
Thread: How effective is a firewall against RPC exploits?

  1. #21
    Junior Member
    Join Date
    Sep 2003
    Posts
    9
    As a side note: Check out DCOMbobulator to fix the RPC hole.
    Link to information about DCOMbobulator
    Link to download DCOMbobulator (Free)

  2. #22
    Junior Member
    Join Date
    Jul 2003
    Posts
    18

    RPC exploit ports

    One thing I was wondering about....

    Can the RPC exploit be redirected to attack through a different port?

    If the next worm attacks thru a different port then setting your router to close port 135 and the two other ports mentioned won't protect your system.

    The next RPC exploit is on the way... closing port 135 was a very common initial response... will the next exploit take this into account if it can?

  3. #23
    Junior Member
    Join Date
    Sep 2003
    Posts
    9
    noahsarc:
    No, it can't.

  4. #24
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Originally posted here by nihil
    I am beginning to suspect that Null Device has a bot running in my mind

    I wonder on which port
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  5. #25
    In a small network where you have a good idea of how laptops are being used, the firewall should be fine.. but then there's no reason not to apply patches on a small network because it won't take much time.

    On a large or global network with lots of laptop users, the firewall will probably only buy you some time before some dumbass unpatched user infects you.

    However, you're making a dangerous assumption about the "RPC II Worm" if you assume that it will just come as a worm based on MSBlast and Nachi experiences. If the worm carries a mass-mailer component, then your firewall will probably not do a whole lot of good. Imagine something like Sobig.E (mails itself as a ZIP file to avoid firewall blocking and AV disinfection) combined with a Nachi-style worm. You'd probably get infected within a couple of hours tops. Even with external virus scanning (e.g. Messagelabs) you run a risk of infection with a fast spreading blended attack.

    In other words.. patch as much as you can as quickly as you can. The best protection is "in depth" security where there are several layers of protection.

  6. #26
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    The firewall is great as one layer, but don't rely only on a firewall. We got hit by Slammer on some of our new installs of MSSQL by the virus spoofing an internal IP. Add to that the continued sophistication of virus writers; eventually something is going to come in on port 53 or 80.
    Who is more trustworthy than all of the gurus or Buddhas?

  7. #27
    Junior Member
    Join Date
    Sep 2003
    Posts
    21

    Re: RPC exploit ports

    To give you a better overview of the offices in question:

    Offices are between 2 users and 70 users (nothing really too big, the big one w/70 users is almost all Win98 and the other machines in the office have been patched so they are safe).
    All are protected by a hardware device or ISA.
    No access from the outside except Outlook Web Access.
    Only one person is actively using VPN and they are using Win98 from outside and going into the network above that is mostly 98.
    All ports are closed unless explicitly needed (80, 25, 110, and maybe 1-2 more at each client).
    All patches are applied about 1 month after release (mostly to provide a break-in period and allow M$ to finally get it right), critical patches are applied sooner as needed, service packs are applied on a schedule set by current patch status of the machine (i.e. if the machine is missing a lot of patches it will be done soon, if it is pretty well patched I will wait a few weeks and do vulnerable clients first).
    Our clients have websites hosted offsite with the exception of Outlook Web Access, this hopefully gives one less entry way into the network.


    Just remember, you can't show up every week and put in 15 hours of labor at $75-200/hr (depending on who you are) just because M$ is ghey.......in today's rough economy you have to be cost effective, if not the client sends you packing.
