427 Botnet fm qxd

only allows exactly what you need. However, in the days of mobile
systems and VPNs, firewalls are less perfect than ever. Network access
to files, printers, and network instrumentation gear (and SQL servers)
should be minimized.
■
Network-based monitoring systems such as Ourmon, cricket, and
netflow provide graphical or log-based histories of what happened on
your network.These can be invaluable for forensic examination of
network attacks.
■
For outbound spam, block port 25 access to the Internet for hosts
using dynamic IP. Hosts that show up in the logs trying to get out to
the Internet on port 25 are candidates for “bothood.” Open mail
relays are not the problem they once were, but open proxy “Web”
servers are a real possibility.
■
Monitor suspicious sources of e-mail (you should know and closely
control e-mail servers in the enterprise). Use an application or service.
■
If you have a mail server, it should have some way to check e-mail
for viruses. We hope this point is obvious, but it needs repeating.
Open source virus checkers exist (for example, see www.clamav.net).
■
Layer 2 measures can help minimize internal post-exploit fan-out.
For example, Cisco’s recent switch mechanisms (port security) for
detecting DHCP, IP address, and ARP spoofing can all help.
■
Work with networking managers, sys admins, and facilities manage-
ment to ensure the infrastructure (maps of building and data jack
locations, data jack to switch mappings, DHCP historical logs, Mac to
IP address mappings, and IP address to NetBIOS names) will permit
you to track down the physical locations of botnet clients
■
Require that all remote authorized users’ access to internal systems be
via encrypted VPNs.
■
Develop and use a network quarantine for use whenever a botnet
client is detected.
■
Work with operations to ensure security is permitted time to gather
intelligence from victims’ computers before they are re-imaged and
returned to service.

Download 6,98 Mb.

Do'stlaringiz bilan baham: