Cisco Working to Block Viruses at the Router
macmouse writes "The San Francisco Chronicle has an article about Cisco and Anti-Virus companies working together to block viruses at the ISP (Router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in an negative light however, it might mean that your required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/mac users which normally don't need or use AV software. Not to mention, being forced to purchase software from 'company x,y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."
...expect 3 second delays per packet with this new ill-conceived plan. Routers would now have to be stateful and learn to distinguish files (and compressed files) over TCP connections. This is doomed to fail either because of its slow speed or due to the number of false virus matches it will find.
Of course, the reason Linux and Mac users don't have to use AV software is because Windows presents a much larger and more inviting target. Maybe they deserve thanks?
There are only 6,863,795,529 types of people in the world.
how does the fact that the router uses a packet shaper require the end user to have AV software? at my university, they use a packet shaper, and clients on the on-campus network do not have to have such software installed. this sounds like a great idea, tho...
xao
http://TheHillforum.hopto.org
If it finds issues then it will drop you from the network or block that port / problem.
Rather than check if you have the latest version of Norton installed... but perhaps I read it wrong?
Does this mean that I can't talk about viruses using code-samples over the internet? I can't download and study exploits anymore? If there is any possibility to encode the virus-code to circumvent the filter, then the virus can possibly do the same...
so basically cisco is doing in routers today what microsoft should have done in the os 10 years ago. how many billions of dollars do viruses cost every year?
Will it check that every computer connected to an internal network, probably hidden behind an internal NATing router, has the appropriate protection installed?
This interface would become mandatory?
This sounds to me like a possible feature... not something that will change the world as we know it.
Blogzine.net
Fortress Of Insanity: Unix Dude
clifgriffin > blog
The router is the new favorite device for censorship. It's the last single-point-of-diversion before the network spreads out again, into the home or office department.
How long before libraries are forced to use scary, sealed products with cuddly names like RouterNanny or RightRoute or PopCop? Where librarians can't adjust or override those kill lists?
Damnit... first 3 comments are all trolls. Anyway, what will this mean as far as licensing issues? Right now you get a corp edition of virus software and that covers X amount of desktops. What about the guy that doesn't want the virus software, can it be disabled/purchased without? How would this work? Also, if I get a simple mail sending virus, how does my cisco KNOW that the email to my wife, and the viral email to my wife are different? I guess I don't need to worry about this, Cisco seems to be able to do it all.
Maybe it's just a cover up for carniv*res and other traffic - spy tools...
How to Destroy Angels II
If enough users install router-based virus blocking, then everyone will receive protection. This protection will be especially strong if routers at ISPs and in the backbone contain the filters. At the very least, a virus-hostile infrastructure will slow the spread of viruses - the doubling time for infected machines will be inversely proportional to the fraction of unfiltered virus messages.
Mac users and *nix users need not worry as long as enough routers are configured and maintained to filter viruses.
Two wrongs don't make a right, but three lefts do.
We sort of do this at Rutgers University. This summer was absolutely crazy for the network, due to all the worms and such. A new policy was instituted which requires users to visit a website which checks their operating system. If they're running Windows, they are *required* to download a scanner that checks for the relevant worms and installs Anti-Virus software. Users running alternative operating systems are completely exempt. It just says "There are currently no additional requirements for running Linux on the residential network." We've just begun shutting people off who fail to comply with the policy. I, for one, like it. However, the routers start to get overloaded if they have too many access control lists because they have trouble running them on the ASICs. So, they have to run in software mode, which starts to slow things down.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
The article doesn't say that client software is required at all... it says that after some checks the user may be prompted to download some software (presumably from an internal source) before it can connect to the internet.
However, if this original check is just done by some network security checking (i.e. looking to see if there is a vulnerable version of SSH or a misconfigured IIS etc.) then all that would need to be done would be to fix the potential exploit rather than install a piece of client software.
Potentially, this would just be like running nmap and other similar tools against the machine in question to test it out for net-worthiness.
It could also check for open mail relays, which could help in the Fight Against Spam (tm).
D.
This makes me wonder how hard it would be for ISPs to block DOS attacks at the router level. I've been studying my Cisco lately, and it does seem readily doable, especially if the source of a ping flood or the like is known.
End systems are not affected by routers dropping IP packets with harmful content. All that end systems see are IP packets. They may see less of them, if filtering is enabled on the router, but the packets have nothing special about them that would need AV software on the clients.
But, a router doesn't always have to drop packets. It could tag them with a special marker, and clients could then react accordingly, e.g. by dropping them in their TCP/IP stack.
This could be somewhat similar to what SpamAssassin does, when tagging spam mail with an X-Spam header. It's up to the mail user agent to decide what to do with mails tagged that way.
cpghost at Cordula's Web.
Hopefully, this is not going to happen.
WHAT?!?
I'll give someone a few bucks to help rid the entire planet of the crap that's out there. I don't know about you, but I'm sick and tired of ridding my clients (and friends, family, etc.) of all the bugs they get. If the ISPs can stop this crap at the routing level, man, I'm there. I'll happily pay the extra few bucks a month/year to make EVERYONE'S life easier.
Yes, I use Linux (Gentoo represent!), but what's your point? I got a great OS for 100% free (ok, ok, I bought the CD's for 1.4, but not the point), why would I not plunk down some cash to make not only *MY* "computing" experience prettier, but also all of those people that are fabled to exist on the other side of the window next to me?
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network or forced to download a security program.
Forced to download whose program? Hate to seem paranoid, but anyone else think you will be forced to download from Symantec, McAfee etc.? Guess we don't get a choice of AV programs anymore.
The opinions expressed here are not mine, but those of these dang voices in my head.
Maybe Cisco could work to block packets from insecure, unpatched Windows machines for currently known exploits? That would pretty much kill the cause of the problem at its root, although I'm sure it would introduce a whole bunch of other problems that I haven't thought of yet! (Here's just one problem - how would you get to windowsupdate.com if all your packets were being blocked?)
Organic free-range music... yum!
The name of the game is not to lock ISP customers out, the name of the game is to provide security for corporate LANs/WANs. Way too often, you have contractors connecting their infected laptops on corporate LANs/WANs and spreading viruses. A tool to block those unprotected computers before they can do anything is an old dream, maybe Cisco will fulfill it now.
Naturally, I wouldn't like to see it at ISP level, it would be against individual freedom.
... and got my CCNA in June. We have a saying... "Let routers route and servers serve." Anti-virus is clearly an IT problem, but it's also a server responsibility. Not a router responsibility. I can't imagine supporting this. Every once in a while, we get someone (customer, whomever) who says "Oh! This new virus works on port 7654! Please block port 7654!" ... then I say "What happens if I run my website on port 7654? You can't get to it?". Limiting the function of a routing device because it might carry malicious code on an application level is a bad idea. This isn't a solution to the problem, this is another band-aid.
FLR
Does this spell the end of free (as in beer) AV programs such as AVG from www.grisoft.cz or http://www.grisoft.com
Okay, first of all, this won't require anyone to install any client application anywhere. That's the point. The filters would steer away malware at the router, before it even reaches the user.
Secondly, this is a good idea, so long as it's implemented only at gateways to private networks. Signature based filtering is bound to block some legit traffic, and network admins need to keep that in mind when implementing this kind of functionality.
Third, Cisco routers already do this to some extent. You can block some malware using NBAR (network based application recognition) and ACLs. (It's a good thing. It helped me make Code Red go away on my network back in the day.) This feature is a logical next step.
And finally, does anyone actually read these things before they post them (michael)? Even if you overlooked the grammatical errors, the factual inconsistencies alone should have kept this thing from ever hitting the front page.
This is an interesting approach that may prove to be effective. The problem in the past in fighting viruses is that you have to have each individual computer updated. Most computers just were not updated regularly, despite the development of automatic systems. But by placing strategic routers across the internet and having them filter through these you could effectively fight viruses as effectively as any AV software could. I know my university scans all incoming e-mails and cleanses them; I think I have only once in my career here received an infected e-mail. You do get into some ethical dilemmas if you implement this on a global scale though. Is it OK for the backbone of the internet to filter content? It's one thing for an ISP to do this, but what if a country like China wants to deem certain traffic dangerous and have them cleansed by the routers as well. (maybe not the best example since they do have the great China firewall, but you get the picture)
This would just never work. I do not think people would be overjoyed at the prospect of needing "yet more security" to be purchased on top of their hardware and software. Why would running AV software be necessary if it gets stopped at the GW/ISP? Make it transparent to the user, in the end that is your customer, it should not be your job to make your customer jump through hoops in order to get the most out of their computer/internet connection, regardless of OS. Where would this leave the specialty operating systems? Screwed? Having to wait for Cisco to make AV software for their platform? There would be hell to pay from Universities/Businesses/Etc. The Internet is not something that one company should be able to control, it is not a quantifiable object like say, a diamond, a car, or a house. It is more of an abstract idea for how things interconnect. That would be like making a device for the brain, and if you didn't run the correct software, your feet would stop working correctly.
I hate sigs.
Luckily, there will be no such requirement to use proper spelling when submitting /. stories...
In Soviet Rush, today's Tom Sawyer gets high on you.
After reading the article, it seems like the router probes the source of 'suspect traffic' for known vulnerabilities, and if the source appears compromised, the router then quarantines/drops/whatevers the traffic until it can verify the source has been patched.
Not a well written article though. Quite short on technical details; my interpretation could be wrong too.
Cleetus
This sounds like a promising idea to me, if the implementation stays on the router itself. It sounds like the router will look for packet sessions identical to those used by worms/viruses, and move those clients to a null-routed subnet. If it works, then by all means go for it. As long as moving customers from a live routed to null routed interface is simple, then I fully support any ISP implementing it.
We use Trend on our mail servers which is WONDERFUL. McAfee updates would crash our mail servers occasionally, Trend never has. Also it seems to have far better identification and eradication compared to McAfee. Though this partnership seems odd. It seems that you could achieve similar results with an IDS hooked into the Cisco IDS IOS that is already out there. I think the biggest problem is junk not getting blocked at the core. I don't have this problem with my provider; they just wrote some rules that have really relieved Nachi congestion on my router. I know that some of the other providers REFUSE to do any traffic shaping for my other locations. I also do egress filtering to make sure I am not the source of the problem. Personally I think all the cable / DSL modems should BLOCK some of these ports, or at least slow the amount of traffic that is generated on these ports. Honestly, why in the world should a home user need to send ICMP traffic to more than a few addresses within seconds?
It's bad enough that I have to suffer with the net being slow due to MS's newest bug/worm/exploit that by right should have no effect on me as a *Nixite and now I have to deal with shunted traffic.
While it's great that some of the bigger companies are going to clean up the mess for them, they need to realize that by the nature of the internet this is not going to happen.
"In a conference call Tuesday, the chief executives of all four firms said virulent programs like Blaster and Slammer demanded a more coordinated defense, with security programs and hardware working together off a shared set of standards."
Great, another internet proprietary standard at the top level. Seems like Verisign started a trend of "How to drive business in a segment of intra-commerce". I don't want to be forced to download a program from someone whose business model I don't trust or depend on to do my business. More so in arenas where I never needed their products.
How about instead we just start using ssh/https the way it was meant to be used? How about those companies work on what they are good at and let me worry about the network part of it?
Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep
If the virus is blocked at the router, why would you need anti-virus software?
Still... it's the wrong solution to the problem. Client-side virus scanners and better operating systems are the best solution. Packet filtering can only go so far and may often have unintended side effects.
I just gotta wonder if this is going to look for any response on certain ports like 135-139, or if Cisco is specifically going to check for a proprietary response from the products of Network Asc, Symantec and Trend Micro?
What it ought to do is a TCP fingerprint and look for any Microsoft Windows operating system.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Virus is already plural.
-- ladies and gentlemen we are floating in space!
Looking at it in an negative light however, it might mean that your required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/mac users which normally don't need or use AV software.
Holy weasel words Batman. How you got that from the article to begin with totally escapes me. It says if you're scanned and found to be infected you may be required to download stuff. It doesn't say you're required to have anything installed to access the internet. Just chill out. This looks like a sane enough idea to me. Just look at the problem: A user with an infected computer connects to a LAN. Their computer then immediately begins infecting other computers on the LAN. The solution is exactly what Cisco is doing here. Check for infection first, then allow them on if they're clean. Where else are you going to do this but at the router?
Router-based virus filtering is unlikely to work if too much traffic is over VPNs or in encrypted e-mails. Viruses in encrypted transmissions would pass unfiltered through all the intermediate routers. Overlapping VPNs (such as when multiple companies interconnect in a supply chain) create a potentially unfiltered path for viruses to spread far and wide.
VPN and encryption users could protect themselves with other virus filters (or virus filtering on internal routers that handle plaintext). But, we all know about the low rate of patch adoption.
Ironic that one type of security measure, VPNs, makes another security measure, filtering routers, less effective.
Two wrongs don't make a right, but three lefts do.
...checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network...
Is it just me, or does this sound like the re-birth of the internet, where vulnerable OS-es are quarantined into a kind of proprietary subnet?
Lots of complaints, nobody looking on the bright side...cutting down the bandwidth used on your network, the internet and everywhere by silly viruses. I work for an ISP, this would be a Godsend in terms of saving on bandwidth both for us and for our customers.
If we stop the viri at the router before it gets out, then it doesn't waste precious cycles and bandwidth elsewhere. Just my .02
Any device trying to connect to the network will be checked to see whether it has security measures already in place.
Which security measures?
Isn't it the problem that the traffic containing the virus might be legitimate traffic? It won't help against hole n+1 in Outlook. You get an e-mail from your friend who is also using Windows XP extra secure. You receive it, the virus installs itself and starts sending copies of itself through the net. Nothing to halt it, because all traffic is coming from secure machines and networks.
Only when the new virus definition is uploaded to all machines will the virus be stopped. But a new virus needs only a few hours to infect the whole world.
It will only stop the exploit on known security holes.
Nyh
...sounds like moving graphics code to the kernel for speed. Yeah, it might work, but it's a bad idea for MANY reasons.
I'm sure an open source product will allow Mac/Nix users to access such networks (at no cost).
Would make computing much more secure.
It's still annoying for Mac/nix users to get thousands of annoying virus emails from their windows friends (if you can call them friends).
Every product normally starts out with 1 company producing it... if it's good, normally clones come about.
That is way veeery different. Stations will be ENFORCED to have installed this software in networks with this scheme. WTF???
I am not sure if this is the right move. Even if viruses take a big toll on our mental peace by wreaking havoc, I think that is a small price to pay for what might follow.
I don't think that the router should be doing anything else than routing the data. If today it scans the packets for viruses, tomorrow it will be looking at subversive or unwanted content. We don't want a censor on the internet.
Remember these words: Those who sacrifice liberty for safety deserve neither.
Wanted : A Signature.
It's entirely possible this article and the security program is directed at Windows users only. Neither Cisco nor the Anti-virus vendors are malicious enough (IMHO) to block Unix/Mac boxes because they don't need the anti-virus software the companies sell. The wild internet frontier of email-address-confirming porn and Gatorware is probably here to stay.
It's also possible they might figure out a way to block certain versions of programs, say WuFTPd, from having an unsecured link to the outside world. This could help prevent a university network being used as a DDOS tool because a student didn't upgrade his ftp server. Or a mail server which doesn't smart-relay through an authenticating server to stop student PCs spamming.
It's not always a virus that brings a network down. But when a university is forced to print 10,000 CDs with anti-virus and windows worm-removing tools to give to new students (who aren't allowed access to the university network if their box looks active on port 137) this might look like an alternative.
The evil that it does bring is in the form of anti-Free networking, where Linux boxes are used to form cheap routers and gateways, without a Cisco(R)-Symantec(R) licensed monitoring system, your access to the larger internet may be limited by your upstream provider, ala Verisign certs.
This system is probably for the intranet users to stop an OE/ IE virus bringing down their system before the poor tech guy patches the boxes.
Now M$ need not be in such a hurry to fix code. They should love this!
Perhaps CISCO should concentrate on fixing the HOLES in IOS as opposed to fixing the HOLES in MS products? Either way, if they enable said features, it will be the first thing I disable during installation. :)
Doesn't this fall in the same category as MS patching up their OS to avoid hacker exploits? Isn't somebody going to find a way to exploit this? It seems that computer viruses(sp?) are going to behave, in a lot of ways, like bacteria. If you throw a lot of anti-bacteria out there, they'll just evolve and overcome and become a stronger, nastier bacteria. Isn't some networking evil genius going to find a way to exploit this solution as well? Actually causing/stimulating the creation of an even nastier virus that is a lot harder to detect/destroy?
I only mod up parents of "mod parent up" posts...
The way I read it, their marketing department has just found out that LinkSys (now Cisco's subsidiary) has had this functionality for years now, where the cheapo firewall routers can be configured to not give access to the outside unless certain AV software is installed on the host. So it's marketed as a new innovation -- there's probably half a dozen patents filed for it already, plus a bunch of different names under which this can be marketed.
Problem is, it doesn't work except in very specific and small homogeneous installations.
Regards,
--
*Art
My school requires anti-virus software (Symantec) to be installed on every machine of the network or else your connection gets cut off. Has anyone here even USED the Mac OS X version? Apparently, all it does is throw up error messages on startup. "Live Update could not be found..." "Kernel Extension not loaded" blah blah blah! Ugh! Why would anyone make a program that doesn't actually do anything but throw up errors?! I don't think I've ever seen it do anything but. Here's my $40, now give me that antivirus program that doesn't actually check for viruses that could hurt me because there aren't any! Another case of boneheaded IT... I wonder how much the site license set them back...
How is this any different than using iptables to block network viruses?
# Block Code Red Virus (the string match requires --algo bm|kmp on current kernels)
iptables -t filter -A INPUT -i eth0 -p tcp --dport http -m string --algo bm --string "/default.ida?" -j DROP
---------
This space for rent. Call 1-800-SIGADVT to place your ad.
Of all the things I have seen flying back and forth about this and that, this has got to be one of the worst ideas I have seen yet for the Internet community. Should this go through, we finally give up the internet as it was designed to be - a global network of open systems. Just because some software manufacturers cannot design a system that is open to one exploit after the next, do we start modifying our infrastructure to compensate? I think that is ludicrous! I can see the need to deal with ping floods and broadcast storms, but viruses at the router level? Some day, somebody's streaming video is going to fail because the router detected an anomaly in the bitstream - or worse yet, what if some SSL encrypted data gets trapped? Let the servers deal with their data. If they cannot handle it, well, that's just their problem. So much for a free, open internet... I have seen this concept getting buried more and more every day, but at least it was just being overshadowed by those who seek to exploit its nature for the most part - but now we are placing such restrictions into the infrastructure.
If you look at the evolution of Cisco's products, you will see that they are heading towards one-in-all products.
The routers now feature routing, limited switching (a switch module in the 3600), firewall (CBAC), IDS, VPN, VoIP, limited IP telephony, caching (including HDDs) and streaming. So it's no surprise that they are building a layer-7 awareness check into it also.
Look at firewall vendors. They are also building layer-7 awareness into the products rather than depend on an external IDS. Consolidation is the name of the game. IMHO, I don't think the one-in-all product is a good thing but I think it's a hit with IT *managers* and bean counters. They can't seem to understand the plethora of boxes required to run a network safely.
Nah, they're going to solve the packet shaping issue by appending the "Evil bit" to the virus packets :)
------
"And may your days be long upon the earth."
From the article :
Cisco, Network Associates, Symantec and Trend Micro will develop a new system for protecting networks against infection. The system, which the four firms hope to start selling early next year, will be able to block network access to any computer or device that doesn't have its own security measures in place.
Isn't this sort of DRM related? "its own security measures in place". Don't like the sound of that...
Before 1995 we didn't have such a mess on the Internet like nowadays.
In 8 years a lot of things have happened with this medium; Microsoft has exploited it and we are getting the garbage. It's like a mining company that is polluting the surface where they mine.
The question is:
Why should we (the users, etc...) make the Internet to the standards of Microsoft's interpretation of using it?
Let Microsoft get a kind of "certificate" before a Microsoft machine can connect to it.
Better yet, give a router the "rule" to deny a Microsoft machine to connect to the Internet without proper identification.
What about that, instead of exploiting the Internet by a mining company from Redmond.
They are just trying to grab a stronghold on the Intrusion Prevention market. Cisco can barely handle routing with a complex ACL in place. The PIX throughput is horrible. Not sure how they plan to do this with any level of success, especially at high bandwidth points.
I'd be much happier if they would come out with a blade to insert into layer 2 devices that would block the problem(s) at the port level. They would likely have a better chance of success there too.
I guess since they bought out Okena they see themselves as security experts in the IDS/IPS realm.
Anti-virus software cuts the speed and responsiveness of your system when starting processes in HALF. As a person who is always starting and stopping tools and utilities and apps, putting in AV would be a big no-go for me.
I have a real firewall and a DSL router, I don't use Outlook nor IE, my systems are patched, and I know how to recognize the trust level to place in places I visit on the web and to scan every single thing I download from the net and save to my HDD before I toy with them.
I've been on the net since 92, I've never had a virus and I probably never will - and if I do I know I have the capability to recognize it (bandwidth monitors, activity lights, etc etc) and clean it.
I'll abandon any ISP who forces ALL of their users to run AV software. I will agree it would be a great idea for the unwashed masses. But I am clean and sharp.
I like Bell Sympatico High Speed's approach here in Ontario. They're giving 3-12 month trials of, and then selling, cheap subscription firewall/anti-virus/anti-spam software. Their efforts to "market" this stuff keep their "unwashed masses" quite well informed about the dangers of the internet.
And everyone knows the first step to enlightenment is education.
Antivirus software slows down your machine to a third of its original speed. Disable it and see for yourself. You'll never use that junk again.
I have a much more comprehensive scheme for identifying viruses anyway. I have modified my OS to pop a dialog for each incoming letter and verify if I want to accept it or not:
You have received the letter "G" from IP address 192.132.54.99 on port 492.
Some viruses are known to have the letter "G".
Would you like to accept it?
Yes No
You have received the letter "r" from IP address 192.132.54.99 on port 492.
Some viruses are known to have the letter "r".
Would you like to accept it?
Yes No
You have received the letter "e" from IP address 192.132.54.99 on port 492.
Some viruses are known to have the letter "e".
Would you like to accept it?
Yes No
..that every time a new virus comes out that now we have to patch our routers with new virus definitions too? Sounds like this in itself could potentially be exploited...
At one time I was getting 50 virii/day, all small variants of a few types. It would have been so much better for everyone to have them filtered at ISP level. Seems like an easy fix at router level.
And no reason I can see why every one should have AV software because of this..
"You lied to me! There is a Swansea!"
I just happened to be at a Cisco / Synstar presentation on security and products yesterday. Some engineer from Cisco talked about that.
It seems more like:
- It is targeted at corporations who need to deal with more than just one entry point to their network, some of which are currently hard to deal with (VPNs from badly-secured home PCs, legacy dial-up access, laptops that have connected to other corporate networks and/or the Internet).
- The idea seems more like having some sort of automated verification system that will check if your remote computer / laptop is up to date with the current policy (patches, anti-virus...) before opening the firewall ports and allowing access.
My first thoughts were "OK, what verifies the verification system for compliance, attacks or tampering?" and "What if some malicious software somehow manages to disrupt the communication and makes the system believe that the infected host is actually clean?".
OK, we don't really know yet what is the intended architecture behind the marketing lingo, but we soon will. Then we can start pondering if it's secure or not.
Ceci n'est pas une signature
What is it, reverse-endian mod day? If the post isn't tragically insightful, at least run it by your humor neurons.
Hehe..."RightRoute"..is that taken yet?
it might mean that your required to have anti-virus software installed in order to use the internet.
If only one would be required to know the difference between "your" and "you're" to use the internet...
I am Sartre of the Borg. Existence is futile.
If a site is so MS-centric that they require I use MS software to send them E-mail, then I don't want to send them E-mail. It's that simple. There is a well-established process (RFC's) for Internet standards. If someone chooses to ignore them, they're the ones going off into fantasy land.
Instead of building all that complexity into the switch/router, how about an option that allows the switch to send a snmp trap event to a "gatekeeper" machine on the network whenever a port comes live.
... however feel free to slap me around if a similar feature already exists in Cisco switches.
The gatekeeper can run all the checks/tests it wants, then allow/disallow the device network access, signifying access allowed/denied via an snmp put to the switch (or some other simple protocol).
During the time between link up and the gatekeeper machine allowing/disallowing access, the switch/router would be configured to only allow comms to certain devices, eg a dhcp server and perhaps (for MS clients) a domain controller etc.
Of course for every complex problem there is one answer that is simple, clear and wrong. This post probably proves that there may be more than one wrong answer to a problem. What happens when a hub is cascaded off a switch for example ?
I am not across the feature set of Cisco switches (my site is managed by EDS - no playing with switches for me), but I would like even the simple functionality of approving/denying access based on MAC address from a central machine. The gatekeeper concept would be the extension to that wish.
Malicious packets should be blocked on a case by case basis. If my host is infected with Slammer, for instance, I should be able to talk to your MS-SQL server, but have my Slammer packets blocked.
It's called intrusion prevention (IPS). There are companies that offer this technology today, even in switches, but Cisco is not one of them.
Use a blackhole routing system instead of ACLs. easier to manage and because it uses uRPF to do the drops, it's very hardware friendly. I posted a summary on NANOG about two weeks ago how I did this at the University of Wisconsin.
You just need an IDS product that will dynamically build ACL's if it detects a problem. Cisco sells a product and I think other IDS vendors have some support for doing this.
If the software detects an intrusion, trojan, virus, whatever, it can be configured to update the routers' ACLs to block the traffic.
According to the white paper on CCO this relies more on port based authentication and policy settings than on stateful inspection of the traffic flows across the router.
This system uses a piece of code called the "Cisco Security Agent", in standalone, or as part of certain AV software, to check the configuration of the PC, prior to authenticating to the switch, for access to the network. Port authentication is already available today, so this is a natural extension of the 802.1X technology.
Once the 802.1X negotiation is started, credentials are exchanged (username/password, certificates, et al) and an AAA server is queried for authentication, and authorization as well as security policies to determine if the client machine has an organization approved config - i.e. proper patch levels, current AV software, etc.
Depending on the outcome of this negotiation, the port access can be denied, put into an unsecure vlan, put into a remediation vlan, or put into a 'secure' vlan.
This is more of a technology to allow enterprises to ensure security via better control of desktop system configs than anything else.
Sig??? I don't need no stinkin Sig!
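The admission flow this post describes (agent reports posture, the AAA side checks it against policy, and the port ends up denied or in an unsecure, remediation or secure VLAN), modelled as an added example. This is illustration code, not Cisco's; the report fields, policy values and patch identifiers are constructed assumptions, and a malformed or missing value in a report is treated as non-compliant rather than trusted.

```python
"""Posture-based admission decision (constructed model, not Cisco's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Outcome(str, Enum):
    # The four port outcomes named in the post.
    DENY = "deny"                           # 802.1X credentials rejected
    UNSECURE_VLAN = "unsecure-vlan"         # authenticated, but no agent
    REMEDIATION_VLAN = "remediation-vlan"   # agent present, out of policy
    SECURE_VLAN = "secure-vlan"             # fully compliant


@dataclass(frozen=True)
class PostureReport:
    """What the endpoint agent hands the switch (assumed shape)."""
    authenticated: bool                      # 802.1X credential check passed
    agent_present: bool                      # host actually runs the agent
    av_product: Optional[str] = None
    av_running: bool = False
    av_signature_date: Optional[str] = None  # expected as YYYY-MM-DD
    patches: FrozenSet[str] = frozenset()    # installed patch identifiers


@dataclass(frozen=True)
class Policy:
    approved_av: FrozenSet[str]
    min_signature_date: str                  # oldest acceptable AV signature date
    required_patches: FrozenSet[str]


def parse_iso_date(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Parse YYYY-MM-DD into a sortable tuple; None for anything malformed,
    so garbage in a report reads as 'unknown', never as 'current'."""
    if not text or len(text) != 10 or text[4] != "-" or text[7] != "-":
        return None
    try:
        y, m, d = int(text[:4]), int(text[5:7]), int(text[8:])
    except ValueError:
        return None
    if not (1 <= m <= 12 and 1 <= d <= 31):
        return None
    return (y, m, d)


def posture_failures(report: PostureReport, policy: Policy) -> List[str]:
    """Reasons the host is out of policy; an empty list means compliant.
    Every check fails closed: a missing field is a failure, not a pass."""
    floor = parse_iso_date(policy.min_signature_date)
    if floor is None:
        raise ValueError("policy min_signature_date is malformed")
    failures: List[str] = []
    if report.av_product not in policy.approved_av:
        failures.append("av-not-approved")
    if not report.av_running:
        failures.append("av-not-running")
    sig = parse_iso_date(report.av_signature_date)
    if sig is None:
        failures.append("av-signature-unknown")
    elif sig < floor:
        failures.append("av-signature-stale")
    for patch in sorted(policy.required_patches - report.patches):
        failures.append("missing-patch:" + patch)
    return failures


def decide_access(report: PostureReport, policy: Policy) -> Tuple[Outcome, List[str]]:
    """Map one report to a port outcome plus the reasons, in the order the
    post gives them: credentials first, then agent presence, then posture."""
    if not report.authenticated:
        return Outcome.DENY, ["802.1x-auth-failed"]
    if not report.agent_present:
        return Outcome.UNSECURE_VLAN, ["no-agent"]
    failures = posture_failures(report, policy)
    if failures:
        return Outcome.REMEDIATION_VLAN, failures
    return Outcome.SECURE_VLAN, []


# Constructed sample policy and reports (identifiers are placeholders).
ALL_PATCHES = frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"})
POLICY = Policy(frozenset({"ExampleAV"}), "2003-11-15", ALL_PATCHES)
SAMPLE_REPORTS = {
    "compliant": PostureReport(True, True, "ExampleAV", True, "2003-11-18", ALL_PATCHES),
    "stale_sigs": PostureReport(True, True, "ExampleAV", True, "2003-10-01", ALL_PATCHES),
    "garbage_date": PostureReport(True, True, "ExampleAV", True, "latest", ALL_PATCHES),
    "missing_patch": PostureReport(True, True, "ExampleAV", True, "2003-11-18",
                                   frozenset({"KB-EXAMPLE-1"})),
    "no_agent": PostureReport(True, False),
    "bad_creds": PostureReport(False, True, "ExampleAV", True, "2003-11-18", ALL_PATCHES),
}

if __name__ == "__main__":
    for name, rep in SAMPLE_REPORTS.items():
        outcome, reasons = decide_access(rep, POLICY)
        print(f"{name:14s} -> {outcome.value:17s} {reasons}")
```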
by making clever rulesets for the thousands of new viruses every month. The virus would have already infected your network by the time you handcraft one rule. Look at the shortcomings of the Cisco router rulesets. It's a joke. They only catch the low hanging fruit at best.
As soon as that model is compromised, you have a new source of uncertainty every time you have to debug a network problem. When packets don't make it to their destination, is the problem a firewall at this end? Or at that end? OR - new possibility - funky anti-virus software on ANY ONE of the routers between here and there. You just can't tell.
This is a nightmare in the making.
--
What short sigs we have -
One hundred and twenty chars!
Too short for haiku.
I disagree... Why not just have the firmware inside the router programmed to read all incoming bits. Instead of just passing them, it would physically read the data coming through and just use the ISP as a relay to see if in fact this code is viral or not? The latency wouldn't be much of a big deal so long as the ISP puts up nice "big block" machines to handle the request loads...
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
All these "ideas" that are appearing day after day as "innovative" show very well the war they are fighting to get over The Internet / Free Software / The Whole Fucking World.
Some companies, that had a role in the NET at some point, and now are almost dead, 'cause the function they were playing is no more needed, are now doing desperate efforts to gain some new importance, to show that their "glorious past" that has "Forged The History of the Internet" makes them important to the future of the net / software / t-shirts / Universe. While those fight to continue alive, some other little companies fight to kill the first ones, to take their place.
All of Them Think They have some kind of "Legitimate Right" over the others. They feel they are "Special", and so they have the moral right to decide over others' Freedom.
SCO is a good example from the first Group, VeriSign is a good example from the second Group.
Different History, Different Size, but the same methods, ideas, objectives and morals. (in other words, just the same shit)
WTF am I doing replying to an AC at 5 A.M on a Friday night?
If this is so, all the wailing and gnashing of teeth may be premature, although, should ISPs adopt it, it would probably not be good.
Great minds think alike; fools seldom differ.
And how, exactly, are they going to decide if my equipment is "secure"? I'll wager that if I hook my C64 up to the internet, it won't be susceptible to many viruses. I imagine the same is true of my vt340 terminal... but they probably aren't going to respond to some random probe that asks if they're secure.
I'll say it again. A router's job is to ROUTE PACKETS. Nothing more, nothing less. If you want a firewall to keep virii out, get one. If your ISP wants a firewall to keep your virii off the net, THEY can get one and have IT filter traffic. That holds true all the way to the backbone. It doesn't belong in a router. It doesn't belong in a piece of consumer-end equipment that will be talking to whatever random equipment gets connected to it.
Looking at it in an negative light however, it might mean that your required to have anti-virus software installed in order to use the internet.
Ummm... no. YOU won't have to have any installed, your ROUTER will. And, of course, that is IF somehow they make it mandatory for routers to contain some sort of an anti-virus protocol, which in my opinion and probably many others will never be mandatory.
This is a bad idea all the way around. Content filtering should happen at the endpoints of the network. Not by the network itself. What's to stop Cisco from deciding that cool-new-feature-of-the-internet is not a new and upcoming technology, but a virus? And what if they decide this because the new feature undercuts one of their businesses?
Sonicwalls have available AV functionality that requires the client have a McAfee install on it or be in a list of computers that are exempt to access the internet. In my experience it doesn't slow the client machine badly and it does keep your AV definitions current.
This means no more students making and testing software and/or protocols...
Another step of corporate America to snatch away the net...
I still think most viruses are written by anti-virus companies...
This all stinks, and no i do not and never will trust Cisco...
Does anyone know if this has anything to do with the "Shield" technology Microsoft has recently been promoting (without saying what it is)?
If so, I think there is reason to be worried about being shut off "The Secure Net (TM)" as a *nix, Mac or whatever user. Anyone remember the Microsoft Network?
It also means the government is looking for a cooler way to monitor traffic, i.e. Carnivore. Cisco wouldn't do this on their own. It only adds more cost and complexity to their systems, and more chance for breakage. They could care less if you get a virus. It doesn't affect their equipment other than increase usage when worms hit.
Let me put it to you this way. If it can look for viruses, it can look for your signature too. Things as simple as words can be monitored. But you could hook this into all types of monitoring systems quite easily just by mirroring the ports at the router level.
Granted you can do that already. Cisco is just providing a "cool solution" for the government to provide seamless integration with carnivore 2.
That's not quite what I meant though. I was talking more about detecting exploitable machines as soon as they attempt to connect to the network, rather than blocking machines that are already sending out "evil" packets.
For example, running a series of tests against a machine to see if it is susceptible to the RPC exploit (and so on) before allowing it to connect to your network, and then disallowing it access until its security is tightened.
This way, each machine would be forced to have a sensible security policy in place before being allowed to connect to the Internet - a kind of "internet roadworthiness" test to make sure that you can't just connect any old piece of crap to a public network and expect it not to get exploited.
I'm sure there's a way of doing this without going the Palladium ("trusted" / proprietary) route. It wouldn't need to be built in at the hardware level or anything, just a series of tests to ensure that machines connecting to the Internet have at least some semblance of a security policy in place.
If anything, it could at least alert users of unpatched Windows boxes that they are totally open to exploits, or alert people running open relays and so on.
Organic free-range music... yum!
So I used with my once in a lifetime mod points. Taco, I wish you'd let us report this now, so that the assclown that moderated it overrated could be banned outright, or at least never allowed a mod point again.
Is there no way to do a decent moderation system, or is the world too full of idiots who try to participate in communities when they shouldn't ?
Mod parent up,
That's funny!
It sounds like they are just checking to see if the machine is exploitable. All that means is that Linux and Mac users are going to have to keep up with patches too (and yes, there *are* occasional holes for those systems, just not worms)
autopr0n is like, down and stuff.
What Cisco is developing is a Host Integrity System, something it lacks in its current offerings. A good example to use would be Sygate's Secure Enterprise.
Cisco's new offering serves as a checkpoint at the router or L3 switch level. Hosts incoming must pass a certain set of criteria (MD5 hash of approved AV running, sig file at certain level, hotfix X installed) before they are allowed to pass. While previously used to protect remote users (Aventail and Checkpoint are good examples), Cisco is moving to market the technology as an endpoint solution for all enterprise users.
This is also a consolidation play. The new version of Cisco's Secure Agent will tie into the new gateway system as a required host integrity piece. If you add that to the new WebVPN SSL VPN code that is currently in beta 3 and will be out over the holidays as v4.1 of the 3000 series concentrator software, you get a pretty clear indication of where Cisco's going with this.
All I can say is our Fortune clients dig the whole shebang. Keep in mind that once you start talking about enterprise security, the more authoritarian, the better.
trustedworlds.net - gaming, security, and the gunk that lives in between
- 139 out of 338 discarded mails
- 188 out of 423
- 169 out of 397
- 113 out of 267
- 143 out of 238
- 179 out of 347
- 228 out of 424
The remaining rejected/discarded mails are mainly due to unrouteable addresses and high spam scores (exiscan+spamassassin).
Hell, that's just irresponsible. Sure, mac/*nix have a dramatically decreased chance of virus infection ( argue why until you're blue in the face ), but that is no reason to be careless about it.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
First, speaking from a Corporate perspective, something like this would be a godsend. If you are a huge company (think 20,000+) desktops, that already uses Cisco and Symantec, and you can prevent machines with outdated virus defs or missing M$ patches from even getting on the network, this would be an answer to my prayers.
Second, why is everyone such an alarmist? Do you honestly think Cisco wants to exclude any customers from using their equipment? This will be policy based, and certainly he-who-controls-the-routers will have the ability to turn off these security policies on or off a per-MAC or per-port basis. To take it a step further, what if they offered agents for your choice of *nix flavor, and these policies could check for patches, and disallow network access for machines missing vital security patches? How can that not be useful?!
As far as ISPs go, sure, there might be ISPs that turn this on and require you to run client software, and that client software might not be available for your platform, but then guess what - change ISPs. Someone will always be there to fill the void.
I think that this is an excellent development in Internet security, and I hope it comes to fruition as quickly as possible.
In the future, ISPs will no longer sell "Internet connections", they will instead sell AOL'esque access to the web and email. The access will be filtered against viruses, SPAM and will include parental controls and complete usage monitoring (which will deter kids from circumventing parental controls).
People will pay money not to be SPAM'ed and not to have to worry about protecting their machine all the time. This will protect the net from most unprotected Windows machines.
For home-workers, Cisco and similar big companies will offer proprietary VPN software which will interface with their proprietary 'almost the internet' software.
However, because of the limited market in unfiltered connections, geeks will pay extra for an unfiltered connection, or will use a technology akin to SLIRP, only to have it blocked time and time again as virus/worm authors try to install such software on unsuspecting Windows machines, and ISP's try to block them.
> This can be a *big* problem for *nix/mac users which normally don't need or use AV software.
I don't think most major ISPs would leave Mac users out in the cold, but I could easily see where they would give two rips about Lunix users (or require they upgrade to a "business" account which supports such operating systems that were designed to be used as "servers"). What I am more concerned with is freedom of choice:
> In an unusual alliance among staunch competitors, Cisco Systems will collaborate with three of the largest computer security firms to fight virus and worm attacks.
Ok, I see how it is. Your router creates more AV sales for us, so we give you a kickback. We both make more money! Meanwhile, the likes of AVG and Avast are left out in the cold, as are their users. Soon you will require a "Cisco license" to release Anti Virus software if you want it to work for the masses, for a fee of course.
And what about personal routers/firewalls? Will we all have to upgrade to Cisco-AV(tm)-compliant home routers that report correctly to the ISP? Although this would be an extra expense (and I happen to like my SOHO router, thank you) I suppose it would allow you to run any sort of OS behind the firewall, including *nix.
I'll pass, and I hope my ISP does too.
1) Router checks machine for known exploits.
Anyway, how would the AV company even know if the machine was running the "real" software in your scenario? It wouldn't any more than the router. The entire concept of checking for AV software is ridiculous. They only mentioned "security measures", they probably consider running Linux or MacOS a security measure in and of itself like most people do. Only the most deranged person in the world would consider restricting a network to Windows machines a good way to make it more secure!
By the way, you can get AV software for the Mac, and Linux, and even OpenBSD. There are exploits and even viruses for Linux.
autopr0n is like, down and stuff.
But if the other 98% of internet users followed the "rules" and installed anti-virus software, as the "rules might require", any viruses getting around this system would have a potentially more difficult time getting a foot hold world wide.
For the simple reason that the average Joe would be forced to at least consider security or not get online, this is helpful.
Reading the article over on ZDNet indicates that this technology is targeted on Corporations. Corporate desktops would have a SW agent installed that talked to the Cisco devices (Switches more likely than routers). This SW agent would be designed to communicate with various AntiVirus software out there to ensure it is up to date. If it is not the Agent would tell the Switch not to talk to this PC (or, I imagine, put it on a special VLAN that had an update server for the AV software as well as a patch server for Windows).
Here is the Zdnet link:
http://zdnet.com.com/2100-1105_2-5108883.html
The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place.
The way I read this is that it only checks computers trying to connect to the hub/router (on a LAN) but what does it do to traffic that is already on the network? Does it assume that the other router has already cleared it? Or does it block all non-authenticated traffic? In either case, it is useless outside of a homogeneous environment (like a corporate Intranet). If Cisco thinks everyone on the Internet will suddenly replace all their routers with Cisco stuff, they are mistaken. Also, what is the authentication method? If it isn't heavy duty crypto, then it can be broken and spoofed far too easily. If it is using strong encryption, then US law prevents its export. Mind you, there are people who would love to see a US controlled internet, even if it cuts off the rest of the world. What these people don't understand is that the Internet is too important, so that attempts to control it will be circumvented.
Why do the pampered students need to be able to use their own PCs on the campus network anyway? Let them go to a computer centre where the machines have been set up correctly. Computers are not (yet) such a vital tool at uni that students need to be online 24/7, in fact I did a comp sci degree and didn't even OWN a computer, much less have one plugged into the internet in my friggin room!
If this is taken to its end conclusion, the HSD will get involved, and then mandate that you only use things that are on the 'approved' list.
Be it hardware, OS, App software, tools.. your TV....
And if you even TRY to run something else, your connection is severed, and the proper authorities are notified of the then illegal act...
Yes, you will call me paranoid, just remember this in 5 years when it takes place... 10 Years ago people scoffed when I suggested 'data police'.. Now look, people are jailed for reverse engineering something they OWN.. courtesy of the DMCA..
---- Booth was a patriot ----
This poster of the previous comment needs to put their tin foil hat back on and STFU. I'm assuming this is a troll, as the poster has no idea what enterprise customers want. This sounds like the BEST way to deal with problems like infected hosts that are not supported by any given support group, yet still need to be tracked down and disabled.
There are other ways to track a user, if your paranoia leads you to believe this is what it's all about.
someone should really read the actual docs on the technology. This is not a router system. It is a modification or use of 802.1x authentication at the switch level. The system uses an agent (currently only a Cisco agent, but soon to be included in most AV software packages) which verifies that the system is running current patches and antivirus software/signatures before it is allowed to connect to a switchport. This is not a home application, but is designed for enterprises that have deployed 802.1x capable switches across their networks, and have to deal with users who use mobile systems.
The current implementation of the cisco agent runs under windows, and I believe it is also available for some *nix variants. It will be available for mac and the rest of the *nix world eventually.
> *nix/mac users which normally don't need or use AV software.
Before we start the usual self-congratulatory circle jerk for not running Windows, wouldn't the router block requests that might crash or cause a DOS for *nix/Mac-based web servers? FTP servers? SSH?
"This can be a *big* problem for *nix/mac users which normally don't need or use AV software. "
I think a big problem is the PEOPLE who think they don't need AV software, regardless of the OS.
I am always surprised anew by wild assumptions made not only by posters but "editors".
;)
;)
Short search on the Web reveals a much more informative article:
http://newsroom.cisco.com/dlls/prod_111803d.html
1) it is NOT at all about traffic shaping or examining packets or running AV software on routers. Do not assume, you only make an ASS of U and ME.
2) routers will be able to contact with enduser PC running Cisco Trust Agent. This piece of software checks against presence of AV, firewall or simply OS patchlevel:
"A key component of the Cisco Network Admission Control program is innovative software developed by Cisco called the Cisco Trust Agent which resides on an endpoint system and communicates with the Cisco network. The Cisco Trust Agent collects security state information from multiple security software clients, such as anti-virus clients, and communicates this information to the connected Cisco network where access control decisions are made and enforced. Cisco has licensed its Cisco Trust Agent technology to Network Associates, Symantec and Trend Micro so it can be integrated with their security software client products."
3) that ability is an OPTION that can be turned on and off by network administrator (who already decides what we can do in the network).
4) it has been announced for mid-2004, initially supporting only Windows.
5) why don't we complain about "your rights" when it comes to filters and other traffic blocking methods that have been available for a long time in most router packages, including cherished Linux?
6) speculative comments "it will certainly be insecure" are better saved till the implementation is here to be tested and analysed.
It certainly will be (when/if it works) an interesting and promising feature for companies where IT personnel had (and still have) to live through nightmares of virus outbreaks. Unfortunately it seems that people writing here are in majority some trigger-happy geeks who think only about their huge self-made home-grown two-box networks.
Yes, the announcement is about selling (we live in a superextracommercial world after all), but nevertheless it is interesting and useful from the technical point of view.
The minimum requirements for replying to the article directly or to post in this article are:
CCNA (Bare minimum)
3 years working experience with Cisco routers
A clue
Having read the article.
Thanks and have a nice day.
" it might mean that your required to [...]"
It might mean my what?
with this. The latest and greatest Cisco switches and routers have an internal speed switching fabric that runs at 222GB/s. Fast, yes, but this is bare switching. There was another article here a day or so ago (must comment and run, no time to find link) that was talking about using field programmable gate arrays to process packets in parallel. It had a top speed of a couple of Gigabits per second. As net traffic increases this sort of system will be necessary, but until it can compete with 222GB/s there is no way to implement this, except on the 'last mile'. For any corporation that deploys a lot of computers, they have HUGE switching stations every so many thousands of computers to get a decent speed. A high latency would mean they would need more of these, and they are expensive to start with. That is not even the word for it. 5" pipes going out in 8 directions full of cat 5. Oh yeah, this tech needs to be cheap enough or fast enough to be deployed on the last mile, or at a higher level. Till then this is a bit too slow and expensive. PS forgive any horrible errors in spelling or grammar, must go now.
md5sum
d41d8cd98f00b204e9800998ecf8427e
Too bad the router is going to need a million processors to scan the packets in near real time. Hell, sounds like a good deal for Cisco, they can sell more expensive routers.
Got Code?
companies would figure out how to streamline this and make it viable for consumers, because no one is going to buy into it when you still have old routers available. The only way it would catch on is if these routers were better than old ones at the same price. No one is going to pay more for a router just to have to pay *even more* for software and such. pure BS
I'd rather filter spam at the router. Viri typically only target Microsoft platforms, which I don't use and won't allow on my networks. However spam affects almost everyone with an email address and wastes far far more bandwidth overall, so why not build in configurable RBL controls to the routers?
I get almost no spam through a combination of RBL, access file, procmail, and blocking spammer countries. But those measures do not prevent spam from wasting my bandwidth and taxing my mail server. If my ISP used spam filtering on their routers the amount of spam actually hitting my systems would drop by 70-80%.
If my ISP did something like this I'd buy everyone in their IT department donuts on Friday.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" - BF
it is entirely possible to make an OS virus-proof without having to install 3rd party software.. anti-virus software today sucks anyway cause it can't catch new viruses, the only ones that really count.
the poster of that article is a paranoid freak. No one is going to buy a router in the scenario he is talking about. It just wouldn't happen.
If you run a security scan against our server, you would get blocked instantly, thus no mail would be delivered, and you would lose the client confirmation we just sent you... I don't see corporations buying a router that would cut off their sales as well as the bad guys... I mean - I am not running the only server that bans security scans from unauthorized people and equipment.
The only way you could check if a virus scanner had been used on the emails using our servers would be using header information inside the e-mail. A plain text header as is most common would be faked quickly, thus it would need to be an encrypted X-AV header or something that represents one of the latest AV definitions as well as the program. Now the routers would have to do all these lookups against the Antivirus vendors to verify it is valid - this is as easy as we currently look up spammer ip addresses on foreign servers today, thus makes business sense.
The problem is that most businesses depend in some degree on e-mails for closing contracts etc. To lose out all clients that are not running selected brands of antivirus software and operating systems would not make much business sense.
the problem is windows is so much junk compared to the up-to-date alternatives. It is entirely possible to make an OS that is virus-proof from the internet. it just has to not execute every bit of code it receives without permission. virus software doesn't block *new* viruses, the only ones that count. I don't use virus software and I use windows 98. I just don't run executables and net side code that is questionable.
I don't use virus software and I use windows 98. I just don't run executables and net side code that is questionable.
So all viruses require user interaction do they?
This is just some paranoid rambling.
besides this would be a pain in the ass to use because the software would slow down the router and have to be updated all the time and wouldn't even stop viruses!!! virus software doesn't stop new viruses! the only ones that matter! damn, I can't even express how stupid this is.
You have misunderstood what this is about. You have a bit of sw on your PC that is responsible for doing an inventory of your AV dat files and potentially other bits of security related info. It sends a summary of this info to the router. If the router agrees with your configuration, it allows access beyond it's own port. If it doesn't you don't get access anywhere, except maybe to update your security related files.
When talking about port blocking in this context it's not ports as in port 80, but rather port as in ethernet port.
the software would slow down the router and have to be updated all the time and wouldn't even stop viruses!!! virus software doesn't stop new viruses! the only ones that matter! damn, I can't even express how stupid this is.
Can you tell me how to get to Sesame Street?
.
This virus brought to you by the letters G, r, and e... and the numbers 0 and 1
Dammit. This is just like when my windows 3.1 machine had perfectly good netbios built into it and the ISP went and required something called a TC/PPI stack or something. It just added CPU overhead to my machine, decreased throughput by adding all these headers and crap, and didn't solve 100% of my networking problems like it should have. They can't force me to install some stupid standards software. What if I want to use SNA to access The Internet? I should have that right.
This reminds me of a product that Recourse Technologies (since defunct, I think) proposed a few years back to push IDS out to the ISPs. Stopping DoS attacks further out sounded like a good idea at the time, but I think they never got past the huge number of technical hurdles either.
Look ma, no tpyos^H^H^H^H^H^H . . . oh crap.
This is just a plan to implement RFC 3514.
--
Benjamin Coates
Looking at it in an negative light however, it might mean that your required to have anti-virus software installed in order to use the internet.
What part of blocking at the router implies that you need AV software on your pc/mac? Besides, it's becoming typical to have this sort of stuff on proxies, mail gateways, etc. Considering the liability of thousands of unpatched home systems, this sounds like a good thing if it is done well.
Hecubas
In my experience, yes. Prove me wrong.
Okay... This setup is usually called "client compliancy" and is starting to become common amongst VPN solutions. The VPN server will check your machine upon connection for antivirus software, virus definition version / dates, and possibly client firewall software.
Saying that ISPs will start requiring it is purely speculation and sensationalism.. Oh wait, I am on Slashdot.
Anyhow, just because a Mac doesn't get targeted for viruses much doesn't mean you shouldn't run antivirus software. What happens the day a Mac virus DOES get out in the wild? The same goes for *NIX systems.
And, umm, yes, a Linux machine can be susceptible to Windows viruses. Think about a MS Word macro virus if you're using CrossOver Office and happen to have an infected file...
Disclaimer: I work for a major antivirus company. If you don't use our product, you should at least have some sort of protection on your machine. There are some free alternatives, too.
This is yet another mafia subscription boondoggle that corporate america wants to foist on the public. It's also another security/business model that only is of value if worms and other undesirable traffic continues to propagate. The tech community should not buy into these schemes because they do not really cure the problem, merely promise a slightly-effective treatment (at best) that will require an ongoing investment of time, money and resources to even function.
I keep saying, the best way to reduce worm propagation is through a sanctioned smtp whitelist since most compromised systems use smtp as the transmission vehicle, and most originate from spontaneous, unauthorized mail relays that the worms themselves introduce.
As for other means of worm propagation, a compromised server would easily generate a typical DoS profile that a well-configured network should already identify and deal with, regardless of this client-server-extra-software provision Cisco is trying to impose, which would require constant updating and more money to maintain.
I personally have a lot of respect for Cisco. They don't cater specifically to Microsoft and there is no way Cisco would stoop to that level. Even if it does require proprietary software to use their virus protection, they'll produce versions for every large OS, I'm sure.
I think this may be an amazing, revolutionary technology Cisco is working on, especially if it doesn't require any proprietary software. Every backbone in the world will be using these, if that's the case - and it may rid the world of computer viruses transmitted over the internet, for good.
How long will it be before this "feature" will be used to disallow any non-Windows machine from connecting to the network?
How long will it be before non-DRM enabled hardware is disallowed from network access?
I don't believe that this would solve anything. What will happen is that viruses will be written to mimic the signature of a secure machine, thereby giving themselves unrestricted access to the network. Why would any CIO PHB purchase anti-virus software for his internal network if he believes viruses are being stopped at the router?
Sorry, but I don't see any good coming from this...
The society for a thought-free internet welcomes you.
So the Cisco tries to check if the computer trying to connect has approved AV software running. The Cisco itself isn't running the software, it's forcing the connecting system to. If the system connecting is a *nix router doing NAT, with a bunch of Windows boxes behind it, what's the Cisco's behavior? If it goes back to the IP it sees a *nix box, but the traffic is from a Windows box which just might have a virus, unless good AV software is running on it (despite the firewall - your travelling staff just plugged in their laptop in the office).
The only way this does any good is if the Cisco has the *nix box prove that it is running AV software doing content analysis on the stream from the Windows box, or else software that relays to the Windows box the demand to show credentials. Either way this means that there will likely be a necessary licensing fee for AV or credentials checking software for whatever router you want to have talk to a Cisco.
Very clever. Cisco doesn't take the load on their hardware (except for the trivial task of demanding your licensed credentials), and forces you to license software from one of its partners, and to take the load on your hardware.
This is sort of like the police responding to a burglary epidemic by requiring all homeowners to install lead shielding on their doors and windows, with a kickback to the police athletic fund for each shielding installation.
"with their freedom lost all virtue lose" - Milton
If Cisco were merely promoting a standard that anyone could implement, a scheme such as this would be reasonable. But if it requires that "approved" software be used, and that the vendor of the software buy a license from Cisco, it's anti-competitive and probably illegal.
The word router isn't mentioned anywhere in the article. Cisco makes more than routing equipment. This is more than likely a product in their security portfolio.
It is called Digital Rights Management and censorship - and be in no doubt that this is what it will be used for. Say goodbye to the control you have over your routers.
Cisco's Network Admission Control program would enable companies to install on every PC and mobile device a client, called the Cisco Trust Agent, which could attest to certain levels of security...
However, the technology won't work unless security software can tell the Trusted Agent application the current state of security on the computer or mobile device.
"This important problem can't be addressed individually," said John Thompson, CEO of Symantec. "Collaboration is a must."
The technology might also spur sales of PCs and devices that use trusted-computing hardware--controversial technology that uses encryption, special memory and security software to lock away secrets on a PC from prying eyes.
To lock away secrets on a PC from the OWNER'S eyes! &%^#@! Trusted Computing!
Symantec Corp. (Nasdaq:SYMC), today announced that it has joined forces with Cisco Systems to provide solutions that restrict network access to only compliant and trusted client machines including personal computers and PDAs.... Out-of-compliance machines may be denied access, quarantined, or sent to a separate location for remediation, while machines in compliance with the organizations' set policies will be granted access to the network.
Trend Micro, Inc. (TSE:4704) (Nasdaq:TMIC), a leader in network antivirus and Internet content security software and services, today announced its support of the new Cisco(R) Network Admission Control Program
THREE major router companies, Cisco, Symantec, and Trend Micro, are ALL supporting this initiative to lock non-TCPA computers out of the internet! #@%^$!
If you are running Microsoft Windows you will be locked out of the internet unless you are running Palladium. If you are running Mac or Linux or anything else, you will be locked out of the internet unless you are running a Mac or Linux version of Palladium.
I have repeatedly said in Trusted Computing discussions that sooner or later people not using it would start getting locked out of parts of the internet. Silly me, I thought that more and more websites would start using it and simply not serve you a page unless it was encrypted. I never considered that the basic internet hardware itself would deny you any connection at all! This is INSANE!
The problem with Trusted Computing is easy to fix. There is absolutely nothing wrong with new hardware, but the owner has to have actual control over his machine. The owner MUST have his key. He could receive that key on a printed piece of paper, or he could get it somehow during the Take_Ownership command. There is no POSSIBLE justification to deny the owner this information. There is no POSSIBLE way that the owner could lose any protection. The hardware could be identical, therefore the hardware can do everything it could before. The only difference is that the computer can no longer be hijacked as a weapon against its owner.
This trivial difference preserves EVERY claimed benefit of Trusted Computing and eliminates EVERY possible abuse of TCPA. Those backing Trusted Computing will NEVER permit such a change in the system because the very purpose of Trusted Computing is to enforce DRM and other abuses.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
W32.Welchia. Do a search for it.
Oh, wait. Don't bother searching. If you're running a broadband connection without a firewall, you already have it.
I dunno about you, but I've used bandaids on minor cuts and abrasions in the past, and found them very helpful. That doesn't mean I didn't kick the ass of whatever was cutting me ...
I think this would definitely be a good solution for Universities to manage the traffic on their network and in terms of preventing infections. There are too many students that come in with infected machines and are too ignorant to install antivirus software. I don't know how much more load it is going to place on routers but I hope it works better than writing ACLs.
How exactly would that help? It means that universities would have to have hundreds of times as many public computers, and hire IT staff to maintain all of them, plus pay to keep them relatively up-to-date.
Besides, I would strongly disagree that they are not a vital tool for universities (by 'vital' I mean extremely useful, not 'can't live without'--if the latter is what you meant, then we should ban pencils, erasers, and bookbags too, among other things). Just because you can't think of any real uses for networked computer in your room doesn't mean the rest of us can't think of hundreds. My education was vastly enriched by having convenient internet access. That's not even getting into the uses that don't exist yet, but will never be developed if people have to go to a computer lab, thus eliminating the on-demand convenience that makes so many things possible and popular on the net.
But of course, you are just trolling, so what do you care about logic?
It's my understanding that it would be a worm if it didn't require user interaction. Or an inside job.
One catch: if I have proper security measures in place, any attempt by the router to connect to a server on my computer (e.g. the AV software) will be blocked by the firewall on the client computer. What will the admins do if policy prohibits opening up client computers to incoming connections?
Actually, he's lucky on that one. IIRC Welchia/MSBlast only infect Win2k/xp. Since he's running 98, he's immune.
The ONLY WAY Win9x has any advantage, EVER over NT is not being vulnerable to those stupid worms.
It is important that people understand what this system is actually designed to do. As far as I understand, this press release has to do with a Cisco Security architecture that is designed to operate at the level of the Local Area Network.
The system is designed as follows:
Any time that a new host becomes active on a LAN, the switch will query the host and determine whether that host is running an "approved" image. If the image is approved - the host is running a secure operating system with the "correct" set of patches and security systems - then the host is granted full access privileges to the network. If the image is NOT approved then the host is isolated onto a VLAN until the appropriate set of patches can be applied.
This proposal has nothing to do with "stateful" inspection of traffic that is traveling across the network.
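The admit-or-quarantine decision described above, as an added example that is not part of this thread or of Cisco's product: a policy check over a constructed posture report (AV running, signature age, required patches), with an HMAC on the report so a host cannot simply claim to be compliant. The patch names, the signature-age limit, the shared key and the fixed "today" date are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date

# Constructed policy values; assumptions for this example, not a real NAC policy.
REQUIRED_PATCHES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}
MAX_SIG_AGE_DAYS = 7
AGENT_KEY = b"constructed-shared-secret"   # hypothetical agent/switch shared key
TODAY = date(2003, 11, 20)                 # fixed "now" so the example is deterministic


@dataclass
class Decision:
    vlan: str           # "production" (full access) or "quarantine" (remediation only)
    reasons: list       # why the host was quarantined; empty when admitted


def sign_report(report: dict, key: bytes = AGENT_KEY) -> str:
    """The client agent authenticates its posture report with an HMAC."""
    body = json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def evaluate_posture(report: dict, mac: str, today: date = TODAY) -> Decision:
    """Switch-side policy: admit only authenticated, compliant reports."""
    # An unauthenticated report could be forged to mimic a healthy host, so it
    # never earns production access.
    if not hmac.compare_digest(sign_report(report), mac):
        return Decision("quarantine", ["posture report failed authentication"])

    reasons = []
    if not report.get("av_running"):
        reasons.append("antivirus not running")

    sig_age = (today - date.fromisoformat(report["av_sig_date"])).days
    if sig_age > MAX_SIG_AGE_DAYS:
        reasons.append(f"signatures {sig_age} days old (max {MAX_SIG_AGE_DAYS})")

    missing = REQUIRED_PATCHES - set(report.get("patches", []))
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))

    return Decision("quarantine" if reasons else "production", reasons)


# Constructed sample reports as the agent would send them.
COMPLIANT = {"host": "ws01", "av_running": True, "av_sig_date": "2003-11-18",
             "patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"]}
STALE = {"host": "laptop07", "av_running": True, "av_sig_date": "2003-10-01",
         "patches": ["KB-EXAMPLE-1"]}

if __name__ == "__main__":
    for rep in (COMPLIANT, STALE):
        print(rep["host"], evaluate_posture(rep, sign_report(rep)))
    # A report that was not signed with the agent key is quarantined outright.
    print("forged", evaluate_posture(COMPLIANT, "0" * 64))
```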
I'm the sysadmin for a small ISP. Some of our customers (namely, the corporate ones with lots of cash) already have this on a smaller scale. Their firewall/router checks to see if VirusScan is running on the end-users' computer, and if it's not, it installs it. At least, if you've bought enough licenses to cover all the workstations you have. Excess workstations don't get antivirus, and they also don't get online - at least until you shut that feature off for that IP. Of course, it's desirable to upgrade the number of licenses. It's pretty scary to be running a corporate network with only one computer not virus scanning when you see headlines like this one.
So that's our corporate customers. We also have qmailscanner filtering all our mail using F-prot (they have per-server licenses for decent rates, not the retarded per-client ones that would quickly bankrupt any ISP), which cuts problems on our ADSL network by about 75% or more. It's worth noting however that even with a 2.3 Ghz CPU, the server load is typically about 2.5 or 3.0 at any given time. This kind of scanning for the 150,000 messages a day we get would have been impossible only three years ago.
Would we start using a router like the one Cisco came out with? Hell no. 10% of our customers actually have a clue, and they usually pay for a more expensive internet account. To lose hundreds of our best customers over something like this would be stupid. As well, if we used a router that required a specific virus scanner (like our corporate customers have), it could alienate as much as 60% of the people who have already bought a virus scanner that *isn't* the virus scanner the router requires.
No. This is not something you subject the general public to.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
That's nonsense. Of course I can.
How do guests visiting your office get access to the internet if the need it for a presentation? Here there are places they can connect to the office network and be comfortably in a DMZ where they can see the external network and part of our intranet with some demos of our product. Of course accounting and R&D are on different subnets.
I guess some employers are just more up-tight than others.
Perhaps the university has trade secrets so special they need to lock down the whole place?!?
Well, I don't think it will be a default option, I think it'll be in there for you to use (I hope, I'm in the training program).
Personally, I don't think many cisco techs would even know how to use it properly in the first place, that is, if half of them are cisco certified.
I know some networks with cisco have microsoft certified people working on the routers.
One Australian ISP I checked once had a telnet port open and it was to their main cisco router (isn't that supposed to be open to the internal network only?)
Personally, I'd never enable the option. If I had to, I'd prolly only enable it for a windows-based segment of the network (mainly the office).
And maybe that's what it's for, you can use it for certain segments of the network, and there are some anti-viruses that don't lag your machine down to the point of crashing.
I also suggest that corporate offices use deep freeze, which is used at my school, it doesn't allow any modifications to be done to the system, and you can only save to your network drive.
So far, no viruses have infected any of the machines at school (except the ones with misconfigured deep freeze setups, and of course, the main server itself. which they COULD replace with linux and samba.)
+5 trusted computing is bad.
Browse at -1, because trolls are often the most creative part of
We run some proprietary hardware where I work that only currently has driver support for Windows NT. Thus, we have one box that runs NT. When we did a re-install on it, we installed NT, then immediately patched up everything. Before the patches had even finished installing, it had already caught blaster and a variety of other things. It was like leaving a gaping wound open in a cesspool. I agree, virus software can only really work well as a reactive measure. In order to protect your machine, your OS needs a strict set of access and execution permissions so, say, your mp3 player or web browser can't format your hard drive or add bizarre crap to your configuration files. That being said, there are plenty of viruses that infect you without having you run an unknown executable at all. They're called buffer overrun exploits, and if you think Windows 98 is free of them, then you're pretty deluded.
The implication for a scheme like this, if it is implemented correctly (or incorrectly, depending on your position), is that it might effectively establish a widespread standard that could be used to block non-compliant communication of any sort. Suppose, for example, that rather than the certifying software being AV software, it could be a key to certify anything about you: your operating system, your political beliefs, your religion, your mail client, that you've paid your annual router per-user license, etc.
Broadly speaking, it could be used by the router companies, or anyone with enough influence over them, to deny internet access (increasing this means "access to information & communication") to anyone for any reason, and certify compliance.
It takes DRM to the next level. This is power over you -- not necessarily a feature to empower you.
I think there are probably better more specific means to minimize virus transmission, if that alone were the narrowly construed goal.
This is a horrible idea and I can't believe any proponent of freedom without control on the internet would ever think this is good.
The nature of the internet that makes it so scalable to new innovations is its end-to-end nature meaning the infrastructure of routers does the most basic thing possible, route packets. The end hosts are required to do all the rest. If we start adding "security authentication" and other crap on the routers this breaks the end-to-end nature and basically puts a system of control into the very heart of the internet.
If microsoft came up with this idea, everyone would be screaming bloody murder, but Cisco and the Security companies are ok to trust with the control of the entire internet??! These are companies just like microsoft, part of the same capital system with agendas to profit the same as microsoft and don't think for a second this doesn't have ulterior motive written all over it.
We do need to do something about the escalating security risks on the internet, but this is the wrong direction.
> How long will it be before this "feature" will be used to disallow any
> non-Windows machine from connecting to the network?
The same day non-windows friendly ISPs start advertising that as a 'feature'
> How long will it be before non-DRM enabled hardware is disallowed from network
> access.
The day that every last single network admin in the world agrees with and fully loves DRM. This will be never.
Replace the backbone with people to enforce this type of restriction to not let ANYONE resell service without being authorized, and the current internet will simply die with no one to run it.
A new network will form and be free of this restriction and either take the now unused name of Internet, or make some new name.
These viruses aren't Linux viruses though, I'm betting.
Karma: It's all a bunch of tree-huggin' hippy crap!
Here you go, folks... I've been using this for years and it's found every virus I've ever had on my Linux systems.
#!/bin/sh
echo No viruses found!
Knowing Cisco and their current IOS settings, they usually have it to where you can turn something like this off if you do not want it/like it. They are also good at making it to where you can turn such features off for certain ports. It could also be used to the effect that if you know the user on the computer is a complete n00b, you can turn on this service for their computer because you know they'll probably get a virus from opening one of those emails from people they don't even know.
get off my internet
That my favorite porn sites update their virus definitions.
You lose, fagmo.
Minor correction, I shouldn't have referred to Symantec and Trend Micro as router companies. I hope no one dismissed this Trusted Computing alert based on that error.