RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Wozny, Scott (US - New York) (swozny_at_deloitte.com)
Date: 07/22/05

    Date: Thu, 21 Jul 2005 23:35:09 -0400
    To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
    
    

    And that's what the defense in depth concept is about. Like I said in
    another branch of this thread, if you exclusively control the server,
    the patches, the code, the firewall, its configuration and patches and
    all internetworking gear in between (both logically and physically as,
    if I had a nickel for every time troubleshooting an intrusion I found an
    unauthorized piece of hardware was plugged into the mix for the sake of
    the desires of the business, I'd be a rich man) then the value-add of
    that additional layer of 'skin' becomes negligible. But as Thor said,
    in the real world, that's rarely the case and if you're the person
    management is going to bring onto the carpet to explain how this
    happened I can't help but think that a tool used that couldn't prevent
    the incident is going to be much less scrutinized than a tool not used
    that _might_ have made a difference.

    To suggest an answer to the original poster of this thread (that seems
    to have developed a life of its own) you need to consider all the pros
    and cons of AV on any type of device as it relates to _your_ environment
    before deciding whether or not to use it. YMMV seems like a gross
    understatement here. :)

    Personally, I'd like to thank all the folks who've contributed to this
    discussion (who, I can tell, represent a staggering amount of aggregate
    time in the trenches) for teaching me quite a lot.

    Be careful out there (and I swear, that's my last word on this topic),
    :)

    Scott

    -----Original Message-----
    From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    [mailto:sbradcpa@pacbell.net]
    Sent: Thursday, July 21, 2005 6:42 PM
    To: Wozny, Scott (US - New York)
    Cc: Harlan Carvey; focus-ms@securityfocus.com; jeff@shawgo.com
    Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
    them?

    Do I want A/V as another onion layer skin? You betcha.

    Will I have a heart attack if I see the telltale sign of Trend's red
    'you have a virus' on a server or workstation? Oh you bet. Why?
    Because the goal is that the bad stuff never makes it in that far. If I
    see anything other than an Eicar test virus up there it means my onion
    layers are broken and I need to trace back what happened and beef up my
    defenses.

    The goal is that a/v never kicks in because the bad stuff is all out
    there.

    What's the saying ..... "know thy systems"?

    Wozny, Scott (US - New York) wrote:

