
Packet Level Virus Scanning Network Appliances?

Tiber asks: "I had the pleasure of locking down the servers for a large company against the Slapper/Sapphire worm over the weekend. It wasn't enjoyable, less so because I knew I'd have to face it again come Monday when all our users brought their business laptops in. Sure enough, Monday morning, all hell broke loose on our networks. It got me thinking: instead of 'dumb' routers, does someone make a network appliance that does worm scanning inside the packets and logs attacks? Perhaps someone has a project they know of that does this?"
  • How did your users' laptops bring SQL Slammer into the building? First off, it only infects MS SQL servers, which isn't very typical for an average laptop install. Secondly, the virus is memory resident only, which means that when they turned off their laptops to bring them into work, they also removed the worm from their systems. And did you try patching your company's SQL servers, or did you just reboot them all at once to get rid of the worm for a few minutes?
  • small problem (Score:4, Insightful)

    by josepha48 ( 13953 ) on Thursday January 30, 2003 @02:23PM (#5190192) Journal
    Even if you have a network appliance that 'scrubs' email and data as it comes in, it has to know what is good and what is bad. In the case of a new virus there is no way it is going to know that the virus is a virus and not a real attachment.

    So do you delete ALL Word attachments or scan them all for known viruses? Or do you attempt some sort of AI that figures out virus / worm from non-virus / worm?

    In the case of using AI, I just don't think it is quite there yet. Yes, it may be possible, but not cheap enough for the general public. I wish!

    In the case of deleting all attachments, you could set up a quarantine place for them. I think Norton Utilities has a virus scanner that does this for email. My dad once mentioned something about this. He loves it. I no longer get MS virus email from him ;-). Of course I run Linux at home, so even when I did get them they did not work because the binaries just would not run under Linux without Wine and me manually running them, and even then I don't think they could have done anything without enough permissions.

    Depending on how many servers you have, one thing would be to set up some of the servers as read only. Not sure if you can do that with Windows. I.e. create an account for the mail system and give it access to only certain things on the system and then lock down the rest of the system. Using permissions, restrict the mail from screwing up the rest of the server. I don't know enough about Windows to know if this can be done. I know you can restrict accounts from accessing data, but can you restrict the email admin account? Can Windows run entirely off a CD-ROM? Can Windows run in a memory filesystem? Maybe embedded Windows can do this, and you may be able to make an embedded Windows mail server. Or search the internet for embedded devices and Windows servers or something.

    In Unix I know I can run my whole filesystem off a CD-ROM (I am doing this with my FreeBSD home-based router). Worst case scenario I have to reboot the router. There are a few problems in my current approach (swap errors in FreeBSD), but it works. Turn it on and it boots up in less than 2 minutes. To shut down just hit the power button, no shutdown required.

    My suggestion is to look for embedded devices and make an embedded mail server of your own. You may try using http://www.intrinsyc.com/products/cerfcube/ to create an embedded Windows mail server. The OS should hopefully be protected in flash ROM, but since I have not tried I cannot say. It may be possible to use this and create a device that you just have to reboot to fix the problem.

    Best thing to do NOW, if you have not already, is to install anti-virus utilities like Norton and McAfee stuff on your laptops and servers and use them if they are Windows machines, which I suspect they are. KEEP THEM UP TO DATE. Our sysadmins send out emails at LEAST once a week with new virus updates.

    Lastly, educate the people in the company with weekly emails on the latest virus. If they are aware that they could get a virus that could f*** up their project and screw their deadline they may be more cautious about their email. Not everyone will, but it may be just enough people that it would make your life a little easier.

  • IDS (Score:3, Informative)

    by NetJunkie ( 56134 ) <jason.nash@CHICAGOgmail.com minus city> on Thursday January 30, 2003 @03:06PM (#5190419)
    First, why do notebooks have SQL server running? Why weren't the "real" servers patched and protected in the first place?

    OK, off my rant. They do make appliances that detect and log attacks. They are called Intrusion Detection systems. That's the whole idea of network IDS. Cisco makes them... You can make one on any linux box with Snort. ISS makes software that runs on NT/2K.... The list goes on.

    A virus scanning appliance is harder. What if the virus is in a zip file or other archive? Lots of problems with that. It's best just to get good AV out on the network with central management to make SURE they are updated and functioning.

    For anyone wanting good Exchange Server AV I can't recommend Antigen by Sybari enough. It makes everything else look really bad. For the desktops/servers we've used Norton w/ their central manager and it is performing great. Much better than any of the McAfee installations I've ever seen.
    • Re:IDS (Score:3, Interesting)

      See my earlier post for why laptops might be running mssql.

      It's true that a wire level virus scanner would have to be 'encoding aware'. We would never want to assume that a packet sniffer would eliminate all possible infections on our network.

      But let's think about what it *could* do.

      Well, the most common infection vector is email attachments. Since there's only a couple encodings, and your mail server likely only accepts on a couple ports, you could scan at the packet level. Most likely a checker on the mail server itself would be better.

      What's the 2nd most common infection vector? Downloaded .exe's and the like. Again, a packet level sniffer is only of limited use here, and it will be harder to deal with all possible ports, encodings and protocols. But you could still get reasonable results by, say, scanning anything on an inbound HTTP response that is encoded in a format you recognize.

      What does that leave? Well, probably the most important infection vector for us to deal with at the packet level: worms that use various exploits in daemons and protocols. And here, a packet level sniffer can be extremely effective. Things like Code Red, SQL Slammer, etc. are very easily recognized at the protocol level. Even better is for us to plug our box in upstream at our circuit providers so that we can save our pipes from being clogged with infection packets. And with some sort of administration functions, we could use them to block some forms of DoS as well.

      What's the point: with security, don't trust a single fence: build several to overlap each other, and a packet level sniffer could be a valuable tool in this context.
    • Did not want to be a coward!.. The reality is that this is not an Enterprise problem. This is a Carrier problem. We are all buying bandwidth from someone, why are we allowing all this crap to be put on our systems? The carriers should have been able to identify this worm as a major increase in PORT 1433/1434 traffic, and then deal with it on their edge/peer routers. If it can't get through the door.. it can't hurt you. Now I agree that MS is still the biggest problem here.. crappy code.. crappy security.. And we should definitely deal with making sure our systems are fully patched, but the other reality is that once it hits the enterprise router.. it's too late.. And for IDS and other inline devices... IDS still produce on the magnitude of 1000's of alerts a day.. What are you going to look at first??? Signature based... I agree with the NetScreen dude.. pretty useless in a DDoS attack. Inline - if you are being targeted.. what's the point.. your link is saturated. So you can ID.. whose problem is it really? The Carriers/providers. Here are some companies addressing this issue: www.arbornetworks.com (network based carrier grade) www.mazunetworks.com (Inline for enterprise)
      • I don't want my ISP blocking traffic. My security is my problem. I pay them for bandwidth and a connection.

        IDS produces lots of alerts if you don't filter it properly. There is no reason to have every signature loaded if your systems wouldn't be affected. If you are being targeted by a DDoS then call your ISP and have them filter up stream, but don't do me any favors and do it without me asking.
  • by Gothmolly ( 148874 ) on Thursday January 30, 2003 @03:29PM (#5190555)
    Easy. Put packet filters in your switch. How often do SQL servers make outgoing connections to other SQL servers?
  • Because it would be slow. And I do mean slooooow. Routers try to do as little as possible in software plus look at the packets as little as possible to get high throughput. Your device would be hard taxed by just normal traffic, the latest worm attack - esp. when coming from several sources within your network - would make it choke in no time, because it would have to check each packet on a saturated network.
  • Hogwash (Score:3, Informative)

    by cowbutt ( 21077 ) on Thursday January 30, 2003 @06:52PM (#5192073) Journal
    Sounds like you want Hogwash [sourceforge.net] - it's based on the Snort [snort.org] Network IDS, but instead of just reporting suspicious traffic, it drops it. Note that this differs from just coupling a NIDS with a firewall, as most of those solutions are susceptible to DoS attacks by spoofing attacks from the upstream router, or key DNS servers (they usually block *all* traffic from "attacking" hosts, not just the offending packets).


  • eSafe Gateway (Score:3, Informative)

    by TexTex ( 323298 ) on Thursday January 30, 2003 @06:56PM (#5192106)
    For packet level filtering, there's one box I've found and like quite a bit. eAladdin makes eSafe Gateway, which can act as a bridge or router tossed in front of your network (directly after the firewall). It scans all http, ftp, and smtp traffic...but they had a fix out to also look for slammer a few hours into the mess.

    While it's not true packet level, it's pretty fast and gives you a bit more protection and configurability that I think a raw router might be able to do. Granted, this won't help much if you've got internal laptops or something bringing the bug with you...though it would prevent you from attacking others with it.

    Not a sales pitch, just a satisfied customer...
    www.esafe.com
  • Not so novel idea: use a dedicated snort box that uses its alerts to add rules to a firewall, switch, and/or router. Check out the snort FAQ and contrib directory for ideas.

  • Sorry. I'm sorry, but I have 0 sympathy for you. You--or your bosses, or their bosses--have chosen Microsoft homogeneity. Losing your weekends to patching their crap is the price you pay for making that recommendation.

    More constructively--instead of figuring out how to do Microsoft's work for them, how about getting an open source solution working on, say, OS X or Linux? Then at least the whole problem is yours--and you're not trying to fix someone else's crap, which you paid a dear price for, after all.

    Or you can spend your weekends that way, and your Mondays, too. I prefer doing other things with my time off, so I recommend other solutions.
  • What you're basically asking for is an IDS product which sits inline of the data stream and can make policy decisions based upon the content of the packets rather than the protocol (which is what a firewall does). Being inline is important because alternative solutions such as sending TCP resets or modifying a firewall/router rulebase aren't always effective, as the Slammer/Sapphire worm illustrates (it was both UDP and contained in a single packet).

    Some important things to consider when looking at an inline IDS are:

    • Accuracy. Since you're dropping traffic, false positives are much more problematic than with a sniffer based IDS.
    • Management. You'll end up wanting to tune the IDS policy more than with a traditional IDS. Look for something which scales for your organization and makes it easy to specify: where to look, what to look for, and what to do about it. Remember, the best technology is worthless if you can't effectively manage it.
    • Scalability. Sensors must be able to scale to your traffic needs and the management system needs to be able to scale to the number of sensors you need.
    • HA. If it's inline, you're going to need some kind of failover or high-availability option, not to mention something to make upgrades less stressful.
    • Updates. Some vendors update their signatures once a week. Others once every few months. Most fall somewhere in between. Be sure to ask before you buy.
    • Stability. Not just the sensor stability, but the company behind it. A lot of the inline IDSs available today aren't sold by the well known IDS players but by smaller startups who may or may not have the $$$ to last.

    Now for the shameless plug: NetScreen sells a kickass inline IDS which I, as an employee/developer, highly suggest you check out:
    http://www.netscreen.com/products/idp.html [netscreen.com]
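As an added example (not code from any commenter or from a product named on this page) of the two checks this thread describes: the per-packet verdict an inline device can give because the worm travels as a single UDP datagram, and the per-source count of UDP/1434 targets that shows up as a surge in port 1434 traffic. The log lines, the SQL-server list and the thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (sample input, not captured traffic).
SAMPLE_LOG = """\
12:00:00.000 IP 10.1.1.20.3301 > 10.1.2.7.1434: UDP, length 380
12:00:00.001 IP 10.1.1.20.3301 > 10.1.2.8.1434: UDP, length 380
12:00:00.002 IP 10.1.1.20.3301 > 192.0.2.9.1434: UDP, length 380
12:00:00.500 IP 10.1.1.50.1200 > 10.1.2.7.1434: UDP, length 12
12:00:01.000 IP 10.1.1.50.1201 > 10.1.2.7.1433: Flags [S], seq 1, length 0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")

SQL_SERVERS = {"10.1.2.7", "10.1.2.8"}  # assumed: hosts allowed to talk SQL to each other
FANOUT_LIMIT = 3    # assumed: distinct UDP/1434 targets per source before we alert
MAX_PROBE_LEN = 64  # assumed: a normal resolution-service query is tiny
def parse_line(line):
    """Pull source, destination, port, transport and payload length from one line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["dport"] = int(pkt["dport"])
    pkt["udp"] = pkt["rest"].startswith("UDP")
    lm = re.search(r"length (\d+)", pkt["rest"])
    pkt["length"] = int(lm.group(1)) if lm else 0
    return pkt

def inline_verdict(pkt):
    """Per-packet decision needing no flow state, since the worm fits one datagram:
    oversized UDP to 1434 from anything but a known SQL server is dropped."""
    if (pkt["udp"] and pkt["dport"] == 1434
            and pkt["length"] > MAX_PROBE_LEN and pkt["src"] not in SQL_SERVERS):
        return "drop"
    return "pass"

def scan_log(text):
    """Return ([(src, dst, verdict), ...], [sources fanning out to too many UDP/1434 targets])."""
    verdicts, targets = [], defaultdict(set)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        verdicts.append((pkt["src"], pkt["dst"], inline_verdict(pkt)))
        if pkt["udp"] and pkt["dport"] == 1434:
            targets[pkt["src"]].add(pkt["dst"])
    scanners = sorted(s for s, t in targets.items() if len(t) >= FANOUT_LIMIT)
    return verdicts, scanners
```

The small UDP/1434 probe and the TCP/1433 connection pass, which is the false-positive concern raised above: an inline rule has to leave ordinary SQL traffic alone.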
