cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2459
Views
0
Helpful
5
Replies

extended access-list to block 445 microsoft-ds

lewy1961
Level 1
Level 1

Hi ,

My network consists of lots of vlans linking various sites (external via LES circuits and internal departments)to a central server core. We have been hit by the Korgo virus , (we have the Cisco 4235 IDS so identified very quickly) . I want to put access-lists on all my vlans to deny tcp and udp port 445 (microsoft-ds )as this is how the infected hosts scan for suitable victims. I;ve tested it and cannot see any impact apart from the desired one , can anyone confirm this or point out the flaws . Many thanks in advance

1 Accepted Solution

Accepted Solutions

You can find some stuff about these protocols in:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q204/2/79.ASP&NoWebContent=1

I hope you find this useful. If so, please don't forget to fill in the "solved" and "rate this post" fields.

Thanks in advance.

Kevin Dorrell

Luxembourg

View solution in original post

5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

There are pluses and minuses to filtering this way. The major plus is that you help contain the spread of the virus. There are a couple of potential minuses to keep in mind. The first is that possibility of some mistake in constructing the access list which could impact traffic in a way that you do not anticipate. Perhaps the most important question is the question of whether there is legitimate traffic in your network that uses port 445.

An approach that I see with some frequency is to do this kind of filtering at the edges of the network. It is usually pretty easy to say that there should not be legitimate traffic on port 445 from remote networks to you or from machines in your network to other remote networks. I also sometimes see filters on interior routers that deny traffic for port 445 which have destination addresses in remote networks.

HTH

Rick

HTH

Rick

Thanks very much for both responses.

Previously I had blocked this port (445) on our 100Mb internet link both incoming and outgoing to prevent infections, as per most Cisco web examples.(Also 135 -139).

The interior network is different as we are a core service for all the schools and public services depts (we are a local County Council). Basically we operate one large LAN using many vlans , but with traffic only travaersing our Pix's when they need the internet.

Thanks again , I will keep an eye on any issues that appear ...

Kevin Dorrell
Level 10
Level 10

I have done this on our network, and I can demonstrate that it has saved us from infection several times. It seems to have no ill effect on the Microsoft traffic. From Windows 2000 Microsoft prefer to use port tcp/445 for connection to windows servers, i.e. the direct CIFS file service. However, the (NT or XP) client also tries good old NBT on tcp/137 at the same time, which seems to work just as well with just a little more overhead.

Port/445 must be the most buggy port of any in the Microsoft software. Watch any Internet connection, and you can see continuous worm traffic on this port trying to hack into your system. It is estimated the average life expectancy of any unpatched XP system connected to the Internet is about 20 minutes, and it is almost always tcp/445 that gets it.

I would recommend yes, block it.

Kevin Dorrell

Luxembourg

Thanks very much for both responses.

Previously I had blocked this port (445) on our 100Mb internet link both incoming and outgoing to prevent infections, as per most Cisco web examples.(Also 135 -139).

The interior network is different as we are a core service for all the schools and public services depts (we are a local County Council). Basically we operate one large LAN using many vlans , but with traffic only travaersing our Pix's when they need the internet.

Thanks again , I will keep an eye on any issues that appear ...

You can find some stuff about these protocols in:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q204/2/79.ASP&NoWebContent=1

I hope you find this useful. If so, please don't forget to fill in the "solved" and "rate this post" fields.

Thanks in advance.

Kevin Dorrell

Luxembourg

Review Cisco Networking for a $25 gift card