Using a security gateway to clean up worm viruses

Since the advent of the first worm virus in 1988, the computer worm has been bringing disaster to the network world with its rapid and diverse transmission. In particular, the rapid development of the network of worms caused by the increasingly serious harm, resulting in a talk about poisonous color changes in the network world.

Unlike the general virus, the worm is computer-borne, replicating itself in the Internet environment for transmission, worm transmission target is all computers on the network-LAN conditions of Shared folders, email e-mail, malicious Web pages in the network, A large number of vulnerable servers have become a good way for worms to spread.

First, Scan: The worm's scanning function module is responsible for detecting vulnerabilities in the host. Random selection of an IP address, and then the host on this address segment scan, the scanner may continue to repeat the above process. Thus, as the worms spread, the newly infected hosts began to scan, and the scanners did not know which addresses had been scanned, and it was simply a random scan of the Internet. The more the worm spreads, the more scanning packets are on the network. Even if the scanner sends a small packet of probes, the network congestion caused by a large number of worm scans is very serious.

Second, attack: When a worm scans a host on the network, it begins to take advantage of its own destructive capabilities to gain administrator privileges on the host. Finally, use the interaction of the original host and the new host to copy the worm to the new host and start. This shows that the worm's harm has two aspects:

First, a large number of worms and rapid replication of the network scan packets increased rapidly, resulting in network congestion, occupy a large number of bandwidth, resulting in network paralysis.

Second, the network on the vulnerability of the host is scanned into the future, will be quickly infected, so that administrator rights are stolen. Easy Hacker's attack.

Magic a ruler, road high, with the rapid evolution of worms, detoxification of the master has also been emerging, tamin Prosperity Network security gateway to a simple "detection-shielding" two steps to solve the above "bug poison" problem.

First of all, the use of Tamin Prosperity Network Network detection: This step requires manual to operate. These scan packets have obvious characteristics because the worms in the network constantly send out scanning packets to the outside computer. For example, a worm in an infected computer sends a scan packet to a segment of IP address in the network, and the worm needs to establish a large number of session connections, so the number of sessions from the host can be used to determine which host is infected with the worm. Tamin Flourishing network security gateway for the network sent to receive packets will be dynamic detection and record, through the Tamin ERA Network security Gateway Web management interface into the firewall-> session list, can see the current Prosperity Network security gateway recorded the current number of the top 10 sessions, The top 10 hosts with the largest number of current sessions.

The average number of sessions in the normal state of the host does not exceed 100. However, when the worm attack will increase the number of tamin, the network security gateway in the real time to detect the abnormal network characteristics of infected host the number of NAT sessions suddenly increased sharply, which determined that the host has been infected with worms. The following figure, 19.168.1.50, is already infected with the worm virus.

In this case, you need to go to step two to shield the host in the network. Shielding method is: the use of Tamin Prosperity Network security gateway access rules function, establish the corresponding strategy to close the virus to the external contract port. The following figure, into the Taminos management interface-> Firewall-> access rules-> New, add rules to the host 19.168.1.50 implementation shielding. After shielding the host, take anti-virus measures or install the appropriate patches. In this way, it is easy to eliminate the worm virus.