Tech Update
Scan for viruses at the gateway
By ZDNet Staff
January 14, 2002

In response to "Signature-based virus detection is dying," reader George Ou writes:

I would like to challenge and add to the report by Gartner on their assessment of "Why signature-based virus scanning will die."

The number one way to scan for viruses is at the Web, FTP, and SMTP gateway. There is only one neck to choke here, instead of trying to fight a 10,000-headed dragon -- if you have 10,000 end users.

What do I mean by gateway scanning? Look at it this way: When someone sends you an e-mail with a virus attached to it, it must pass through your SMTP gateway before it even touches your machine. Therefore, the gateway will catch the virus for you and everyone else in the company regardless of whether or not they have virus protection. In the case of FTP and Web, this involves multiple solutions: Transparent NAT Proxy and Non-transparent Proxy servers.

The first choice is the only way to do it, in my opinion, because no client setup is required. Multiply 15 minutes (to set up a client proxy) by the number of users and by the number of times you have to set it up, and you will quickly come to the same conclusion. Both types of proxies will capture/forward and cache all Web traffic for you. But before the proxy forwards to you, it can forward the traffic to a virus scanner. If a virus is detected at that point, the proxy will redirect you to a rejection page that explains you are trying to download a virus, or it will strip out the virus and forward you the clean file.

This is why I challenge Gartner's assessment. In the above scenario, Gap 2 -- the gap between when the new signature is created and when enterprises receive the signature files and implement the update at every desktop -- is reduced to a matter of minutes instead of weeks because the gateway scanners are constantly updating and there are only a few of them to manage. Gap 1 -- the gap between when a new virus is released and when the antivirus vendor creates a new signature -- is only a few hours to begin with. In the 15 months after we implemented this system, we only had a five-minute outbreak that was quickly contained because Gap 1 was too long. But a five-minute lapse in virus security in the course of 15 months is unheard of in most companies.

Viruses almost never touch the desktop. Sure, you still need desktop protection, especially if they are portable computers. The new super breed of viruses like Nimda require network sniffers and vulnerability assessment tools.

Sniffers can detect Nimda activity; when a machine is infected and it is trying to infect thousands of other machines, you can immediately shut down the infected machine's IP address.

Scanners can preemptively tell you which machines are vulnerable by using the same scanning technique as the worms themselves use. This way, you can patch any vulnerable machine before the machine is even infected.

To sum up, there are many other things to worry about and implement long before you need to worry about gaps 1 and 2 -- provided you implement the above recommendations. If not, then gaps 1 and 2 can be a big problem.

Keep in mind that there are still a lot of infections from viruses like FunLove, written in 1999. You still need a good enterprise virus deployment package that will push out a consistent and updated antivirus solution to the desktops themselves. Security is about the weakest link. The above recommendations cover the largest hole, but that doesn't mean you don't need to cover the desktops too.

George Ou
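The SMTP-gateway behaviour the letter describes (inspect every attachment before it reaches a desktop, strip the detected file, forward the rest) as an added Python example; this is illustration code written for this page, not anything from the letter or from a named product. The signature set is a constructed SHA-256 list seeded only with the harmless EICAR test string, the X-Gateway-Scan header name is an assumption, and only top-level MIME parts are inspected.

```python
from __future__ import annotations
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

# The harmless EICAR antivirus test string; scanners flag it by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature set: SHA-256 of attachment bodies the gateway refuses.
# A real gateway pulls these from its vendor feed; here it holds EICAR only.
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest()}


def scan_and_clean(raw: str) -> tuple[EmailMessage, list[str]]:
    """Drop top-level attachments whose decoded body matches a signature and
    record what was cut in an X-Gateway-Scan header (assumed header name)."""
    msg = message_from_string(raw, policy=policy.default)
    stripped: list[str] = []
    if not msg.is_multipart():
        return msg, stripped                    # nothing attached, nothing to strip
    kept = []
    for part in msg.iter_parts():
        body = part.get_payload(decode=True) or b""   # None for nested multiparts
        digest = hashlib.sha256(body).hexdigest()
        if part.is_attachment() and digest in KNOWN_BAD_SHA256:
            stripped.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    msg.set_payload(kept)                       # rebuild without the flagged parts
    if stripped:
        msg["X-Gateway-Scan"] = "stripped: " + ", ".join(stripped)
    return msg, stripped


def build_sample(include_test_file: bool = True) -> str:
    """Constructed inbound mail: a body, a clean PDF and optionally the EICAR file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    if include_test_file:
        msg.add_attachment(EICAR, maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    return msg.as_string()


if __name__ == "__main__":
    cleaned, cut = scan_and_clean(build_sample())
    print("stripped:", cut)
    print("delivered:", [p.get_filename() for p in cleaned.iter_attachments()])
```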
