List:       firewalls-gc
Subject:    RE: Re: Virus Scanner
From:       Russ <Russ.Cooper () RC ! on ! ca>
Date:       1997-07-28 16:44:57
>firewall should NEVER replace desktop protection. It is just much safer and
>more efficient to clean a virus at the point of entry than to wait until it
>has infected 50 workstations (as in an infected attachment emailed to 50
>people)

I don't see how it's safer, assuming you are using desktop virus
scanning.

As for efficiency, I'd question that. Assuming that I've got 50 internal
recipients to a message originating from the Internet that contains an
infected file is, imo, highly unlikely. What's more likely is that one
internal recipient receives a message from someone on the Internet that
contains a virus. I'd argue that the 1-1 type infection is by far the
most likely scenario. If you are claiming efficiency because it can
handle a case where there are 50 internal recipients, I'd challenge you
to produce any third-party statistics that show this type of email
behavior.

Efficiency is only gained if there are a statistically significant
number of Internet originating messages containing attachments of
possible virus-bearing file types that are destined for more than one
internal recipient. Then you have to compare the time it would take to
scan such messages individually at the desktop versus the additional
latency all such messages (including the far greater one to one
messages) incur as a result of the Firewall Virus Scanning. Then accept
that this won't be complete so they'll likely scan again at the desktop
(do your products somehow know when a file type has been scanned at the
Firewall so the desktop scanning doesn't need to be performed again, or
will a desktop scanner just treat it like any other new file and scan it
again anyway?) If it scans it again, then any efficiency from the
Firewall has to be seriously questioned.

IMO, since I'm assuming it's going to be scanned anyway at the desktop,
I'd say the efficiencies gained at the Firewall are done so at the cost
of Internet network bandwidth (regardless of how small a footprint your
Virus Scanner may or may not occupy).

>Of course, when did anyone suggest this? Nobody is stupid enough to make
>the suggestion that Firewall scanning is enough. It merely saves time and
>resources, and makes the firewall more powerful.

I don't see where it saves time, resources, or makes the Firewall more
powerful. If I'm checking twice (once at the Firewall and once at the
desktop) then it sounds like I'm wasting some resources, and time. As
for the Firewall being more powerful, since there are so many ways it
can't stop virii, I'd say any additional perception of power is purely
marketing.

>Obviously firewall companies see the importance, ALL of the major firewall
>companies are planning adding virus scanning capabilities in the next year.

Sorry to burst this bubble, but if a Firewall company cannot come up
with new ways to leverage their customers into buying new products, then
their IPO is going to be very short lived.

>described above would not work with an integrated product. I will be happy
>to email you a white paper if you like.

Yeah, I'll take a white paper.

>There are no legal issues..

What? None? Me thinks you haven't thought out who all might be using
Firewalls.

>The software cleans it and sends it into the network to its appropriate
>location (as long as it passes the other firewall rules.)

And if this cleaning destroys the contents? Or the contents can't be
cleaned?

>This is getting worse...Of course you cannot decrypt messages to check for
>virii, or your encryption method would be worthless!! That is why you need
>desktop AV also.

Actually, this isn't true, is it? Maybe I can't with PGP, but I could
with a site to site connector within MS Exchange Server. I could encrypt
between the sites but have it decrypted at the servers (i.e. not the
clients). So putting a virus scanner on an Exchange Server would allow
for scanning of traffic which the Firewall would deem encrypted. Same is
true with a tunnel product that doesn't tunnel to the desktop.

My point is that it makes more sense to do virus checking at an end
point than to try and do it at some choke point.

>>Assume it's time sensitive? or mission
>>critical?
>>
>I don't see a problem with this. Maybe you could enlighten me.

The problem is the time it might take to disinfect, or notify someone
that a particular file is infected beyond recovery. If I do it at the
desktop, the person waiting for the information knows right away of the
problem. How your product works is not known to me, so I was asking what
happens when an attachment cannot be processed?

>If you don't have authority on securing internet traffic for that
>department, you should not be setting the firewall policies for that
>department. Am I missing something?

Definitely. Connectivity is one thing, content can be an entirely
different thing altogether. I may have a central authority for
connectivity, but allow (or demand) departments dictate their own
policies for content. Again, this is where the attachment, that's been
deemed to be infected, cannot be cleaned. If that attachment goes to
anyone other than the original recipient, it's possible that content is
being disclosed which should not be disclosed.

If you simply pass suspect attachments on to the original recipient,
then your product is not doing its job, right? So assuming it can't be
cleaned, where do you send it and what do you do with it?

>added virus protection at the desktop. Now the major source of entry is the
>Internet gateway, so why not add virus protection there? You still need
>virus protection on the desktop for floppy-transmitted viruses, and for
>boot-sector viruses which are almost never transmitted via the internet.

Because if I'm already doing it downstream of the Firewall, doing it at
the Firewall as well seems like a duplication of effort, resources,
time, and administrivia. As I said earlier, the desktop checker is going
to check the attachment as well as the Firewall checker, isn't it?

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list:
http://ntbugtraq.rc.on.ca/index.html