Slashdot Mirror
Cisco Working to Block Viruses at the Router
macmouse writes "The San Francisco Chronicle has an article about Cisco and Anti-Virus companies working together to block viruses at the ISP (Router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in an negative light however, it might mean that your required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/mac users which normally don't need or use AV software. Not to mention, being forced to purchase software from 'company x,y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."
how does the fact that the router uses a packet shaper require the end user to have AV software? at my university, they use a packet shaper, and clients on the on-campus network do not have to have such software installed. this sounds like a great idea, tho...
xao
xao
http://TheHillforum.hopto.org
If it finds issues then it will drop you from the network or block that port / problem.
Rather than check if you have the latest version of norton installed..but perhaps I read it wrong?
Does this mean that I can't talk about viruses using code-samples over the internet? I can't download and study exploits anymore? If there is any possibility to encode the virus-code to circumvent the filter, then the virus can possibly do the same...
Will it check that every computer connected to an internal network, probably hidden behind an internal NATing router, has the appropriate protection installed?
We sort of do this at Rutgers University This summer was absolutely crazy for the network, due to all the worms and such. A new policy was instituted which requires users to visit a website which checks their operating system. If they're running Windows, they are *required* to download a scanner that checks for the relevant worms and installs Anti-Virus software. Users running alternative operating systems are completely exempt. It just says "There are currently no additional requirements for running Linux on the residential network." We've just begun shutting people off who fail to comply with the policy. I, for one, like it. However, the routers start to get overloaded if they have too many access control lists because they have trouble running them on the ASICs. So, they have to run in software mode, which starts to slow things down.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
The article doesn't say that client software is required at all... it says that after some checks the user may be prompted to download some software (presumably from an internal source) before it can connec to the internet.
However, if this original check is just done by some network secutiry checking (ie. looking to see if there is a vulnerable version of SSH or a misconfigured IIS etc) then all that would needed to be done would be to fix the potential exploit rather than install a piece of client software.
Potentially, this would just be like running nmap and other similar tools against the machine in question to test it out fot net-worthiness.
It could also check for open mail relays, which could help in the Fight Against Spam (tm).
D.
You'll probably see this as a combination of the AV vendors products generating warningsand classifying new virii, and Cisco's Network Based Application Recognition extensions to IOS then filtering the same. See this link about Code Red
d er ed.shtml
:-)
http://www.cisco.com/warp/public/63/nbar_acl_co
Of course, given enough traffic you could become CPU bound. Then you'll have to buy a Juniper
End systems are not affected by routers dropping IP packets with harmful content. All what end systems see are IP packets. They may see less of them, if filtering is enabled on the router, but the packets have nothing special about them that would need AV software on the clients.
But, a router doesn't always have to drop packets. It could tag them with a special marker, and clients could then react accordingly, e.g. by dropping them in their TCP/IP stack.
This could be somewhat similar to what SpamAssassin does, when tagging spam mail with an X-Spam header. It's up to the mail user agent to decide what to do with mails tagged that way.
cpghost at Cordula's Web.
... and got my CCNA in June. We have a saying... "Let routers route and servers serve." Anti-virus is clearly a IT problem, but it's also a server responsibility. Not a router responsibility. I can't imagine supporting this. Every once in a while, we get someone (customer, whomever) who says "Oh! This new virus works on port 7654! Please block port 7654!" ... then I say "What happens if I run my website on port 7654? You can't get to it?". Limiting the function of a routing device because it might carry malicious code on an application level is a bad idea. This isn't a solution to the problem, this is another band-aid.
FLR
Did you read the article? The software doing the intelligent part will reside on the user's computer. The router will determine if the host attempting to make a connection has the relevant software installed. If not, it will be ACL'd. There's little the router is doing except creating the access control lists on the fly. Even if there was intelligence in the router, it would have to be done in a big box like a 6509 with a Content Switch card. FYI, the Content Switch card has a separate processor FOR EACH OSI LAYER. So, it can analyze each separately and do traffic shaping like that.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
I just gotta wonder if this is going to look for any response on certain ports like 135-139, or if Cisco is specificly going to check for a proprietary response from the products of Network Asc, Symantec and Trend Micro?
What it ought to do is a TCP fingerprint and look for any Microsoft Windows operating system.
PJRC: Electronic Projects, 8051 Microcontroller Tools
NBAR Restrictions
When using NBAR with the methods in this document, note that the following features are not supported by NBAR:
More than 24 concurrent URLs, HOSTs or MIME type matches
Matching beyond the first 400 bytes in a URL
Non-IP traffic
Multicast and other non-CEF switching modes
Fragmented packets
Pipelined persistent HTTP requests
URL/HOST/MIME/ classification with secure HTTP
Asymmetric flows with stateful protocols
Packets originating from or destined to the router running NBAR
I'm sure a open source product will allow Mac/Nix users to access such networks (at no cost).
