
jeisenberg
New Year's Eve
join:2001-07-06
Windsor, ON

jeisenberg to jvmorris

Member


Re: Blackice "Witty" Worm: source port 4000 UDP

said by jvmorris:
(And I would also totally isolate it from machines behind the firewall or second router.)
Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA


said by jeisenberg:
. . . Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.
When (and if) I do this, there's definitely going to be a second router/firewall inline.

As for using the software firewall (which I presume you're really using primarily for its logging function), I would point out that PhatBot, in particular, has a very extensive list of AV/AT/PSF applications that it will attempt to nullify -- and Witty, of these suckers, is the only one I've seen to date that tries to work by exploiting a vulnerability in a particular PSF; the others rely on social engineering to get 'on the box'.

In other words, I would always consider the box in the DMZ 'at risk' (regardless of what security applications are installed on it) and I certainly would not depend on software applications (residing on that box) to isolate it from the rest of my machines. (And it's gonna get worse out there, RSN.)