Home » ZyXEL Manuals » Networking » ZyXEL ZyWALL 5 UTM » Manual Viewer

ZyXEL ZyWALL 5 UTM User Guide - Page 296

SQL Slammer Worm, Blaster W32.Worm, Nimda, MyDoom

Get ZyXEL ZyWALL 5 UTM PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 296 highlights

Chapter 14 Intrusion Detection and Prevention (IDP) Screens SQL Slammer Worm W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. The worm has the unintended payload of performing a Denial of Service attack due to the large number of packets it sends. Refer to Microsoft SQL Server 2000 or MSDE 2000 vulnerabilities in Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061. Blaster W32.Worm This is a worm that exploits the DCOM RPC vulnerability (see Microsoft Security Bulletin MS03-026 and Microsoft Security Bulletin MS03-039) using TCP port 135. The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003 Server machines are vulnerable (if not properly patched), the worm is not coded to replicate on those systems. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not mass mail to other devices. Nimda Its name (backwards for "admin") refers to an "admin.DLL" file that, when run, continues to propagate the virus. Nimda probes each IP address within a randomly selected range of IP addresses, attempting to exploit weaknesses that, unless already patched, are known to exist in computers with Microsoft's Internet Information Server. A system with an exposed IIS Web server will read a Web page containing an embedded JavaScript that automatically executes, causing the same JavaScript code to propagate to all Web pages on that server. As Microsoft Internet Explorer browsers version 5.01 or earlier visit sites at the infected Web server, they unwittingly download pages with the JavaScript code that automatically executes, causing the virus to be sent to other computers on the Internet in a somewhat random fashion. Nimda also can infect users within the Web server's own internal network that have been given a network share (a portion of file space). Finally, one of the things that Nimda has an infected system do is to send an e-mail with a "readme.exe" attachment to the addresses in the local Windows address book. A user who opens or previews this attachment (which is a Web page with the JavaScript) propagates the virus further. Server administrators should get and apply the cumulative IIS patch that Microsoft has provided for previous viruses and ensure that no one at the server opens e-mail. You should update your Internet Explorer version to IE 5.5 SP2 or later. Scan and cleanse your system with anti-virus software. MyDoom MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with an bat, cmd, exe, pif, scr, or zip file extension. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files. Systems affected are Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003. 296 ZyWALL 5/35/70 Series User's Guide

