05-03-2004 10:18 AM - edited 03-09-2019 07:16 AM
Hello, as you may or may not know, the latest virus running around is causing troubles. Symantec advised to block TCP ports 5554, 9996 & 445. Can somebody let me know how I could do this? Incoming access should be blocked, but how can I stop outgoing access?
Thank you in advance
John Palmason
05-03-2004 11:48 AM
Best practices:
Create an ACL and apply it on your firewall's inside interface. Here is a sample of how to do this, specifically for the SASSER worm:
access-list inside deny tcp any any eq 445
access-list inside deny tcp any any eq 5554
access-list inside deny tcp any any eq 9996
access-list inside permit ip any any (of course this would depend on your company's security policy in terms of what's allowed and not)
access-group inside in interface inside (or the name of your inside interface)
Now it's also good practice (for Windows networks) to block the following:
- access-list inside deny tcp any any eq 135
- access-list inside deny tcp any any eq 137
- access-list inside deny udp any any eq 137
- access-list inside deny tcp any any eq 139
- access-list inside deny udp any any eq 139
- access-list inside deny udp any any eq 161 (if running snmp;-)
- there are other services you could block; search for them, and it depends again on your security policy
Hope this helps.
Amin
05-04-2004 09:24 AM
Amin,
Could you give a brief description of what those other ports are for windows networks, and what the potential risk is?
05-04-2004 10:50 AM
Thank you, would it make sense to place an ACL outgoing, blocking these ports from leaving the network? I know that I don't have any incoming ACL that will allow for this, but I am concerned about VPN users at home maybe introducing this to our network, and I would hate to let this virus out of our network (if we got infected).
John P
05-05-2004 12:24 AM
Hi Amin,
Is it possible to apply access-lists onto Catalyst switches? I believe this would limit the virus spread throughout the network even if an infected machine was able to connect.
05-05-2004 04:05 AM
I believe that the 12.1 enhanced image code for Cat 2950 switches can let you do IP access-lists.
I think that the newer code that runs on cat 4000 series switches will also do the same. I know for certain that the cat 6000/6500 series can let you do vlan acls (vacls).
For the 2900/3500xl models, you cannot do any type of acls yet with any code.
With all of the models I listed above you can set up VLAN private edge ports - this is done via the protected port feature and works even if the ports are on the same VLAN. Look into the Cat docs for more details. The only drawback with that, with regard to 2900/3500XLs, is that it won't work across trunk ports - that is, you cannot have a port on one 3500XL prevented from communicating with a port on another 3500XL via a trunk link.
05-05-2004 11:03 PM
A good idea is to add port 9995, because it's used by new variants of Sasser.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125012
access-list inside deny tcp any any eq 9995
maxo
05-10-2004 10:01 PM
W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm, as per Symantec. It uses TCP ports 1022 and 1023.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.e.worm.html
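Added example (not part of the original thread or of any Cisco product): a small first-match evaluator for the PIX/IOS-style extended ACL lines Amin posted, extended with the ports maxo and the Sasser.E post added later. It models only the syntax the thread uses (source and destination "any any", optional "eq PORT") and is meant to check the one rule that the posted list relies on but never states: entries are evaluated top-down, the first match wins, and a list that matches nothing ends in an implicit deny. The ACL name "inside" and the sample flows are taken or constructed from the thread; nothing here is run on a real firewall.

```python
"""First-match evaluator for PIX/IOS-style extended access-lists (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry; dport is None when no 'eq PORT' was given."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    dport: Optional[int]   # destination port from "eq N", or None for any


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME {permit|deny} PROTO any any [eq PORT]'.

    Anything outside that subset raises ValueError: a checker that silently
    skipped a line would hide exactly the typo the firewall would also reject.
    """
    t = line.strip().lower().split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto, src, dst = t[1], t[2], t[3], t[4], t[5]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported action/protocol: {line!r}")
    if src != "any" or dst != "any":
        raise ValueError(f"only 'any any' addresses are modelled here: {line!r}")
    dport = None
    rest = t[6:]
    if rest:
        if proto == "ip" or len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"bad port qualifier: {line!r}")
        dport = int(rest[1])
        if not 0 <= dport <= 65535:
            raise ValueError(f"port out of range: {line!r}")
    return name, Ace(action, proto, dport)


def parse_acl(config: str) -> Dict[str, List[Ace]]:
    """Group ACEs by ACL name, keeping the order they appear in the config."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                       # blank line or '!' comment
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def evaluate(aces: List[Ace], proto: str, dport: int) -> str:
    """First matching ACE decides; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed config: Amin's list plus the ports added later in the thread
# (TCP 9995 per maxo, TCP 1022/1023 per the Sasser.E post). Deny lines sit
# above the catch-all permit so they are reached first.
SASSER_ACL = """
! worm ports
access-list inside deny tcp any any eq 445
access-list inside deny tcp any any eq 5554
access-list inside deny tcp any any eq 9996
access-list inside deny tcp any any eq 9995
access-list inside deny tcp any any eq 1022
access-list inside deny tcp any any eq 1023
! Windows networking / SNMP ports from the same post
access-list inside deny tcp any any eq 135
access-list inside deny tcp any any eq 137
access-list inside deny udp any any eq 137
access-list inside deny tcp any any eq 139
access-list inside deny udp any any eq 139
access-list inside deny udp any any eq 161
access-list inside permit ip any any
"""

# The same entries with the permit moved to the top: the classic ordering mistake.
MISORDERED_ACL = "access-list inside permit ip any any\n" + "\n".join(
    l for l in SASSER_ACL.splitlines()
    if l.startswith("access-list") and "permit" not in l
)


def decide(config: str, proto: str, dport: int, acl_name: str = "inside") -> str:
    """Verdict of the named ACL in `config` for one flow."""
    return evaluate(parse_acl(config)[acl_name], proto, dport)


def blocked_flows(config: str, flows):
    """Return the (proto, dport) pairs the ACL would drop."""
    return [f for f in flows if decide(config, *f) == "deny"]


if __name__ == "__main__":
    sample = [("tcp", 445), ("tcp", 5554), ("tcp", 80), ("udp", 161), ("udp", 53)]
    print("correct order blocks:", blocked_flows(SASSER_ACL, sample))
    print("permit-first blocks: ", blocked_flows(MISORDERED_ACL, sample))
```

Applied with `access-group inside in interface inside`, the real list is evaluated on traffic entering the firewall from the inside network, which is why it answers the "outgoing" question in the thread: a worm on an internal or VPN-connected host never gets its SYN past the inside interface. The `MISORDERED_ACL` case shows why the `permit ip any any` must stay last; with it first, every deny line is dead code and nothing is blocked.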