Security Basics mailing list archives
Re: about viruswall?
From: Sebastian Schneider <ses () straightliners de>
Date: Wed, 10 Sep 2003 03:35:09 +0200
Hey Gabriel,

depending on your budget as well as system setup the solution will be quite different.

At first, the behavior of a so-called viruswall is similar to a firewall. If your front-end smtp server is based on linux running sendmail, exim or postfix it's quite easy to plug in an AV software scanning mail traffic and blocking e-mails with infected attachments or malicious code.

There are some solutions available as commercial products. There might be some being free. I set up Kaspersky Anti Virus for Mail Servers some time ago and it works out just fine and really fast killing malware before that e-mail is getting to anyone. Updates are available shortly after new virii have been analyzed (we were updating hourly).

In sendmail it's really kind of easy as just adding the AV software as a new mailer and adding some rewriting rules.

If your front-end mailer is Win based, it could become an issue as Brian pointed out. Depending on the software implemented it can be less serious.

Additionally, as you might already do, you should deploy av software on host basis.

Sebastian

On Tuesday 02 September 2003 18:08, Gabriel Orozco wrote:
> Well, certainly I'm wrong when I think that all A-V solutions work like
> mine, in Linux+QMail+qmailscan, where the message simply will not traverse
> the smtp if it is not first scanned....
>
> I was not aware that it can be a problem in a NT/2K platform.
>
> What can I say? At best, I would say to anybody that there are other
> solutions different than Microsoft, and simply more secure.
>
> Regards
>
> ----- Original Message -----
> From: "chort" <chort () amaunetsgothique com>
> To: <security-basics () securityfocus com>
> Sent: Friday, August 29, 2003 6:45 PM
> Subject: Re: about viruswall?
>
> > On Fri, 2003-08-29 at 09:28, Gabriel Orozco wrote:
> > > With an antivirus running in your SMTP server is more than enough.
> >
> > WHOA! This kind of attitude is simplistic at best, and extremely
> > careless. Anti-Virus for your enterprise mail system can be very flakey
> > (due to the complexity of interfacing with modern enterprise mail and
> > groupware systems). Sometimes there is a delay between when the message
> > arrives and when it gets scanned, and it may be opened in that interval
> > (a race condition). Sometimes the service fails (particularly on NT/2K)
> > and you may not realize that you're unprotected.
> >
> > Besides those grave dangers, this is by default accepting that viruses
> > will penetrate your network and will for a fact be on your internal
> > servers (even if they do end up getting cleaned). Are you so sure you
> > want to guarantee that your Windows server will have viruses?
> >
> > Anti-Virus should be a multi-tiered defense. One layer at the e-mail
> > gateway, peeling away the dangerous stuff before it even makes it inside
> > your inner firewall. One layer on the mail/groupware server (preferably
> > a different vendor than the gateway A-V) to catch anything that gets
> > through, and to take care of things sent locally. The last ditch should
> > be on the desktop (possibly a third vendor) for a last chance to catch
> > anything that the other two missed, and as a FIRST chance at smoking out
> > infections that your users contract from websites or outside e-mail
> > accounts.
> >
> > Just having A-V on your mail server is most certainly NOT "more than
> > enough." Why let things into your network if you know you can stop them
> > in the DMZ and mitigate the risk? That's why the "virus wall" concept
> > was started years ago, and within the last couple of years it has grown
> > to include anti-spam, content policy enforcement, Internet message
> > encryption, etc. and is now known as a secure e-mail gateway (not to be
> > confused with INsecure e-mail gateways, which is what sendmail is).
> >
> > --
> > Brian Keefer

--
Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany
Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de