The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: FireWalls - ICS


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Re: Virus


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: Virus
  • From: "Mark Hetherington (egroups)" <mark.egroups@xxxxxxx>
  • Date: Sun, 23 Sep 2001 13:40:16 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

> NetBT Datagram
> NetBT Session

These are communication packets very likely to do with your ISP connection.

> Outgoing ICMP Echo Request

This is likely to be the "keep alive" for your ISP connection.

> Trivial File Transfer Protocol App

Not sure, could be anything with a TFTP implentation in e.g. auto update
routines for an AV program. Kill tasks until it dies or examine running
processes to attach it to a specific application. TFTP is not too likely to
be a particularly nasty access to allow anyway and I would hope your
firewall allows seperate treatment of incoming and outgoing connections so
configure it in a way that you feel happy with.

> MMC.EXE

MMC.EXE is the IIS management console. By blocking it's access you
effectively disable IIS functions. Most MMC access is merely on the local
loopback so is safe to allow. You are better placed securing IIS than
merely
blocking it at the firewall.

> Is there a website that lists what should be allowed in/out
> of a system? I

Not sure of any references off hand but there must be some. Check out
firewall sites for documentation since most firewalls include information
about networking and security. Your firewall may even cover itself in the
help files. I would advise that you don't try to learn everything in one
go,
but maybe address things as you come across them (as with this list you
sent
to the list). You could easily end up confusing yourself over what does
what
if you try and learn it all and configure according to what you find out
since there are so many protocols and many look very dangerous from a
theoretical POV.

One good way to pick stuff up is to see it in action. Assuming you have a
pretty secure and versatile firewall program (ATGuard and NIS type
applications), remove all rules and build up a ruleset from scratch as
applications require access. Note: I suggest keeping any trojan rulesets as
your base since you don't really want to install the trojan to configure
against it :) This is quite time consuming and can be annoying, but you
will
learn about everything a given application does that are not immediately
obvious otherwise (e.g. FTP although using ports 21 and 22 in general will
often also query 113 - auth.) You can usually build up the majority of the
rulesets for your common applications within the first few hours of using a
PC but obviously you will have no access in or out until there are some
rules defined. After the first initial run, you will have minor
configuration changes for new apps and apps that are not run very often,
but
as a learning tool, it is good at seeing does what on your Internet
connection.

It is better to stop a program running or properly secure it than block it
at the firewall. Any concerns about MMC.EXE (IIS Management Console) should
be dealt with by turning off unused services rather than blocking it
outright. Blocking it does not recover the resources and the program will
still attempt (maybe more frequently) to access the internet even though it
is blocked possibly resulting in increased use of resources. If you are not
using IIS at all, disable it completely.

HTH.

Mark.



Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.