Packet Level Virus Scanning Network Appliances?
Tiber asks: "I had the pleasure of locking down the servers for a large company against the Slapper/Sapphire worm over the weekend. It wasn't enjoyable, less so because I knew I'd have to face it again come Monday when all our users brought their business laptops in. Sure enough, Monday morning, all hell broke loose on our networks. It got me thinking: instead of 'dumb' routers, does someone make a network appliance that does worm scanning inside the packets and logs attacks? Perhaps someone has a project they know of that does this?"
So do you delete ALL Word attachments or scan them all for known viruses? Or do you attempt some sort of AI that figures out virus/worm from non-virus/worm?
In the case of using AI, I just don't think it is quite there yet. Yes, it may be possible, but not cheap enough for the general public. I wish!
In the case of deleting all attachments, you could set up a quarantine place for them. I think Norton Utilities has a virus scanner that does this for email. My dad once mentioned something about this. He loves it. I no longer get MS virus email from him ;-). Of course I run Linux at home, so even when I did get them they did not work, because the binaries just would not run under Linux without Wine and me manually running them, and even then I don't think they could have done anything without enough permissions.
Depending on how many servers you have, one thing would be to set up some of the servers as read-only. Not sure if you can do that with Windows. I.e., create an account for the mail system and give it access to only certain things on the system, and then lock down the rest of the system. Using permissions, restrict the mail from screwing up the rest of the server. I don't know enough about Windows to know if this can be done. I know you can restrict accounts from accessing data, but can you restrict the email admin account? Can Windows run entirely off a CD-ROM? Can Windows run in a memory filesystem? Maybe embedded Windows can do this, and you may be able to make an embedded Windows mail server. Or search the internet for embedded devices and Windows servers or something.
In Unix I know I can run my whole filesystem off a CD-ROM (I am doing this with my FreeBSD home-based router). Worst-case scenario, I have to reboot the router. There are a few problems in my current approach (swap errors in FreeBSD), but it works. Turn it on and it boots up in less than 2 minutes. To shut down, just hit the power button; no shutdown required.
My suggestion is to look for embedded devices and make an embedded mail server of your own. You may try using http://www.intrinsyc.com/products/cerfcube/ to create an embedded Windows mail server. The OS should hopefully be protected in flash ROM, but since I have not tried it I cannot say. It may be possible to use this and create a device that you just have to reboot to fix the problem.
Best thing to do NOW, if you have not already, is to install antivirus utilities like the Norton and McAfee stuff on your laptops and servers and use them if they are Windows machines, which I suspect they are. KEEP THEM UP TO DATE. Our sysadmins send out emails at LEAST once a week with new virus updates.
Lastly, educate the people in the company with weekly emails on the latest virus. If they are aware that they could get a virus that could f*** up their project and screw their deadline, they may be more cautious about their email. Not everyone will, but it may be just enough people that it would make your life a little easier.
Only 'flamers' flame!
First, why do notebooks have SQL server running? Why weren't the "real" servers patched and protected in the first place?
OK, off my rant. They do make appliances that detect and log attacks. They are called intrusion detection systems. That's the whole idea of network IDS. Cisco makes them... You can make one on any Linux box with Snort. ISS makes software that runs on NT/2K... The list goes on.
A virus-scanning appliance is harder. What if the virus is in a zip file or other archive? Lots of problems with that. It's best just to get good AV out on the network with central management to make SURE they are updated and functioning.
For anyone wanting good Exchange Server AV I can't recommend Antigen by Sybari enough. It makes everything else look really bad. For the desktops/servers we've used Norton w/ their central manager and it is performing great. Much better than any of the McAfee installations I've ever seen.
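The "what if it's in a zip file" problem from the post above, as an added example that is not part of the thread or of any product mentioned in it: a toy attachment scanner that matches signatures inside nested archives and caps recursion depth and inflated size so the scanner itself cannot be taken down by a zip bomb. The signature string, the limits and the sample archives are all constructed for the example.

```python
"""Toy gateway attachment scanner: matches signatures inside (nested) zip
archives with hard limits on nesting depth and inflated size."""
import io
import zipfile

# Constructed marker standing in for a real signature database (assumption).
SIGNATURES = {b"CONSTRUCTED-WORM-MARKER": "Constructed.TestWorm"}
MAX_DEPTH = 3                  # archives nested deeper than this are blocked unread
MAX_INFLATED = 10 * 1024 * 1024  # total inflated bytes we are willing to look at


def scan_bytes(data: bytes, name: str = "attachment", depth: int = 0) -> list:
    """Return a list of (path, finding) pairs: signature hits plus policy hits
    (too deep, too large, encrypted) that a gateway should treat as blocking."""
    findings = [(name, label) for sig, label in SIGNATURES.items() if sig in data]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        # Do not even open it: unbounded recursion is the classic way to hang a scanner.
        return findings + [(name, "archive nesting exceeds limit; blocked")]
    inflated = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            try:
                # Read at most the remaining budget plus one byte; the declared
                # file_size in the header is attacker-controlled and not trusted.
                with zf.open(info) as fh:
                    member = fh.read(MAX_INFLATED - inflated + 1)
            except RuntimeError:  # zipfile raises this for encrypted members
                findings.append((path, "encrypted member; cannot scan"))
                continue
            inflated += len(member)
            if inflated > MAX_INFLATED:
                findings.append((path, "inflated size exceeds limit; blocked"))
                break
            findings.extend(scan_bytes(member, path, depth + 1))
    return findings


def verdict(findings: list) -> str:
    """Gateway decision: anything found means quarantine, not delivery."""
    return "QUARANTINE" if findings else "DELIVER"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {filename: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, content in entries.items():
            zf.writestr(filename, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware, not real captures).
CLEAN_DOC = b"Quarterly numbers, nothing to see here."
INNER_ZIP = make_zip({"report.doc": CLEAN_DOC,
                      "invoice.exe": b"MZ" + b"CONSTRUCTED-WORM-MARKER"})
OUTER_ZIP = make_zip({"inner.zip": INNER_ZIP})          # marker two levels down
CLEAN_ZIP = make_zip({"report.doc": CLEAN_DOC})
DEEP_ZIP = b"CONSTRUCTED-WORM-MARKER"
for level in range(4):                                   # four nested archives
    DEEP_ZIP = make_zip({f"level{level}.zip": DEEP_ZIP})

if __name__ == "__main__":
    for label, blob in [("outer", OUTER_ZIP), ("clean", CLEAN_ZIP), ("deep", DEEP_ZIP)]:
        found = scan_bytes(blob)
        print(label, verdict(found), found)
```

The depth and size limits are the part that matters: a scanner that recurses into whatever it is handed is itself a denial-of-service target, so anything it refuses to open is treated as a block, not as clean.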
Sales guys may use an SFA solution that uses the MS data engine (i.e., "diet" MSSQL) installed locally on their laptop for persistence. Sales guys also may hit the hibernate button instead of a full power-down and power-up.
Therefore, it is possible that a business user plugging in his laptop could release Slammer.
When thinking about security, do not think "ohh, that can't happen, that's so unlikely". Think "what could make that possible, no matter how remote" and then "how can I eliminate that risk".
Easy. Put packet filters in your switch. How often do SQL servers make outgoing connections to other SQL servers?
I want to delete my account but Slashdot doesn't allow it.
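The two ideas raised above, a network IDS that inspects payloads and logs (the Snort comment) and a packet filter that refuses SQL Server ports to anyone who is not a known SQL host (the switch-filter comment), as an added example that is not from the thread or from any product in it. It parses raw IPv4/UDP/TCP, applies the port policy, and matches a loose Slammer-like payload signature based on the public write-ups (one UDP datagram to 1434, 376 bytes, first byte 0x04 followed by 0x01 filler, DLL names in the shellcode). The authorized host list, the test traffic and the exact signature thresholds are assumptions for the example, not a real rule set or capture.

```python
"""Toy inline inspector for the Slammer era: parse raw IPv4 packets, enforce a
port filter on SQL Server ports, match a loose worm signature, log every drop."""
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: hosts that legitimately talk to SQL Server (UDP/1434 resolution
# service, TCP/1433). Made-up addresses for the example.
AUTHORIZED_SQL_CLIENTS = {ipaddress.ip_address("10.0.0.10"),
                          ipaddress.ip_address("10.0.0.11")}
ALERT_LOG = []  # on a real appliance this would be syslog


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int          # 17 = UDP, 6 = TCP
    sport: int
    dport: int
    payload: bytes


def parse_ipv4(frame: bytes) -> Optional[Packet]:
    """Parse a raw IPv4 packet (no Ethernet header); None if malformed.
    Every length field is bounds-checked before use; checksums are not verified."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(frame):
        return None
    proto = frame[9]
    src = ipaddress.ip_address(frame[12:16])
    dst = ipaddress.ip_address(frame[16:20])
    body = frame[ihl:total_len]
    if proto == 17:
        if len(body) < 8:
            return None
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        if ulen < 8 or ulen > len(body):
            return None
        return Packet(src, dst, proto, sport, dport, body[8:ulen])
    if proto == 6:
        if len(body) < 20:
            return None
        sport, dport = struct.unpack("!HH", body[:4])
        doff = (body[12] >> 4) * 4
        if doff < 20 or doff > len(body):
            return None
        return Packet(src, dst, proto, sport, dport, body[doff:])
    return Packet(src, dst, proto, 0, 0, body)


def looks_like_slammer(pkt: Packet) -> bool:
    """Loose signature (assumed thresholds): UDP to 1434, 376-byte payload,
    0x04 then a run of 0x01 filler, and a DLL name from the shellcode."""
    p = pkt.payload
    return (pkt.proto == 17 and pkt.dport == 1434 and len(p) == 376
            and p[0] == 0x04 and p[1:17] == b"\x01" * 16
            and any(s in p for s in (b"sqlsort", b"kernel32", b"ws2_32")))


def inspect(frame: bytes) -> tuple:
    """Return (verdict, reason) for one raw packet; every DROP is logged."""
    pkt = parse_ipv4(frame)
    if pkt is None:
        reason = "malformed packet"
    elif looks_like_slammer(pkt):
        reason = f"slammer-like UDP/1434 payload {pkt.src} -> {pkt.dst}"
    elif pkt.proto == 17 and pkt.dport == 1434 and pkt.src not in AUTHORIZED_SQL_CLIENTS:
        reason = f"unauthorized UDP/1434 {pkt.src} -> {pkt.dst}"
    elif pkt.proto == 6 and pkt.dport == 1433 and pkt.src not in AUTHORIZED_SQL_CLIENTS:
        reason = f"unauthorized TCP/1433 {pkt.src} -> {pkt.dst}"
    else:
        return ("PASS", "")
    ALERT_LOG.append(reason)
    return ("DROP", reason)


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP packet for testing (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


# Constructed test traffic (not real captures).
SLAMMER_LIKE = b"\x04" + b"\x01" * 96 + b"sqlsort.dll\x00"
SLAMMER_LIKE += b"\x90" * (376 - len(SLAMMER_LIKE))
WORM_FRAME = build_udp("192.168.7.55", "10.0.0.20", 1434, 1434, SLAMMER_LIKE)
ADMIN_FRAME = build_udp("10.0.0.10", "10.0.0.20", 50000, 1434, b"\x02")
LAPTOP_FRAME = build_udp("192.168.7.55", "10.0.0.20", 50000, 1434, b"\x02")
DNS_FRAME = build_udp("192.168.7.55", "10.0.0.53", 50000, 53, b"\x00" * 12)

if __name__ == "__main__":
    for name, frame in [("worm", WORM_FRAME), ("admin", ADMIN_FRAME),
                        ("laptop", LAPTOP_FRAME), ("dns", DNS_FRAME)]:
        print(name, *inspect(frame))
```

Note that the port policy catches the laptop's probe even though it carries no worm payload, which is the point of the switch-filter suggestion: the signature is a bonus for the log, the filter is what stops the spread.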
--
For packet level filtering, there's one box I've found and like quite a bit. eAladdin makes eSafe Gateway, which can act as a bridge or router tossed in front of your network (directly after the firewall). It scans all http, ftp, and smtp traffic...but they had a fix out to also look for slammer a few hours into the mess.
While it's not true packet level, it's pretty fast and gives you a bit more protection and configurability than I think a raw router might be able to. Granted, this won't help much if you've got internal laptops or something bringing the bug in with them... though it would prevent you from attacking others with it.
Not a sales pitch, just a satisfied customer...
www.esafe.com
-----------------
-Barkeep, a draft of your most hazardous brew, for the world is slowly stepping into focus, and I don't like what I see.