Slashdot Mirror


Cisco Working to Block Viruses at the Router

macmouse writes "The San Francisco Chronicle has an article about Cisco and Anti-Virus companies working together to block viruses at the ISP (Router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light however, it might mean that you're required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/mac users who normally don't need or use AV software. Not to mention, being forced to purchase software from 'company x, y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."

56 of 369 comments

  1. And you though the internet was slow now by Anonymous Coward · · Score: 2, Insightful

    ...expect 3 second delays per packet with this new ill-conceived plan. Routers would now have to be stateful and learn to distinguish files (and compressed files) over TCP connections. This is doomed to fail either because of its slow speed or due to the number of false virus matches it will find.

    1. Re:And you though the internet was slow now by Anonymous Coward · · Score: 3, Informative

      You'll probably see this as a combination of the AV vendors' products generating warnings and classifying new virii, and Cisco's Network Based Application Recognition extensions to IOS then filtering the same. See this link about Code Red

      http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

      Of course, given enough traffic you could become CPU bound. Then you'll have to buy a Juniper :-)

    2. Re:And you though the internet was slow now by pyite · · Score: 3, Informative

      Did you read the article? The software doing the intelligent part will reside on the user's computer. The router will determine if the host attempting to make a connection has the relevant software installed. If not, it will be ACL'd. There's little the router is doing except creating the access control lists on the fly. Even if there was intelligence in the router, it would have to be done in a big box like a 6509 with a Content Switch card. FYI, the Content Switch card has a separate processor FOR EACH OSI LAYER. So, it can analyze each separately and do traffic shaping like that.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    3. Re:And you though the internet was slow now by Anonymous Coward · · Score: 4, Informative
      Problems with Cisco's approach are numerous. It would be trivial for virus writers to work around these shortcomings. The only real way to block viruses is to be 100% stateful and reconstitute complete files from IP and TCP/IP somehow. This would suck CPU and memory like no tomorrow. It's also a losing proposition given all the protocols out there.

      NBAR Restrictions

      When using NBAR with the methods in this document, note that the following features are not supported by NBAR:

      • More than 24 concurrent URLs, HOSTs or MIME type matches

      • Matching beyond the first 400 bytes in a URL

      • Non-IP traffic

      • Multicast and other non-CEF switching modes

      • Fragmented packets

      • Pipelined persistent HTTP requests

      • URL/HOST/MIME/ classification with secure HTTP

      • Asymmetric flows with stateful protocols

      • Packets originating from or destined to the router running NBAR

    4. Re:And you though the internet was slow now by rifter · · Score: 4, Informative

      "Traffic shaping" is a fucking joke right now. It's just a half-ass measure to get the low hanging fruit only. You don't know anything about protocols. Each OSI LAYER, eh? Who cares. How are you going to distinguish the individual files infected with viruses being transmitted if they use a proprietary protocol or compression or encryption of any kind.

      Simple. According to the article, and the post you replied to, they are not even going to try something as incredibly stupid as that. Instead, they will require authentication according to their own protocol which will allow them to determine whether you have antivirus software. Traffic from hosts without virus protection can then be treated differently than traffic from hosts which have it.

      As to Michael's comment about this requiring people to use Windows on every host, that's just silly. Cisco themselves use BSD and their customers are heavy into real OSs like Solaris, etc. They are not going to stop traffic from such hosts, even by default. I would be willing to bet that they are going to work in some way of identifying the type of host that they are getting the traffic from, and therefore allowing the administrator of the firewall to give Linux, Solaris, et al a pass in such cases.

      Cisco firewalls are not your little linksys router from Fry's or that 386 running OpenBSD over in the corner. They have pretty powerful hardware and very flexible software. You can construct some pretty neat rulesets and do very clever things, so this kind of thing is honestly not a surprise and certainly not beyond their capabilities.

  2. question by xao+gypsie · · Score: 3, Insightful

    how does the fact that the router uses a packet shaper require the end user to have AV software? at my university, they use a packet shaper, and clients on the on-campus network do not have to have such software installed. this sounds like a great idea, tho...

    xao

    --


    xao
    http://TheHillforum.hopto.org
    1. Re:question by LordKronos · · Score: 4, Informative

      RTFA:
      "The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network or forced to download a security program. "

    2. Re:question by MindStalker · · Score: 2, Insightful

      "will be able to block network access to any computer or device that doesn't have its own security measures in place."

      The submitter is interpreting this to mean the router will block any computer that can't say "I'm secure," but I think in reality it means the router will block any computer that seems to be doing bad things.

    3. Re:question by hazem · · Score: 5, Insightful

      Boy, and how long until a virus can make the response "yup, I'm secure"...

      I wonder if this is the next step in the "Trusted Secure Computing" world? Routers won't accept traffic from non-trusted computers?

  3. nmap on a router? by x-router · · Score: 5, Interesting
    I think what they are 'trying' to say is that the router itself will scan your machine in a nmap way to see if it can find problems.

    If it finds issues then it will drop you from the network or block that port / problem.

    Rather than check if you have the latest version of norton installed..but perhaps I read it wrong?

    1. Re:nmap on a router? by bmedwar · · Score: 2, Interesting

      My best guess is that you will VPN from your desktop to the edge router. This virtual connection will be signed so the router knows it can trust what your PC is reporting. The router won't establish the virtual connection unless you meet certain requirements in the info your PC sends during the handshake. After the connection is established, data will flow freely. This is my best (educated) guess.

      --
      --Brian
    2. Re:nmap on a router? by Florian+Weimer · · Score: 2, Interesting

      I think what they are 'trying' to say is that the router itself will scan your machine in a nmap way to see if it can find problems.

      From what I've heard, it's some kind of 802.1x extension which takes the patch status of the system into account. It requires a fair deal of cooperation from the host, and we'll see if it makes a difference. I'm sure malware will be adapted accordingly if there's widespread use of this functionality.

      The "scan before connect" idea has already been implemented by the NetReg project and its contributors.

  4. Implications? by spektr · · Score: 5, Interesting

    Does this mean that I can't talk about viruses using code-samples over the internet? I can't download and study exploits anymore? If there is any possibility to encode the virus-code to circumvent the filter, then the virus can possibly do the same...

    1. Re:Implications? by GoofyBoy · · Score: 3, Interesting

      Maybe even worse, it could be used for filtering out non-virus data, such as copyright infringing files or controversial political opinions.

      Then again, that might be just "Doesn't this shiny metallic hat look good on me?" talk.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    2. Re:Implications? by MoonFog · · Score: 2, Insightful

      The article doesn't say much in the technical sense, but I would guess you could still swap source code etc. No antivirus software I've ever used has stopped me from downloading and / or sending source code.
      As for already compiled files ? We'll need a bit more information about what this AV will do, but I rarely send just one simple .exe file over to my friends for testing/debugging.

    3. Re:Implications? by forrestt · · Score: 2, Insightful

      If you couldn't send code-samples, or study exploits anymore, you probably also couldn't download virus definition updates. I don't think that the anti-virus companies would agree to that since the updates are where they make their money.

  5. LAN Systems by grahamm · · Score: 3, Interesting

    Will it check that every computer connected to an internal network, probably hidden behind an internal NATing router, has the appropriate protection installed?

    1. Re:LAN Systems by arth1 · · Score: 5, Insightful

      Also, how will the router check the security of devices where desktop security doesn't apply, like routers, printers, proxy servers, PDAs, or heck, even a promiscuous traffic logger?

      "Access to 'HP LaserJet 8000' on 10.16.2.88 denied. The Cisco DRM system has determined that this host listens to ports (80/tcp, 135/tcp, 515/tcp), but does not run approved virus protection software." Yes, I can imagine explaining that to a vice president at 7am...

      Regards,
      --
      *Art

  6. Questions by popa · · Score: 2, Insightful

    Damnit... first 3 comments are all trolls. Anyway, what will this mean as far as licensing issues? Right now you get a corp edition of virus software and that covers X amount of desktops. What about the guy that doesn't want the virus software, can it be disabled/purchased without? How would this work? Also, if I get a simple mail sending virus, how does my cisco KNOW that the email to my wife, and the viral email to my wife are different? I guess I don't need to worry about this, Cisco seems to be able to do it all.

  7. We kinda do this at Rutgers by pyite · · Score: 5, Interesting

    We sort of do this at Rutgers University. This summer was absolutely crazy for the network, due to all the worms and such. A new policy was instituted which requires users to visit a website which checks their operating system. If they're running Windows, they are *required* to download a scanner that checks for the relevant worms and installs Anti-Virus software. Users running alternative operating systems are completely exempt. It just says "There are currently no additional requirements for running Linux on the residential network." We've just begun shutting people off who fail to comply with the policy. I, for one, like it. However, the routers start to get overloaded if they have too many access control lists because they have trouble running them on the ASICs. So, they have to run in software mode, which starts to slow things down.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  8. Perhaps no software needed... by DavidpFitz · · Score: 5, Insightful

    The article doesn't say that client software is required at all... it says that after some checks the user may be prompted to download some software (presumably from an internal source) before it can connect to the internet.

    However, if this original check is just done by some network security checking (ie. looking to see if there is a vulnerable version of SSH or a misconfigured IIS etc) then all that would need to be done would be to fix the potential exploit rather than install a piece of client software.

    Potentially, this would just be like running nmap and other similar tools against the machine in question to test it out for net-worthiness.

    It could also check for open mail relays, which could help in the Fight Against Spam (tm).

    D.

  9. Routers are transparent to end systems by cpghost · · Score: 4, Interesting

    End systems are not affected by routers dropping IP packets with harmful content. All that end systems see are IP packets. They may see less of them, if filtering is enabled on the router, but the packets have nothing special about them that would need AV software on the clients.

    But, a router doesn't always have to drop packets. It could tag them with a special marker, and clients could then react accordingly, e.g. by dropping them in their TCP/IP stack.

    This could be somewhat similar to what SpamAssassin does, when tagging spam mail with an X-Spam header. It's up to the mail user agent to decide what to do with mails tagged that way.

    --
    cpghost at Cordula's Web.
  10. I work for an ISP... by Cytlid · · Score: 5, Insightful

    ... and got my CCNA in June. We have a saying... "Let routers route and servers serve." Anti-virus is clearly an IT problem, but it's also a server responsibility. Not a router responsibility. I can't imagine supporting this. Every once in a while, we get someone (customer, whomever) who says "Oh! This new virus works on port 7654! Please block port 7654!" ... then I say "What happens if I run my website on port 7654? You can't get to it?". Limiting the function of a routing device because it might carry malicious code on an application level is a bad idea. This isn't a solution to the problem, this is another band-aid.

    --
    FLR
    1. Re:I work for an ISP... by Gaewyn+L+Knight · · Score: 2, Insightful

      Amen... especially since blocking those ports only stops it until someone brings their infected laptop on the inside and BOOM you have an outbreak.

      I work for a private university and during the luvsan outbreak even with all the interdepartment routers blocking its traffic we still ended up with rampant infections.

      The PHBs wondered how on earth that could happen... come to find out it was one of them... with their laptop and wireless card. They weren't even using the network at each location they went to but their connection was live and infecting everything locally.

      Goes to show... fix the PROBLEM... don't just slap a bandaid over it and hope the germs don't get in.

      --
      Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
    2. Re:I work for an ISP... by sonofasailor · · Score: 2, Interesting

      So exactly how do I remove the viruses that don't reside on my computer? These are the ones that generate all the crap traffic. I can drop at my router, but why should I clog my pipe. For that matter why would an ISP want to deal with traffic congestion on their core due to crap traffic? My provider has placed traffic shaping on my stream before, both on their own because they were so congested (and they notified me), and also at my request. The police patrol the street not my house on a regular basis, think about it!

    3. Re:I work for an ISP... by Asprin · · Score: 2, Interesting

      Agreed, but I don't think we'll get a *complete* solution to this until MS un-activates all of their APIs and rolls new ones out to the existing 9x-XP desktops. I think they can see the handwriting on the wall about this (and that's really why Linux and DRM are so important to them right now) but they are slow to implement the changes, let's face it, their entire corporate business model is strategerized around making it easy for developers to script, code and remotely activate EVERYTHING, and this is a conflicting interest with that strategery.

      If we (the general universe of software buyers, not the /. audience) are going to stick with MS Windows as our #1 choice for A desktop OS, then the problem for us is that at whatever point MS decides to do "the right thing", we're probably three to five years from the ideal solution being fully implemented.

      --
      "Lawyers are for sucks."
      - Doug McKenzie
    4. Re:I work for an ISP... by duggy_92127 · · Score: 2, Interesting
      We have a saying... "Let routers route and servers serve."

      By and large, this is, of course, correct. But that's not to say that there aren't some sane roles for a router to play in network and even system security.

      Here's a random thing I thought of, tell me if this seems sane. You're running a network of machines; you want to make sure these machines all have a certain patchlevel in order to participate.

      So, each machine has software installed that keeps track of which patches are installed on the machine. When the machine starts up, it does the following: contact DHCP/router and get an address. Router goes into 'lockdown' mode for that addy, which means only letting it talk to one server. Machine contacts that server for a patch list. If the machine is up to date, it contacts the router and router turns off 'lockdown' mode. If it's not, software comes up to install patch from the server.

      Of course, I've left out some details on a proper implementation, but isn't this a fairly sane way for a router to participate and cooperate in order to try and keep a network "safe"?

      Doug
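
The lockdown-then-verify flow Doug sketches above, as an added toy model that is not Cisco's or any vendor's code (the patch-server address, the patch identifiers and the shared agent key are assumptions): the router confines a freshly leased address to the patch server and releases it only on an HMAC-authenticated, complete posture report, which is what keeps a bare "yup, I'm secure" reply from an infected host from lifting the lockdown.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

PATCH_SERVER = "10.0.0.5"                           # assumed address of the patch server
REQUIRED_PATCHES = {"KB-001", "KB-002", "KB-003"}   # constructed patch identifiers
AGENT_KEY = b"constructed-shared-secret"            # assumed key provisioned to each host agent


def sign_report(addr: str, patches) -> dict:
    """Host agent: build a posture report and authenticate it with an HMAC.
    Without the MAC the router would be trusting a bare 'I'm secure' claim."""
    body = {"addr": addr, "patches": sorted(patches)}
    canon = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(AGENT_KEY, canon, hashlib.sha256).hexdigest()
    return body


def verify_report(report: dict) -> bool:
    """Router side: recompute the MAC over the claimed fields, compare in constant time."""
    body = {"addr": report.get("addr"), "patches": sorted(report.get("patches", []))}
    canon = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(AGENT_KEY, canon, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(report.get("mac", "")))


def missing_patches(installed) -> list:
    """Patch server: tell the host which required patches it still lacks."""
    return sorted(REQUIRED_PATCHES - set(installed))


@dataclass
class Router:
    """Edge router that starts every new lease in lockdown."""
    locked: dict = field(default_factory=dict)   # addr -> True while quarantined

    def lease(self, addr: str) -> None:
        self.locked[addr] = True                  # DHCP lease handed out: lockdown on

    def permits(self, src: str, dst: str) -> bool:
        """While locked, the host may talk only to the patch server."""
        if not self.locked.get(src, False):
            return True
        return dst == PATCH_SERVER

    def release(self, addr: str, report: dict) -> bool:
        """Lift lockdown only for an authenticated, address-matching, complete report."""
        if not verify_report(report):
            return False                          # forged or tampered claim
        if report["addr"] != addr:
            return False                          # report replayed from another host
        if not REQUIRED_PATCHES <= set(report["patches"]):
            return False                          # still missing patches
        self.locked[addr] = False
        return True


def bootstrap(router: Router, addr: str, installed) -> list:
    """Run the whole exchange for one host and return the steps taken, in order."""
    installed = set(installed)
    trace = []
    router.lease(addr)
    trace.append("lease:lockdown")
    # Anything other than the patch server is dropped while locked down.
    trace.append("internet:" + ("allowed" if router.permits(addr, "198.51.100.7") else "blocked"))
    # The host may still reach the patch server to learn what it is missing.
    trace.append("patchserver:" + ("allowed" if router.permits(addr, PATCH_SERVER) else "blocked"))
    for patch in missing_patches(installed):
        installed.add(patch)                      # host-side installer applies it
        trace.append("install:" + patch)
    released = router.release(addr, sign_report(addr, installed))
    trace.append("release:" + ("ok" if released else "denied"))
    return trace
```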

  11. Lame by Smuj · · Score: 2

    Okay, first of all, this won't require anyone to install any client application anywhere. That's the point. The filters would steer away malware at the router, before it even reaches the user.

    Secondly, this is a good idea, so long as it's implemented only at gateways to private networks. Signature based filtering is bound to block some legit traffic, and network admins need to keep that in mind when implementing this kind of functionality.

    Third, Cisco routers already do this to some extent. You can block some malware using NBAR (network based application recognition) and ACL's. (It's a good thing. It helped me make Code Red go away on my network back in the day.) This feature is a logical next step.

    And finally, does anyone actually read these things before they post them (michael)? Even if you overlooked the grammatical errors, the factual inconsistencies alone should have kept this thing from ever hitting the front page.

  12. different approach that may just work by pvt_medic · · Score: 2, Interesting

    This is an interesting approach that may prove to be effective. The problem in the past in fighting viruses is that you have to have each individual computer updated. Most computers just were not updated regularly, despite the development of automatic systems. But by placing strategic routers across the internet and having them filter through these you could effectively fight viruses as effectively as any AV software could. I know my university scans all incoming e-mails and cleanses them, I think I have only once in my career here then received an infected e-mail. You do get into some ethical dilemmas if you implement this on a global scale though. Is it ok for the backbone of the internet to filter content? It's one thing for an ISP to do this, but what if a country like China wants to deem certain traffic dangerous and have them cleansed by the routers as well. (maybe not the best example since they do have the great China firewall, but you get the picture)

    --
    30% Troll, 50% Underrated, 10% Interesting
    Score:5, Troll
  13. Security measures by pjrc · · Score: 4, Interesting
    From the article:

    Any device trying to connect to the network will be checked to see whether it has security measures already in place.

    I just gotta wonder if this is going to look for any response on certain ports like 135-139, or if Cisco is specifically going to check for a proprietary response from the products of Network Asc, Symantec and Trend Micro?

    What it ought to do is a TCP fingerprint and look for any Microsoft Windows operating system.

    1. Re:Security measures by tholomyes · · Score: 2, Insightful

      From what I've heard from Cisco (yesterday), it sounds like it is probably a proprietary response from the specific applications-- including Cisco's Security Agent, too, so you can't let the unprotected users get on (and infect) your internal network.

      I don't think Cisco's dumb enough to set it up so the response could be so easily faked. So it will take time to figure out how to, er, emulate those proprietary responses (*grin*).

      The OS fingerprinting is coming, too, a little further down the roadmap-- and then can prevent users from getting on the network unless they have the latest Windows patches et cetera.

      Don't know what this means for us BSD/*nix users...

      --
      When did the future switch from being a promise to a threat? -C. Palahniuk
  14. Re:great by grub · · Score: 2, Insightful

    To me the surprising thing is all the antivirus companies chipping in to this project. They have a huge industry based on Microsoft's poor coding and won't give it up. This will (may?) slow down current viruses but there will be new types appearing. These companies have shareholders to appease.

    --
    Trolling is a art,
  15. I don't mind this by digitalgimpus · · Score: 3, Interesting

    I'm sure an open source product will allow Mac/Nix users to access such networks (at no cost).

    Would make computing much more secure.

    It's still annoying for Mac/nix users to get thousands of annoying virus emails from their windows friends (if you can call them friends).

    Every product normally starts out with 1 company producing it... if it's good, normally clones come about.

  16. RTFA: This isn't about blocking traffic... by romcabrera · · Score: 5, Insightful
    RTFA: This is about blocking "network access to any computer or device that doesn't have its own security measures in place".

    That is way veeery different. Stations will be ENFORCED to have installed this software in networks with this scheme. WTF???

  17. It might even work. by BuilderBob · · Score: 5, Insightful

    It's entirely possible this article and the security program is directed at Windows users only. Neither Cisco nor the Anti-virus vendors are malicious enough (IMHO) to block Unix/Mac boxes because they don't need the anti-virus software the companies sell. The wild internet frontier of email-address-confirming porn and Gatorware is probably here to stay.

    It's also possible they might figure out a way to block certain versions of programs, say WuFTPd, from having an unsecured link to the outside world. This could help prevent a university network being used as a DDOS tool because a student didn't upgrade his ftp server. Or a mail server which doesn't smart-relay through an authenticating server to stop student PC's spamming.

    It's not always a virus that brings a network down. But when a university is forced to print 10,000 CDs with anti-virus and windows worm-removing tools to give to new students (who aren't allowed access to the university network if their box looks active on port 137) this might look like an alternative.

    The evil that it does bring is in the form of anti-Free networking, where Linux boxes are used to form cheap routers and gateways, without a Cisco(R)-Symantec(R) licensed monitoring system, your access to the larger internet may be limited by your upstream provider, a la Verisign certs.

    This system is probably for the intranet users to stop an OE/ IE virus bringing down their system before the poor tech guy patches the boxes.

  18. Corks in a Dam. by Adm1n · · Score: 2, Insightful

    Perhaps CISCO should concentrate on fixing the HOLES in IOS as opposed to the Fixing the HOLES in MS products? Either Way, if they enable said features, it will be the first thing I disable during installation. :)

  19. This is nothing new by arth1 · · Score: 4, Informative
    Rather than check if you have the latest version of norton installed..but perhaps I read it wrong?

    The way I read it, their marketing department has just found out that LinkSys (now Cisco's subsidiary) has had this functionality for years now, where the cheapo firewall routers can be configured to not give access to the outside unless certain AV software is installed on the host. So it's marketed as a new innovation -- there's probably half a dozen patents filed for it already, plus a bunch of different names under which this can be marketed.
    Problem is, it doesn't work except in very specific and small homogeneous installations.

    Regards,
    --
    *Art
  20. The worst virus is the antivirus software itself by truth_revealed · · Score: 4, Funny

    Antivirus software slows down your machine to a third of its original speed. Disable it and see for yourself. You'll never use that junk again.

    I have a much more comprehensive scheme for identifying viruses anyway. I have modified my OS to pop a dialog for each incoming letter and verify if I want to accept it or not:

    You have received the letter "G" from IP address 192.132.54.99 on port 492.
    Some viruses are known to have the letter "G".
    Would you like to accept it?
    Yes No

    You have received the letter "r" from IP address 192.132.54.99 on port 492.
    Some viruses are known to have the letter "r".
    Would you like to accept it?
    Yes No

    You have received the letter "e" from IP address 192.132.54.99 on port 492.
    Some viruses are known to have the letter "e".
    Would you like to accept it?
    Yes No

  21. If a site is so MS-centric by shoppa · · Score: 2, Insightful

    If a site is so MS-centric that they require I use MS software to send them E-mail, then I don't want to send them E-mail. It's that simple. There is a well-established process (RFC's) for Internet standards. If someone chooses to ignore them, they're the ones going off into fantasy land.

  22. Re:The reason... by nolife · · Score: 5, Insightful

    In conclusion, don't be so smug with your Linux machine during the next round of Welchia or Klez, because if Linux had the desktop market share of Windows, then YOU'D be feeling the pain.

    Bullshit. Could you describe how this would be possible? Is Pine or Balsa or [your email application here] integrated into the OS and have full access and scripting ability on your machine? Does it automatically run code and have the ability to add services to your computer that run automatically on startup? If this is possible I'd like to know how.

    --
    Bad boys rape our young girls but Violet gives willingly.
  23. Re:The reason... by TheMidget · · Score: 4, Insightful
    The reason is NOT because Windows is more insecure, or easier to write viruses for, even if that is the case. The reason is the market saturation. 90%.

    Why the hell is this classical moronic Windows-astroturfer-tripe moderated as insightful?

    Let me tell you something: we don't have to speak in what-if's; we can look at an actual situation: Web server market.

    According to netcraft, the most widely used Webserver is Apache. Now, do you see any Code Red worms on Apache? No.
    Do you see any Nimda worms on Apache? No.
    Do you see any other kind of worm on Apache? No

    So there goes this nice theory. Next time a windows user trots out the old line of "windows is the primary target of viruses because of market penetration", smack him right into the face!

  24. Use a Blackhole Router by Robert+Hayden · · Score: 2, Informative

    Use a blackhole routing system instead of ACLs. easier to manage and because it uses uRPF to do the drops, it's very hardware friendly. I posted a summary on NANOG about two weeks ago how I did this at the University of Wisconsin.

  25. This is actually a BAD thing. by Mirk · · Score: 2, Insightful
    This is a bad thing. Why? Because routers are one of those appliances, like toasters, that are supposed to Just Work. No magic, no "intelligence", no attempt to outguess the user - just do the damned job already. Route packets.

    As soon as that model is compromised, you have a new source of uncertainty every time you have to debug a network problem. When packets don't make it to their destination, is the problem a firewall at this end? Or at that end? OR - new possibility - funky anti-virus software on ANY ONE of the routers between here and there. You just can't tell.

    This is a nightmare in the making.

    --

    --
    What short sigs we have -
    One hundred and twenty chars!
    Too short for haiku.
  26. Re:The reason... by Minna+Kirai · · Score: 2, Insightful

    The reason is NOT because Windows is more insecure, or easier to write viruses for, even if that is the case.

    No, Windows(r) truly is less secure. Not for the reason many people think, though.

    Windows is insecure because the OS developer is also the #1 applications developer. Most Windows exploits are from apps like IIS, Word, IE, and especially Outlook. But since Microsoft(tm) blends the applications into the OS, application exploits become equivalent to OS exploits.

  27. Re:Censorship in the Router? by Minna+Kirai · · Score: 2, Interesting
    I'm going to reproduce Speare's comment which was unfairly put at -1, because he's basically correct:
    1. The router is the new favorite device for censorship. It's the last single-point-of-diversion before the network spreads out again, into the home or office department.

    2. How long before libraries are forced to use scary, sealed products with cuddly names like RouterNanny or RightRoute or PopCop? Where librarians can't adjust or override those kill lists?

    Speare's right because the only way "virus scanning in the router" can work is if the routers have the ability to read the contents of all packets. That means that encrypted connections will be forbidden: the router can't check if there's a virus inside, so to play things safe it must assume the worst and drop the packet.

    Thus, government wiretappers, criminal eavesdroppers, and other nasty-types will have their livelihoods secured. Citizens won't be able to avoid surveillance by encrypting their own data, and Big Brother will watch over us all.
  28. You would get blocked... by kandresen · · Score: 2, Insightful

    If you run a security scan against our server, you would get blocked instantly, thus no mail would be delivered, and you would loose the client confirmation we just sent you... I don't see corporations buying a router that would cut of their sales as well as the bad guys... I mean - I am not running the only server that ban security scans from unauthorized people and equipment.

    The only way you could check if a virus scanner had been used on the emails using our servers would be using header information inside the e-mail. A plain text header as is most common would be faked quickly, thus it would need to be a encrypted X-AV header or something that represent one of the latest AV definitions as well as the program. Now the routers would have to do all these lookups against the Antivirus vendors to verify it is valid - this is as easy as we currently look up spammer ip addresses on foreign servers today, thus makes business sence.

    The problem is that most businesses depend to some degree on e-mails for closing contracts etc. To lose all clients that are not running selected brands of antivirus software and operating systems would not make much business sense.

  29. Re:Uh by julesh · · Score: 3, Interesting

    All that means is that Linux and Mac users are going to have to keep up with patches too (and yes, there *are* occasional holes for those systems, just not worms)

    Speaking as someone who was nearly infected by a Linux worm through a BIND exploit, I can confirm that such things do exist and are in the wild.

    The worm in question attempted to install a back door into my machine and was foiled by the greatest security measure ever taken: not having a LF on the end of /etc/inetd.conf (!)

  30. This is called client compliancy.... by nvrrobx · · Score: 2, Interesting

    Okay... This setup is usually called "client compliancy" and is starting to become common amongst VPN solutions. The VPN server will check your machine upon connection for antivirus software, virus definition version / dates, and possibly client firewall software.

    Saying that ISPs will start requiring it is purely speculation and sensationalism.. Oh wait, I am on Slashdot.

    Anyhow, just because a Mac doesn't get targeted for viruses much doesn't mean you shouldn't run antivirus software. What happens the day a Mac virus DOES get out in the wild? The same goes for *NIX systems.

    And, umm, yes, a Linux machine can be susceptible to Windows viruses. Think about a MS Word macro virus if you're using CrossOver Office and happen to have an infected file...

    Disclaimer: I work for a major antivirus company. If you don't use our product, you should at least have some sort of protection on your machine. There are some free alternatives, too.
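
    The posture check sketched in the two comments above (a signed X-AV header the enforcement point can verify, and a client-compliancy check of product version and definition date) as an added Python example; it is not code from the article, from Cisco, or from any commenter. The vendor key, the header layout, and the policy thresholds are assumptions, and the shared-secret HMAC stands in for whatever vendor-signed attestation a real product would use.

```python
import hmac
import hashlib
import json
from datetime import date

# Constructed demo key: in a real deployment the AV vendor would provision a
# per-product secret (or a signing key pair) to its client and to the checker.
VENDOR_KEYS = {"ExampleAV": b"constructed-demo-key-not-for-real-use"}


def sign_posture(vendor, version, defs_date, key):
    """Client side: emit a posture claim plus an HMAC over it (hypothetical X-AV header)."""
    body = json.dumps({"vendor": vendor, "version": version, "defs": defs_date},
                      sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + mac


def verify_posture(header, today, max_defs_age_days=7, min_version=(7, 0)):
    """Enforcement point: accept only a claim the vendor key actually signed, and
    only if product version and definition age satisfy policy. Returns (allowed, reason)."""
    try:
        body, mac = header.rsplit("|", 1)
        claim = json.loads(body)
        version = tuple(int(x) for x in claim["version"].split("."))
        defs = date.fromisoformat(claim["defs"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed header"
    key = VENDOR_KEYS.get(claim.get("vendor"))
    if key is None:
        return False, "unknown vendor"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        # A plain-text header that was simply edited or pasted in fails here.
        return False, "bad signature"
    if version < min_version:
        return False, "product too old"
    if (today - defs).days > max_defs_age_days:
        return False, "definitions stale"
    return True, "compliant"
```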

  31. yet another wrong approach by mabu · · Score: 2, Interesting

    This is yet another mafia subscription boondoggle that corporate america wants to foist on the public. It's also another security/business model that only is of value if worms and other undesirable traffic continue to propagate. The tech community should not buy into these schemes because they do not really cure the problem, merely promise a slightly-effective treatment (at best) that will require an ongoing investment of time, money and resources to even function.

    I keep saying, the best way to reduce worm propagation is through a sanctioned smtp whitelist since most compromised systems use smtp as the transmission vehicle, and most originate from spontaneous, unauthorized mail relays that the worms themselves introduce.

    As for other means of worm propagation, a compromised server would easily generate a typical DOS profile that a well-configured network should already identify and deal with, regardless of this client-server-extra-software provision Cisco is trying to impose, which would require constant updating and more money to maintain.

  32. Eh? by wytcld · · Score: 2, Informative

    So the Cisco tries to check if the computer trying to connect has approved AV software running. The Cisco itself isn't running the software, it's forcing the connecting system to. If the system connecting is a *nix router doing NAT, with a bunch of Windows boxes behind it, what's the Cisco's behavior? If it goes back to the IP it sees a *nix box, but the traffic is from a Windows box which just might have a virus, unless good AV software is running on it (despite the firewall - your travelling staff just plugged in their laptop in the office).

    The only way this does any good is if the Cisco has the *nix box prove that it is running AV software doing content analysis on the stream from the Windows box, or else software that relays to the Windows box the demand to show credentials. Either way this means that there will likely be a necessary licensing fee for AV or credentials checking software for whatever router you want to have talk to a Cisco.

    Very clever. Cisco doesn't take the load on their hardware (except for the trivial task of demanding your licensed credentials), and forces you to license software from one of its partners, and to take the load on your hardware.

    This is sort of like the police responding to a burglary epidemic by requiring all homeowners to install lead shielding on their doors and windows, with a kickback to the police athletic fund for each shielding installation.

    --
    "with their freedom lost all virtue lose" - Milton
  33. TRUSTED COMPUTING ALERT! TRUSTED COMPUTING ALERT! by Alsee · · Score: 3, Insightful

    Cisco's Network Admission Control program would enable companies to install on every PC and mobile device a client, called the Cisco Trust Agent, which could attest to certain levels of security...
    However, the technology won't work unless security software can tell the Trusted Agent application the current state of security on the computer or mobile device.
    "This important problem can't be addressed individually," said John Thompson, CEO of Symantec. "Collaboration is a must."
    The technology might also spur sales of PCs and devices that use trusted-computing hardware--controversial technology that uses encryption, special memory and security software to lock away secrets on a PC from prying eyes.

    To lock away secrets on a PC from the OWNERS eyes! &%^#@! Trusted Computing!

    Symantec Corp. (Nasdaq:SYMC), today announced that it has joined forces with Cisco Systems to provide solutions that restrict network access to only compliant and trusted client machines including personal computers and PDAs.... Out-of-compliance machines may be denied access, quarantined, or sent to a separate location for remediation, while machines in compliance with the organizations' set policies will be granted access to the network.

    Trend Micro, Inc. (TSE:4704) (Nasdaq:TMIC), a leader in network antivirus and Internet content security software and services, today announced its support of the new Cisco(R) Network Admission Control Program

    THREE major router companies, Cisco, Symantec, and Trend Micro, are ALL supporting this initiative to lock non-TCPA computers out of the internet! #@%^$!

    If you are running Microsoft Windows you will be locked out of the internet unless you are running Palladium. If you are running Mac or Linux or anything else, you will be locked out of the internet unless you are running a Mac or Linux version of Palladium.

    I have repeatedly said in Trusted Computing discussions that sooner or later people not using it would start getting locked out of parts of the internet. Silly me, I thought that more and more websites would start using it and simply not serve you a page unless it was encrypted. I never considered that the basic internet hardware itself would deny you any connection at all! This is INSANE!

    The problem with Trusted Computing is easy to fix. There is absolutely nothing wrong with new hardware, but the owner has to have actual control over his machine. The owner MUST have his key. He could receive that key on a printed piece of paper, or he could get it somehow during the Take_Ownership command. There is no POSSIBLE justification to deny the owner this information. There is no POSSIBLE way that the owner could lose any protection. The hardware could be identical, therefore the hardware can do everything it could before. The only difference is that the computer can no longer be hijacked as a weapon against its owner.

    This trivial difference preserves EVERY claimed benefit of Trusted Computing and eliminates EVERY possible abuse of TCPA. Those backing Trusted Computing will NEVER permit such a change in the system because the very purpose of Trusted Computing is to enforce DRM and other abuses.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  34. Great solution by ahuq · · Score: 2, Interesting

    I think this would definitely be a good solution for Universities to manage the traffic on their network and in terms of preventing infections. There are too many students that come in with infected machines and are too ignorant to install antivirus software. I don't know how much more load it is going to place on routers but I hope it works better than writing ACLs.

  35. Re:The reason... by koa · · Score: 3, Insightful

    I'll jump in on this one if I may as well....

    Granted there are security flaws in Linux, and they have been exploited, and there are probably vulnerabilities that no one has seen as of yet.

    That being said, one of the distinct OS differences is that windows as an operating system is homogeneous by design, allowing a single worm to infect in a pre-determined way so that the likelihood of mass infection is very high. Linux, on the other hand, is heterogeneous; I defy you to find identical email clients/servers, database clients/servers etc. configurations across a large area that could possibly be affected by any one specific attack.

    I've said it before, and I'll say it again; windows is like what would happen if everyone on earth had the same exact immune system, one virus exploits a vulnerability in one host- it then moves on to the next. Linux/Unix is a lot closer to what we see now in biology. What may infect one immune system will not necessarily affect another.

    my .2

    --
    ....move along....nothing to see here....
  36. This is what we do at work: by edunbar93 · · Score: 2, Interesting

    I'm the sysadmin for a small ISP. Some of our customers (namely, the corporate ones with lots of cash) already have this on a smaller scale. Their firewall/router checks to see if VirusScan is running on the end-users' computer, and if it's not, it installs it. At least, if you've bought enough licenses to cover all the workstations you have. Excess workstations don't get antivirus, and they also don't get online - at least until you shut that feature off for that IP. Of course, it's desirable to upgrade the number of licenses. It's pretty scary to be running a corporate network with only one computer not virus scanning when you see headlines like this one.

    So that's our corporate customers. We also have qmailscanner filtering all our mail using F-prot (they have per-server licenses for decent rates, not the retarded per-client ones that would quickly bankrupt any ISP), which cuts problems on our ADSL network by about 75% or more. It's worth noting however that even with a 2.3 Ghz CPU, the server load is typically about 2.5 or 3.0 at any given time. This kind of scanning for the 150,000 messages a day we get would have been impossible only three years ago.

    Would we start using a router like the one Cisco came out with? Hell no. 10% of our customers actually have a clue, and they usually pay for a more expensive internet account. To lose hundreds of our best customers over something like this would be stupid. As well, if we used a router that required a specific virus scanner (like our corporate customers have), it could alienate as much as 60% of the people who have already bought a virus scanner that *isn't* the virus scanner the router requires.

    No. This is not something you subject the general public to.

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  37. Re:impossible to stop viruses on windows for idiot by Natzschen · · Score: 3, Funny

    We run some proprietary hardware where I work that only currently has driver support for Windows NT. Thus, we have one box that runs NT. When we did a re-install on it, we installed NT, then immediately patched up everything. Before the patches had even finished installing, it had already caught blaster and a variety of other things. It was like leaving a gaping wound open in a cesspool. I agree, virus software can only really work well as a reactive measure. In order to protect your machine, your OS needs a strict set of access and execution permissions so, say, your mp3 player or web browser can't format your hard drive or add bizarre crap to your configuration files. That being said, there are plenty of viruses that infect you without having you run an unknown executable at all. They're called buffer overrun exploits, and if you think Windows 98 is free of them, then you're pretty deluded.

  38. Re:You cannot possibly keep up by rifter · · Score: 2, Informative

    real great solution, what happens when i get that user that has win95 and a version of norton just as old. Your computers says "Hey big boy I have some super spanky AV installed. Let my mail through!"
    "Duh! ok boss"
    Great that they're trying something new, this just doesn't seem too hard to circumvent.

    Win95's old Norton will not be able to authenticate to this system. You will have to buy the brand new software that ties into the validation system. If they do this the smart way, that will include checking version of software and date of virus defs. You did notice that all the big antivirus manufacturers are part of the system, right?

    I think it will be circumventable, but not easily if they do this right, and any circumvention of the system will require a significant increase in virus payload. Besides, before the person who can be infected gets infected, they will notice they cannot connect to their ISP (or their work firewall) and get the updated software. It's a pretty elegant solution IMHO.