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	29
List of Tables	41
Introduction	49
Getting to Know Your ZyWALL	51
1.1 ZyWALL Internet Security Appliance Overview	51
1.2 ZyWALL Features	51
1.3 Applications for the ZyWALL	52
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem	52
1.3.2 VPN Application	53
1.3.3 3G WAN Application (ZyWALL 5 Only)	53
1.4 Ways to Manage the ZyWALL	54
1.5 Good Habits for Managing the ZyWALL	54
Hardware Installation	55
2.1 General Installation Instructions	55
2.2 Desktop Installation	55
2.3 Rack-mounted Installation Requirements	56
2.4 Rack-Mounted Installation	57
2.5 3G Card, WLAN Card and ZyWALL Turbo Card Installation	58
2.6 Front Panel Lights	59
Introducing the Web Configurator	61
3.1 Web Configurator Overview	61
3.2 Accessing the ZyWALL Web Configurator	61
3.3 Resetting the ZyWALL	63
3.3.1 Procedure To Use The Reset Button	63
3.3.2 Uploading a Configuration File Via Console Port	63
3.4 Navigating the ZyWALL Web Configurator	64
3.4.1 Title Bar	64
3.4.2 Main Window	65
3.4.3 HOME Screen: Router Mode	65
3.4.4 HOME Screen: Bridge Mode	71
3.4.5 Navigation Panel	74
3.4.6 Port Statistics	80
3.4.7 Show Statistics: Line Chart	81
3.4.8 DHCP Table	82
3.4.9 VPN Status	83
3.4.10 Bandwidth Monitor	84
Wizard Setup	87
4.1 Wizard Setup Overview	87
4.2 Internet Access	88
4.2.1 ISP Parameters	88
4.2.2 Internet Access Wizard: Second Screen	92
4.2.3 Internet Access Wizard: Registration	93
4.2.4 Internet Access Wizard: Status	94
4.2.5 Internet Access Wizard: Service Activation	95
4.3 VPN Wizard Gateway Setting	96
4.4 VPN Wizard Network Setting	97
4.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)	99
4.6 VPN Wizard IPSec Setting (IKE Phase 2)	100
4.7 VPN Wizard Status Summary	102
4.8 VPN Wizard Setup Complete	104
4.9 Anti-Spam Wizard: Email Server Location Setting	104
4.10 Anti-Spam Wizard: Direction Recommendations	105
4.11 Anti-Spam Wizard: Direction Configuration	106
4.12 Anti-Spam Wizard: Setup Complete	108
Tutorials	109
5.1 Dynamic VPN Rule Configuration	109
5.1.1 Configure Bob’s User Account	110
5.1.2 VPN Gateway and Network Policy Configuration	110
5.1.3 Configure Zero Configuration Mode on ZyWALL B	116
5.1.4 Testing Your VPN Configuration	117
5.1.5 Using the Dynamic VPN Rule for More VPN Tunnels	119
5.2 Security Settings for VPN Traffic	119
5.2.1 IDP for From VPN Traffic Example	120
5.2.2 IDP for To VPN Traffic Example	121
5.3 Firewall Rule for VPN Example	122
5.3.1 Configuring the VPN Rule	123
5.3.2 Configuring the Firewall Rules	127
5.4 How to Set up a 3G WAN Connection	130
5.4.1 Inserting a 3G Card	130
5.4.2 Configuring 3G WAN Settings	131
5.4.3 Checking WAN Connections	132
5.5 Configuring Load Balancing	132
5.6 Configuring Content Filtering	133
5.6.1 Enable Content Filtering	133
5.6.2 Block Categories of Web Content	134
5.6.3 Assign Bob’s Computer a Specific IP Address	136
5.6.4 Create a Content Filter Policy for Bob	136
5.6.5 Set the Content Filter Schedule	137
5.6.6 Block Categories of Web Content for Bob	138
Registration Screens	141
6.1 Overview	141
6.1.1 What You Can Do in the Registration Screens	141
6.1.2 What You Need to Know About Registration	141
6.2 The Registration Screen	142
6.3 The Service Screen	144
Network	147
LAN Screens	149
7.1 Overview	149
7.1.1 What You Can Do in The LAN Screens	149
7.1.2 What You Need to Know About LAN	150
7.2 The LAN Screen	152
7.3 The LAN Static DHCP Screen	155
7.4 The LAN IP Alias Screen	156
7.5 The LAN Port Roles Screen	158
Bridge Screens	161
8.1 Overview	161
