Re: about viruswall?

From: Sebastian Schneider (ses_at_straightliners.de)
Date: 09/10/03

  • Next message: Sebastian Schneider: "Re: firewall on the same segment"
    To: "Gabriel Orozco" <gabriel_orozco@mx.sumida.com>, "chort" <chort@amaunetsgothique.com>, <security-basics@securityfocus.com>
    Date: Wed, 10 Sep 2003 19:51:26 +0200
    
    


    Just forgot one big point. In some countries it is required to have the
    permission of the users to drop e-mails at all, since you are not the
    intended recipient and therefore do not have the right to block these very
    mails.

    Sebastian

    On Wednesday 10 September 2003 03:35, Sebastian Schneider wrote:
    > Hey Gabriel,
    >
    > depending on your budget as well as system setup the solution will be quite
    > different.
    >
    > At first, the behavior of a so-called viruswall is similar to a firewall.
    > If your front-end smtp server is based on linux running sendmail, exim or
    > postfix it's quite easy to plug in an AV software scanning mail traffic and
    > blocking e-mails with infected attachments or malicious code.
    > There are some solutions available as commercial products. There might be some
    > being free. I set up Kaspersky Anti Virus for Mail Servers some time ago
    > and it works out just fine and really fast killing malware before that
    > e-mail is getting to anyone. Updates are available shortly after new virii
    > have been analyzed (we were updating hourly).
    > In sendmail it's really kind of easy as just adding the AV software as a
    > new mailer and adding some rewriting rules.
    >
    > If your front-end mailer is Win based, it could become an issue as Brian
    > pointed out. Depending on the software implemented it can be less serious.
    >
    > Additionally, as you might already do, you should deploy AV software on a host
    > basis.
    >
    > Sebastian
    >
    > On Tuesday 02 September 2003 18:08, Gabriel Orozco wrote:
    > > Well, certainly I'm wrong when I think that all A-V solutions work like
    > > mine, in Linux+QMail+qmailscan, where the message simply will not
    > > traverse the SMTP if it is not first scanned....
    > >
    > > I was not aware that it can be a problem on an NT/2K platform.
    > >
    > > What can I say? At best, I would say to anybody that there are other
    > > solutions different from Microsoft, and simply more secure.
    > >
    > > Regards
    > > ----- Original Message -----
    > > From: "chort" <chort@amaunetsgothique.com>
    > > To: <security-basics@securityfocus.com>
    > > Sent: Friday, August 29, 2003 6:45 PM
    > > Subject: Re: about viruswall?
    > >
    > > > On Fri, 2003-08-29 at 09:28, Gabriel Orozco wrote:
    > > > > With an antivirus running in your SMTP server is more than enough.
    > > >
    > > > WHOA! This kind of attitude is simplistic at best, and extremely
    > > > careless.
    > > >
    > > > Anti-Virus for your enterprise mail system can be very flaky (due to
    > > > the complexity of interfacing with modern enterprise mail and groupware
    > > > systems). Sometimes there is a delay between when the message arrives
    > > > and when it gets scanned, and it may be opened in that interval (a race
    > > > condition). Sometimes the service fails (particularly on NT/2K) and
    > > > you may not realize that you're unprotected. Besides those grave
    > > > dangers, this is by default accepting that viruses will penetrate your
    > > > network and will for a fact be on your internal servers (even if they
    > > > do end up getting cleaned). Are you so sure you want to guarantee that
    > > > your Windows server will have viruses?
    > > >
    > > > Anti-Virus should be a multi-tiered defense. One layer at the e-mail
    > > > gateway, peeling away the dangerous stuff before it even makes it
    > > > inside your inner firewall. One layer on the mail/groupware server
    > > > (preferably a different vendor than the gateway A-V) to catch anything
    > > > that gets through, and to take care of things sent locally. The last
    > > > ditch should be on the desktop (possibly a third vendor) for a last
    > > > chance to catch anything that the other two missed, and as a FIRST
    > > > chance at smoking out infections that your users contract from websites
    > > > or outside e-mail accounts.
    > > >
    > > > Just having A-V on your mail server is most certainly NOT "more than
    > > > enough." Why let things into your network if you know you can stop
    > > > them in the DMZ and mitigate the risk? That's why the "virus wall"
    > > > concept was started years ago, and within the last couple of years it
    > > > has grown to include anti-spam, content policy enforcement, Internet
    > > > message encryption, etc and is now known as a secure e-mail gateway
    > > > (not to be confused with INsecure e-mail gateways, which is what
    > > > sendmail is).
    > > >
    > > > --
    > > > Brian Keefer
    > > >
    > > >

    --

    Sebastian Schneider
    straightLiners IT Consulting & Services
    Metzer Str. 12
    13595 Berlin
    Germany

    Fon: +49-30-3510-6168
    Fax: +49-30-3510-6169
    www.straightliners.de
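The gateway behaviour argued over in this thread (Gabriel's point that a message should not traverse the SMTP server unscanned, Brian's warnings about the delay between arrival and scanning and about a scanner service that fails without anyone noticing), as an added illustration that is not code from any poster: the scan runs at the end of the SMTP DATA phase, so nothing is queued before the verdict, and a scanner outage tempfails instead of silently passing mail. The scanner callable, the signature list and the sample messages are constructed assumptions, not a real AV product's interface.

```python
import email
from email import policy
from email.message import EmailMessage


class ScannerDown(Exception):
    """Raised when the scanning engine cannot be reached (constructed failure)."""


# Constructed byte pattern standing in for real AV signature definitions.
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE-1"]


def scan_bytes(data: bytes) -> bool:
    """Return True when the decoded part matches a known signature."""
    return any(sig in data for sig in SIGNATURES)


def broken_scanner(data: bytes) -> bool:
    """Stand-in for an AV service that has crashed or lost its socket."""
    raise ScannerDown("engine not responding")


def gateway_data_phase(raw_message: bytes, scanner, fail_closed=True):
    """SMTP reply (code, text) chosen at end of DATA, before anything is queued.

    250 accepts, 554 rejects, 451 asks the sender to retry. fail_closed=False
    reproduces the silent failure mode: a dead scanner passes unscanned mail.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    try:
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue
            # decode=True undoes base64/quoted-printable so the scanner sees raw bytes
            if scanner(part.get_payload(decode=True) or b""):
                return 554, "5.7.1 Message rejected: malicious content detected"
        return 250, "2.0.0 OK: queued"
    except ScannerDown:
        if fail_closed:
            return 451, "4.7.1 Content scanner unavailable, try again later"
        return 250, "2.0.0 OK: queued (UNSCANNED)"


def build_sample(attachment: bytes) -> bytes:
    """Constructed test message: a text body plus one binary attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    m.set_content("Please see the attached file.")
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename="report.bin")
    return m.as_bytes()


if __name__ == "__main__":
    print(gateway_data_phase(build_sample(SIGNATURES[0]), scan_bytes))
```

Running the module with `broken_scanner` instead of `scan_bytes` shows the difference between the fail-closed 451 and the fail-open 250 that leaves the internal servers to catch whatever got through.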


