[sdnog] Network Full with malicious activities

Philip Paeps philip at trouble.is
Thu Nov 22 15:36:37 SAST 2018


On 2018-11-22 10:45:47 (+0100), Nishal Goburdhan wrote:
> On 22 Nov 2018, at 17:53, Khadiga Elhassan wrote:
>> Hi all, what is the most proper way of dealing with a network full of 
>> malicious activities? Where should one start, and do free anti-viruses 
>> help? If yes, which is the best?
>> Would someone suggest a strategy or a policy to implement?
>> Please specify in detail.
>
> [...]
>
> one way to limit the spread of infections is to limit the size of the 
> network segments;  put each lab into its own layer-3 domain, and 
> filter *both* in- and outbound traffic to the lab.  that’ll help you 
> contain things easily;  especially, for example, if you’re filtering udp 
> 135-139  (and the other commonly abused ports).   of course - this 
> needs to fit into your connectivity strategy; i.e.  you don’t have 
> devices “mapped” from other devices across the university, etc.

This bears reinforcing: a firewall that filters only ingress traffic is 
only half finished.

Please make sure to filter egress traffic too.

No TCP or UDP traffic should be leaving your network to ports 135-139 or 
445.

You should also restrict outbound traffic to port 25 to your designated 
mail relays.  Hosts inside your network should relay mail through those 
relays or use submission (TCP/587 or (better) TCP/465).

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information
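The egress (and ingress) policy described in this thread, as an added example that is not part of the original post and not code from either poster: a POSIX shell function that emits an nftables ruleset for one lab segment at its layer-3 boundary. The interface name (lab1), lab prefix (10.10.1.0/24) and relay addresses (192.0.2.25, 192.0.2.26) are placeholder assumptions, not values from the thread; the rule set drops SMB/NetBIOS in both directions, allows TCP/25 only towards the designated relays, and leaves submission (465, 587) open.

```shell
#!/bin/sh
# Added example, not from the sdnog thread: generate an nftables ruleset
# that applies the thread's advice to one lab segment, filtering both
# directions at the lab's layer-3 boundary. Interface name, lab prefix
# and relay addresses passed in below are placeholders (assumptions).

# gen_egress_ruleset LAB_IFACE LAB_PREFIX RELAY_IP [RELAY_IP...]
gen_egress_ruleset() {
    lab_if="$1"
    lab_net="$2"
    shift 2
    relays=$(printf '%s, ' "$@")
    relays="${relays%, }"
    cat <<EOF
table inet lab_filter {
    # Designated outbound mail relays; hosts must relay through these.
    set mail_relays {
        type ipv4_addr
        elements = { ${relays} }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Traffic leaving the lab segment.
        iifname "${lab_if}" ip saddr ${lab_net} jump lab_egress
        # Traffic entering the lab segment.
        oifname "${lab_if}" ip daddr ${lab_net} jump lab_ingress
    }

    chain lab_egress {
        # No SMB/NetBIOS may leave the lab, over TCP or UDP.
        tcp dport { 135-139, 445 } counter drop
        udp dport { 135-139, 445 } counter drop
        # SMTP (25) only to the designated relays; direct SMTP elsewhere is
        # logged and dropped so infected hosts cannot spam from the lab.
        ip daddr @mail_relays tcp dport 25 counter accept
        tcp dport 25 counter log prefix "lab-smtp-direct " drop
        # Submission ports stay open for clients talking to the relays.
        tcp dport { 465, 587 } counter accept
    }

    chain lab_ingress {
        # Same SMB/NetBIOS ports blocked on the way in, so an infected host
        # elsewhere on campus cannot reach lab machines on them.
        tcp dport { 135-139, 445 } counter drop
        udp dport { 135-139, 445 } counter drop
    }
}
EOF
}

# Count the rules that mention a given port, for a quick coverage check
# before loading the ruleset.
count_rules_for_port() {
    ruleset="$1"
    port="$2"
    printf '%s\n' "$ruleset" | grep -c "dport.*${port}"
}

# Print the ruleset. Pipe it into 'nft -c -f -' to syntax-check it, or
# 'nft -f -' (as root) to load it on the lab's gateway.
gen_egress_ruleset lab1 10.10.1.0/24 192.0.2.25 192.0.2.26
```

The forward chain keeps policy accept so the lab chains only add the drops the thread calls for; a real deployment would normally tighten the default and add the lab's actual allow list, and the `counter` on each rule gives you hit counts (`nft list ruleset`) to confirm that the filter is actually catching traffic once it is loaded.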

