Came across this story yesterday on how zombie PCs and their botnet brethren are getting smarter. Recently there was news that a number of botnets were shut down along with their colo provider, only to reappear a few weeks later with their army of zombies and a new way to avoid detection: ipconfig /renew. Well, maybe not literally from the DOS command, but these zombies are able to request new IPs in order to evade spam software configured with the naughty IP ranges.

While this does create some new challenges for spam software that is specifically looking for bad IP ranges, if you have F5’s MSM (Message Security Module) you should still be very well protected against this new threat; it just depends on where the thresholds are set.  MSM uses reputation data from Secure Computing’s TrustedSource multi-identity reputation engine.  TrustedSource returns a “neutral” score for IPs that it hasn’t seen mail originate from, so, for instance, most consumer-grade dynamic broadband IPs show up as neutral.  So if MSM is configured to allow mail from a source that’s never sent mail before, then yeah, this stuff might get through, but MSM can also be set to quarantine or block anything that TrustedSource doesn’t consider a reputable sender and hold it for further scrutiny.  It’s not really a ‘good’ senders list, it’s just a number, and it’s the intelligent filtering and real-time lookup of the sender’s reputation on every new connection that helps MSM decide whether that number is good or bad.  You can use dynamic classification on one side and configurable thresholds on the other to ensure you’re covering all bases.

So that’s great if you’re only worried about rogue machines sending spam and clogging your network.  What about clients who happen to be infected and want access to network and application resources?  Maybe someone doesn’t realize their personal computer is infected, and they often use it for work.  This is often the case for contractors, freelancers and certainly many tele-workers.  So while this infected machine might not be spamming you, it is requesting access to your sensitive applications.  You need to protect your infrastructure from both the malicious botnet streams bombarding your servers and the living, unaware zombies wanting to get some work done (even though they might be one and the same).

This is where F5’s FirePass and BIG-IP Secure Access Manager step in.  Both products offer a wide array of secure connectivity options, from remote VPN users to securing your guest wireless to protecting your internal LAN to encrypting sensitive data.  In addition, they offer incredible tools to ensure the requesting device abides by your security policy.  First, they both can do extensive host inspections, such as checking AV/FW settings, inspecting a client/machine certificate, scanning for malware and enforcing a Group Policy, and they can quarantine/remediate sub-par hosts or even put the client into a protected workspace.  Now say they make it past all those checks and you’re still concerned.  You could just offer web applications (reverse proxy portal apps) to those clients you’re still unsure of, but what about a valid machine with a trusted user?  To get even more granular, FirePass and BIG-IP SAM give you the ability to create Packet Filter rules for clients that need an SSL VPN layer 3 tunnel.  You can lock down that tunnel by Protocol, Port, Destination IP and Source IP along with the desired action.

(Screenshot: packet filter rules)

You can even lock it down further for specific resources.
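To make the tunnel lock-down concrete, here is an added illustration of how an ordered packet-filter policy of the kind described above is evaluated. It is not FirePass or BIG-IP SAM configuration; the rule format, the client pool 10.200.0.0/24 and the application addresses are constructed for the example, and the semantics assumed are first match wins with an explicit default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule for a layer 3 SSL VPN tunnel (constructed format)."""
    action: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp", "icmp" or "any"
    src: str                    # source CIDR, e.g. the VPN client address pool
    dst: str                    # destination CIDR, e.g. one application host
    port: Optional[int] = None  # destination port; None matches any port

    def matches(self, protocol: str, src_ip: str, dst_ip: str, port: Optional[int]) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.port is not None and self.port != port:
            return False
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


# Constructed tunnel policy: clients from the VPN pool may reach only the web
# front end on 443 and the internal DNS server on 53; everything else is dropped,
# so a compromised client cannot wander around the rest of the LAN.
TUNNEL_POLICY: List[Rule] = [
    Rule("allow", "tcp", "10.200.0.0/24", "10.10.5.20/32", 443),
    Rule("allow", "udp", "10.200.0.0/24", "10.10.1.53/32", 53),
    Rule("deny",  "any", "0.0.0.0/0",     "0.0.0.0/0"),  # explicit default deny
]


def evaluate(policy: List[Rule], protocol: str, src_ip: str, dst_ip: str,
             port: Optional[int] = None) -> str:
    """Return the action of the first matching rule; an empty policy denies."""
    for rule in policy:
        if rule.matches(protocol, src_ip, dst_ip, port):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Allowed application traffic versus an attempt to reach SSH on the same host.
    print(evaluate(TUNNEL_POLICY, "tcp", "10.200.0.7", "10.10.5.20", 443))  # allow
    print(evaluate(TUNNEL_POLICY, "tcp", "10.200.0.7", "10.10.5.20", 22))   # deny
```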

So while the bad guys are changing tactics, F5 still has you covered against these ever-changing attempts by riff-raff to compromise your business.


ps