Don Marti

Sun 17 Apr 2005 08:33:53 PM PDT

Worm attack -- so what?

There are two important security lessons from the Microsoft SQL server worm.

First, apply the principle of egress filtering. Don't let internal systems make connections to the outside that they don't have to.

There is no such thing as "internal network good, Internet bad."
You have to assume that a system on your network could be compromised and be used to attack someone else, or that one of your users could go bad, or that someone could plug a compromised laptop into your "safe" internal network.

Database servers have no business talking to the outside world at all. Your web server probably doesn't need to make any outgoing TCP connections either, and your mail server only needs to make outgoing SMTP connections.

Second, please don't turn this into an opportunity for mindless Microsoft-bashing.
Worms aren't a vendor-specific problem. Instead, prevent a future worm from becoming a reason for mindless free software-bashing. What if each of your systems were compromised? Pretend that an intruder or a worm has root on mail.example.com. How do you set things up to contain the damage if this happens, while still allowing mail.example.com to do its job?
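As an added illustration of both the egress rules above and the mail.example.com question, not part of Don Marti's post: a POSIX shell script that generates the iptables OUTPUT rules for the database, web and mail roles, logging whatever a compromised host tries to send out before dropping it. It assumes iptables with the conntrack and limit match modules; the role names, chain layout and log prefix are my own choices.

```shell
#!/bin/sh
# Egress policy generator for the three roles in the post: db, web, mail.
# Added example; the role names, chain layout and log prefix are assumptions.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them,
# so the output can be reviewed before it is applied on a real host.
: "${DRY_RUN:=1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules every role needs: loopback, and replies to connections that came *in*
# (a web server must still answer its clients; only NEW outbound flows are limited).
egress_common() {
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# The only NEW outbound connections each role is permitted to open.
egress_role() {
    case "$1" in
        db)   ;;   # database server: nothing at all
        web)  ;;   # web server: no outgoing TCP, and nothing else is opened here
        mail) ipt -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT ;;
        *)    echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Log (rate-limited) and drop everything else, so a compromised host's attempts
# to reach out show up in syslog instead of silently vanishing.
egress_tail() {
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    ipt -A OUTPUT -j DROP
    ipt -P OUTPUT DROP   # default-deny set last, so an admin session is not cut mid-setup
}

# Usage: . ./egress.sh && egress_policy mail     (DRY_RUN=0 to apply for real)
egress_policy() {
    egress_common && egress_role "$1" && egress_tail
}
```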