Slashdot Mirror


Packet Level Virus Scanning Network Appliances?

Tiber asks: "I had the pleasure of locking down the servers for a large company against the Slapper/Sapphire worm over the weekend. It wasn't enjoyable, less so because I knew I'd have to face it again come Monday when all our users brought their business laptops in. Sure enough, Monday morning, all hell broke loose on our networks. It got me thinking: instead of 'dumb' routers, does someone make a network appliance that does worm scanning inside the packets and logs attacks? Perhaps someone has a project they know of that does this?"

4 of 23 comments

  1. IDS by NetJunkie · Score: 2, Informative

    First, why do notebooks have SQL server running? Why weren't the "real" servers patched and protected in the first place?

    OK, off my rant. They do make appliances that detect and log attacks. They are called Intrusion Detection Systems. That's the whole idea of network IDS. Cisco makes them... You can make one on any Linux box with Snort. ISS makes software that runs on NT/2K.... The list goes on.

    A virus scanning appliance is harder. What if the virus is in a zip file or other archive? Lots of problems with that. It's best just to get good AV out on the network with central management to make SURE they are updated and functioning.

    For anyone wanting good Exchange Server AV I can't recommend Antigen by Sybari enough. It makes everything else look really bad. For the desktops/servers we've used Norton w/ their central manager and it is performing great. Much better than any of the McAfee installations I've ever seen.

  2. Re:slammer coming in from laptops? by jason_watkins · Score: 4, Informative

    Sales guys may use a SFA solution that uses the MS data engine (i.e., "diet" MSSQL) installed locally on their laptop for persistence. Sales guys also may hit the hibernate button instead of a full powerdown and powerup.

    Therefore, it is possible that a business user plugging in his laptop could release Slammer.

    When thinking about security, do not think "ohh, that can't happen, that's so unlikely". Think "what could make that possible, no matter how remote" and then "how can I eliminate that risk".

  3. Hogwash by cowbutt · Score: 2, Informative

    Sounds like you want Hogwash - it's based on the Snort Network IDS, but instead of just reporting suspicious traffic, it drops it. Note that this differs from just coupling a NIDS with a firewall, as most of those solutions are susceptible to DoS attacks by spoofing attacks from the upstream router, or key DNS servers (they usually block *all* traffic from "attacking" hosts, not just the offending packets).

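The three designs discussed in comments 1 and 3 (a passive NIDS that only alerts, a Hogwash-style inline filter that drops the matching packet, and a NIDS coupled to a firewall that blocks the whole source host) behave very differently on the same traffic. The simulation below is an added example and is not code from Snort, Hogwash or any of the posters; the packet model, the simplified "UDP to port 1434, payload starts with 0x04" signature, the addresses and the dummy payload are all constructed assumptions. It shows the caveat cowbutt raises: a single datagram with a forged source address turns the host-blocking design into a way to cut the site off from its own DNS server, while the per-packet dropper discards only the bad datagram.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    """A minimal packet model: only the fields the signature looks at."""
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """A content signature in the spirit of a Snort rule, heavily simplified."""
    name: str
    proto: str
    dport: int
    min_len: int
    prefix: bytes

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.dport == self.dport
                and len(pkt.payload) >= self.min_len
                and pkt.payload.startswith(self.prefix))


# Assumed, illustrative signature: one UDP datagram to the SQL Server resolution
# port 1434 whose payload begins with 0x04. A real rule carries more content
# checks; this one exists only to drive the simulation.
SIGS = [Signature("MS-SQL worm propagation (illustrative)", "udp", 1434, 100, b"\x04")]


class PassiveIDS:
    """Network IDS as in comment 1: alert and log, never stop the packet."""
    def __init__(self, sigs: List[Signature]) -> None:
        self.sigs = sigs
        self.alerts: List[Tuple[str, str, str]] = []

    def process(self, pkt: Packet) -> bool:
        for sig in self.sigs:
            if sig.matches(pkt):
                self.alerts.append((sig.name, pkt.src, pkt.dst))
        return True                      # always forwarded


class InlineDropper:
    """Hogwash-style inline filter: drop only the packets that match."""
    def __init__(self, sigs: List[Signature]) -> None:
        self.sigs = sigs
        self.dropped: List[Tuple[str, str, str]] = []

    def process(self, pkt: Packet) -> bool:
        for sig in self.sigs:
            if sig.matches(pkt):
                self.dropped.append((sig.name, pkt.src, pkt.dst))
                return False             # this datagram only
        return True


class ReactiveHostBlocker:
    """NIDS coupled to a firewall: on a match, block the source host from then on."""
    def __init__(self, sigs: List[Signature]) -> None:
        self.sigs = sigs
        self.blocked: set = set()

    def process(self, pkt: Packet) -> bool:
        if pkt.src in self.blocked:
            return False                 # everything from that host, good or bad
        for sig in self.sigs:
            if sig.matches(pkt):
                self.blocked.add(pkt.src)
                return False
        return True


def forwarded(engine, packets: List[Packet]) -> List[bool]:
    """Run every packet through the engine; True means it was let through."""
    return [engine.process(p) for p in packets]


# Constructed sample traffic (not a real capture). The "worm-like" payload is a
# dummy byte pattern that merely satisfies the illustrative signature above.
WORMLIKE = b"\x04" + b"\x01" * 200
DNS_SERVER = "192.0.2.53"                # the site's upstream DNS server (assumed)
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.7", "udp", 1434, WORMLIKE),        # infected laptop
    Packet("10.0.0.9", DNS_SERVER, "udp", 53, b"dns query"),       # legitimate query
    Packet(DNS_SERVER, "10.0.0.7", "udp", 1434, WORMLIKE),        # forged source address
    Packet(DNS_SERVER, "10.0.0.9", "udp", 40001, b"dns reply"),    # legitimate reply
]

if __name__ == "__main__":
    for engine in (PassiveIDS(SIGS), InlineDropper(SIGS), ReactiveHostBlocker(SIGS)):
        print(type(engine).__name__, forwarded(engine, TRAFFIC))
```

The fourth packet is the one to watch: the passive IDS forwards it (and everything else), the inline dropper forwards it because only the two matching datagrams were discarded, and the host blocker drops it because the forged third packet put the DNS server on its block list. A production filter would, in addition, need a reassembly stage for TCP streams and archives, which is the gap comment 1 points out for "virus scanning" boxes.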

  4. eSafe Gateway by TexTex · Score: 2, Informative

    For packet level filtering, there's one box I've found and like quite a bit. eAladdin makes eSafe Gateway, which can act as a bridge or router tossed in front of your network (directly after the firewall). It scans all http, ftp, and smtp traffic...but they had a fix out to also look for slammer a few hours into the mess.

    While it's not true packet level, it's pretty fast and gives you a bit more protection and configurability than I think a raw router might be able to do. Granted, this won't help much if you've got internal laptops or something bringing the bug with you...though it would prevent you from attacking others with it.

    Not a sales pitch, just a satisfied customer...
    www.esafe.com

    --
    -Barkeep, a draft of your most hazardous brew, for the world is slowly stepping into focus, and I don't like what I see.