Would make computing much more secure.
It's still annoying for Mac/nix users to get thousands of annoying virus emails from their windows friends (if you can call them friends).
Every product normally starts out with 1 company producing it... if it's good, normally clones come about.
That is way veeery different. Stations will be ENFORCED to have installed this software in networks with this scheme. WTF???
It's entirely possible this article and the security program is directed at Windows users only. Neither Cisco or the Anti-virus vendors are malicious enough (IMHO) to block Unix/Mac boxes because they don't need the anti-virus software the companies sell. The wild internet frontier of email-address-confirming porn and Gatorware is probably here to stay.
It's also possible they might figure out a way to block certain version of programs, say WuFTPd, from having an unsecured link to the outside world. This could help prevent a university network being used as a DDOS tool because a student didn't upgrade his ftp server. Or a mail server which doesn't smart-relay through an authenticating server to stop student PC's spamming.
It's not always a virus that brings a network down. But when a university is forced to print 10,000 CDs with anti-virus and windows worm-removing tools to give to new students (who aren't allowed access to the university network if their box looks active on port 137) this might look like an alternative.
The evil that it does bring is in the form of anti-Free networking, where Linux boxes are used to form cheap routers and gateways, without a Cisco(R)-Symantec(R) licensed monitoring system, your access to the larger internet may be limited by your upstream provider, ala Verisign certs.
This system is probably for the intranet users to stop an OE/ IE virus bringing down their system before the poor tech guy patches the boxes.
The way I read it, their marketing department has just found out that LinkSys (now Cisco's subsidiary) has had this functionality for years now, where the cheapo firewall routers can be configured to not give access to the outside unless certain AV software is installed on the host. So it's marketed as a new innovation -- there's probably half a dozen patents filed for it already, plus a bunch of different names under which this can be marketed.
Problem is, it doesn't work except in very specific and small homogenous installations.
Regards,
--
*Art
Antivirus software slows down your machine to a third of its original speed. Disable it and see for yourself. You'll never use that junk again.
I have a much more comprehensive scheme for identifying viruses anyway. I have modified my OS to pop a dialog for each incoming letter and verify if I want to accept it or not:
You have received the letter "G" from IP address 192.132.54.99 on port 492.
Some viruses are known to have the letter "G".
Would you like to accept it?
Yes No
You have received the letter "r" from IP address 192.132.54.99 on port 492.
Some viruses are known to have the letter "r".
Would you like to accept it?
Yes No
You have received the letter "e" from IP address 192.132.54.99 on port 492.
Some viruses are known to have the letter "e".
Would you like to accept it?
Yes No
In conclusion, don't be so smug with your Linux machine during the next round of Welchia or Klez, because if Linux had the desktop market share of Windows, then YOU'D be feeling the pain.
Bullshit. Could you describe how this would be possible? Is Pine or Balsa or [your email application here] integrated into the OS and have full access and scripting ability on your machine? Does it automatically run code and have the ability to add services to your computer that run automatically on startup? If this is possible I'd like to know how.
Bad boys rape our young girls but Violet gives willingly.
Why the hell is this classical moronic Windows-astroturfer-tripe moderated as insightful?
Let me tell you something: we don't have to speak in what-if's; we can look at an actual situation: Web server market.
According to netcraft, the most widely used Webserver is Apache. Now, do you see any Code Red worms on Apache? No.
Do you see any Nimda worms on Apache? No.
Do you see any other kind of worm on Apache? No
So there goes this nice theory. Next time a windows user trots out the old line of "windows is the primary target of viruses because of market penetration", smack him right into the face!
"Traffic shaping" is a fucking joke right now. It's just a half-ass measure to get the low hanging fruit only. You don't know anything about protocols. Each OSI LAYER, eh? Who cares. How are you going to distinguish the individual files infected with viruses being transmitted if they use a proprietary protocol or compression or encryption of any kind.
Simple. According to the article, and the post you replied to, they are not even going to try something as incredibly stupid as that. Instead, they will require authentication according to their own protocol which will allow them to determine whether you have antivirus software. Traffic from hosts without virus protection can then be treated differently than traffic from host which have it.
As to Michael's comment about this requiring people to use Windows on every host, that's just silly. Cisco themselves use BSD and their customers are heavy into real OSs like Solaris, etc. They are not going to stop traffic from such hosts, even by default. I would be willing to bet that they are going to work in some way of identifying the type of host that they are getting the traffic from, and therefore allowing the administrator of the firewall to give Linux, Solaris, et al a pass in such cases.
