Slashdot Mirror


Cisco Working to Block Viruses at the Router

macmouse writes "The San Francisco Chronicle has an article about Cisco and Anti-Virus companies working together to block viruses at the ISP (Router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light however, it might mean that you're required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/mac users who normally don't need or use AV software. Not to mention, being forced to purchase software from 'company x,y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."

25 of 369 comments

  1. And you thought the internet was slow now by Anonymous Coward · · Score: 2, Insightful

    ...expect 3 second delays per packet with this new ill-conceived plan. Routers would now have to be stateful and learn to distinguish files (and compressed files) over TCP connections. This is doomed to fail either because of its slow speed or due to the number of false virus matches it will find.

  2. question by xao+gypsie · · Score: 3, Insightful

    how does the fact that the router uses a packet shaper require the end user to have AV software? at my university, they use a packet shaper, and clients on the on-campus network do not have to have such software installed. this sounds like a great idea, tho...

    xao

    --
    xao
    http://TheHillforum.hopto.org

    1. Re:question by MindStalker · · Score: 2, Insightful

      "will be able to block network access to any computer or device that doesn't have its own security measures in place."

      The submitter is interpreting this to mean the router will block any computer that can't say "I'm secure," but I think in reality it means that the router will block any computer that seems to be doing bad things.

    2. Re:question by hazem · · Score: 5, Insightful

      Boy, and how long until a virus can make the response "yup, I'm secure"...

      I wonder if this is the next step in the "Trusted Secure Computing" world? Routers won't accept traffic from non-trusted computers?

  3. Questions by popa · · Score: 2, Insightful

    Damnit... first 3 comments are all trolls. Anyway, what will this mean as far as licensing issues? Right now you get a corp edition of virus software and that covers X amount of desktops. What about the guy that doesn't want the virus software, can it be disabled/purchased without? How would this work? Also, if I get a simple mail sending virus, how does my cisco KNOW that the email to my wife, and the viral email to my wife are different? I guess I don't need to worry about this, Cisco seems to be able to do it all.

  4. Perhaps no software needed... by DavidpFitz · · Score: 5, Insightful

    The article doesn't say that client software is required at all... it says that after some checks the user may be prompted to download some software (presumably from an internal source) before it can connect to the internet.

    However, if this original check is just done by some network security checking (ie. looking to see if there is a vulnerable version of SSH or a misconfigured IIS etc) then all that would need to be done would be to fix the potential exploit rather than install a piece of client software.

    Potentially, this would just be like running nmap and other similar tools against the machine in question to test it out for net-worthiness.

    It could also check for open mail relays, which could help in the Fight Against Spam (tm).

    D.

  5. I work for an ISP... by Cytlid · · Score: 5, Insightful

    ... and got my CCNA in June. We have a saying... "Let routers route and servers serve." Anti-virus is clearly an IT problem, but it's also a server responsibility. Not a router responsibility. I can't imagine supporting this. Every once in a while, we get someone (customer, whomever) who says "Oh! This new virus works on port 7654! Please block port 7654!" ... then I say "What happens if I run my website on port 7654? You can't get to it?". Limiting the function of a routing device because it might carry malicious code on an application level is a bad idea. This isn't a solution to the problem, this is another band-aid.

    --
    FLR

    1. Re:I work for an ISP... by Gaewyn+L+Knight · · Score: 2, Insightful

      Amen... especially since blocking those ports only stops it until someone brings their infected laptop on the inside and BOOM you have an outbreak.

      I work for a private university and during the luvsan outbreak even with all the interdepartment routers blocking its traffic we still ended up with rampant infections.

      The PHBs wondered how on earth that could happen... come to find out it was one of them... with their laptop and wireless card. They weren't even using the network at each location they went to but their connection was live and infecting everything locally.

      Goes to show... fix the PROBLEM... don't just slap a bandaid over it and hope the germs don't get in.

      --
      Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.

  6. Re:great by grub · · Score: 2, Insightful

    To me the surprising thing is all the antivirus companies chipping in to this project. They have a huge industry based on Microsoft's poor coding and won't give it up. This will (may?) slow down current viruses but there will be new types appearing. These companies have shareholders to appease.

    --
    Trolling is an art,

  7. Complaints Department, take a number by Anonymous Coward · · Score: 1, Insightful

    Lots of complaints, nobody looking on the bright side...cutting down the bandwidth used on your network, the internet and everywhere by silly viruses. I work for an ISP, this would be a Godsend in terms of saving on bandwidth both for us and for our customers.

    If we stop the viri at the router before it gets out, then it doesn't waste precious cycles and bandwidth elsewhere. Just my .02

  8. Re:LAN Systems by arth1 · · Score: 5, Insightful

    Also, how will the router check the security of devices where desktop security doesn't apply, like routers, printers, proxy servers, PDAs, or heck, even a promiscuous traffic logger?

    "Access to 'HP LaserJet 8000' on 10.16.2.88 denied. The Cisco DRM system has determined that this host listens to ports (80/tcp, 135/tcp, 515/tcp), but does not run approved virus protection software." Yes, I can imagine explaining that to a vice president at 7am...

    Regards,
    --
    *Art

  9. RTFA: This isn't about blocking traffic... by romcabrera · · Score: 5, Insightful

    RTFA: This is about blocking "network access to any computer or device that doesn't have its own security measures in place".

    That is way veeery different. Stations will be ENFORCED to have installed this software in networks with this scheme. WTF???

  10. It might even work. by BuilderBob · · Score: 5, Insightful

    It's entirely possible this article and the security program is directed at Windows users only. Neither Cisco nor the Anti-virus vendors are malicious enough (IMHO) to block Unix/Mac boxes because they don't need the anti-virus software the companies sell. The wild internet frontier of email-address-confirming porn and Gatorware is probably here to stay.

    It's also possible they might figure out a way to block certain versions of programs, say WuFTPd, from having an unsecured link to the outside world. This could help prevent a university network being used as a DDOS tool because a student didn't upgrade his ftp server. Or a mail server which doesn't smart-relay through an authenticating server to stop student PCs spamming.

    It's not always a virus that brings a network down. But when a university is forced to print 10,000 CDs with anti-virus and windows worm-removing tools to give to new students (who aren't allowed access to the university network if their box looks active on port 137) this might look like an alternative.

    The evil that it does bring is in the form of anti-Free networking, where Linux boxes are used to form cheap routers and gateways, without a Cisco(R)-Symantec(R) licensed monitoring system, your access to the larger internet may be limited by your upstream provider, ala Verisign certs.

    This system is probably for the intranet users to stop an OE/ IE virus bringing down their system before the poor tech guy patches the boxes.

  11. Corks in a Dam. by Adm1n · · Score: 2, Insightful

    Perhaps CISCO should concentrate on fixing the HOLES in IOS as opposed to fixing the HOLES in MS products? Either way, if they enable said features, it will be the first thing I disable during installation. :)

  12. Re:Implications? by MoonFog · · Score: 2, Insightful

    The article doesn't say much in the technical sense, but I would guess you could still swap source code etc. No antivirus software I've ever used has stopped me from downloading and / or sending source code.
    As for already compiled files ? We'll need a bit more information about what this AV will do, but I rarely send just one simple .exe file over to my friends for testing/debugging.

  13. Re:Security measures by tholomyes · · Score: 2, Insightful

    From what I've heard from Cisco (yesterday), it sounds like it is probably a proprietary response from the specific applications-- including Cisco's Security Agent, too, so you can't let the unprotected users get on (and infect) your internal network.

    I don't think Cisco's dumb enough to set it up so the response could be so easily faked. So it will take time to figure out how to, er, emulate those proprietary responses (*grin*).

    The OS fingerprinting is coming, too, a little further down the roadmap-- and then it can prevent users from getting on the network unless they have the latest Windows patches et cetera.

    Don't know what this means for us BSD/*nix users...

    --
    When did the future switch from being a promise to a threat? -C. Palahniuk

  14. If a site is so MS-centric by shoppa · · Score: 2, Insightful

    If a site is so MS-centric that they require I use MS software to send them E-mail, then I don't want to send them E-mail. It's that simple. There is a well-established process (RFCs) for Internet standards. If someone chooses to ignore them, they're the ones going off into fantasy land.

  15. Re:The reason... by nolife · · Score: 5, Insightful

    In conclusion, don't be so smug with your Linux machine during the next round of Welchia or Klez, because if Linux had the desktop market share of Windows, then YOU'D be feeling the pain.

    Bullshit. Could you describe how this would be possible? Is Pine or Balsa or [your email application here] integrated into the OS and have full access and scripting ability on your machine? Does it automatically run code and have the ability to add services to your computer that run automatically on startup? If this is possible I'd like to know how.

    --
    Bad boys rape our young girls but Violet gives willingly.

  16. Re:Implications? by forrestt · · Score: 2, Insightful

    If you couldn't send code-samples, or study exploits anymore, you probably also couldn't download virus definition updates. I don't think that the anti-virus companies would agree to that since the updates are where they make their money.

  17. Re:The reason... by TheMidget · · Score: 4, Insightful

    The reason is NOT because Windows is more insecure, or easier to write viruses for, even if that is the case. The reason is the market saturation. 90%.

    Why the hell is this classical moronic Windows-astroturfer-tripe moderated as insightful?

    Let me tell you something: we don't have to speak in what-if's; we can look at an actual situation: Web server market.

    According to netcraft, the most widely used Webserver is Apache. Now, do you see any Code Red worms on Apache? No.
    Do you see any Nimda worms on Apache? No.
    Do you see any other kind of worm on Apache? No.

    So there goes this nice theory. Next time a windows user trots out the old line of "windows is the primary target of viruses because of market penetration", smack him right into the face!

  18. This is actually a BAD thing. by Mirk · · Score: 2, Insightful

    This is a bad thing. Why? Because routers are one of those appliances, like toasters, that are supposed to Just Work. No magic, no "intelligence", no attempt to outguess the user - just do the damned job already. Route packets.

    As soon as that model is compromised, you have a new source of uncertainty every time you have to debug a network problem. When packets don't make it to their destination, is the problem a firewall at this end? Or at that end? OR - new possibility - funky anti-virus software on ANY ONE of the routers between here and there. You just can't tell.

    This is a nightmare in the making.

    --
    What short sigs we have -
    One hundred and twenty chars!
    Too short for haiku.

  19. Re:The reason... by Minna+Kirai · · Score: 2, Insightful

    The reason is NOT because Windows is more insecure, or easier to write viruses for, even if that is the case.

    No, Windows(r) truly is less secure. Not for the reason many people think, though.

    Windows is insecure because the OS developer is also the #1 applications developer. Most Windows exploits are from apps like IIS, Word, IE, and especially Outlook. But since Microsoft(tm) blends the applications into the OS, application exploits become equivalent to OS exploits.

  20. You would get blocked... by kandresen · · Score: 2, Insightful

    If you run a security scan against our server, you would get blocked instantly, thus no mail would be delivered, and you would lose the client confirmation we just sent you... I don't see corporations buying a router that would cut off their sales as well as the bad guys... I mean - I am not running the only server that bans security scans from unauthorized people and equipment.

    The only way you could check if a virus scanner had been used on the emails using our servers would be using header information inside the e-mail. A plain text header as is most common would be faked quickly, thus it would need to be an encrypted X-AV header or something that represents one of the latest AV definitions as well as the program. Now the routers would have to do all these lookups against the Antivirus vendors to verify it is valid - this is as easy as we currently look up spammer ip addresses on foreign servers today, thus makes business sense.

    The problem is that most businesses depend to some degree on e-mails for closing contracts etc. To lose out all clients that are not running selected brands of antivirus software and operating systems, would not make much business sense.
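
The header-attestation design that hazem (comment 2) and kandresen (comment 20) argue over, as an added example that is not part of the thread and is not Cisco's NAC protocol: a self-reported X-AV header passes a naive check, while a keyed (HMAC) attestation with a freshness window and a lookup against the vendor's latest definitions rejects forged, tampered and replayed headers and quarantines out-of-date ones. The header format, the product name "ExampleAV", the key and the definition versions are all constructed for the example.

```python
import hmac
import hashlib

# Constructed stand-in for the "lookup against the AV vendor": the latest
# definitions version the vendor currently publishes, per product.
VENDOR_LATEST_DEFS = {"ExampleAV": 20031120}   # hypothetical product/version

MAX_AGE_SECONDS = 300   # freshness window for an attestation (assumed policy)

def build_header(product, defs, ts, key):
    """Build a keyed 'X-AV' posture header (hypothetical format)."""
    body = f"product={product};defs={defs};ts={ts}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body};mac={mac}"

def parse_header(header):
    """Split 'k=v;k=v' into a dict; unknown or malformed parts are kept as-is."""
    fields = {}
    for part in header.split(";"):
        k, _, v = part.partition("=")
        fields[k] = v
    return fields

def plaintext_check(header):
    """The forgeable scheme: trusts whatever product the host claims to run."""
    f = parse_header(header)
    return "allow" if f.get("product") in VENDOR_LATEST_DEFS else "deny"

def verify_attestation(header, key, now):
    """Keyed scheme: MAC, freshness and definitions currency must all hold."""
    f = parse_header(header)
    try:
        product, defs = f["product"], int(f["defs"])
        ts, mac = int(f["ts"]), f["mac"]
    except (KeyError, ValueError):
        return "deny"                      # malformed header
    body = f"product={product};defs={defs};ts={ts}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return "deny"                      # forged or tampered header
    if abs(now - ts) > MAX_AGE_SECONDS:
        return "deny"                      # replayed or stale attestation
    latest = VENDOR_LATEST_DEFS.get(product)
    if latest is None:
        return "deny"                      # unknown product, nothing to verify against
    if defs < latest:
        return "quarantine"                # old definitions: send to remediation
    return "allow"
```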

  21. TRUSTED COMPUTING ALERT! TRUSTED COMPUTING ALERT! by Alsee · · Score: 3, Insightful

    Cisco's Network Admission Control program would enable companies to install on every PC and mobile device a client, called the Cisco Trust Agent, which could attest to certain levels of security...
    However, the technology won't work unless security software can tell the Trusted Agent application the current state of security on the computer or mobile device.
    "This important problem can't be addressed individually," said John Thompson, CEO of Symantec. "Collaboration is a must."
    The technology might also spur sales of PCs and devices that use trusted-computing hardware--controversial technology that uses encryption, special memory and security software to lock away secrets on a PC from prying eyes.

    To lock away secrets on a PC from the OWNER'S eyes! &%^#@! Trusted Computing!

    Symantec Corp. (Nasdaq:SYMC), today announced that it has joined forces with Cisco Systems to provide solutions that restrict network access to only compliant and trusted client machines including personal computers and PDAs.... Out-of-compliance machines may be denied access, quarantined, or sent to a separate location for remediation, while machines in compliance with the organizations' set policies will be granted access to the network.

    Trend Micro, Inc. (TSE:4704) (Nasdaq:TMIC), a leader in network antivirus and Internet content security software and services, today announced its support of the new Cisco(R) Network Admission Control Program

    THREE major router companies, Cisco, Symantec, and Trend Micro, are ALL supporting this initiative to lock non-TCPA computers out of the internet! #@%^$!

    If you are running Microsoft Windows you will be locked out of the internet unless you are running Palladium. If you are running Mac or Linux or anything else, you will be locked out of the internet unless you are running a Mac or Linux version of Palladium.

    I have repeatedly said in Trusted Computing discussions that sooner or later people not using it would start getting locked out of parts of the internet. Silly me, I thought that more and more websites would start using it and simply not serve you a page unless it was encrypted. I never considered that the basic internet hardware itself would deny you any connection at all! This is INSANE!

    The problem with Trusted Computing is easy to fix. There is absolutely nothing wrong with new hardware, but the owner has to have actual control over his machine. The owner MUST have his key. He could receive that key on a printed piece of paper, or he could get it somehow during the Take_Ownership command. There is no POSSIBLE justification to deny the owner this information. There is no POSSIBLE way that the owner could lose any protection. The hardware could be identical, therefore the hardware can do everything it could before. The only difference is that the computer can no longer be hijacked as a weapon against its owner.

    This trivial difference preserves EVERY claimed benefit of Trusted Computing and eliminates EVERY possible abuse of TCPA. Those backing Trusted Computing will NEVER permit such a change in the system because the very purpose of Trusted Computing is to enforce DRM and other abuses.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.

  22. Re:The reason... by koa · · Score: 3, Insightful

    I'll jump in on this one if I may as well....

    Granted there are security flaws in Linux, and they have been exploited, and there are probably vulnerabilities that noone has seen as of yet.

    That being said, one of the distinct OS differences is that Windows is an operating system that is homogeneous by design, allowing a single worm to infect in a pre-determined way so that the likelihood of mass infection is very high. Linux, on the other hand, is heterogeneous; I defy you to find identical email clients/servers, database clients/servers etc. configurations across a large area that could possibly be affected by any one specific attack.

    I've said it before, and I'll say it again; Windows is like what would happen if everyone on earth had the same exact immune system, one virus exploits a vulnerability in one host- it then moves on to the next. Linux/Unix is a lot closer to what we see now in biology. What may infect one immune system will not necessarily affect another.

    my .2

    --
    ....move along....nothing to see here....