8.1.1 What You Can Do in the Bridge Screens	161
8.1.2 What You Need To Know About Bridging	162
8.2 The Bridge Screen	163
8.3 The Bridge Port Roles Screen	164
8.4 Bridge Technical Reference	166
WAN Screens	169
9.1 Overview	169
9.1.1 What You Can Do in the WAN Screens	170
9.1.2 What You Need to Know About WAN	170
9.1.3 Before You Begin	172
9.2 The General Screen	172
9.2.1 Configuring the General Screen	173
9.2.2 Configuring Load Balancing	177
9.2.3 Least Load First	177
9.2.4 Weighted Round Robin	179
9.2.5 Spillover	180
9.3 The WAN1 and WAN2 Screen	182
9.3.1 WAN Ethernet Encapsulation	183
9.3.2 PPPoE Encapsulation	186
9.3.3 PPTP Encapsulation	189
9.4 The 3G (WAN2) Screen	192
9.5 The Traffic Redirect Screen	197
9.6 Configuring the Traffic Redirect Screen	198
9.7 The Dial Backup Screen	199
9.7.1 The Advanced Modem Setup Screen	201
9.7.2 Configuring the Advanced Modem Setup Screen	202
9.8 WAN Technical Reference	204
DMZ Screens	207
10.1 Overview	207
10.1.1 What You Can Do in the DMZ Screens	207
10.1.2 What You Need To Know About DMZ	208
10.1.3 DMZ Public IP Address Example	208
10.1.4 DMZ Private and Public IP Address Example	209
10.2 The DMZ Screen	210
10.3 The Static DHCP Screen	213
10.4 The IP Alias Screen	214
10.5 The DMZ Port Roles Screen	216
WLAN Screens	219
11.1 Overview	219
11.1.1 What You Can Do in the WLAN Screens	219
11.1.2 What You Need to Know About WLAN	220
11.2 The WLAN Screen	220
11.3 WLAN Static DHCP	223
11.4 WLAN IP Alias	224
11.5 WLAN Port Roles	226
Wireless Screens	229
12.1 Overview	229
12.1.1 What You Can Do in the Wireless Screens	229
12.1.2 What You Need to Know	229
12.2 Wireless Card	232
12.2.1 Static WEP	234
12.2.2 WPA-PSK	235
12.2.3 WPA	237
12.2.4 IEEE 802.1x + Dynamic WEP	238
12.2.5 IEEE 802.1x + Static WEP	239
12.2.6 IEEE 802.1x + No WEP	240
12.2.7 No Access 802.1x + Static WEP	241
12.2.8 No Access 802.1x + No WEP	242
12.3 MAC Filter	243
12.4 Technical Reference	244
Security	249
Firewall Screens	251
13.1 Overview	251
13.1.1 What You Can Do Using the Firewall Screens	252
13.1.2 What You Need To Know About the ZyWALL Firewall	252
13.1.3 Before You Begin	252
13.2 Firewall Rules Example	252
13.3 The Firewall Default Rule Screen	254
13.4 The Firewall Default Rule (Bridge Mode) Screen	256
13.5 The Firewall Rule Summary Screen	259
13.5.1 The Firewall Edit Rule Screen	260
13.6 The Anti-Probing Screen	263
13.7 The Firewall Thresholds Screen	264
13.8 The Firewall Services Screen	266
13.8.1 The Firewall Edit Custom Service Screen	267
13.8.2 My Service Firewall Rule Example	268
13.9 Technical Reference	271
Intrusion Detection and Prevention (IDP) Screens	277
14.1 Overview	277
14.1.1 What You Can Do Using the IDP Screens	277
14.1.2 What You Need To Know About the ZyWALL IDP	278
14.1.3 Before You Begin	279
14.2 The General Setup Screen	279
14.3 The Signatures Screen	281
14.3.1 Attack Types	281
14.3.2 Intrusion Severity	282
14.3.3 Signature Actions	282
14.3.4 Configuring The IDP Signatures Screen	283
14.3.5 The Query View Screen	284
14.4 The Anomaly Screen	289
14.5 The Update Screen	291
14.5.1 mySecurityZone	291
14.5.2 Configuring The IDP Update Screen	292
14.6 The Backup and Restore Screen	293
14.7 Technical Reference	294
Anti-Virus Screens	299
15.1 Overview	299
15.1.1 What You Can Do in the Antivirus Screens	299
15.1.2 What You Need to Know About Antivirus	300
15.2 The General Screen	301
15.3 The Signature Screen	303
15.3.1 Signature Search Example	305
15.4 The Update Screen	306
15.4.1 mySecurityZone	307
15.4.2 Configuring Anti-virus Update	307
