
Blocking the Blaster Worm Using Novell BorderManager (KB0044)

Operating System/Devices: NetWare, BorderManager

Keywords: BorderManager Blaster filter exceptions

Problem/Question

How can I prevent Microsoft's RPC vulnerability from getting to our unprotected workstations?

Cause

See Microsoft Security Bulletin MS03-026.

Solution/Answer

The Microsoft RPC buffer overflow vulnerability affects operating systems built on the Windows NT kernel (Windows NT, Windows 2000 and Windows XP, workstation and server). Apply Microsoft's recommended patch to all of them.

Users of Novell's BorderManager (NBM) with workstations or servers on a public IP address can configure filters to block RPC traffic from reaching their publicly addressed Windows systems. RPC uses Port 135 TCP.

Setting up filters to block RPC

Assumptions
  • Site does not have filters enabled on Novell BorderManager, or
  • Site has filters enabled with permit all, deny only in Filter List.

Note: Sites using filters with deny all, permit only in Filter List are protected from the Blaster vulnerability.

Enabling filters

To enable filters, perform the following:

  1. At the Server Console, load INETCFG.

  2. Enable filters using the following menu paths:
    • INETCFG > Protocols > TCPIP > Filter Support > ENABLE
    • INETCFG > Protocols > IPX > Filtering Support > ENABLE
  3. Reinitialize the system.

Configuring filters

To configure filters, perform the following:

  1. At the Server Console, load FILTCFG.

  2. Select Configure TCPIP Filters > Packet Forwarding.

  3. At the Packet Forwarding Filters dialog, change Status to ENABLED.

  4. Confirm Action: Deny Packets in Filter List.

  5. Select Filters: (List of Denied Packets)

  6. At the Packets Denied dialog, press the INSERT key to create a new filter.

  7. Skip to the field Packet Type and press INSERT to view the predefined packet types.

  8. Press INSERT to define a new packet type to filter.

  9. Under Define TCP/IP Packet Type, fill in the following:
    • Name: RPC 135 TCP
    • Protocol: TCP
    • Source Port(s): <All>
    • Destination Port(s): 135
    • ACK Bit Filtering: TCP
    • Stateful Filtering: TCP
    • Comment: By Admin 8/12/03
  10. Press ENTER to complete the field and ESC once to return to Define Filter.

  11. Select the filter you just created: RPC 135 TCP

  12. Edit the Comments field to describe your filter: Block RPC 135 In and Out.

  13. Press ESC and save your filter.

  14. Your filter should show up under Packets Denied.

  15. Press ESC until you return to the Console prompt.

  16. Restart filters by typing reinitialize system.

Testing the filters

To verify that filters are working, telnet through NBM to another Windows device using port 135.

Example: Telnet 207.160.133.45 135

If a black terminal window displays, a connection was made to that site, and the filter is not working correctly.

If a message displays saying "Connecting To 207.160.133.45 ...Could not open a connection to host on port 135: Connect failed", the filter is working.
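The telnet check above can be scripted so it can be repeated against several hosts after each filter change. The Python below is an added example, not part of the original MOREnet article; the function names are hypothetical. It goes one step beyond the telnet test by separating a timeout from a refused connection, since a host that is not listening on the port refuses the connection whether or not the filter is in place.

```python
import socket
import sys

RPC_PORT = 135  # TCP port denied by the "RPC 135 TCP" filter on this page

def probe(host, port=RPC_PORT, timeout=3.0):
    """Attempt one TCP connection and classify what came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"
    except socket.timeout:
        return "timeout"        # no answer before the timeout expired
    except ConnectionRefusedError:
        return "refused"        # a reset came back: some device answered
    except OSError:
        return "unreachable"    # routing or local network error
    finally:
        sock.close()

def verdict(outcome):
    """Map a probe outcome to the pass/fail reading used in the telnet test."""
    if outcome == "connected":
        return "FAIL: connection made, the filter is not working"
    if outcome == "timeout":
        return "PASS: no answer, consistent with the filter dropping the packet"
    if outcome == "refused":
        return "CHECK: connection refused; confirm the target listens on this port"
    return "CHECK: network error; fix connectivity and test again"

def loopback_demo():
    """Constructed offline input: a local listener, probed open and then closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, not 135
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = probe("127.0.0.1", port, 1.0)
    srv.close()
    closed_result = probe("127.0.0.1", port, 1.0)
    return open_result, closed_result

if __name__ == "__main__":
    if len(sys.argv) > 1:               # hosts on the far side of NBM
        for host in sys.argv[1:]:
            print(host, verdict(probe(host)))
    else:
        print(loopback_demo())
```

As with the telnet test, run it through NBM against a Windows device; a host known to be listening on port 135 gives an unambiguous result.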

 

If this did not solve your problem or answer your question, please contact:

MOREnet Technical Support
techsupp@more.net
(800) 509-6673

Copyright ©2003 MOREnet. All rights reserved. Reviewed July 14, 2003.