
BLU Discuss list archive



codered/nimda blocking



Hi all,

There has been a lot of discussion about the Code Red and Nimda viruses,
but most of the solutions have been aimed at repairing and patching
infected computers. I have seen less emphasis on protecting networks from
virus traffic to non-vulnerable machines. At work, we run Solaris on Sun
boxes, and thus can't actually be infected by Nimda and Code Red.
Additionally, most of our front-end web servers are behind a hardware load
balancer, and so the code red traffic doesn't actually get to them. But we
have a few more specialized servers that are load balanced, and they are
getting hit. Even though they are not vulnerable, the actual load from the
Code Red/Nimda traffic is so high that it is causing noticeable slowdowns
on those portions of our site that use those servers.

First I looked at Cisco's website and found that their routers are capable
of network-based application recognition, which allows them to intercept
packets based on application-layer content, and selectively refuse
connections:

Information on using NBAR/ACLs to block Code Red
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

Information on blocking Nimda
http://www.cisco.com/warp/public/63/nimda.shtml

So we contacted our ISP (Genuity) and asked them if they could set this up
on our routers. They refused, saying that they didn't think the routers
were the right place to handle this problem, and suggested we set up a
firewall. (Why would Cisco give their routers this capability, then?)

We are now looking into the possibility of either including these other
servers in the load balancer, and having a one-to-one load balance set up (not
really a load balance, but it allows the traffic to pass through a
filtering device), or purchasing our own Cisco router to sit in front of
just the affected servers, and do the ACL/NBAR filtering ourselves.

Has anyone else dealt with a similar situation, and if so, what solutions
did you take?

Thanks,

Peter

-- 
Peter R. Wood - cephas at cephas.dyndns.org - http://cephas.dyndns.org/
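The URL-substring match that the Cisco NBAR recipes linked in the post perform (drop HTTP requests whose URL contains the worm's probe strings) is reproduced below as an added Python example so it can be run offline against access-log lines. This is not code from the post, from Cisco or from BLU. The signature substrings (`default.ida` for Code Red, `root.exe` and `cmd.exe` for Nimda) are the well-known probe patterns of those two worms; the log lines, client addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request-URI substrings the NBAR recipe keys on: Code Red hits the IIS Index
# Server ISAPI filter (default.ida); Nimda probes for the root.exe / cmd.exe
# paths left exposed by earlier worms. Well-known worm traffic, not from the post.
WORM_SIGNATURES = {
    "code-red": ("default.ida",),
    "nimda": ("root.exe", "cmd.exe"),
}

# Common Log Format request line: "METHOD URI HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d"')

# Constructed sample access-log lines (hypothetical addresses and timestamps),
# not from the poster's servers. The Code Red query string is truncated.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2001:10:12:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 275
203.0.113.9 - - [19/Sep/2001:10:12:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273
203.0.113.9 - - [19/Sep/2001:10:12:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
203.0.113.9 - - [19/Sep/2001:10:12:04 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
198.51.100.4 - - [19/Sep/2001:10:12:05 -0400] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [19/Sep/2001:10:12:06 -0400] "GET /images/logo.gif HTTP/1.1" 200 2048
"""


def classify_uri(uri):
    """Return the worm family a request URI matches, or None if it looks benign.

    The match is case-insensitive and is tried on the raw URI and after one
    and two rounds of percent-decoding: Nimda double-encodes its directory
    traversal (%255c -> %5c -> '\\'), and an attacker can encode characters
    of the file name itself, so a raw-string match alone would be bypassed.
    """
    candidates = {uri.lower()}
    decoded = uri
    for _ in range(2):
        decoded = unquote(decoded)
        candidates.add(decoded.lower())
    for family, needles in WORM_SIGNATURES.items():
        if any(needle in c for needle in needles for c in candidates):
            return family
    return None


def classify_log_line(line):
    """Classify one access-log line: a worm family, 'benign', or 'unparsed'."""
    m = REQUEST_LINE.search(line)
    if m is None:
        return "unparsed"
    return classify_uri(m.group("uri")) or "benign"


def summarize(log_text):
    """Count lines per class, so the worm share of the server load can be measured."""
    counts = Counter(classify_log_line(l) for l in log_text.splitlines() if l.strip())
    return dict(counts)


def worm_sources(log_text):
    """Client addresses that sent any worm probe: the set an upstream filter would deny."""
    sources = set()
    for line in log_text.splitlines():
        if classify_log_line(line) in WORM_SIGNATURES:
            sources.add(line.split(" ", 1)[0])
    return sorted(sources)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(worm_sources(SAMPLE_LOG))
```

Two points worth keeping in mind when applying this to the situation in the post. First, because the affected hosts run Solaris there is no legitimate request for `default.ida`, `root.exe` or `cmd.exe` to lose, so dropping every match costs nothing; on an IIS site the same rule would need the benign Index Server queries carved out. Second, a classifier run over the server's own logs only measures the problem: by the time the request is logged the server has already accepted the TCP connection and parsed the request, which is exactly the load the poster wants to shed, so the actual drop has to happen in front of the server, on the load balancer or a router doing the NBAR/ACL match, where the connection can be refused before it reaches the host.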





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org