sasser virus (was Re: [unisog] student fees for cleaning.)

Russell Fulton r.fulton at
Sun May 9 08:44:55 GMT 2004

On Sun, 2004-05-09 at 16:17, John Kristoff wrote:
> On Sat, 08 May 2004 13:23:22 -0400
> Gary Flynn <flynngn at> wrote:
> > This is true but an agent based system on the client, whether a domain
> > login or something else, can still detect problems. NIDS in general will
> The vendors who sell security agents and their central controllers would
> agree with you.  To some extent they probably can, but I find it unlikely
> that a large portion of the systems will be running any agent or be
> centrally managed any time in the near future.  They will work for only a
> small subset of the population of hosts that can be 'managed'.

We already have a small software agent on all our student systems which
enables network access for these machines, we are currently looking at
using this system for all, or at least most, staff desktop systems too. 
If we do go this way then we will probably extend it to doing basic
integrity patch checking.

Like John I have alway been a strong advocate of good host based
security, however I have also quietly kept on strengthening our
perimeter defences as well.  Most of the time I have downplayed our
firewall -- I don't want people to get complacent.  

I believe that it is possible to have quite effective fire-walling in an
academic environment without substantially affecting legitimate academic
activity.  All systems on campus have individual firewall settings which
are set by departmental IT support staff (not by central IT or security
staff).  Of the 10,000 systems in our database only around 400 have any
inbound access configured and for most of these it is just http, rdp or

We also have a list of blocked ports that include netbios, berkeley r*
and sundry other 'unsafe' protocols.

I think we all agree that the key thing is to have lots of different
overlapping measures each of which provides a layer of protection.
Having something at the perimeter that bounces most of the mindless crap
means that you have more time to do other things that improve the
overall security, like getting machines patched (or better still helping
SAs to get automated systems in place that apply patches to the 90% of
straight forward systems).

I've been quite dismayed at the amount of time some .edu site are having
to spend fighting 'bots as witnessed on the unisog IRC channel.  We have
yet to see any 'bots on campus here (touch wood ;), nor have we had any
sasser (yet).  Welchia B caused a small flurry a few weeks back when
someone finally brought it on to campus but apart from one department
that lost 20 machines (they now have all their machines pointing to our
SUS server) it has been a case of a handful of systems. 

Firewalls are not much use against a determined intelligent adversary,
nor are they any use against attacks that target applications (unless
you also have very smart protocol inspection stuff and even then I have
serious doubts) but they are quite effective against mindless worms and
(so far) have given us valuable time in which to prepare before they
(the worms) get in by the windows (laptops) or chimneys (dial-up or vpn)

Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!

More information about the unisog mailing list