
List:       firewalls-gc
Subject:    RE: Re: Virus Scanner
From:       Jerry Huyghe <jerry () eliashim ! com>
Date:       1997-07-28 15:48:27


At 03:02 PM 7/28/97 -0400, Russ wrote:
> Seems to me I should only have to check for
> viruses released in the last two weeks, for example, on sites whom I know
> and deal with, which would considerably speed up communications with
> those sources, no?

Actually, this is partially true; Check Point advises users to only check
traffic coming from "untrusted" sites in their demo.

However, this has nothing to do with what I was saying. I was responding to
a concern about encrypted transmissions that cannot be checked by
virus-scanners. As I have said numerous times, Virus protection at the
firewall should NEVER replace desktop protection. It is just much safer and
more efficient to clean a virus at the point of entry than to wait until it
has infected 50 workstations (as in an infected attachment emailed to 50
people).

>Besides, if I have roving sales reps using laptops on the road and in
>the office, they are just as likely to infect my internal LAN as any
>internet-borne virus if they rely on a Firewall virus scanner to find
>the virii. 

Of course you would not rely exclusively on the scanner. If the user is
part of your company, he should not be able to access the network if your
licensed anti-virus software is not in memory upon login. Many anti-virus
packages provide this capability, including our own. If they disable the
software on their local drive, it will be reinstalled/reconfigured upon
login. The threat is from people outside the company, assuming your
anti-virus software gives you control over your users.


>While they're on the road they are left to the designs of the
>wily virii infector without the protection of my all-powerful Firewall
>virus scanner, and upon their return to the office proceed to infect
>everything/everywhere when they plug back into my LAN.

Of course, when did anyone suggest this? Nobody is stupid enough to make
the suggestion that Firewall scanning is enough. It merely saves time and
resources, and makes the firewall more powerful.

>
>Now if I use a strong virus scanner on the desktop, this possibility
>doesn't exist (or is at the very least far less likely).
Agreed, as always.

>(leaving my communications to travel at the
>speed I purchased, rather than some sub-speed due to virus scanning).
Performance varies widely based on the product. If only infectable files
pass through the virus scanner, most communications are not affected at all
(such as graphics, data files, html code, etc.).

Obviously firewall companies see the importance: ALL of the major firewall
companies are planning to add virus scanning capabilities in the next year.

>
>Further, if I find a site with a virus scanning Firewall product
>installed, I could perform a Denial of Service against it by sending
>repetitive messages to invalid SMTP accounts at the site, causing the
>virus scanner to do whatever it does with virus containing messages
>before the SMTP server even says the account doesn't exist. Hmm, wonder
>if that would even get logged on many systems?

You may want to learn about how virus scanning CVP servers work. It looks
like you are used to McAfee WebShield or Interscan VirusWall, which have
nothing to do with integrated firewall anti-virus scanners. The attack you
described above would not work with an integrated product. I will be happy
to email you a white paper if you like.

>
>Then there's the legal issues of virus scanning at a Firewall.

There are no legal issues.

>What do
>you do with the stuff that's infected? 
The software cleans it and sends it into the network to its appropriate
location (as long as it passes the other firewall rules).

>Suppose you could decrypt/encrypt
>stuff and check it for virii, do you send a copy of the unencrypted
>transmission around your alert list (say it's a Word document with the
>upcoming salary increases on it)? 

This is getting worse...Of course you cannot decrypt messages to check for
virii, or your encryption method would be worthless!! That is why you need
desktop AV also.

>Assume it's time sensitive? or mission
>critical? 
I don't see a problem with this. Maybe you could enlighten me.

>What if it's for a department within your company that you
>don't directly have authority for?

If you don't have authority on securing internet traffic for that
department, you should not be setting the firewall policies for that
department. Am I missing something?

>
>Once again, you could come up with a policy that would allow Firewall
>Virus Scanners to be used effectively, but nothing that I can think of
>would ever be better than a similar policy covering the use of Virus
>Scanners at the desktop.

Right, it's not better, but it will close a security hole. Think of this
analogy. If you were using anti-virus software on file servers a few years
ago, you realized that the major source of entry was floppy drives, so you
added virus protection at the desktop. Now the major source of entry is the
Internet gateway, so why not add virus protection there? You still need
virus protection on the desktop for floppy-transmitted viruses, and for
boot-sector viruses which are almost never transmitted via the internet.

>
>So why would anyone choose to use a Firewall Virus Scanner?

See above.

:-)


Best Regards,

Jerry Huyghe
Product Manager

eSafe Technologies                  http://www.esafe.com
A division of EliaShim Inc          http://www.eliashim.com
----------------Intelligent Computer Security-----------------
1 SW 129th Ave, Suite 105           Phone : 800.477.5177 Ext 18
Pembroke Pines, FL  33027           Fax   : 954.450.9612
==============================================================
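The point above that only infectable files need to pass through the gateway scanner, shown as an added illustration that is not from the original thread or from any vendor's product: a content-sniffing triage in Python where the bytes decide and the declared filename can only add a scan, never skip one. The signature table, extension list and printable-text threshold are assumptions for illustration.

```python
from dataclasses import dataclass

# Well-known magic-byte prefixes for formats that can carry executable or
# macro content. The rule table itself is an illustrative assumption, not
# any vendor's signature list.
INFECTABLE_MAGIC = {
    b"MZ": "DOS/Windows executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (Word/Excel, may carry macros)",
    b"PK\x03\x04": "ZIP archive (may contain executables)",
    b"\x7fELF": "ELF executable",
}

# Formats the post treats as not infectable: images, plain data, HTML.
PASSTHROUGH_MAGIC = {
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
}

INFECTABLE_EXTENSIONS = (".exe", ".com", ".dll", ".doc", ".xls", ".zip")


@dataclass
class Verdict:
    scan: bool    # True: hand the payload to the virus scanner
    reason: str


def triage(filename: str, data: bytes) -> Verdict:
    """Decide whether a payload must go through the gateway scanner.

    The content bytes decide. The declared filename is only a hint that can
    add a scan, never remove one, so renaming foo.exe to foo.gif does not
    bypass scanning. Unknown binary content is scanned (safe default).
    """
    for magic, label in INFECTABLE_MAGIC.items():
        if data.startswith(magic):
            return Verdict(True, f"content sniffed as {label}")
    for magic, label in PASSTHROUGH_MAGIC.items():
        if data.startswith(magic):
            return Verdict(False, f"content sniffed as {label}")
    if filename.lower().endswith(INFECTABLE_EXTENSIONS):
        return Verdict(True, "unrecognised content with an infectable extension")
    # Mostly printable bytes: treat as text/HTML and let it pass untouched.
    sample = data[:512]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    if sample and printable / len(sample) > 0.95:
        return Verdict(False, "looks like plain text or HTML")
    return Verdict(True, "unknown binary content; scan to be safe")
```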
