Could Symantec have saved you from Slammer?
Published: 03 Mar 2003 12:03 GMT
If you manage security on an enterprise network, Symantec's new DeepSight suite of products may be an appealing option for attack detection. But starting at $25,000 per year, this service is definitely not intended for small to midsize networks. It's also probably not worth considering unless your organisation has 24/7 IT support (or at least someone on call at all times), since it would be a waste to get early warnings if no one is on hand to take immediate action to protect the network.
Slammer is the biggest recent network disruption, so it's instructive to consider how this alert service would have enhanced your ability to respond. And in fact, Symantec has made some wild claims about how DeepSight handled Slammer, so we'll look at just how well it performed during the Slammer attack.
Symantec DeepSight
The DeepSight suite of products should not be confused with a local intrusion-detection system. DeepSight correlates data automatically gathered from nearly 20,000 of Symantec's partners' firewall and IDS installations with the aim of spotting emerging attacks and alerting administrators to a current real-world threat, often before their particular system comes under full attack. Notification is tailored to the hardware and software in use by a particular subscriber, and the value lies in the fact that these aren't just general threat warnings.
DeepSight is intended as an early warning system that transmits alerts via e-mail, fax, and other methods, informing administrators of new threats specific to their environment if they run any of 3,400 products (14,000 different versions). The alerts, which are based on Symantec's monitoring of network threats across the globe, are sent to only those subscribers who may actually be affected by each new attack. The report includes recommendations on how to mitigate the threat, such as installing a specific patch or using a firewall to block a port.
For large networks, especially enterprise installations with a large number of different platforms and versions, the alerts can save a lot of time and effort watching for attacks and researching each threat and each fix, as well as helping to improve general security and attack readiness.
The Slammer attack
There have been loud complaints that Symantec, as part of its DeepSight service, knew about the recent Slammer attack early (which it subsequently bragged about in a press release) but failed to notify anyone other than its clients. Wired, in particular, has claimed that Symantec's failure to spread the word about Slammer was irresponsible, "possibly harming millions of Internet users."
I think this misses the point, in part because Symantec owes its subscribers special service for the hefty price they pay for DeepSight, but mainly because the biggest benefit of using DeepSight is the help provided in pinpointing more targeted or low-profile attacks. Slammer was a major threat and was widely publicised by free alert services. In fact, anyone interested in monitoring such major Internet threats so they can tweak their firewalls or take other preventive steps can see this information by following the top 10 port scans at Incidents.org. UDP port 1434 (the SQL Server Resolution Service port that Slammer targeted) is one of the ports regularly monitored by the Internet Storm Center.
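The "top 10 port scans" view the article points to is something you can reproduce from your own firewall logs, and a per-port ranking plus a simple surge check would have flagged Slammer within seconds of it reaching your perimeter. The script below is an added example, not code from the article, from Symantec or from the Internet Storm Center. The log format it parses is a constructed, simplified one (timestamp, action, protocol, source, destination, IP total length); the sample lines are made up, and the regex is the part you would adapt to a real firewall. The one Slammer-specific fact it relies on is public: the worm was a single UDP datagram to port 1434 with a 376-byte payload, 404 bytes on the wire including the UDP and IP headers.

```python
"""Rank destination ports in firewall-log lines, the way a "top 10 port scans"
report does, and flag a surge of Slammer-sized packets on UDP/1434.

Added example; the log format and sample lines are constructed, not a real capture.
"""
import re
from collections import Counter

# Constructed sample log. Assumed line format (not any vendor's real format):
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> len=<ip_total_len>
SAMPLE_LOG = """\
2003-01-25T05:30:01Z DROP UDP 203.0.113.10:1028 -> 198.51.100.5:1434 len=404
2003-01-25T05:30:01Z DROP UDP 203.0.113.11:3211 -> 198.51.100.7:1434 len=404
2003-01-25T05:30:01Z DROP TCP 203.0.113.12:42310 -> 198.51.100.5:80 len=60
2003-01-25T05:30:02Z DROP UDP 203.0.113.13:1044 -> 198.51.100.9:1434 len=404
2003-01-25T05:30:02Z DROP TCP 203.0.113.14:50021 -> 198.51.100.5:22 len=60
2003-01-25T05:30:02Z DROP UDP 203.0.113.10:1029 -> 198.51.100.6:1434 len=404
2003-01-25T05:30:03Z DROP UDP 203.0.113.15:2000 -> 198.51.100.5:53 len=73
2003-01-25T05:30:03Z DROP UDP 203.0.113.16:1100 -> 198.51.100.8:1434 len=404
2003-01-25T05:30:03Z DROP TCP 203.0.113.17:61000 -> 198.51.100.5:80 len=60
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^\S+ (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<length>\d+)$"
)

SLAMMER_PORT = 1434     # MS SQL Server Resolution Service, UDP
SLAMMER_IP_LEN = 404    # 376-byte payload + 8-byte UDP header + 20-byte IP header


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "length"):
                rec[key] = int(rec[key])
            yield rec


def top_ports(text, n=10):
    """Rank (proto, dst_port) pairs by hit count, like a 'top 10 port scans' table."""
    counts = Counter((rec["proto"], rec["dport"]) for rec in parse_log(text))
    return counts.most_common(n)


def slammer_surge(text, min_sources=3):
    """Summarise UDP/1434 traffic and alert if it arrives from enough distinct sources.

    A few hits on one port from one host is ordinary scanning; the same port hit
    from many sources with Slammer-sized datagrams is the worm spreading.
    """
    hits = [rec for rec in parse_log(text)
            if rec["proto"] == "UDP" and rec["dport"] == SLAMMER_PORT]
    sources = {rec["src"] for rec in hits}
    sized = sum(1 for rec in hits if rec["length"] == SLAMMER_IP_LEN)
    return {
        "hits": len(hits),
        "distinct_sources": len(sources),
        "slammer_sized": sized,
        "alert": len(sources) >= min_sources and sized > 0,
    }


if __name__ == "__main__":
    for (proto, port), count in top_ports(SAMPLE_LOG):
        print(f"{proto}/{port}: {count}")
    print(slammer_surge(SAMPLE_LOG))
```

The surge check keys on distinct sources rather than raw hit count on purpose: one noisy scanner hitting 1434 all night is not a worm, while even a handful of different hosts sending 404-byte datagrams to that port within a few seconds is. The mitigation the article alludes to, blocking UDP 1434 at the border, is what the alert should trigger; run the ranking over a sliding window of recent lines rather than the whole file if you wire this to a real log feed.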