15.5 The Backup and Restore Screen	309
15.6 Technical Reference	310
Anti-Spam Screens	313
16.1 Overview	313
16.1.1 What You Can Do in the Antispam Screens	313
16.1.2 What You Need to Know About Antispam	314
16.2 The General Screen	315
16.3 The External DB Screen	318
16.4 The Lists Screen	320
16.5 Anti-Spam Lists Edit Screen	322
16.6 Technical Reference	324
Content Filtering Screens	327
17.1 Overview	327
17.1.1 What You Can Do in the Content Filtering Screens	327
17.1.2 What You Need to Know About Content Filtering	327
17.2 General Screen	328
17.3 The Policy Screen	331
17.4 Content Filter Policy: General	332
17.5 Content Filter Policy: External Database	334
17.6 Content Filter Policy: Customization	341
17.7 Content Filter Policy: Schedule	342
17.8 Content Filter Object	343
17.9 Content Filtering Cache	346
Content Filtering Reports	349
18.1 Overview	349
18.2 Checking Content Filtering Activation	349
18.3 Viewing Content Filtering Reports	349
18.4 Web Site Submission	354
IPSec VPN	357
19.1 Overview	357
19.1.1 What You Can Do in the IPSec VPN Screens	357
19.1.2 What You Need to Know About IPSec VPN	358
19.2 The VPN Rules (IKE) Screen	360
19.3 The VPN Rules (IKE) Gateway Policy Edit Screen	361
19.4 The Network Policy Edit Screen	367
19.5 The Network Policy Edit: Port Forwarding Screen	372
19.6 The Network Policy Move Screen	374
19.7 The VPN Rules (Manual) Screen	375
19.8 The VPN Rules (Manual): Edit Screen	376
19.9 The VPN SA Monitor Screen	379
19.10 The VPN Global Setting Screen	379
19.11 Telecommuter VPN/IPSec Examples	382
19.11.1 Telecommuters Sharing One VPN Rule Example	383
19.11.2 Telecommuters Using Unique VPN Rules Example	383
19.12 VPN and Remote Management	385
19.13 Hub-and-spoke VPN	385
19.13.1 Hub-and-spoke VPN Example	386
19.13.2 Hub-and-spoke Example VPN Rule Addresses	387
19.13.3 Hub-and-spoke VPN Requirements and Suggestions	387
19.14 IPSec VPN Background Information	388
Certificates	399
20.1 Overview	399
20.1.1 What You Can Do in the Certificate Screens	399
20.1.2 What You Need to Know About Certificates	399
20.1.3 Verifying a Certificate	400
20.2 The My Certificates Screen	401
20.2.1 The My Certificate Details Screen	403
20.3 The My Certificate Export Screen	406
20.4 The My Certificate Import Screen	407
20.4.1 Using the My Certificate Import Screen	407
20.5 The My Certificate Create Screen	409
20.6 The Trusted CAs Screen	413
20.7 The Trusted CA Details Screen	415
20.8 The Trusted CA Import Screen	418
20.9 The Trusted Remote Hosts Screen	419
20.10 The Trusted Remote Hosts Import Screen	421
20.11 The Trusted Remote Host Certificate Details Screen	422
20.12 The Directory Servers Screen	424
20.13 The Directory Server Add or Edit Screen	425
Authentication Server Screens	427
21.1 Overview	427
21.1.1 What You Can Do in the Authentication Server Screens	427
21.1.2 What You Need To Know About Authentication Server	427
21.2 The Local User Database Screen	428
21.3 The RADIUS Screen	430
Advanced	433
Network Address Translation (NAT)	435
22.1 Overview	435
22.1.1 What You Can Do Using the NAT Screens	435
22.1.2 What You Need To Know About NAT	435
22.1.3 Before You Begin	436
22.2 The NAT Overview Screen	436
22.3 The NAT Address Mapping Screen	438
22.3.1 NAT Address Mapping Edit	440
22.4 The Port Forwarding Screen	441
22.4.1 Default Server IP Address	441
22.4.2 Port Forwarding: Services and Port Numbers	442
22.4.3 Configuring Servers Behind Port Forwarding (Example)	442
22.4.4 NAT and Multiple WAN	442
22.4.5 Port Translation	443
22.4.6 Configuring The Port Forwarding Screen	443
