Anyone for a Bagle?
There are approximately 20 different variants of the Win32/Bagle worm at present. A number of the latest variants have the ability to disable the Windows Firewall that is built into Windows XP Service Pack 2. This should not really come as a surprise - after all on 13 August, 2004 there was an article published in Techworld that outlined concerns that the Windows Firewall "can be switched off by another application, possibly even by a clever worm".
That means that if you have no separate hardware firewall and rely only on the Windows XP SP2 firewall, and your antivirus software is not up to date, you are likely to be accessing the Internet completely unprotected. I'd hate to count the number of people in this boat. I'd also hate to have to build a boat to hold this many people!
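Since these worms switch the Windows Firewall off silently, the check a defender wants is a simple one: confirm that each firewall profile is still enabled and raise an alert when it is not. The following script is an added example written for this newsletter; it is not code from Quark IT, Microsoft or Eset. The registry path under FirewallPolicy is the real location of the XP SP2 firewall profile settings; the interpretation of EnableFirewall (1 = on, 0 = off) and the constructed sample values used when the script runs on a non-Windows machine are assumptions.

```python
import sys

# Real registry location of the Windows XP SP2 firewall profile settings.
# Each profile subkey holds DWORD values such as EnableFirewall; we assume
# 1 means the firewall is on and anything else means it is off.
FIREWALL_POLICY_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess"
                       r"\Parameters\FirewallPolicy")
PROFILES = ("DomainProfile", "StandardProfile")


def assess_profile(name, values):
    """Return a list of findings for one profile.

    values: dict mapping registry value name -> int, either read live
    from the registry or constructed for the offline demonstration."""
    findings = []
    state = values.get("EnableFirewall")
    if state is None:
        findings.append(f"{name}: EnableFirewall value missing; "
                        "cannot confirm the firewall is on")
    elif state != 1:
        findings.append(f"{name}: firewall is DISABLED (EnableFirewall={state})")
    return findings


def assess(profiles):
    """profiles: dict profile name -> dict of values.
    Returns (ok, findings); ok is True only when every profile is enabled."""
    findings = []
    for name in PROFILES:
        values = profiles.get(name)
        if values is None:
            findings.append(f"{name}: profile key not found")
            continue
        findings.extend(assess_profile(name, values))
    return (not findings, findings)


def read_profiles_from_registry():
    """Read the live DWORD values on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    profiles = {}
    for name in PROFILES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                FIREWALL_POLICY_KEY + "\\" + name) as key:
                values = {}
                index = 0
                while True:
                    try:
                        vname, vdata, vtype = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    if vtype == winreg.REG_DWORD:
                        values[vname] = vdata
                    index += 1
                profiles[name] = values
        except OSError:
            pass  # missing profile key is reported by assess()
    return profiles


# Constructed sample standing in for a machine on which a worm has switched
# the Standard profile off while leaving the Domain profile untouched.
CONSTRUCTED_PROFILES = {
    "DomainProfile": {"EnableFirewall": 1, "DoNotAllowExceptions": 0},
    "StandardProfile": {"EnableFirewall": 0, "DoNotAllowExceptions": 0},
}


if __name__ == "__main__":
    live = read_profiles_from_registry()
    if live is None:
        source, profiles = "constructed sample (not Windows)", CONSTRUCTED_PROFILES
    else:
        source, profiles = "live registry", live
    ok, findings = assess(profiles)
    print(f"Firewall check ({source}): {'OK' if ok else 'ALERT'}")
    for finding in findings:
        print("  -", finding)
    sys.exit(0 if ok else 1)
```

Run it from a scheduled task so that a profile going from enabled to disabled between two runs is noticed; the non-zero exit status makes it easy to hook into whatever alerting you already have.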
NOD32 Does It Again!
NOD32 was one of only two antivirus applications able to detect and stop these new variants without a specific update. It was able to do this because of its advanced heuristics engine. Heuristics is where NOD32 makes an intelligent guess about the program being scanned, based on what it knows about how viruses behave. In heuristics mode, NOD32 does not rely on its database of virus signatures. This is a powerful way of detecting new viruses and worms before the database can be updated with the specific information about the latest malware (malicious software).
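To make the difference between signature and heuristic detection concrete, here is an added illustration in Python; it is not NOD32's engine, nor code from this newsletter. The sample "programs", the behaviour names, the weights and the threshold are all constructed assumptions. A signature scanner only recognises a file whose exact hash it already has, whereas a behaviour-based heuristic scores what the program does and so catches a brand-new variant, while a legitimate mail client that merely sends email stays under the threshold.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """A constructed 'program': its raw bytes plus the behaviours an
    emulator observed while running it in a sandbox."""
    name: str
    content: bytes
    behaviours: frozenset


# Illustrative heuristic weights for observed behaviours (assumed values).
TRAIT_WEIGHTS = {
    "disables_host_firewall": 4,
    "opens_listening_port": 3,
    "own_smtp_engine": 2,
    "harvests_addresses_from_disk": 3,
    "adds_autostart_registry_key": 2,
    "copies_self_to_shared_folders": 3,
}
HEURISTIC_THRESHOLD = 7  # assumed cut-off; tune to balance false positives


def signature_scan(sample, db):
    """True only if this exact file is already in the signature database."""
    return hashlib.sha256(sample.content).hexdigest() in db


def heuristic_score(sample):
    """Sum the weights of every suspicious behaviour the sample showed."""
    return sum(TRAIT_WEIGHTS.get(b, 0) for b in sample.behaviours)


def heuristic_scan(sample, threshold=HEURISTIC_THRESHOLD):
    return heuristic_score(sample) >= threshold


def verdict(sample, db):
    """Signature match first (cheap and certain), heuristics second."""
    if signature_scan(sample, db):
        return "known malware (signature)"
    if heuristic_scan(sample):
        return "probable malware (heuristic)"
    return "clean"


WORM_BEHAVIOURS = frozenset({
    "disables_host_firewall", "opens_listening_port",
    "own_smtp_engine", "harvests_addresses_from_disk",
})

# Constructed samples: a variant already in the database, a new variant with
# different bytes but the same behaviour, and a benign mail client.
KNOWN_VARIANT = Sample("known-variant.exe",
                       b"constructed bytes of a variant already in the DB",
                       WORM_BEHAVIOURS)
NEW_VARIANT = Sample("new-variant.exe",
                     b"constructed bytes of a variant released this morning",
                     WORM_BEHAVIOURS)
MAIL_CLIENT = Sample("mailclient.exe",
                     b"constructed bytes of a legitimate email program",
                     frozenset({"own_smtp_engine", "adds_autostart_registry_key"}))

# Signature database: SHA-256 of the files we already know are bad.
KNOWN_BAD = {hashlib.sha256(KNOWN_VARIANT.content).hexdigest(): KNOWN_VARIANT.name}


if __name__ == "__main__":
    for sample in (KNOWN_VARIANT, NEW_VARIANT, MAIL_CLIENT):
        print(f"{sample.name:18} score={heuristic_score(sample):2}  "
              f"-> {verdict(sample, KNOWN_BAD)}")
```

The new variant fails the signature check because no update has been issued for it, yet it scores 12 against a threshold of 7 and is stopped; the mail client scores only 4 and passes, which is the trade-off every heuristic threshold has to strike.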
There are many better-known antivirus solutions available; however, the reason Quark IT uses and recommends NOD32 is simply that it is the best antivirus scanner available today. In addition, its pricing is competitive, and it has a friendly, easy-to-use, integrated interface. NOD32 for the Desktop looks and operates in a similar fashion to NOD32 for Server and Exchange Server.
NOD32 was voted "Best Antivirus of 2004" in the September 2004 edition of Australian PC User, and has been awarded a record-breaking 29th "VB100" 100% award by the respected Virus Bulletin.
Hardware Firewall
Even if you didn't have decent antivirus software running, a hardware firewall (like m0n0wall or SonicWALL) would have limited the damage that these new Bagle variants could inflict on you. These new variants not only disable the Windows XP SP2 Firewall, but leave a backdoor open into your computer. A hardware firewall would not be susceptible to this "feature".
Although Microsoft recommends using UPnP hardware firewall devices on your network, Quark IT strongly recommends against this. If one worm can close down the Windows Firewall, imagine what the next one will do when it discovers how to use the UPnP features of your hardware firewall? It is for this reason that Quark IT will not enable the UPnP features of any devices we install or maintain.
Windows XP Service Pack 2
Does this mean that Windows XP SP2 is not worth installing? Not at all. It just means that you need to look at security like an onion, not like an apple. IT security is a multilayered beast that only tastes good when prepared properly. Windows XP SP2 is but one layer in this process of securing your network.
Running a software firewall in addition to a hardware firewall, if you want to, adds another layer to the defence of your network. Running a software firewall in place of a hardware firewall equates to lunacy. But remember that running a software firewall, be it Windows Firewall, Outpost, ZoneAlarm or any of the other software firewalls available, will also increase the complexity of your network - there may be multiple places you need to look to determine what is causing traffic to be blocked.
As always, security is a trade-off. It is always a goal. It will never ultimately be achieved. But it is a goal worth striving toward.
Late Breaking MyDoom News
Both Symantec and McAfee are reporting new variants of the MyDoom worm that are evading detection by antivirus applications that scan email messages with attachments. This new MyDoom variant uses a recently discovered vulnerability in Microsoft's Internet Explorer. There's not much more news to hand, but worms using exploits like this, such as the recent BugBear worm, can cause a lot of damage in a short period of time. (source: news.com)
Please note that NOD32 scans both email traffic and general HTTP traffic, and also has an advanced heuristics scanning engine, both of which will detect these new MyDoom variants.