Internal Intrusion by a Proxy

In the initial phase of a worm attack, the worm is planted on a single system. In the second phase, the worm propagates automatically to peer systems. This second phase is in effect an internal attack, with the initially infected system acting as a hijacked host. Server-Specific Security cannot stop the initial infection, but it can stop the second phase. Even with an entirely trusted workforce, this alone is a reason to deploy Server-Specific Security. This is not serendipity: eliminating the concept of a trusted network from your architecture also limits the ability of rogue systems to quickly do the same kind of damage that a malicious individual could do on a corporate intranet.

The concept is called FireDoor. It was shown to be 100% effective at a recent SANS security bakeoff, where intrusion was invited from a group of experienced security hackers; after days of assaults with state-of-the-art intrusion tools, the offered prize remained unclaimed. The FireDoor concept is simple and easy to implement (see the section titled "Implementation of Server-Specific Security" below). Quite simply, FireDoor stops a worm in its tracks: while an unanticipated access path may compromise one server, that server cannot spread the infection to its peers. Server-Specific Security on the corporate intranet therefore protects servers from malicious users AND from hijacked systems. The FireDoor can alert systems management to block other similar intrusions and invoke a recovery service for the lone infected server. Like the surgical mask on hospital personnel, it blocks the internal spread of infection.
Each server's individual firewall is fitted with the inbound rules appropriate to the service that server offers. Outbound rules are then added on a per-server basis to quarantine a worm on the originally infected server. The rule set defines that:
- The server may not initiate a transfer; it can only respond.
- The server may not communicate with other servers within its perimeter protection.
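The following is an added example, not code from the original page or from the FireDoor product, showing one way to express the two outbound rules above on a Linux host and to check what they do to a worm. The server address 10.0.0.5, the service port 443, the peer segment 10.0.0.0/24 and the packet trace are all constructed for illustration; the iptables commands assume a Linux host firewall with conntrack, and the small filter class mirrors that policy so the trace can be evaluated offline.

```python
"""Model of a FireDoor-style per-server rule set: inbound rules for the
service the server offers, plus outbound rules that let it only respond
on connections it has already accepted and never talk to peers in its
own segment.  Addresses, ports and the trace below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a new TCP connection


class FireDoor:
    def __init__(self, server_ip, service_ports, peer_subnet):
        self.server = ip_address(server_ip)
        self.services = set(service_ports)
        self.peers = ip_network(peer_subnet)
        self.flows = set()  # (client, client port, service port) accepted inbound

    def iptables_rules(self):
        """Render the policy as iptables commands (assumed Linux host firewall)."""
        rules = [
            "iptables -P INPUT DROP",
            "iptables -P OUTPUT DROP",
            # Rule 1: the server may only respond, so the sole outbound ACCEPT
            # is for packets belonging to a connection that arrived inbound.
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
        for port in sorted(self.services):
            rules.append(f"iptables -A INPUT -p tcp --dport {port} --syn -j ACCEPT")
        # Rule 2: log and drop anything the server tries to send to a peer.
        # The OUTPUT DROP policy already covers it; logging gives the alert
        # that tells systems management an infected server is trying to spread.
        rules.append(f"iptables -A OUTPUT -d {self.peers} -j LOG --log-prefix 'FIREDOOR '")
        rules.append(f"iptables -A OUTPUT -d {self.peers} -j DROP")
        return rules

    def filter(self, pkt):
        """Apply the same policy to one packet; returns a verdict string."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if dst == self.server:  # inbound
            if pkt.syn:
                if pkt.dport in self.services:
                    self.flows.add((pkt.src, pkt.sport, pkt.dport))
                    return "ACCEPT"
                return "DROP:no-service"
            in_flow = (pkt.src, pkt.sport, pkt.dport) in self.flows
            return "ACCEPT" if in_flow else "DROP:not-a-reply"
        if src == self.server:  # outbound
            if (pkt.dst, pkt.dport, pkt.sport) in self.flows:
                return "ACCEPT"  # rule 1: a response on an accepted connection
            if dst in self.peers:
                return "DROP:peer"  # rule 2: no traffic to peers in the segment
            return "DROP:not-a-reply"  # rule 1: the server never initiates
        return "DROP:not-ours"


# Constructed trace: a legitimate client session, then what a worm on the
# server would attempt, then a peer probing a port the server does not offer.
TRACE = [
    Packet("203.0.113.9", 51000, "10.0.0.5", 443, syn=True),   # client opens HTTPS
    Packet("10.0.0.5", 443, "203.0.113.9", 51000, syn=False),  # server replies
    Packet("10.0.0.5", 40001, "10.0.0.6", 445, syn=True),      # worm scans peer SMB
    Packet("10.0.0.5", 40002, "198.51.100.7", 80, syn=True),   # worm fetches a stage
    Packet("10.0.0.6", 40003, "10.0.0.5", 22, syn=True),       # peer probes SSH
]


def run_trace(trace=TRACE):
    fd = FireDoor("10.0.0.5", [443], "10.0.0.0/24")
    return [fd.filter(p) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
    print("\n".join(FireDoor("10.0.0.5", [443], "10.0.0.0/24").iptables_rules()))
```

The two rules in the list are deliberately strict: a server locked down this way cannot resolve names, fetch patches or ship logs on its own initiative, so in practice each such dependency needs an explicit, narrowly scoped outbound exception added to the rule set (an assumption of the example, not something the text above prescribes). Note also that the example only blocks the infected server's outbound side; traffic arriving from a peer is stopped by that peer's own FireDoor rules, which is why every server in the segment must carry the rule set.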