Educause Security Discussion mailing list archives

Re: Network Based Anti-Spyware Solution


From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Mon, 10 Apr 2006 10:24:24 -0700

An in-line device will track known spyware and other traffic
"signatures" and attempt to block them, and possibly even block the
download and install of certain kinds of spyware. It is a good addition
to a "defense in depth" approach to the problem, but cannot provide a
complete spectrum of protection. The problem with spyware is that it looks
like standard system-type tools and applications, or stealth techniques
provide it a slippery path through your protections. Those may be missed
by an in-line system. Once one workstation is infected inside your
network, the in-line system can't protect you from further infection.
And, how is your in-line system going to protect you from the user who
puts a Sony (or other rootkit containing) CD in one of your
workstations? Not only would you now have the potential for sensitive
information leaving your organization, but the rootkit may open the
system to further infection or exploitation from other vectors.
 
What about systems that may already have a keylogger or rootkit
installed that you can't find, or may be in your production image? Are
you testing your images for rootkits or stealth methods before putting
them into production? Rootkit finding tools and other methods should be
used on images to ensure that they are "clean" first, and a client-side
enterprise anti-spyware tool should be installed to help mitigate the
misses by the in-line system.
 
Avoid using one vendor for all your anti-spyware needs. One vendor may
classify a particular spyware as legitimate (or worse, not even detect
it), while another will include that in the blacklist. There is still no
broad standardization for just what constitutes spyware and vendors are
free to make their own decisions. Also, some tools are better against a
particular class of spyware than others. 
 
Solid system build practices for images, a client-side anti-spyware
agent (from one vendor), and an inline anti-spyware system (from a
different vendor), will go a long way toward keeping your internal
network yours and keep it from leaking sensitive information.

Guy L. Pace, CISSP 
Security Administrator 
Center for Information Services (CIS) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 

gpace () cis ctc edu 
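One of the "other methods" for checking that a production image is still clean before (and after) it goes into service is a file-hash baseline: record a SHA-256 manifest of the known-good image, then diff any candidate copy against it so added, removed or modified files stand out regardless of whether a vendor's signature set recognises them. The script below is an added example written for this page, not code from the original post or from any appliance or product named in the thread; the image trees it walks are constructed in temporary directories with made-up file contents, and the path names under `Windows/System32` are illustrative only.

```python
"""Hash-manifest baseline check for a production (gold) image.

Builds a manifest of every regular file under a known-clean image tree, then
compares a candidate tree against it and reports added, removed and modified
files. The sample trees in demo() are constructed inline for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large image files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root, POSIX-style) to its SHA-256.

    Symlinks are deliberately skipped, both as files and as directories: a link
    pointing outside the image would otherwise be hashed as if it belonged to it.
    """
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not Path(dirpath, d).is_symlink()]
        for name in filenames:
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare_manifests(baseline: dict[str, str], candidate: dict[str, str]):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(candidate) - set(baseline))
    removed = sorted(set(baseline) - set(candidate))
    modified = sorted(p for p in baseline.keys() & candidate.keys()
                      if baseline[p] != candidate[p])
    return added, removed, modified


def _populate(root: Path, files: dict[str, bytes]) -> None:
    """Write the constructed sample files beneath root."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Constructed sample: a clean image and a copy with one file altered,
    one driver added and one driver removed. Names and contents are made up."""
    clean = {
        "Windows/System32/ntoskrnl.exe": b"kernel v1",
        "Windows/System32/advapi32.dll": b"advapi v1",
        "Windows/System32/drivers/disk.sys": b"disk v1",
    }
    tampered = dict(clean)
    tampered["Windows/System32/advapi32.dll"] = b"advapi v1 + hook"  # modified
    tampered["Windows/System32/drivers/extra.sys"] = b"unexpected"   # added
    del tampered["Windows/System32/drivers/disk.sys"]                 # removed

    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _populate(Path(a), clean)
        _populate(Path(b), tampered)
        return compare_manifests(build_manifest(Path(a)), build_manifest(Path(b)))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

In practice the baseline manifest would be generated once from the freshly built image, signed and stored off the image, and the comparison run on a mounted copy of the image from a separate, trusted host; a rootkit that is already running on the system being checked can hide files from that system's own file listing, which is why the check is done offline rather than from inside the image.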

 

________________________________

From: CAROLE CARMODY [mailto:Carole_Carmody () BLOOMFIELD EDU] 
Sent: Monday, April 10, 2006 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Network Based Anti-Spyware Solution

We have been using the Barracuda device for over a year and we are very
happy with its performance.

Carole Carmody
Assoc. VP for IT
Bloomfield College
(973)748-9000, Ext. 391


________________________________

From: Andy Rivers [mailto:arivers () UTM EDU] 
Sent: Monday, April 10, 2006 12:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Network Based Anti-Spyware Solution

Hey,

I was wondering if anyone had any experience with a network based
anti-spyware solution.  We are currently evaluating an appliance and
we're not having much luck with it, so I'm not sure if we got a lemon or
if it's an indication of all their products.  We're basically looking
for something that we can put inline within our network and have it
block spyware without having to install a piece of software on all of
the clients.

So I'm just looking for some feedback about some possible appliances
that people are using or even units that you might have evaluated that
didn't work out.  Thanks.

Andy Rivers
Security Administrator
University of Tennessee at Martin
(731) 881-7882
