From the first Morris worm to the newest Microsoft SQL Slammer, network worms spread wider and faster than ever before. Worms do much more damage than any other attack. For Linux, the most recent worm is the Apache SSL Slapper worm, which appeared in September 2002 and attacked more than 13,000 hosts in 24 hours [1].
A worm is a program that makes copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism. The worm may do damage and compromise the security of the computer. [2]
From the definition of a worm, we know that a worm is always trying to propagate itself from the infected machine.
Let's look at how the behavior of a normal application differs from that of an application under attack. In the normal case, an application accepts a connection from a remote client, serves the request, and sends back the response. But when the application is being attacked, in addition to its normal operation, it will also try to connect outward so that the worm can propagate itself.
So the difference is that, when under attack, the application will try to connect outward. If we can restrict an application's network connections, we can prevent a worm from spreading and contain it within the application.
A properly configured firewall can stop worms at the first tier. For example, the SQL Slammer worm attacks port 1344; if the firewall filters out this port, the worm cannot spread into the internal network. But when a port has to be open for public access, such as HTTP or SMTP, this kind of attack cannot easily be blocked, because of the nature of a firewall. For example, a firewall cannot block the Apache SSL worm attacking an Apache httpd server in a DMZ.
A network-based IDS is the second tier for preventing worm spreading. Most IDS products provide anomaly-based and signature-based technology to prevent known and unknown attacks. Applied inline, a NIDS can be a very effective way to prevent worm spreading. For example, a NIDS can easily drop CodeRed and Apache SSL Slapper. But it is difficult for a NIDS to prevent unknown attacks that are also logically valid according to the RFC.
The final tier is on the host. Anti-virus software can check for worms that have disk access, but cannot prevent worms like SQL Slammer, which do not have disk access. A host-based IDS can prevent this kind of attack based on a process profile. For example, a SQL process would not connect outward to port 1344, so any network connection activity from the process to outside port 1344 will be denied.
You cannot prevent worms effectively if any of these 3 tiers is missing.
LIDS resides on the 3rd tier and prevents worm spreading by restricting a process's network access.
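The process-profile idea from the host tier, as an added example that is not LIDS code and not from the original article: a Python audit that reads a socket table in /proc/net/tcp layout and flags connections a server process dialed outward beyond its profile. The sample table, the inode-to-process map and the `PROFILE` entries are constructed assumptions; LIDS itself enforces such a restriction in the kernel rather than observing it afterwards.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (trailing columns omitted).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 48 0 1001
   1: 0A00000A:01BB 146433C6:C350 01 00000000:00000000 00:00000000 00000000 48 0 1002
   2: 0A00000A:9C42 1400000A:0CEA 01 00000000:00000000 00:00000000 00000000 48 0 1003
   3: 0A00000A:9C40 097100CB:01BB 01 00000000:00000000 00:00000000 00000000 48 0 1004
"""
# Assumed inode -> process map, as would be resolved from /proc/<pid>/fd.
INODE_OWNER = {1001: "httpd", 1002: "httpd", 1003: "httpd", 1004: "httpd"}
# Hypothetical profile: the only remote peers each process may connect out to.
PROFILE = {"httpd": {("10.0.0.20", 3306)}}
LISTEN = 0x0A
DIALING = {0x01, 0x02}  # ESTABLISHED and SYN_SENT

def decode(addr):
    """Turn '0A00000A:01BB' into ('10.0.0.10', 443); little-endian host assumed."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse(text):
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode(f[1]), "remote": decode(f[2]),
                     "state": int(f[3], 16), "proc": INODE_OWNER.get(int(f[9]))})
    return rows

def unexpected_outbound(text, profile=PROFILE):
    rows = parse(text)
    listening = {(r["proc"], r["local"][1]) for r in rows if r["state"] == LISTEN}
    alerts = []
    for r in rows:
        if r["state"] not in DIALING:
            continue
        if (r["proc"], r["local"][1]) in listening:
            continue  # local port is one the process listens on: accepted, inbound
        if r["remote"] not in profile.get(r["proc"], set()):
            alerts.append((r["proc"], r["remote"]))
    return alerts

if __name__ == "__main__":
    for proc, (ip, port) in unexpected_outbound(SAMPLE):
        print(f"DENY {proc} -> {ip}:{port}")
```

The accepted client connection and the profiled database connection pass; only the connection httpd opened to an unprofiled remote host is reported.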