[nsp] Cisco Security Advisory: MS SQL "Sapphire" Worm Mitigation Recommendations

Rubens Kuhl Jr. rkjnsp at ieg.com.br
Sun Jan 26 13:54:06 EST 2003


| Revision 1.0

The 1.1 revision of this document contains two added lines that every Cat 6K
admin should consider carefully:

"The Catalyst 6000 can use IOS ACLs; however, for the most effective
mitigation of this worm, VACLs are recommended."

This is true in order to prevent an infected machine from overloading the local
subnet with packets and stop further worm propagation, but not necessary if
you know that no MS-SQL Server has been compromised up to that time, as this
worm seems to be single-vector.

"Caution: As when making any configuration change, use caution when using
VACLs in conjunction with IOS ACLs."

This usually leads to merge failures and TCAM entry explosion on older
code... newer versions are much better at this, but this still might happen.
I suggest adding some TCAM listing commands to this notice, so one can
verify if this is happening on one's box. Merge algorithm selection
(ODM/traditional) may also be mentioned.


Rubens






