Packet Level Virus Scanning Network Appliances?
Tiber asks: "I had the pleasure of locking down the servers for a large company against the Slapper/Sapphire worm over the weekend. It wasn't enjoyable, less so because I knew I'd have to face it again come Monday when all our users brought their business laptops in. Sure enough, Monday morning, all hell broke loose on our networks. It got me thinking: instead of 'dumb' routers, does someone make a network appliance that does worm scanning inside the packets and logs attacks? Perhaps someone has a project they know of that does this?"
Easy. Put packet filters in your switch. How often do SQL servers make outgoing connections to other SQL servers?
See my earlier post for why laptops might be running mssql.
.exe's and the like. Again, a packet level sniffer is only of limited use here, and it will be harder to deal with all possible ports, encodings and protocols. But you could still get reasonable results by, say, scanning anything on an inbound http response that is encoded in a format you recognize.
It's true that a wire level virus scanner would have to be 'encoding aware'. We would never want to assume that a packet sniffer would eliminate all possible infections on our network.
But let's think about what it *could* do.
Well, the most common infection vector is email attachments. Since there are only a couple of encodings, and your mail server likely only accepts on a couple of ports, you could scan at the packet level. Most likely a checker on the mail server itself would be better.
What's the 2nd most common infection vector? downloaded
What does that leave: well, probably the most important infection vector for us to deal with at the packet level: worms that use various exploits in daemons and protocols. And here, a packet level sniffer can be extremely effective. Things like Code Red, SQL Slammer, etc. are very easily recognized at the protocol level. Even better is for us to plug our box in upstream at our circuit providers so that we can save our pipes from being clogged with infection packets. And with some sort of administration functions, we could use them to block some forms of DoS as well.
What's the point: with security, don't trust a single fence: build several to overlap each other, and a packet level sniffer could be a valuable tool in this context.
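As an added illustration of the "easily recognized at the protocol level" point above (example code, not from any of the posters), here is a minimal signature check run over constructed packet records. It uses the well-known wire shape of the two worms named in the thread: Slammer is a single UDP datagram to port 1434 with a 376-byte payload whose first byte is 0x04, and Code Red is an HTTP GET for /default.ida followed by a long run of 'N' (or 'X') characters. The Packet record, the sample payloads (signature-shaped filler, not worm code) and the threshold of 200 characters are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed stand-in for a decoded packet: transport, dst port, payload."""
    proto: str        # "udp" or "tcp"
    dst_port: int
    payload: bytes


def detect_slammer(pkt: Packet) -> bool:
    # SQL Slammer: one UDP datagram to the SQL Server Resolution Service port
    # (1434), exactly 376 payload bytes, opcode byte 0x04 first.  Legitimate
    # resolution queries also start with 0x04 but are only a few bytes long,
    # so the length check is what keeps false positives down.
    return (pkt.proto == "udp" and pkt.dst_port == 1434
            and len(pkt.payload) == 376 and pkt.payload[:1] == b"\x04")


CODE_RED_PREFIX = b"GET /default.ida?"


def detect_code_red(pkt: Packet) -> bool:
    # Code Red: HTTP GET for /default.ida whose query string is a long run of a
    # single filler character ('N' in Code Red I, 'X' in the later variant).
    if pkt.proto != "tcp" or pkt.dst_port != 80:
        return False
    if not pkt.payload.startswith(CODE_RED_PREFIX):
        return False
    run = pkt.payload[len(CODE_RED_PREFIX):][:200]   # 200-byte run threshold (assumed)
    return len(run) == 200 and len(set(run)) == 1 and run[:1] in (b"N", b"X")


SIGNATURES = [("SQL Slammer", detect_slammer), ("Code Red", detect_code_red)]


def scan(packets):
    """Return (index, signature name) for every packet matching a signature."""
    hits = []
    for i, pkt in enumerate(packets):
        for name, check in SIGNATURES:
            if check(pkt):
                hits.append((i, name))
    return hits


# Constructed samples: filler bytes in the worms' shape, plus two benign packets.
SAMPLES = [
    Packet("udp", 1434, b"\x04" + b"A" * 375),                                # Slammer-shaped
    Packet("tcp", 80, CODE_RED_PREFIX + b"N" * 224 + b" HTTP/1.0\r\n\r\n"),   # Code Red-shaped
    Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),                   # ordinary GET
    Packet("udp", 1434, b"\x04MSSQLSERVER"),                                  # normal resolution query
]

if __name__ == "__main__":
    print(scan(SAMPLES))   # [(0, 'SQL Slammer'), (1, 'Code Red')]
```

A real in-line box would decode IP/UDP/TCP headers first and rate-limit or drop matching flows; the two checks above are the part the poster calls "very easily recognized."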