Next Page Up (Back to this Section First Page) Previous Page Table of Contents
Next: Trends for the Up: Worms Previous: History of Worms

Current Protection Against Worms

Protecting a system against a worm requires a combination of basic system security and good network security. There are a variety of procedures and tools which can be applied to protect the system.

In basic system security, the most important means of defense against worms is the identification &authentication (I&A) controls, which are usually integrated into the system. If poorly managed, these controls become a vulnerability which is easily exploited. Worms are especially adept at exploiting such vulnerabilities; both the Internet and DECnet worms targeted I&Acontrols.

Add-on tools include configuration review tools (such as COPS [GS91] for UNIX systems) and checksum-based change detection tools. Design of configuration review tools requires intimate knowledge of the system, but no knowledge of the worm code.

Another class of add-on tools is the intrusion detection tool. This is somewhat analogous to the PC monitoring software, but is usually more complex. This tool reviews series of commands to determine if the user is doing something suspicious. If so, the system manager is notified.

One type of network security tool is the wrapper program. Wrapper programs can be used to ``filter'' network connections, rejecting or allowing certain types of connections (or connections from a pre-determined set of systems). This can prevent worm infections by ``untrusted'' systems. Overlaps in trust may still allow infection to occur (A trusts B but not C; B trusts C; C infects B which infects A) but the rate of propagation will be limited.Footer

These tools do not protect a system against the exploitation of flaws in the operating system. This issue must be dealt with at the time of procurement. After procurement, it becomes a procedural issue. Resources are available to system managers to keep them abreast of security bugs and bug fixes, such as the CERTFooter computer security advisories.Footer

Another class of security tools can be employed to protect a network against worms. The firewall system [GS91] protects an organizational network from systems in the larger network world. Firewall systems are found in two forms: simple or intelligent. An intelligent firewall filters all connections between hosts on the organizational network and the world-at-large. A simple firewall disallows all connections with the outside world, essentially splitting the network into two different networks. To transfer information between hosts on the different networks, an account on the firewall system is required.


Next Page Up (Back to this Section First Page) Previous Page Table of Contents
Next: Trends for the Up: Worms Previous: History of Worms


konczal@csrc.ncsl.nist.gov
Thu Mar 10 15:32:44 EST 1994