Firewall Wizards mailing list archives
RE: AntiVirus Software
From: "Joe Ippolito" <joe () joesnet com>
Date: Thu, 9 Sep 1999 07:48:42 -0700
I will back up Patrick's take on CVP. Tried it with FW1's and NAV. It was not pretty, although it was an early release of both products. I prefer McAfee's product on MS Proxy, a mail server scanner, desktop software and lots of user education. I cannot see adding the load and uncertainty to my first line of defense.

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Patrick M. Hausen
Sent: Wednesday, September 08, 1999 3:39 AM
To: Robert Driscoll
Cc: firewall-wizards () nfr net
Subject: Re: AntiVirus Software

Hi!
This question revolves more around Virus Scanning than firewalling. But since the scanner will talk directly to the firewall, I would like any input you may wish to elicit. [...] My question is does anyone have experience configuring firewalls to pass traffic to a virus scanner? It does seem to add a bit of complexity to the situation. I'm interested in hearing about possible pitfalls and traps that may be lurking. We are looking at configuring SMTP first and then if that works, FTP and HTTP. Any comments on scanning products would be appreciated as well.
Our experiences with CVP based scanning were, well, not that great. Our setup is Gauntlet Firewall for Unix with Datafellows F-Secure for Firewalls.

As I got from the gauntlet-users archive, CVP version 1.0 has got serious limitations, like not being able to specify what to scan (i.e. HTML and GIFs are scanned, too, if you want to scan HTTP transfers) and a maximum of 5 concurrent open "sessions" between the firewall and the scanning engine.

This has proven a showstopper for FTP and HTTP transmissions. Users experience massive slowdowns, short downloads (i.e. half of a file is transmitted) and the like.

If you want to deploy a solution based on CVP, make sure all products support CVP 2.0 which addresses some of the problems. F-Secure does, while Gauntlet doesn't. Even CVP 2.0 has got hard coded limitations, now it's 254 sessions, so in a high bandwidth configuration with many users it might still fail.

Generally vendors seem to prefer proxy based solutions that don't use CVP. E.g. Trendmicro. NAI announced Gauntlet 5.5 would have a built-in scanning engine for the HTTP proxy. I didn't get my hands on that yet.

We're still using CVP 1.0 in the above setup to scan emails. Works flawlessly so far. Nonetheless there are standalone "SMTP proxy" based scanners for email, too.

Regards,
Patrick