    >You're absolutely right. It's part risk analysis, part cost/benefit
    >analysis. You either choose to accept the risk of pushing out defs
    >blind because it costs too much in manpower and lost time OR you vet the
    >sigs and accept the cost of doing so in manpower and that you'll be
    >exposed for longer but reduce the chance of a repeat of that fateful
    >Friday, as rare an occurrence as it is, OR you do something in between
    >that fits for you.
    >
    >However, _all_ the blame is not on the vendor (though it was a massive
    >screw-up on their part). There's nothing in that software suite that
    >_requires_ all defs be pushed immediately, and it used to be that no-one
    >did. Most of us have just gotten too comfortable with def updates
    >because problems with sigs so rarely happen. If "other vendors"
    >patches didn't have so many unforeseen side effects, more people would
    >push them without testing as well because we're all over worked and we
    >make those cost / benefit decisions every day.
    >
    >The concern I had which I wanted to address was with a perceived
    >implication that it's best to leave AV off IIS boxes (the question this
    >thread is addressing) because it regularly contains new, possibly
    >untested code and IMHO that, by itself, does not present a sufficient
    >risk to offset the numerous other benefits AV provides (no matter how
    >_sure_ you're your IIS server is locked down). The event in question had, at
    >best, a tenuous cause / effect relationship with mitigating factors
    >which could have prevented it that organizations _chose_ to ignore. It
    >doesn't matter that everybody does it. Everybody got busted. So we
    >dust ourselves off and figure out the best way to deal with it. In some
    >situations, that's to make a conscious choice that enough controls are
    >in place that AV adds more hassle than it's worth and in _some_
    >situations that's to look at the servers that are administered by
    >professionals and put an additional line of defense on them in case
    >these administrators turn out to be human and make a mistake that AV
    >might be able to catch. If the term "defense in depth" is unappealing
    >and too fuzzily defined for you, think of it as "infosec redundancy".
    >:)
    >
    >Scott
    >
    >-----Original Message-----
    >From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    >[mailto:sbradcpa@pacbell.net]
    >Sent: Wednesday, July 20, 2005 7:57 PM
    >To: Wozny, Scott (US - New York)
    >Cc: Harlan Carvey; focus-ms@securityfocus.com; jeff@shawgo.com
    >Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
    >them?
    >
    >
    >Can you honestly say that you vet every dat file that comes your way in
    >the same manner that you do security patch testing on all of your
    >systems? Show of virtual hands on this list... how many honestly have
    >the resources to put the same testbed energy into a/v sig updates as
    >they do patch deployment? Test it on lab settings/virtual
    >system/canaries in the office and then roll it out... for all your sized
    >operations? There are some firms that indeed do this. There are many,
    >however, that do not. I personally don't have the resources [nor the
    >a/v deployment set in such a way] that I can do this. Nor do I feel
    >that the few issues that I have had with allowing a/v to immediately
    >deploy versus the issues I might have if I don't automate the process
    >mean that I'm changing my methods.
    >
    >But...obviously neither did several railroads in Japan, a few Japanese
    >newspapers and other folks that were also affected and obviously didn't
    >vet the a/v sigs either.
    >
    >As often as they are updating these days, the risk of not pushing them
    >out as they come in has to be weighed with the potential for issues when
    >not testing them. I'm sorry but this was an A/V dat sig update that
    >affected the XP sp2 the hardest of all. Trend admitted they screwed up.
    >
    >As fast as that nailed and flatlined my entire network... there's no way
    >that should have left Trend's doorstep and been pushed to boxes. It was
    >an immediate CPU freeze up that had me booting into safe mode to get my
    >machines back in working mode.
    >
    >Even Microsoft has expanded their patch testing process to include
    >external more real life testers. Sorry, but I do not accept that this
    >dat file freeze up was in any way an acceptable screw up ...and
    >obviously and unfortunately neither does Wall Street and analysts
    >...etc....
    >
    >All I'm saying is we've [I've?] grown complacent and many of us forget
    >that potentially every hour on the hour new untested code is on our
    >boxes. Add that to your risk factors and decide accordingly.
    >
    >Show me an a/v software and this year few of them haven't had their own
    >security issues as well.
    >
    >It's called a bit of risk analysis... what's the benefit....what's the
    >risk. And no matter what size of firm you are... we all play the game,
    >we just come to different conclusions. Ergo this thread which asked...
    >what's the risk of webservers having a/v on them?
    >
    >I think the answer is.. it depends. There may not be a best practice
    >and instead each one of us needs to perform our own risk analysis and
    >decide accordingly [I really don't like 'best practices' as a concept
    >anyway - what's best for me... won't be best for the guy down the
    >street]
    >
    >Nah... Dos 5, Wordstar and Lotus 123. Now those were killer apps... I
    >still have a Compaq Portable luggable in our museum that boots if you
    >want to try it. In the meantime, excuse me while I go update my
    >Firefox..again and ensure my Greasemonkey is on whatever version that
    >isn't vulnerable.
