Educause Security Discussion mailing list archives
Re: Network Based Anti-Spyware Solution
From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Mon, 10 Apr 2006 10:24:24 -0700
An in-line device will track known spyware and other traffic "signatures" and attempt to block them, and possibly even block the download and install of certain kinds of spyware. It is a good addition to a "defense in depth" approach to the problem, but cannot provide a complete spectrum of protection.

The problem with spyware is it looks like standard system-type tools and applications, or stealth techniques provide it a slippery path through your protections. Those may be missed by an in-line system. Once one workstation is infected inside your network, the in-line system can't protect you from further infection.

And, how is your in-line system going to protect you from the user who puts a Sony (or other rootkit-containing) CD in one of your workstations? Not only would you now have the potential for sensitive information leaving your organization, but the rootkit may open the system to further infection or exploitation from other vectors.

What about systems that may already have a keylogger or rootkit installed that you can't find, or may be in your production image? Are you testing your images for rootkits or stealth methods before putting them into production? Rootkit-finding tools and other methods should be used on images to ensure that they are "clean" first, and a client-side enterprise anti-spyware tool should be installed to help mitigate the misses by the in-line system.

Avoid using one vendor for all your anti-spyware needs. One vendor may classify a particular spyware as legitimate (or worse, not even detect it), while another will include that in the blacklist. There is still no broad standardization for just what constitutes spyware and vendors are free to make their own decisions. Also, some tools are better against a particular class of spyware than others.

Solid system build practices for images, a client-side anti-spyware agent (from one vendor), and an inline anti-spyware system (from a different vendor), will go a long way toward keeping your internal network yours and keep it from leaking sensitive information.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () cis ctc edu

________________________________
From: CAROLE CARMODY [mailto:Carole_Carmody () BLOOMFIELD EDU]
Sent: Monday, April 10, 2006 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Network Based Anti-Spyware Solution

We have been using the Barracuda device for over a year and we are very happy with its performance.

Carole Carmody
Assoc. VP for IT
Bloomfield College
(973)748-9000, Ext. 391

________________________________
From: Andy Rivers [mailto:arivers () UTM EDU]
Sent: Monday, April 10, 2006 12:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Network Based Anti-Spyware Solution

Hey, I was wondering if anyone had any experience with a network based anti-spyware solution. We are currently evaluating an appliance and we're not having much luck with it, so I'm not sure if we got a lemon or if it's an indication of all their products. We're basically looking for something that we can put inline within our network and have it block spyware without having to install a piece of software on all of our clients. So I'm just looking for some feedback about some possible appliances that people are using or even units that you might have evaluated that didn't work out.

Thanks.

Andy Rivers
Security Administrator
University of Tennessee at Martin
(731) 881-7882