Firewall Wizards mailing list archives

Re: OT: Av and Gartner...


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 31 Jul 2003 07:50:52 -0400



John Keeton wrote:
Slightly OT here.
In corporate land, where does everyone have AV installed? Currently, we
have desktop, NT servers, and email gateway. I am thinking that we need
http/ftp scanning via ICAP from our proxy, but Gartner[1] says http/ftp
scanning is unneeded. I don't know if I agree.. -OR- Are people installing
malicious code detection software, like www.finjan.com??

We're running on desktops, file servers, and mail gateway. A lot of
server administrators also run it on their servers. We also block
several types of executable attachments from traversing our mail gateway
which has stopped virus spreads before definitions are updated.

There seems to be a shift away from email as the only spreading
mechanism. Netbios shares, kazaa and the like, and instant messaging
applications are being used more and more. Aplore was fairly successful
using a combination of instant messaging and a malicious web server on
the infected machines. I suspect over the next year we'll see quite a
few exploit RPC/DCOM too.

An inline border device that understands those secondary protocols, possibly
including HTTP sessions, would raise the fence. If it could do signature
analysis and packet dropping for known overflow exploits, protocol anomaly
protection, content management, and DDOS mitigation that would be good too :)


--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
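An added example, not part of the original post or of any product mentioned in the thread, of the executable-attachment blocking Gary describes at the mail gateway. It checks each MIME part both by filename extension and by content (a PE "MZ" header), so a renamed executable is still caught; the extension list and the sample message are constructed here for illustration.

```python
# Added example: attachment policy check of the kind described above.
# Blocks by extension AND by PE magic bytes, so renaming .exe to .txt is not enough.
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed policy list (assumption, not from the post).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows PE/DOS executable


def is_executable_part(part: Message) -> tuple[bool, str]:
    """Return (blocked, reason) for one non-multipart MIME part."""
    filename = (part.get_filename() or "").lower()
    for ext in BLOCKED_EXTENSIONS:
        if filename.endswith(ext):
            return True, f"extension {ext}"
    payload = part.get_payload(decode=True)  # base64/QP decoded bytes
    if payload and payload[:2] == PE_MAGIC:
        return True, "PE header (MZ)"
    return False, ""


def blocked_attachments(raw_message: str) -> list[tuple[str, str]]:
    """Walk a message and list (filename, reason) for every attachment to block."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Only consider parts presented as attachments or carrying a filename.
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        blocked, reason = is_executable_part(part)
        if blocked:
            hits.append((part.get_filename() or "(unnamed)", reason))
    return hits


def build_sample_message() -> str:
    """Constructed test message: text body, harmless file, renamed PE, plain .exe."""
    msg = MIMEMultipart()
    msg["Subject"] = "quarterly report"
    msg.attach(MIMEText("see attached"))
    for name, data in [("notes.txt", b"plain notes"),
                       ("report.txt", b"MZ\x90\x00fake-pe-bytes"),
                       ("setup.exe", b"not-a-pe-but-named-exe")]:
        part = MIMEApplication(data, Name=name)
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()
```

Running `blocked_attachments(build_sample_message())` flags report.txt by its PE header and setup.exe by its extension, while notes.txt passes.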

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

