Packet Level Virus Scanning Network Appliances? 23
Tiber asks: "I had the pleasure of locking down the servers for a large company against the Slapper/Sapphire worm over the weekend. It wasn't enjoyable, less so because I knew I'd have to face it again come Monday when all our users brought their business laptops in. Sure enough, Monday morning, all hell broke loose on our networks. It got me thinking, instead of routers 'dumb' routers, does someone make a network appliance that does worm scanning inside the packets and log attacks? Perhaps someone has a project they know of that does this?"
slammer coming in from laptops? (Score:2)
Re:slammer coming in from laptops? (Score:1)
Re:slammer coming in from laptops? (Score:2)
Re:slammer coming in from laptops? (Score:5, Informative)
Therefor, it is possible that a business user plugging in his laptopt could release slammer.
When thinking about security, do not think "ohh, that can't happen, that's so unlikely". Think "what could make that possible, no matter how remote" and then "how can I eliminate that risk".
small problem (Score:4, Insightful)
So do you delete ALL word attachments or scan them all for known virus? Or do you attempt some sort of AI that figures out virus / worm from none virus / worm?
In the case of using AI, I just don't think it is quite there yet. Yes it may be possible, but not cheap enough for the general public. I wish!
In the case of deleteing all attachements, you could set up a quarentine place for them. I think Norton utilities has a virus scanner that does this for email. My dad once mentioned something about this. He loves it. I no longer get MS virus email from him ;-). Of course I run Linux at home so even when I did get them they did not work cause the binaries just would not run under Linux without wine and me manually running them, and even then I don't think they could have done anything without enough permissions.
Depending on how many servers you have, one thing would be to setup some of the servers as read only. Not sure if you can do that with windows. I.E. Create an account for the mail system and give it access to only certain things on the system and then lock down the rest of the system. Using permsissions restict the mail from screwing up the rest of the server. I don't know enough about windows to know if this can be done? I know you can restrict accounts from accessing data, but can you restict the email admin account? Can windows run entirely off a cdrom? Can windows run in a memory filesystem? Maybe embedded windows can do this, and you may be able to make an embedded windows mail server. Or search the internet for embedded devices and windows servers or somehting.
In unix I know I can run my whole filesystem off a cdrom ( I am doing this with my freebsd home based router). Worst case senerio I have to reboot the router. There are a few problems in my current approach (swap errors in FreeBSD), but it works. Turn it on and it boots up in less than 2 minutes. To shut down just hit the power button, no shudwown required.
My suggestion is to look for embedded devices and make an embedded mail server of your own. You may try using http://www.intrinsyc.com/products/cerfcube/ to create an embeded window mail server. The OS should hopefully be protected in flash ROM, but since I have not tried I cannot say. It may be possible to use this and create a device that you just have to reboot to fix the problem.
Best thing to do NOW if you have not already, is to install Anti virus utilities like Norton and Mcafee stuff on your laptops and servers and use them if they are windows machine which I suspect they are. KEEP THEM UP TO DATE. Our sys-admins send out emails at LEAST once a week with new virus updates.
Lastly educate the people in the company, with weekly emails on the latest virus. If they are aware that they could get a virus that could f*** up their project and screw their deadline they may be more cautious about their email. Not everyone will, but it may be just enough people that it would make your life a little easier.
Re:small problem (Score:2)
IDS (Score:3, Informative)
OK, off my rant. They do make appliances that detect and log attacks. They are called Intrusion Detection systems. That's the whole idea of network IDS. Cisco makes them... You can make one on any linux box with Snort. ISS makes software that runs on NT/2K.... The list goes on.
A virus scanning appliance is harder. What if the virus is in a zip file or other archive? Lots of problems with that. It's best just to get good AV out on the network with central management to make SURE they are updated and functioning.
For anyone wanting good Exchange Server AV I can't recommend Antigen by Sybari enough. It makes everything else look really bad. For the desktops/servers we've used Norton w/ their central manager and it is performing great. Much better than any of the McAfee installations I've ever seen.
Re:IDS (Score:3, Interesting)
It's true that a wire level virus scanner would have to be 'encoding aware'. We would never want to assume that a packet sniffer would eliminate all possible infections on our network.
But let's think about what it *could* do.
Well, the most common infection vector is email attachments. Since there's only a couple encodings, and your mail server likely only accepts on a couple ports, you could scan at the packet level. Most likely a checker on the mail server itself would be better.
What's the 2nd most common infection vector? downloaded
What does that leave: well, probibly the most important infection vector for us to deal with at the packet level: worms that use various exploits in daemons and protocols. And here, a packet level sniffer can be extremely effective. Things like code red, sql slammer, etc are very easily recognized at the protocol level. Even better is for us to plug our box in upstream at our circut providers so that we can save our pipes from being clogged with infection packets. And with some sort of administration functions, we could use them to block some forms of DoS as well.
What's the point: with security, don't trust a single fence: build several to overlapp eachother, and a packet level sniffer could be a valuable tool in this context.
Re:IDS (Score:1)
Re:IDS (Score:2)
IDS produces lots of alerts if you don't filter it properly. There is no reason to have every signature loaded if your systems wouldn't be affected. If you are being targeted by a DDoS then call your ISP and have them filter up stream, but don't do me any favors and do it without me asking.
It's called your switch (Score:3, Interesting)
The reason why "dumb" routers will never do this (Score:2)
Hogwash (Score:3, Informative)
--
eSafe Gateway (Score:3, Informative)
While it's not true packet level, it's pretty fast and gives you a bit more protection and configurability that I think a raw router might be able to do. Granted, this won't help much if you've got internal laptops or something bringing the bug with you...though it would prevent you from attacking others with it.
Not a sales pitch, just a satisfied customer...
www.esafe.com
-----------------
IDS like snort w/serial or SNMP to router (Score:2)
-1 Flamebait (Score:1, Flamebait)
Sorry. I'm sorry, but I have 0 sympathy for you. You--or your bosses, or their bosses--have chosen Microsoft homogenuity. Losing your weekends to patching their crap is the price you pay for making that recommendation.
More constructively--instead of figuring out how to do Microsoft's work for them, how about getting an open source solution working on, say, OS X or Linux? Then at least the whole problem is yours--and you're not trying to fix someone else's crap, which you paid a dear price for, afterall.
Or you can spend your weekends that way, and your Mondays, too. I prefer doing other things with my time off, so I recommend other solutions.
Inline IDS is the answer (Score:2)
Some important things to consider when looking at an inline IDS are:
Now for the shameless plug, NetScreen sells a kickass inline IDS which I, as an employee/developer highly suggest you check out:
http://www.netscreen.com/products/idp.html [netscreen.com]