
List:       firewalls-gc
Subject:    Re: Re: Virus Scanner
From:       harley () icrf ! icnet ! uk
Date:       1997-07-28 18:37:46


> This problem can be fixed in 2 ways: 1) a more powerful CVP server (the
> anti-virus CVP machine should always be independent from the firewall
> machine, and should have at least 64 MB RAM and Pentium 200+ processor for
> good performance. In this setup, the user sees NO noticeable difference.
> 
A possible solution. What was the 2nd one, though?

> >When I talk to Checkpoint's reseller in Germany I get the feeling that we
> >are the only ones who consider internet viruses to be a problem.
> 
> Maybe your reseller should try to become more informed on viruses. The

Indeed. Since FW-1 aspires to incorporate an anti-virus solution of sorts, 
it behoves those who sell it to learn about the field. Unfortunately, it's
not uncommon for resellers of all sorts of AV products to be sadly 
ignorant in this area........

> latest NCSA report showed that 80% of virus infections result from
> internet-borne viruses. As people concentrate on floppies, they are
> ignoring the largest point of entry for viruses: the firewall. Think about
> it... where are your virus infections coming from?

You're on very dangerous ground. If you mean the 1997 survey (or the
previous two, come to that), you're relying on a very flawed piece of
research. And I'm not sure you're quoting it correctly. Furthermore,
there's a logical fallacy here. Even if we accept for the sake of 
argument that the 80% figure is correct, it doesn't follow irrefutably
that it's the firewall server's job to block the hole. Viruswalls and
desktop scanners are just as capable of doing that.

> Right, and some of these are known to then send documents by email to third
> parties without the user's knowledge, format the hard drive, etc. Macro
> viruses are not the most destructive to data files, but are the most
> destructive to data security and business. 
> 
Clarify, please.

> >Of course, more insidious viruses could
> >be used to infect attachments which yielded binary executables,
> >but empirical evidence bears out that the former case is far
> >more pervasive than the latter.
> 
> Right, because the rate of document sharing is far higher than that of
> binary executable sharing...

True in the context of e-mail. Not necessarily true in the context of
other protocols. 

> >I would suggest that this is an inappropriate combining
> >of functions.
> 
> I disagree. If the firewall's purpose is to protect a network from
> malicious outsiders, and to control internal activity, then virus checking
> is very appropriate. 

In principle, perhaps. The question is whether the effectiveness of
scanning at the firewall justifies the overheads.

> Viruses are the single costliest threat to data
> security. 

So some surveys say. Actually, I have yet to see one I'd trust.

> Viruses are a very easy way for a malicious outsider to cause
> damage to your network, 

Viruses do cause a great deal of damage, but not all of
it is direct damage, and very little of it is direct damage to
the network.

> Someone could very easily write a macro virus that looks for all excel
> spreadsheets on your drive, zips them, and emails them without your
> knowledge to an outside address. All they would have to do is send it to a
> CFO or Marketing director, and the consequences would be horrific.
> 
Fascinating conjecture, but how often do we see such fine-grained
targeting? A virus is a very poor vehicle for this sort of attack,
because (1) it contains an address for the perpetrator (2) it can't
be controlled effectively once it's released: effectively, the 
perpetrator is exposing himself to self-inflicted mailbombing. There
is a threat here, but implementing it effectively is not as easy as
you imply: there's rather more involved than writing yet another 
Concept variant or a clunky Sharefun clone.

> Of course! Checking for viruses at the firewall is by no means a
> replacement for desktop and server virus protection. It is merely a way to
> close a security hole. Checking for viruses at the firewall and not the
> desktop is just as ridiculous as checking for viruses at the desktop and
> not the firewall.
> 

Another logical fallacy. Checking for viruses at the firewall and not
at the desktop is ridiculous because it ignores several entry points. 
Checking for viruses at the desktop, properly done, blocks all the 
entry points, though there are problems it can't always address: 
heterogeneous virus transmission, for instance.
> 
> With FW-1 and CVP-compliant virus programs, however, only infectable files
> pass through the virus scanning machine. Most traffic (html code, graphics,
> data files) never passes through the virus scanner and remains completely
> unaffected. 
> 
> This is the reason it is important to specify file extensions for scanning
> in the FW-1 rule base. If you don't, then all files will go through the
> scanner - an unnecessary delay for most files.

Bzzzzt!!! You can't rely on file extensions in the rule base. 

* Macintosh filenames
* Windows 95 LFNs
* Non-standard extensions - Word users can use any extension they like,
  or none.
* Deliberately or inadvertently misleading filenames. LIAR.TXT might be
  an infected Word template which the originator thought they were
  Saving As text. Or even a binary executable.

You can try to control this on your site, but you can't make assumptions
about what comes in from other sites. B-(

> 
> >   - Too many new, or modified, viruses are introduced
> >     every day/week/month. By the time you have implemented
> >     a particular virus detection mechanism, it is already
> >     obsolete.
> Partially right, but this is a bit like saying that since there is no cure
> for Ebola, you might as well not vaccinate your children from most other
> diseases.
> 
> Also, modern virus scanners include heuristic capabilities and polymorphic
> detection engines that help combat this threat. 
> 
All true. But these are arguments for virus scanning, not for scanning
at the firewall.

> 
> >   - Simply too many encoding/compression/encryption/pick one
> >     schemes for a virus detection mechanism to be compatible
> >     with.
> Yes, but the vast majority are UUencoded, MIME-encoded, and/or ZIPed. When
> was the last time you got a BIN-HEX encoded Word document compressed with
> lha as an attachment?

Now you're arguing for a mostly-good-enough solution. But many of us up
here are looking to address boundary conditions too, where we can. That's
what anti-virus precautions have always been about. People rarely go out
of business because a virus trashed all their hard disks: most viruses
have unspectacular effects, even now. The trouble is, we -can't- ignore
the possibility of infection by something seriously malicious.

> Any comments?
> 
Always happy to share my prejudices. B-)

-- 
David Harley                  |              alt.comp.virus FAQ
D.Harley@icrf.icnet.uk        |           & Anti-Virus Web Page
Support & Security Analyst    |    Folk London On-Line gig-list
Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/
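The point made above about not trusting file extensions in the rule base, as an added illustration that is not part of the original message and not FW-1 or CVP code: a classifier that decides "infectable" from the filename alone, beside one that decides from the leading bytes, run over constructed sample attachments. The OLE2, MZ and ZIP magic values are the real ones; every filename and file body below is constructed.

```python
"""Extension-based vs content-based selection of files to scan (added example)."""

# Real signatures for the file types the thread treats as infectable.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Word 6/95/97 .doc/.dot container
MZ_MAGIC = b"MZ"                                  # DOS/Windows executable
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP archive; contents unknown until unpacked

# The kind of extension list a rule base would carry.
INFECTABLE_EXTENSIONS = {"doc", "dot", "xls", "exe", "com", "zip"}


def by_extension(filename):
    """Rule-base approach: decide from the name alone."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in INFECTABLE_EXTENSIONS


def by_content(data):
    """Decide from the leading bytes, ignoring the name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"
    if data.startswith(MZ_MAGIC):
        return "executable"
    if data.startswith(ZIP_MAGIC):
        return "zip-archive"
    return "other"


def should_scan(data):
    """Anything whose content is a known infectable container gets scanned."""
    return by_content(data) != "other"


# Constructed attachments: the cases listed in the message above.
SAMPLES = {
    "LIAR.TXT": OLE2_MAGIC + b"\x00" * 24,        # Word template the user "saved as text"
    "README.TXT": MZ_MAGIC + b"\x90\x00\x03\x00",  # executable with a misleading name
    "report": OLE2_MAGIC + b"\x00" * 24,           # Mac-style name, no extension at all
    "notes.doc": b"plain text somebody named .doc",  # scanned needlessly by extension
    "pics.zip": ZIP_MAGIC + b"\x14\x00",           # both rules agree here
}


def compare(samples):
    """Return the names where the extension rule and the content rule disagree."""
    return [name for name, data in samples.items()
            if by_extension(name) != should_scan(data)]


if __name__ == "__main__":
    for name in compare(SAMPLES):
        print(f"{name}: by extension={by_extension(name)}, by content={by_content(SAMPLES[name])}")
```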