Cisco firewalls are not your little linksys router from Fry's or that 386 running OpenBSD over in the corner. They have pretty powerful hardware and very flexible software. You can construct some pretty neat rulesets and do very clever things, so this kind of thing is honestly not a surprise and certainly not beyond their capabilities.
. All that means is that Linux and Mac users are going to have to keep up with pathces too (and yes, there *are* occasional holse for those systems, just not worms)
/etc/inetd.conf (!)
Speaking as someone who was nearly infected by a Linux worm through a BIND exploit, I can confirm that such things do exist and are in the wild.
The worm in question attempted to install a back door into my machine and was foiled by the greatest security measure ever taken: not having a LF on the end of
Cisco's Network Admission Control program would enable companies to install on every PC and mobile device a client, called the Cisco Trust Agent, which could attest to certain levels of security...
However, the technology won't work unless security software can tell the Trusted Agent application the current state of security on the computer or mobile device.
"This important problem can't be addressed individually," said John Thompson, CEO of Symantec. "Collaboration is a must."
The technology might also spur sales of PCs and devices that use trusted-computing hardware--controversial technology that uses encryption, special memory and security software to lock away secrets on a PC from prying eyes.
To lock away secrets on a PC from the OWNERS eyes! &%^#@! Trusted Computing!
Symantec Corp. (Nasdaq:SYMC), today announced that it has joined forces with Cisco Systems to provide solutions that restrict network access to only compliant and trusted client machines including personal computers and PDAs.... Out-of-compliance machines may be denied access, quarantined, or sent to a separate location for remediation, while machines in compliance with the organizations' set policies will be granted access to the network.
Trend Micro, Inc. (TSE:4704) (Nasdaq:TMIC), a leader in network antivirus and Internet content security software and services, today announced its support of the new Cisco(R) Network Admission Control Program
THREE major router companies, Cisco, Symantec, and Trend Micro, are ALL supporting this inititave to lock non-TCPA computers out of the internet! #@%^$!
If you are running Microsoft Windows you will be locked out of the internet unless you are running Palladium. If you are running Mac or Linux or anything else, you will be locked out of the internet unless you are running a Mac or Linux version of Palladium.
I have repeatedly said in Trusted Computing discussions that sooner or later people not using it would start getting locked out of parts of the internet. Silly me, I thought that more and more websites would start using it and simply not serve you a page unless it was encrypted. I never considered that the basic internet hardware itself would deny you any connection at all! This is INSANE!
The problem with Turusted Computing is easy to fix. There is absolutely nothing wrong with new hardware, but the owner has to have actual control over his machine. The owner MUST have his key. He could receive that key on a printed peice of paper, or he could get it somehow during the Take_Ownership command. There is no POSSIBLE justification to deny the owner this information. There is no POSSIBLE way that the owner could lose any protection. The hardware could be identical, therefore the hardware can do everything it could before. The only difference is that the computer can no longer be hijacked as a weapon against it's owner.
This trivial difference preserves EVERY claimed benefit of Trusted Computing and eliminates EVERY possible abuse of TCPA. Those backing Trusted Computing will NEVER permit such a change in the system because the very purpose of Trusted Computing is to enforce DRM and other abuses.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I'll jump in on this one if I may as well....
.2
Granted there are security flaws in Linux, and they have been exploited, and there are probably vulnerabilities that noone has seen as of yet.
That being said, one of the distinct OS differences is that windows as an operating system that is homogenous by design, allowing a single worm to infect in a pre-determined way so that the likelyhood of mass infection is very high. Linux, on the other hand is heterogenous, I defy you to find identical email clients/servers database clients/servers etc. configurations across a large area that could possibly be effected by any one specific attack.
I've said it before, and I'll say it again; windows is like what would happen if everyone on earth had the same exact immune system, one virus exploits a vulnerability in one host- it then moves on to the next. Linux/Unix is alot closer to what we see now in biology. What may infect one immune system will not neciserrily effect another.
my
....move along....nothing to see here....
We run some propetary hardware where I work that only currently has driver support for Windows NT. Thus, we have one box that runs NT. When we did a re-install on it, we installed NT, then immediately patched up everything. Before the patches had even finished installing, it had already caught blaster and a variety of other things. It was like leaving a gaping wound open in a cespool. I agree, virus software can only really work well as a reactive measure. In order to protect your machine, your OS needs a strict set of acces and execution permissions so, say, your mp3 player or web browser can't format your hard drive or add bizzare crap to your configuration files. That being said, there are plenty of viruses that infect you without having you run an unknown executable at all. They're called buffer overrun exploits, and if you think Windows 98 is free of them, then you're pretty deluded.