22.5 The Port Triggering Screen	445
22.5.1 Configuring Port Triggering	446
22.6 Technical Reference	447
Static Route Screens	451
23.1 Overview	451
23.1.1 What You Can Do in the Static Route Screens	451
23.2 The IP Static Route Screen	452
23.2.1 The IP Static Route Edit Screen	454
Policy Route Screens	457
24.1 Overview	457
24.1.1 What You Can Do in the Policy Route Screens	457
24.1.2 What You Need To Know About Policy Route	457
24.2 The Policy Route Summary Screen	458
24.2.1 The Policy Route Edit Screen	460
Bandwidth Management Screens	465
25.1 Overview	465
25.1.1 What You Can Do in the Bandwidth Management Screens	465
25.1.2 What You Need to Know About Bandwidth Management	465
25.1.3 Application and Subnet-based Bandwidth Management Example	466
25.1.4 Over Allotment of Bandwidth Example	467
25.1.5 Maximize Bandwidth Usage With Bandwidth Borrowing Example	467
25.2 The Summary Screen	467
25.2.1 Maximize Bandwidth Usage Example	470
25.2.2 Reserving Bandwidth for Non-Bandwidth Class Traffic	471
25.3 The Class Setup Screen	471
25.4 Bandwidth Manager Class Configuration	473
25.4.1 Bandwidth Borrowing Example	476
25.5 Bandwidth Management Statistics	477
25.6 The Monitor Screen	478
DNS Screens	479
26.1 Overview	479
26.1.1 What You Can Do in the DNS Screens	479
26.1.2 What You Need To Know About DNS	479
26.2 The System Screen	481
26.2.1 The Add Address Record Screen	483
26.2.2 The Insert Name Server Record Screen	484
26.3 The DNS Cache Screen	485
26.4 The DHCP Screen	487
26.5 The DDNS Screen	488
26.6 Configuring the Dynamic DNS Screen	489
Remote Management Screens	491
27.1 Overview	491
27.1.1 What You Can Do in the Remote Management Screens	491
27.1.2 What You Need To Know About Remote Management	492
27.2 HTTPS Example	493
27.2.1 Internet Explorer Warning Messages	493
27.2.2 Netscape Navigator Warning Messages	493
27.2.3 Avoiding the Browser Warning Messages	494
27.2.4 Login Screen	495
27.2.5 Enrolling and Importing SSL Client Certificates (Example)	496
27.2.6 Installing the CA’s Certificate (Example)	497
27.2.7 Installing Your Personal Certificate(s) (Example)	498
27.2.8 Using a Certificate When Accessing the ZyWALL (Example)	501
27.2.9 Secure Telnet Using SSH Examples	502
27.3 The WWW Screen	504
27.4 Configuring the WWW Screen	505
27.5 The SSH Screen	507
27.6 Configuring the SSH Screen	507
27.7 The Telnet Screen	508
27.8 The FTP Screen	509
27.9 The SNMP Screen	510
27.9.1 Configuring the SNMP Screen	512
27.10 The DNS Screen	513
27.11 The CNM Screen	514
27.12 Configuring the CNM Screen	514
27.13 Remote Management Technical Reference	516
UPnP Screens	519
28.1 Overview	519
28.1.1 What You Can Do in the UPnP Screens	519
28.1.2 What You Need To Know About UPnP	519
28.2 UPnP Examples	520
28.2.1 Installing UPnP in Windows Example	520
28.2.2 Using UPnP in Windows XP Example	522
28.3 The UPnP Screen	526
28.4 The Ports Screen	527
Custom Application Screen	529
29.1 Overview	529
29.1.1 What You Can Do in the Custom Application Screen	529
29.1.2 What You Need to Know About Custom Application	529
29.2 The Custom Application Screen	529
ALG Screen	531
30.1 Overview	531
30.1.1 What You Need to Know About ALG	531
30.2 The ALG Screen	535
Reports, Logs and Maintenance	537
Reports Screens	539
31.1 Overview	539
31.1.1 What You Can Do in the Reports Screens	539
31.2 The Traffic Statistics Screen	539
31.2.1 Viewing Web Site Hits	541
31.2.2 Viewing Host IP Address	542
31.2.3 Viewing Protocol/Port	543
31.2.4 System Reports Specifications	545
31.3 The IDP Screen	545
