
List:       firewalls-gc
Subject:    RE: Re: Virus Scanner
From:       Russ <Russ.Cooper () RC ! on ! ca>
Date:       1997-07-28 15:02:35

If we're to accept the reasoning that known and trusted
people/sites/channels have less chance of being infection bearers, then
why are they treated equally with unknown sources when it comes to
Firewall virus scanners? Seems to me I should only have to check for
viruses released in the last two weeks, for example, on sites whom I know
and deal with, which would considerably speed up communications with
those sources, no?

I'm being facetious, obviously, since the purpose of a virus scanner is
to find *all* known virii, regardless of where it comes from. Therefore,
this can only be done effectively at the desktop.

Besides, if I have roving sales reps using laptops on the road and in
the office, they are just as likely to infect my internal LAN as any
internet-borne virus if they rely on a Firewall virus scanner to find
the virii. While they're on the road they are left to the designs of the
wily virii infector without the protection of my all-powerful Firewall
virus scanner, and upon their return to the office proceed to infect
everything/everywhere when they plug back into my LAN.

Now if I use a strong virus scanner on the desktop, this possibility
doesn't exist (or is at the very least far less likely). Since it's so
good at its job on the desktop, there is absolutely no need for a
Firewall implementation (leaving my communications to travel at the
speed I purchased, rather than some sub-speed due to virus scanning).

Further, if I find a site with a virus scanning Firewall product
installed, I could perform a Denial of Service against it by sending
repetitive messages to invalid SMTP accounts at the site, causing the
virus scanner to do whatever it does with virus-containing messages
before the SMTP server even says the account doesn't exist. Hmm, wonder
if that would even get logged on many systems?

Then there are the legal issues of virus scanning at a Firewall. What do
you do with the stuff that's infected? Suppose you could decrypt/encrypt
stuff and check it for virii, do you send a copy of the unencrypted
transmission around your alert list (say it's a Word document with the
upcoming salary increases on it)? Assume it's time sensitive? Or mission
critical? What if it's for a department within your company that you
don't directly have authority for?

Once again, you could come up with a policy that would allow Firewall
Virus Scanners to be used effectively, but nothing that I can think of
would ever be better than a similar policy covering the use of Virus
Scanners at the desktop.

So why would anyone choose to use a Firewall Virus Scanner?

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list:
http://ntbugtraq.rc.on.ca/index.html
