Firewall Wizards mailing list archives

Re: AntiVirus Software


From: "Josh Robb" <joshuar () fujitsu co nz>
Date: Thu, 9 Sep 1999 11:55:12 +1200

My experience with this is using the Trend Micro Product (Interscan
Viruswall - CVP version) and Checkpoint Firewall-1 (all on NT). I have
implemented this combo for several customers utilizing scanning on SMTP,
HTTP and FTP. There are several things to be aware of.

1.    Hardware - You need to make sure that the hardware platform running
the firewall is powerful enough for this not to have a negative performance
impact. I tend to run firewalls on Hardware Mirrored SCSI disks, single
Pentium II 450 with 256 Mb ram. On hardware like this it has not been a
problem. However, I got involved in an implementation on a seriously
underpowered box and it badly affected the performance of that box.

2.   SMTP Proxies - Firewall-1 implements several security servers (i.e.
application level proxies) which can be configured to intercept connections
and silently proxy them at the same time ensuring that the transactions meet
the rules specified in the rule base (e.g. Mail size limits, sender &
recipient restrictions, content security via CVP). Imagine this scenario - I
have an exchange server behind my firewall, my firewall is configured to
receive inbound SMTP connections from the internet and after ensuring that
they match the rule base (virus scan them etc) forward messages to an
internal mail server. This works pretty well; however, outgoing mail is a
little different. The internal mail server is configured like it is
delivering mail directly to the destination.
    1.    Mail server looks up the MX records for the destination domain.
    2.    It chooses the mail server with the lowest priority.
    3.    It then attempts to connect to the destination.
    4.    At this point the Firewall silently intercepts the message and
spools it locally. Runs it through the rule base, and if the message
matches the rules it then attempts to deliver the message to its original
destination.

Most of the time this is not a problem because the Firewall just delivers
the mail and that's it. However problems arise when the lowest priority mail
server is never available or down. Normally what would happen in this
situation is the sending mail server would attempt connection to another
higher priority mail server. But the mail server thinks it has already
delivered the message to its destination and has deleted it from its
outgoing queue.

The Firewall, being a firewall, does not trust DNS and blindly retries
delivery to the destination host picked by the mail server until the message
times out (5 days by default) and then returns it to the mail server as
undeliverable. For hosts which are just down this is not a major problem.
When they come up the message is delivered, maybe just slower than it could
have been. For sites which have DNS setups where the lowest priority MX
record is the backup server (and there are several of these that I have come
across with .nz), this is a major problem.

The only real solution to this is put an SMTP server in your DMZ and allow
this to deliver mail without being interfered with on the firewall and force
the Firewall to scan all messages going to the SMTP server but not from it.

3.    HTTP/FTP - Because the whole file has to be downloaded before it can
be scanned by the CVP server and approved/denied, clients can time out before
they start receiving the file. The later versions of Interscan have a setting
on the HTTP/FTP scanners which allows you to stream down part of the file
before the whole thing arrives on the CVP server. i.e. For every X k received
forward Y bytes to the client. Turning this setting on (like for every 1 k
received forward 4 bytes to the client) means that you get really slow
downloads initially with everything coming in a big rush at the end.

Josh

----
Some mornings it's not worth chewing through the leather straps.
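A small model of the outgoing-mail pitfall described in point 2 (an added illustration, not code from the post or from either vendor's product): a normal MTA walks the MX records in preference order and falls back on failure, a transparent SMTP security server commits to the one host the MTA connected to, and a DMZ relay restores the fallback. Host names, the up/down schedule and the 5-day spool timeout are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class MX:
    preference: int  # DNS MX preference: the lowest value is tried first
    host: str

@dataclass(frozen=True)
class Result:
    host: Optional[str]  # host that finally accepted the message, or None
    delay_days: float    # days the message sat before delivery or return
    returned: bool       # handed back to the sender as undeliverable

# Day on which each host begins accepting SMTP; a host absent from the
# map never comes up.  Constructed sample data, not real hosts.
UpSchedule = Dict[str, float]

def by_preference(mxs: List[MX]) -> List[MX]:
    return sorted(mxs, key=lambda m: (m.preference, m.host))

def direct_delivery(mxs: List[MX], up: UpSchedule, day: float = 0.0) -> Result:
    """Normal MTA: try MX hosts in preference order and fall back on failure."""
    for mx in by_preference(mxs):
        if up.get(mx.host, float("inf")) <= day:
            return Result(mx.host, day, returned=False)
    return Result(None, day, returned=False)  # still queued on the MTA

def via_transparent_proxy(mxs: List[MX], up: UpSchedule,
                          timeout_days: float = 5.0) -> Result:
    """Firewall SMTP security server: intercepts the MTA's first connection,
    spools the message and retries only that host until the spool timeout.
    The MTA has already dropped the message from its queue, so no fallback."""
    target = by_preference(mxs)[0].host
    first_up = up.get(target, float("inf"))
    if first_up <= timeout_days:
        return Result(target, first_up, returned=False)  # late but delivered
    return Result(None, timeout_days, returned=True)     # bounced after timeout

def via_dmz_relay(mxs: List[MX], up: UpSchedule, scan_clean: bool = True) -> Result:
    """The fix from the post: the firewall scans mail going TO the DMZ relay
    but leaves the relay's outbound connections alone, so the relay (a real
    MTA) does the MX fallback itself."""
    if not scan_clean:
        return Result(None, 0.0, returned=True)  # rejected by the CVP scanner
    return direct_delivery(mxs, up)

# Constructed sample: the lowest-preference MX is really the backup box and
# never comes up; the real server is listed second and is up from day 0.
MXS = [MX(10, "backup.example.nz"), MX(20, "mail.example.nz")]
UP = {"mail.example.nz": 0.0}
```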


----- Original Message -----
From: Robert Driscoll <driscoll_r () primesource com>
To: <firewall-wizards () nfr net>
Sent: Wednesday, September 08, 1999 10:11 AM
Subject: AntiVirus Software



Firewall Wizards,

Hopefully this message is not inappropriate for this list; if
so, please discard.

This question revolves more around Virus Scanning than firewalling.
But since the scanner will talk directly to the firewall, I would like any
input you may wish to elicit.

Our firewall is the AltaVista Firewall, running on DEC UNIX. It's a
NAT, proxy firewall that provides hidden DNS. It also has an option called
Content Vectoring Support that allows the different proxies to pass data
to antivirus software. In this case it would pass the data to another
box running some antiviral software on the internal network.

Currently we are reviewing 3 firewall scanners: TrendMicro's VirusWall,
Sophos, and Norton Antivirus for Firewalls. Most of the scanners I got from
the CERT webpage run on NT so it seems that's where we will be looking. (Of
course now we're stuck with NT on Intel, not Alpha, thanks COMPAQ)

My question is does anyone have experience configuring firewalls to
pass traffic to a virus scanner? It does seem to add a bit of complexity
to the situation. I'm interested in hearing about possible pitfalls and
traps that may be lurking. We are looking at configuring SMTP first and then
if that works, FTP and HTTP.

Any comments on scanning products would be appreciated as well.