity to allow or deny the access. This helps with Trojan horses that may be trying to forward information about your network out to a hacker's system.
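The following is an added example, not code from the original article, that models the rules just described as a small stateless packet filter: inbound NetBIOS/SMB ports are dropped, an inbound packet claiming an internal source address is dropped as spoofed, and an outbound packet without an internal source address is dropped by egress filtering. The internal range 10.0.0.0/8, the port set and the sample packets are assumptions chosen for illustration.

```python
"""Added example: a minimal model of ingress/egress and port filtering.

Not code from the original article. INTERNAL_NET, BLOCKED_INBOUND_PORTS and
SAMPLE_PACKETS are assumed values for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal address range of the protected network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Inbound ports to block: NetBIOS name/datagram/session plus direct SMB (445).
BLOCKED_INBOUND_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving to it
    proto: str      # "tcp" or "udp"
    src: str        # source IP address as text
    dst: str        # destination IP address as text
    dport: int      # destination port


def filter_packet(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one packet under the article's rules."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        # Anti-spoofing: nothing from outside may claim an internal source.
        if src in INTERNAL_NET:
            return ("DROP", "spoofed: internal source address on external interface")
        # Port filtering: no inbound NetBIOS/SMB.
        if pkt.dport in BLOCKED_INBOUND_PORTS:
            return ("DROP", "inbound %s/%d is blocked" % (pkt.proto, pkt.dport))
        return ("ACCEPT", "inbound policy")
    if pkt.direction == "out":
        # Egress filtering: only internal sources may leave the network.
        if src not in INTERNAL_NET:
            return ("DROP", "egress: non-internal source address leaving the network")
        return ("ACCEPT", "outbound policy")
    return ("DROP", "unknown direction")


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 139),   # worm probing a share
    Packet("in", "tcp", "10.0.0.9", "10.0.0.5", 80),       # spoofed internal source
    Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 80),    # ordinary web request
    Packet("out", "tcp", "10.0.0.5", "198.51.100.2", 443), # legitimate outbound
    Packet("out", "tcp", "192.0.2.1", "198.51.100.2", 25), # forged source, e.g. a bot
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply filter_packet to each packet; returns a list of (packet, verdict, reason)."""
    return [(p,) + filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, reason in run_filter():
        print("%-6s %s %s -> %s:%d  (%s)" % (verdict, pkt.direction, pkt.src, pkt.dst, pkt.dport, reason))
```

Real firewalls apply these checks per interface, so the "direction" here stands in for which interface the packet arrived on; the spoofing check is only meaningful on the external interface.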
Do consider using more than one firewall.
Many networks are very soft internally. Don't overlook the fact that once a virus has penetrated the firewall, usually by invitation -- when someone opens an e-mail, for example, or brings it in from home on a floppy -- your first firewall is useless. If you have only one firewall separating the network from the rest of the world, and it's penetrated, that's it.
While your firewall will stop an external attack on the ports mentioned, it will not stop the worm from spreading internally once it has penetrated. That's because most client systems on the internal network have no firewall of their own. (I like Zone Alarm Pro as an internal network firewall. It's cheap, fairly configurable and easy to use, but there are a lot of ones you can use.) So you may want to consider internal firewalls, either host-based firewalls on individual systems or firewalls that segment the internal network, to help contain a virus or worm that gets that far and tries to exploit common security holes. While the issue of securing your network internally is beyond the scope of this article, it is something you should consider as part of your overall security strategy.
Do search for and close unused open ports.
Many attackers will simply scan your network for open ports and try to attack through them. Bugbear, for example, opens a backdoor that listens on port 36794. It's a good idea to scan for open ports on your network using a utility like Fport, which also shows which process owns each port; the built-in "netstat -an" command lists listening ports as well. You can then close those ports that are not needed, and investigate any listening port you cannot account for. The fewer open ports on your system, the better. Microsoft's TechNet offers a list of commonly-used ports. You can also refer to "A List of the Windows 2000 Domain Controller Default Ports," an article indexed as Q289241 on the TechNet site.
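As an added example (not code from the original article or from Fport), the script below shows the kind of check that follows a port inventory: parse the output of "netstat -an" on Windows, collect the ports that are actually listening, and flag any that are not on an expected list. SAMPLE_NETSTAT is a constructed snippet in the format netstat prints, and EXPECTED_PORTS is an assumed allowlist for a small Windows file server; replace both with the real output and the ports you have deliberately left open.

```python
"""Added example: flag listening ports that are not on an expected list.

Not code from the original article. SAMPLE_NETSTAT is constructed in the
format Windows `netstat -an` prints; EXPECTED_PORTS is an assumed allowlist.
"""
import re

# Constructed sample output (not captured from a real system).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1234          10.0.0.9:445           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Assumed allowlist: ports this server is meant to have open (proto, port).
EXPECTED_PORTS = {
    ("tcp", 135), ("tcp", 139), ("tcp", 445),
    ("udp", 137), ("udp", 138),
}

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output):
    """Return the set of (proto, port) pairs that are open for new connections.

    TCP entries count only in the LISTENING state; established connections use
    ephemeral ports and are not open services. UDP has no state, so every
    bound UDP port is treated as open.
    """
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or something we do not understand
        proto, _addr, port, _foreign, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def unexpected_ports(netstat_output, expected=EXPECTED_PORTS):
    """Open ports that are not on the allowlist, sorted for stable reporting."""
    return sorted(listening_ports(netstat_output) - set(expected))


if __name__ == "__main__":
    for proto, port in unexpected_ports(SAMPLE_NETSTAT):
        print("UNEXPECTED listener: %s/%d - identify the owning process and close it" % (proto, port))
```

On a real system feed the script the saved output of "netstat -an"; anything it flags should be traced to its process (Fport does this directly) before you decide whether to close it or add it to the expected list.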
Now that you've put some walls around your network and closed off secret passages, it's time to secure your mailboxes.
Continue to part three.
About the author: Douglas Paddock, MCSE, MCT, MCSA, is a CIW security analyst who is also A+ and N+ certified. He teaches at Louisville Technical Institute in Louisville, Ky.
For more information:
Go to part one.
Go to part three.
Check out Douglas Paddock's tutorial on the Microsoft Browser Service.