Slashdot Mirror


Cisco Working to Block Viruses at the Router

macmouse writes "The San Francisco Chronicle has an article about Cisco and Anti-Virus companies working together to block viruses at the ISP (Router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light however, it might mean that you're required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/mac users which normally don't need or use AV software. Not to mention, being forced to purchase software from 'company x, y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."

6 of 369 comments

  1. Re:question by LordKronos · · Score: 4, Informative

    RTFA:
    "The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network or forced to download a security program."

  2. Re:And you thought the internet was slow now by Anonymous Coward · · Score: 3, Informative

    You'll probably see this as a combination of the AV vendors' products generating warnings and classifying new virii, and Cisco's Network Based Application Recognition extensions to IOS then filtering the same. See this link about Code Red:

    http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

    Of course, given enough traffic you could become CPU bound. Then you'll have to buy a Juniper :-)

  3. Re:And you thought the internet was slow now by pyite · · Score: 3, Informative

    Did you read the article? The software doing the intelligent part will reside on the user's computer. The router will determine if the host attempting to make a connection has the relevant software installed. If not, it will be ACL'd. There's little the router is doing except creating the access control lists on the fly. Even if there was intelligence in the router, it would have to be done in a big box like a 6509 with a Content Switch card. FYI, the Content Switch card has a separate processor FOR EACH OSI LAYER. So, it can analyze each separately and do traffic shaping like that.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  4. Re:And you thought the internet was slow now by Anonymous Coward · · Score: 4, Informative

    Problems with Cisco's approach are numerous. It would be trivial for virus writers to work around these shortcomings. The only real way to block viruses is to be 100% stateful and reconstitute complete files from IP and TCP/IP somehow. This would suck CPU and memory like no tomorrow. It's also a losing proposition given all the protocols out there.

    NBAR Restrictions

    When using NBAR with the methods in this document, note that the following features are not supported by NBAR:

    • More than 24 concurrent URLs, HOSTs or MIME type matches

    • Matching beyond the first 400 bytes in a URL

    • Non-IP traffic

    • Multicast and other non-CEF switching modes

    • Fragmented packets

    • Pipelined persistent HTTP requests

    • URL/HOST/MIME classification with secure HTTP

    • Asymmetric flows with stateful protocols

    • Packets originating from or destined to the router running NBAR
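
    An added configuration example, not copied from the Cisco document comment 2 links to or from any post in this thread, showing the NBAR marking plus ACL arrangement that document describes for Code Red, with the comment 4 restrictions noted where they bite. The interface names are assumptions; `default.ida` is the URL the Code Red worm requests.

```cisco
! Added example (not the Cisco document's own text): mark Code Red requests
! with NBAR, then drop the marked packets with an ACL on the inside interface.
! Interface names are assumed: Ethernet0/0 faces the Internet, Ethernet0/1 the LAN.
!
! NBAR only classifies in CEF switching mode (comment 4: non-CEF modes unsupported).
ip cef
!
! Classify HTTP requests whose URL contains the Code Red probe, default.ida.
! NBAR inspects only the first 400 bytes of the URL, cannot see into HTTPS,
! and does not reassemble fragmented packets, so this catches the worm's
! plain HTTP request and nothing more.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
!
! Mark matching packets with DSCP 1 rather than dropping in the policy map,
! so the decision shows up in ACL counters and is easy to audit.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
! Apply the marking policy inbound on the Internet-facing interface.
interface Ethernet0/0
 service-policy input mark-inbound-http-hacks
!
! Drop anything carrying the mark on its way to the LAN; everything else passes.
! "show access-lists 105" reports how many marked probes were dropped.
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!
interface Ethernet0/1
 ip access-group 105 out
```

    Because the mark is set on ingress and acted on at egress, hosts elsewhere in the network can reuse the same DSCP value for their own filtering without re-running NBAR.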

  5. This is nothing new by arth1 · · Score: 4, Informative

    Rather than check if you have the latest version of norton installed... but perhaps I read it wrong?

    The way I read it, their marketing department has just found out that LinkSys (now Cisco's subsidiary) has had this functionality for years now, where the cheapo firewall routers can be configured to not give access to the outside unless certain AV software is installed on the host. So it's marketed as a new innovation -- there's probably half a dozen patents filed for it already, plus a bunch of different names under which this can be marketed.
    Problem is, it doesn't work except in very specific and small homogeneous installations.

    Regards,
    --
    *Art
  6. Re:And you thought the internet was slow now by rifter · · Score: 4, Informative

    "Traffic shaping" is a fucking joke right now. It's just a half-ass measure to get the low hanging fruit only. You don't know anything about protocols. Each OSI LAYER, eh? Who cares. How are you going to distinguish the individual files infected with viruses being transmitted if they use a proprietary protocol or compression or encryption of any kind?

    Simple. According to the article, and the post you replied to, they are not even going to try something as incredibly stupid as that. Instead, they will require authentication according to their own protocol which will allow them to determine whether you have antivirus software. Traffic from hosts without virus protection can then be treated differently than traffic from hosts which have it.

    As to Michael's comment about this requiring people to use Windows on every host, that's just silly. Cisco themselves use BSD and their customers are heavy into real OSs like Solaris, etc. They are not going to stop traffic from such hosts, even by default. I would be willing to bet that they are going to work in some way of identifying the type of host that they are getting the traffic from, and therefore allowing the administrator of the firewall to give Linux, Solaris, et al a pass in such cases.

    Cisco firewalls are not your little linksys router from Fry's or that 386 running OpenBSD over in the corner. They have pretty powerful hardware and very flexible software. You can construct some pretty neat rulesets and do very clever things, so this kind of thing is honestly not a surprise and certainly not beyond their capabilities.