Blocking the Slammer Virus with ISA 2004 Firewalls (v1.1)
By Thomas W Shinder MD, MVP
The table below lists the port used by Slammer. Outbound access to this port should be blocked.
| Protocol | Port | Used by Slammer |
|---|---|---|
| UDP | 1434 | Yes |
By default, the ISA 2004 firewall blocks external attacks on the affected port. The reason is that all incoming connections to the ISA firewall are blocked unless explicitly allowed by publishing rules. Do not create Server Publishing Rules allowing the Slammer port inbound access to the corporate network unless the SQL server has been patched to protect against the Slammer attack.
The default installation of the ISA 2004 firewall blocks outbound access to the Slammer ports. You would need to create an Access Rule to allow outbound access to these ports. However, if your ISA firewall is configured with an “All Open” Access Rule for outbound traffic, then you will need to create an explicit Deny rule to block outbound access to the Slammer ports.
To help prevent outbound attacks through ISA Server:
- Create Access Rules that Deny traffic on the Slammer port.
To block outbound traffic on known Slammer ports:
- Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Firewall Policy node.
- Click on the Tasks tab in the Task Pane. Click the Create a New Access Rule link.
- On the Welcome to the New Access Rule Wizard page, enter Block Slammer in the Access Rule name text box. Click Next.
- On the Rule Action page, select the Deny option and click Next.
- On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
- In the Add Protocols dialog box, click the New menu, then click the Protocol command.
- On the Welcome to the New Protocol Definition Wizard page, enter Slammer Outbound in the Protocol Definition name text box and click Next.
- On the Primary Connection Information page, click the New button.
- In the New/Edit Protocol Definition dialog box, select the Protocol type as UDP. The Direction is Outbound. The From port is 1434 and the To port is 1434. Click OK.
- Click Next on the Primary Connection Information page.
- Select the No option on the Secondary Connections page. Click Next.
- Click Finish on the Completing the New Protocol Definition Wizard page.
- In the Add Protocols dialog box, click the User-defined folder and then double click the Slammer Outbound entry. Click Close.
- Click Next on the Protocols page.
- On the Access Rule Sources page, click the Add button.
- In the Add Network Entities dialog box, click the Network Sets folder and then double click the All Networks (and Local Host) entry. Click Close.
We are using the All Networks (and Local Host) network set for both source and destination so that every network is protected from every other network and Slammer connections are always blocked. For example, if you created a rule with the source set to All Protected Networks and the destination set to External, this would prevent Internal network hosts from infecting Internet-located hosts, but would not protect hosts on your DMZ and perimeter network segments.
- Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click the Add button.
- In the Add Network Entities dialog box, click the Network Sets folder and then double click on the All Networks (and Local Host) entry. Click Close.
- On the User Sets page, accept the default entry, All Users, and click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
- Move the Block Slammer rule to the top of the list of rules.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
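The wizard steps above produce an ordered policy, and three details decide whether it actually works: the rule must deny UDP 1434, it must sit above any "All Open" allow rule, and its source and destination must be All Networks (and Local Host) rather than All Protected Networks to External. The following is an added example, not code from this article or from ISA Server: a small first-match rule evaluator that models those three points. The network names follow the article; the membership of each Network Set, the shape of the "All Open" rule, and the function names are assumptions of the example.

```python
"""First-match evaluation of ISA 2004 style Access Rules for the Slammer port.

Added example (not code from the article or from ISA Server): a minimal model
of ordered Access Rules with Network Set sources and destinations, used to
show why the Block Slammer deny rule must sit above an "All Open" allow rule
and why it uses "All Networks (and Local Host)" on both sides.
"""
from dataclasses import dataclass

# Constructed network model: the names follow the article; the membership of
# each Network Set is an assumption of this example.
NETWORKS = {"Internal", "DMZ", "External", "Local Host"}
NETWORK_SETS = {
    "All Networks (and Local Host)": NETWORKS,
    "All Protected Networks": NETWORKS - {"External"},
    "External": {"External"},
}

SLAMMER_PORT = 1434  # UDP, as in the article's protocol definition


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocol: str          # "udp", "tcp", or "*" for all protocols
    ports: tuple           # (low, high) destination port range
    sources: str           # Network Set name
    destinations: str      # Network Set name

    def matches(self, proto, port, src, dst):
        if self.protocol not in ("*", proto):
            return False
        low, high = self.ports
        if not low <= port <= high:
            return False
        return (src in NETWORK_SETS[self.sources]
                and dst in NETWORK_SETS[self.destinations])


def evaluate(policy, proto, port, src, dst):
    """Walk the ordered policy; the first matching rule wins, else ISA's default Deny."""
    for rule in policy:
        if rule.matches(proto, port, src, dst):
            return rule.action, rule.name
    return "deny", "Default rule"


# The rule built by the wizard in the article: Deny UDP 1434 between any
# pair of networks (and Local Host).
BLOCK_SLAMMER = Rule("Block Slammer", "deny", "udp",
                     (SLAMMER_PORT, SLAMMER_PORT),
                     "All Networks (and Local Host)",
                     "All Networks (and Local Host)")

# The narrower rule the article warns against: protects only the Internet side.
BLOCK_SLAMMER_EXTERNAL_ONLY = Rule("Block Slammer (External only)", "deny", "udp",
                                   (SLAMMER_PORT, SLAMMER_PORT),
                                   "All Protected Networks", "External")

# Assumed shape of an "All Open" outbound rule: every protocol, from any
# protected network to anywhere.
ALL_OPEN = Rule("All Open", "allow", "*", (1, 65535),
                "All Protected Networks", "All Networks (and Local Host)")


def slammer_outcomes(policy):
    """Decision for UDP/1434 across the flows that matter, plus an ordinary web flow."""
    flows = [("Internal", "External"), ("Internal", "DMZ"), ("DMZ", "Internal")]
    result = {f"{s}->{d}": evaluate(policy, "udp", SLAMMER_PORT, s, d)[0]
              for s, d in flows}
    result["Internal->External tcp/80"] = evaluate(policy, "tcp", 80,
                                                   "Internal", "External")[0]
    return result


if __name__ == "__main__":
    for label, policy in [
        ("default install (no Access Rules)", []),
        ("All Open only", [ALL_OPEN]),
        ("Block Slammer above All Open", [BLOCK_SLAMMER, ALL_OPEN]),
        ("Block Slammer below All Open", [ALL_OPEN, BLOCK_SLAMMER]),
        ("External-only deny above All Open", [BLOCK_SLAMMER_EXTERNAL_ONLY, ALL_OPEN]),
    ]:
        print(f"{label}: {slammer_outcomes(policy)}")
```

Running the script shows the default install denying everything, the "All Open" policy letting UDP 1434 out, the Block Slammer rule at the top denying 1434 on every flow while web traffic still passes, the same rule placed below "All Open" having no effect at all, and the External-only variant leaving the Internal-to-DMZ flow open.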
For More Information
What You Should Know About the Slammer Worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html)
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000111 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom