Security Basics mailing list archives

RE: adding another defence layer against viruses/worms


From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Wed, 25 Nov 2009 11:31:16 -0500

I believe you're looking for a heuristic IPS, also called a behavioral IPS,
which will take a look at the activities going on in your network segment and
build a DB of normal activities (PLEASE ensure you are virus, worm, hacker
and problem free..). When you decide your DB is big enough, you stop it and
run all day-to-day activities against it. Any deviation will be flagged as
unauthorized and action will be taken.

This will allow you to block new viruses/worms while your AV should detect
known threats.

Understand that these solutions are technical and I would suggest you get
help if you're not familiar with these technologies.


I like the solutions of Boaz, especially network segregation. Implementing
a DMZ will (should) contain attacks.

You can also use 2 levels of AV, i.e. use Trend Micro for network detection and
McAfee for host AV. This will reduce the risk: if one can't detect the
threat, maybe the other can.

I'd also suggest using network proxies. If you break the client-server
communication, you might be able to scan your packets deeper and detect
attacks before they are sent to the client.

Hope this helps :)

 
Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security

8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417   
Fax: 514-856-7541

http://www.transforce.ca/



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of boaz.shunami () rsa com
Sent: November 25, 2009 02:08
To: juanbabi () yahoo com; security-basics () securityfocus com
Subject: RE: adding another defence layer against viruses/worms

Hi Juan,

I would advise your Client to either:

1. Have a solid policy as to what sites are accessible/are not accessible
from his branches (can be enforced with Blue Coat and the like...)
2. Segregate the network the branches have access to (kind of DMZ) from
his LAN using FW.
3. Give low level permissions to the branches on the core.

My 2c...

Thanks,
 
Boaz

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Juan B
Sent: Tuesday, November 24, 2009 4:04 PM
To: security-basics () securityfocus com
Subject: adding another defence layer against viruses/worms

Hi all,

I'm doing some security consulting for a client. This client has around
30 remote branches connected to his core. The problem is that sometimes
the AV fails to detect new viruses/worms coming from those branches, so
those viruses/worms mess up his LAN. Another problem is that the
client doesn't have much control over the remote PCs in the branches.
So I thought about adding another layer of defence in which we will add
an IPS (which IPS also detects viruses/worms??) which will filter and
scan all traffic coming from the branches.

I just wonder if you guys agree with my suggestion.

any comments will be welcomed.

BTW,

any recommendations for the IPS?

thanks a lot 
juan
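
Added example, not part of the original thread: a minimal Python sketch of the learn-then-detect approach described in the top reply, applied to traffic from branch subnets towards the core. The addresses and flow records are constructed, and the function names, the /24 branch grouping and the `min_count` threshold are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records: (source IP, destination IP, protocol, destination port).
TRAINING = (
    [("10.1.1.10", "10.0.0.5", "tcp", 443)] * 3
    + [("10.1.1.11", "10.0.0.5", "tcp", 443)]
    + [("10.1.2.20", "10.0.0.6", "tcp", 1433)] * 2
    + [("10.1.2.20", "10.0.0.9", "tcp", 445)]  # one-off seen during learning
)
LIVE = [
    ("10.1.1.12", "10.0.0.5", "tcp", 443),   # new PC, known branch pattern
    ("10.1.2.20", "10.0.0.6", "tcp", 1433),
    ("10.1.2.21", "10.0.0.7", "tcp", 445),
    ("10.1.2.21", "10.0.0.8", "tcp", 445),
    ("10.1.2.21", "10.0.0.9", "tcp", 445),
    ("10.1.1.10", "10.0.0.5", "tcp", 22),
]

def flow_key(flow):
    """Generalise a flow to (branch /24, destination, protocol, port)."""
    src, dst, proto, dport = flow
    branch = ipaddress.ip_network(f"{src}/24", strict=False)
    return (str(branch), dst, proto, dport)

def learn_baseline(flows, min_count=2):
    """Learning phase: keep patterns seen at least min_count times, so a
    single stray flow in the training window is not accepted as normal."""
    counts = Counter(flow_key(f) for f in flows)
    return {key for key, n in counts.items() if n >= min_count}

def detect(baseline, flows):
    """Detection phase: the baseline is frozen; anything outside it is flagged."""
    return [f for f in flows if flow_key(f) not in baseline]

def fan_out(alerts):
    """Distinct destinations per flagged source; a high count fits worm-like spreading."""
    dests = defaultdict(set)
    for src, dst, _proto, _dport in alerts:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

if __name__ == "__main__":
    baseline = learn_baseline(TRAINING)
    alerts = detect(baseline, LIVE)
    for alert in alerts:
        print("DEVIATION", alert)
    print("fan-out per source:", fan_out(alerts))
```

The `min_count` threshold only filters isolated noise; traffic from a host that was already infected throughout the learning window would still end up in the baseline, which is why the reply insists on a clean network before learning.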


      