    >
    >Wozny, Scott (US - New York) wrote:
    >
    >>Are you actually condemning AV because administrators blindly trusted
    >>the AV sig updates they received and pushed them to live systems without
    >>testing them at all? Who, precisely, wasn't doing their due diligence?
    >>
    >>Computing is complicated. If one isn't implementing and following
    >>procedures to protect oneself from screw-ups in other organizations one
    >>depends upon, then we all really ought to roll back to DOS 6.22 and stay
    >>there.
    >>
    >>If I misunderstood your implication, please correct me. Otherwise, I
    >>intend to keep AV in my bag of tricks.
    >>
    >>Scott
    >>
    >>-----Original Message-----
    >>From: focus-ms-return-8320-swozny=deloitte.com@securityfocus.com
    >>[mailto:focus-ms-return-8320-swozny=deloitte.com@securityfocus.com] On
    >>Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    >>Sent: Wednesday, July 20, 2005 3:32 AM
    >>To: Harlan Carvey
    >>Cc: focus-ms@securityfocus.com; jeff@shawgo.com
    >>Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
    >>them?
    >>
    >>
    >>Not to mention ..if you were anywhere near a live system at 3:45 p.m
    >>Pacific time on a certain Friday when someone didn't do their due
    >>diligence and flatlined every single one of my workstations and even
    >>nailed my server....it might make you look at antivirus in a new
    >>light....
    >>
    >>A/V is just introduction of new... possibly untested code on a machine
    >>.... possibly every hour on the hour....
    >>
    >>http://silverstr.ufies.org/blog/archives/000844.html
    >>
    >>Harlan Carvey wrote:
    >>
    >>>So far, this is has been an interesting discussion,
    >>>but beneath it all, I'm seeing what I think is a
    >>>disturbing trend.
    >>>
    >>>>Antivirus needs to be part of the overall security
    >>>>plan for all Windows machines - it's just part of
    >>>>the cost of doing business - the cost of the
    >>>>software, maintenance, and CPU overhead.
    >>>>
    >>>I'm seeing absolutist statements like the one above,
    >>>and it bothers me.
    >>>
    >>>If a web server is just a web server, the content is
    >>>served to the client, going outbound...not coming into
    >>>the server. If the purpose of the system is to take
    >>>known-good pages (from the owner) and make them
    >>>available to the public (over ports 80 and 443), then
    >>>what is the point of A/V software?
    >>>
    >>>I'm seeing a lot of people say that A/V software is
    >>>necessary, and that it's part of a 'holistic' or
    >>>'defense in depth' approach, but this really sounds
    >>>more like Dilbert's "buzz word bingo" than anything
    >>>else.
    >>>
    >>>>Certainly, servers need to be patched, firewalled,
    >>>>isolated, and locked down. Additionally, code
    >>>>should be audited for vulnerability to XSS and SQL
    >>>>injection.
    >>>>
    >>>Yes, without a doubt. This is all part of good
    >>>administration.
    >>>
    >>>>None of these things are perfect. Not that AV is
    >>>>perfect, but it is another layer of defense - making
    >>>>it part of that "Defense in Depth" strategy.
    >>>>
    >>>But, defense against what?
    >>>
    >>>>AV has grown into more than just defense against
    >>>>viruses. It is often effective against worm code,
    >>>>and some AV has identified common hacking tools
    >>>>(e.g. - NetCat) as something that doesn't belong on
    >>>>most systems. You can argue the viability of this
    >>>>move, but most companies - if they have a security
    >>>>team - have less than 0.1% of their machines which
    >>>>maybe should have it there.
    >>>>
    >>>"something that doesn't belong on most systems"? How
    >>>does it get there? If a web server is properly
    >>>configured and managed, then perhaps the most likely
    >>>means of infection is from the administrator
    >>>himself...and in such cases, A/V software is useless.
    >>>
    >>>>AV needs to be part of the cost of running Windows -
    >>>>for better or for worse.
    >>>>
    >>>Again, I'm seeing this as an approach that's being
    >>>parroted, rather than thought out. I'm not saying
    >>>that MS products are perfect...not at all. But what I
    >>>am saying is that using proper administration
    >>>principles, those that have been espoused for well
    >>>beyond the past decade, paying additional money to add
    >>>yet another software package to a web server simply
    >>>doesn't make good business sense.
    >>>
    >>>Why pay more money for another application to
    >>>maintain, and another set of logs that you're not
    >>>reviewing anyway?
    >>>
    >>>Several years ago, Dave LeBlanc set up an IIS 4.0
    >>>server in accordance with simple common sense, and it
    >>>was not vulnerable to Code Red...a full year before
    >>>Code Red was launched.
    >>>
    >>>When Code Red was launched, A/V software would not
    >>>have helped. However, if the .hta script mapping had
    >>>been disabled the day before Code Red came out, then
    >>>guess what? No problems.
    >>>
    >>>Should systems have A/V software in place?
    >>>Maybe...depending upon the function and purpose of the
    >>>system. Does it make sense? Does it make good
    >>>business sense? What's the business
    >>>reason/justification for installing another software
    >>>package (for $$) over disabling current functionality
    >>>(which doesn't cost anything)?
    >>>
    >>>Harlan
    >>>
    >>>------------------------------------------
    >>>Harlan Carvey, CISSP
    >>>"Windows Forensics and Incident Recovery"
    >>>http://www.windows-ir.com
    >>>http://windowsir.blogspot.com
    >>>------------------------------------------

    -- 
    Letting your vendors set your risk analysis these days?  
    http://www.threatcode.com