31.4 The Anti-Virus Screen	547
31.5 The Anti-Spam Screen	549
31.6 The E-mail Report Screen	551
Logs Screens	555
32.1 Overview	555
32.1.1 What You Can Do in the Log Screens	555
32.1.2 What You Need To Know About Logs	555
32.2 The View Log Screen	555
32.2.1 Log Description Example	556
32.2.2 About the Certificate Not Trusted Log	557
32.3 The Log Settings Screen	558
32.4 Technical Reference	561
Maintenance Screens	585
33.1 Overview	585
33.1.1 What You Can Do in the Maintenance Screens	585
33.2 The General Setup Screen	585
33.3 The Password Screen	586
33.4 The Time and Date Screen	587
33.4.1 Time Server Synchronization Example	590
33.5 The Device Mode Screen	591
33.6 Configuring the Device Mode Screen (Router)	592
33.7 Configuring the Device Mode Screen (Bridge)	593
33.8 The F/W Upload Screen	595
33.9 The Backup and Restore Screen	597
33.10 The Restart Screen	599
33.11 The Diagnostics Screen	599
SMT	603
Introducing the SMT	605
34.1 Introduction to the SMT	605
34.2 Accessing the SMT via the Console Port	605
34.2.1 Initial Screen	605
34.2.2 Entering the Password	606
34.3 Navigating the SMT Interface	606
34.3.1 Main Menu	607
34.3.2 SMT Menus Overview	609
34.4 Changing the System Password	610
34.5 Resetting the ZyWALL	611
SMT Menu 1 - General Setup	613
35.1 Introduction to General Setup	613
35.2 Configuring General Setup	613
35.2.1 Configuring Dynamic DNS	615
WAN and Dial Backup Setup	619
36.1 Introduction to WAN and Dial Backup Setup	619
36.2 WAN Setup	619
36.3 Dial Backup	620
36.3.1 Configuring Dial Backup in Menu 2	620
36.3.2 Advanced WAN Setup	621
36.3.3 Remote Node Profile (Backup ISP)	623
36.3.4 Editing TCP/IP Options	625
36.3.5 Editing Login Script	626
36.3.6 Remote Node Filter	628
36.3.7 3G Modem Setup	629
36.3.8 Remote Node Profile (3G WAN)	630
LAN Setup	633
37.1 Introduction to LAN Setup	633
37.2 Accessing the LAN Menus	633
37.3 LAN Port Filter Setup	633
37.4 TCP/IP and DHCP Ethernet Setup Menu	634
37.4.1 IP Alias Setup	636
Internet Access	639
38.1 Introduction to Internet Access Setup	639
38.2 Ethernet Encapsulation	639
38.3 Configuring the PPTP Client	641
38.4 Configuring the PPPoE Client	642
38.5 Basic Setup Complete	643
DMZ Setup	645
39.1 Configuring DMZ Setup	645
39.2 DMZ Port Filter Setup	645
39.3 TCP/IP Setup	646
39.3.1 IP Address	646
39.3.2 IP Alias Setup	647
Route Setup	649
40.1 Configuring Route Setup	649
40.2 Route Assessment	649
40.3 Traffic Redirect	650
40.4 Route Failover	651
Wireless Setup	653
41.1 Wireless LAN Setup	653
41.1.1 MAC Address Filter Setup	655
41.2 TCP/IP Setup	656
41.2.1 IP Address	656
41.2.2 IP Alias Setup	657
Remote Node Setup	659
42.1 Introduction to Remote Node Setup	659
42.2 Remote Node Setup	659
42.3 Remote Node Profile Setup	660
42.3.1 Ethernet Encapsulation	660
42.3.2 PPPoE Encapsulation	661
42.3.3 PPTP Encapsulation	663
42.4 Edit IP	664
42.5 Remote Node Filter	666
IP Static Route Setup	669
43.1 IP Static Route Setup	669
Network Address Translation (NAT)	673
44.1 Using NAT	673
44.1.1 SUA (Single User Account) Versus NAT	673
44.1.2 Applying NAT	673
44.2 NAT Setup	675
44.2.1 Address Mapping Sets	676
44.3 Configuring a Server behind NAT	681
44.4 General NAT Examples	683
44.4.1 Internet Access Only	683
44.4.2 Example 2: Internet Access with a Default Server	685
44.4.3 Example 3: Multiple Public IP Addresses With Inside Servers	685
44.4.4 Example 4: NAT Unfriendly Application Programs	689
44.5 Trigger Port Forwarding	690
44.5.1 Two Points To Remember About Trigger Ports	690
Introducing the ZyWALL Firewall	693

