
List:       firewalls-gc
Subject:    Re: Virus Scanner
From:       Paul Ferguson <pferguso () cisco ! com>
Date:       1997-07-25 14:07:56

Oh, goody. One of my favorite threads.

Comments below.

At 04:38 PM 07/25/97 +0200, Basil McCrea wrote:

>
>When I talk to Checkpoint's reseller in Germany I get the feeling that we
>are the only ones who consider internet viruses to be a problem. My question
>is; has anyone else made any attempts to check for internet viruses and if so
>how do you do it?
>

I can't provide any quantitative or qualitative response here, since I
haven't bothered checking for computer viruses at a firewall, but I can
certainly offer some opinion.

>How serious a problem are viruses in internet?
>

This is a common question, and should really be addressed in the
FAQ.

First, there is no such thing as an 'Internet virus'.  True,
several years ago there was a worm which affected UNIX
hosts (the infamous Morris worm) and the WANK worm, however,
I believe what you are actually referring to is 'computer viruses
transported via the Internet with the assistance of stupid
humans', as opposed to self-propagating worms (Internet virus).

The former is commonly done by people sending attachments,
generally with an infected (macro virus) Microsoft document
to an unwitting recipient, who subsequently opens the document
and infects their PC. Of course, more insidious viruses could
be used to infect attachments which yielded binary executables,
but empirical evidence bears out that the former case is far
more pervasive than the latter.

This falls into the "Is it a dessert topping or a floor wax"
category. Is it a firewall, or a virus checker? Or both?

I would suggest that this is an inappropriate combining
of functions.

I am of the school of thought that virus detection should be
an application which resides on the workstation, not on the
firewall.  There are a couple of reasons for this:

 o Virus checking at a firewall choke point introduces an
   unacceptable amount of performance degradation into
   the data forwarding path.

 o Effort in futility.

   - Too many new, or modified, viruses are introduced
     every day/week/month. By the time you have implemented
     a particular virus detection mechanism, it is already
     obsolete.
   - Simply too many encoding/compression/encryption/pick one
     schemes for a virus detection mechanism to be compatible
     with.



>I would appreciate any opinions on the subject.
>

There you have it.  :-)

- paul

Disclaimer: My opinions do not necessarily reflect those of my
            employer.

>TIA
>
>Basil
>


--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s
