Re: about viruswall?

[Sebastian Schneider <ses () straightliners de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Gabriel, 

depending on your budget as well as system setup the solution will be quite 
different .

At first, the behavior of a so-called viruswall is similar to a firewall.
If your front-end smtp server is based on linux running sendmail, exim or 
postfix it's quite easy to plug in an AV software scanning mail traffic and 
blocking e-mails with infected attachments or malicious code. 
There some solutions available as commercial products. There might be some 
being free. I set up Kaspersky Anti Virus for Mail Servers some time ago and 
it works out just fine and really fast killing malware before that e-mail is 
getting to anyone. Updates are available shortly after new virii have been 
analyzed (we were updating hourly).
In sendmail it's really kind of easy as just adding the AV software as a new 
mailer and adding some rewriting rules.

If your front-end mailer is Win based, it could become an issue as Brian 
pointed out. Depending on the software implemented it can be less serious.

Additionaly, as you might already do, you should deploy av software on host 
basis.

Sebastian

On Tuesday 02 September 2003 18:08, Gabriel Orozco wrote:
> Well, certainly I'm wrong when I think about all A-V solutions work like
> mine, in Linux+QMail+qmailscan, where the message simply will not
> transverse the smtp if it is not first scanned....
>
> I was not aware about it can be a problem in a NT/2K platform.
>
> What can I say? at best, I would say anybody that there are other solutions
> different than Microsoft, and simply more secure.
>
> Regards
> ----- Original Message -----
> From: "chort" <chort () amaunetsgothique com>
> To: <security-basics () securityfocus com>
> Sent: Friday, August 29, 2003 6:45 PM
> Subject: Re: about viruswall?
>
> > On Fri, 2003-08-29 at 09:28, Gabriel Orozco wrote:
> > > With an antivitus running in your SMTP server is more than enough.
> >
> > WHOA!  This kind of attitude is simplistic at best, and extremely
> > careless.
> >
> > Anti-Virus for your enterprise mail system can be very flakey (due to
> > the complexity of interfacing with modern enterprise mail and groupware
> > systems).  Some times there is a delay between when the message arrives
> > and when it gets scanned, and it may be opened in that interval (a race
> > condition).  Some times the service fails (particularly on NT/2K) and
> > you may not realize that you're unprotected.  Besides those grave
> > dangers, this is by default accepting that viruses will penetrate your
> > network and will for a fact be on your internal servers (even if they do
> > end up getting cleaned).  Are you so sure you want to guarantee that
> > your Windows server will have viruses?
> >
> > Anti-Virus should be a multi-tiered defense.  One layer at the e-mail
> > gateway, peeling away the dangerous stuff before it even makes it inside
> > your inner firewall.  One layer on the mail/groupware server (preferably
> > a different vendor than the gateway A-V) to catch anything that gets
> > through, and to take care of things sent locally.  The last ditch should
> > be on the desktop (possibly a third vendor) for a last chance to catch
> > anything that the other two missed, and as a FIRST chance at smoking out
> > infections that your users contract from websites or outside e-mail
> > accounts.
> >
> > Just having A-V on your mail server is most certainly NOT "more than
> > enough."  Why let things into your network if you know you can stop them
> > in the DMZ and mitigate the risk?  That's why the "virus wall" concept
> > was started years ago, and within the last couple of years it has grown
> > to include anti-spam, content policy enforcement, Internet message
> > encryption, etc and is now known as a secure e-mail gateway (not to be
> > confused with INsecure e-mail gateways, which is what sendmail is).
> >
> > --
> > Brian Keefer
> >
> >
> > -------------------------------------------------------------------------
> > -
>
> -
>
> > Attend Black Hat Briefings & Training Federal, September 29-30
> > (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's
> > premier technical IT security event.  Modeled after the famous Black Hat
> > event in Las Vegas! 6 tracks, 12 training sessions, top speakers and
> > sponsors. Symantec is the Diamond sponsor.  Early-bird registration ends
> > September
>
> 6.Visit us: www.blackhat.com
>
> > -------------------------------------------------------------------------
> > -
>
> --
>
>
>
>
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
> technical IT security event.  Modeled after the famous Black Hat event in
> Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
> Symantec is the Diamond sponsor.  Early-bird registration ends September
> 6.Visit us: www.blackhat.com
> ---------------------------------------------------------------------------
> -

- -- 

Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany

Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Xn/OQ7mOWZBxbPcRAtT4AJoDDkOQ+mKpyKoU4kCrKtymNC8nAACfQROS
RQXXobSuVBpKHB61i68e9Kw=
=CnOh
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------