Match case Limit results 1 per page

Chapter 14 Intrusion Detection and Prevention (IDP) Screens

ZyWALL 5/35/70 Series User’s Guide

296

SQL Slammer Worm

W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000,

as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port

1434, the SQL Server Resolution Service Port. The worm has the unintended payload of

performing a Denial of Service attack due to the large number of packets it sends. Refer to

Microsoft SQL Server 2000 or MSDE 2000 vulnerabilities in

Microsoft Security Bulletin

MS02-039

and

Microsoft Security Bulletin MS02-061

Blaster W32.Worm

This is a worm that exploits the DCOM RPC vulnerability (see

Microsoft Security Bulletin

MS03-026

and

Microsoft Security Bulletin MS03-039

) using TCP port 135. The worm targets

only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003

Server machines are vulnerable (if not properly patched), the worm is not coded to replicate on

those systems. This worm attempts to download the msblast.exe file to the

%WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not mass mail to

other devices.

Nimda

Its name (backwards for "admin") refers to an "admin.DLL" file that, when run, continues to

propagate the virus. Nimda probes each IP address within a randomly selected range of IP

addresses, attempting to exploit weaknesses that, unless already patched, are known to exist in

computers with Microsoft's Internet Information Server. A system with an exposed IIS Web

server will read a Web page containing an embedded JavaScript that automatically executes,

causing the same JavaScript code to propagate to all Web pages on that server. As Microsoft

Internet Explorer browsers version 5.01 or earlier visit sites at the infected Web server, they

unwittingly download pages with the JavaScript code that automatically executes, causing the

virus to be sent to other computers on the Internet in a somewhat random fashion. Nimda also

can infect users within the Web server's own internal network that have been given a network

share (a portion of file space). Finally, one of the things that Nimda has an infected system do

is to send an e-mail with a "readme.exe" attachment to the addresses in the local Windows

address book. A user who opens or previews this attachment (which is a Web page with the

JavaScript) propagates the virus further.

Server administrators should get and apply the cumulative IIS patch that Microsoft has

provided for previous viruses and ensure that no one at the server opens e-mail. You should

update your Internet Explorer version to IE 5.5 SP2 or later. Scan and cleanse your system

with anti-virus software.

MyDoom

MyDoom W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm

that arrives as an attachment with an bat, cmd, exe, pif, scr, or zip file extension. When a

computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127

through 3198, which can potentially allow an attacker to connect to the computer and use it as

a proxy to gain access to its network resources. In addition, the backdoor can download and

execute arbitrary files. Systems affected are Windows 95, Windows 98, Windows Me,

Windows NT, Windows 2000, Windows XP and Windows Server 2003.