include much needed antivirus products in FC2

Lamar Owen lowen at pari.edu
Tue Jan 6 00:01:15 UTC 2004


On Monday 05 January 2004 05:36 pm, seth vidal wrote:
> > Same thing I have found in any large setting. The costs of putting
> > anti-virus software on over 100 desktops in time, effort, extra
> > sysadmins, and a dozen other things... makes centralizing it better.

> You have to have AV on the clients ANYWAY b/c email is not the only
> vector for viruses.

> So you're not benefited by centralizing, you're just taking care of it
> in two places.

Ah, but you are so wrong.

If I scan at the e-mail gateways, I accomplish at least these seven things:
1.)	I protect outgoing mail for outside people, thus limiting the spread of 
worms if and when the desktop does get compromised;
2.)	Because of 1, I limit my liability exposure if one of my users infects 
someone outside with a bad worm;
3.)	Well over 99.99% of viruses come in via e-mail;
4.)	Scanning and stripping the executable reduces my users' POP/IMAP 
bandwidths; some of these guys are using IPsec over dialup, where every 150K 
windows worm eats time (and those 150K worms add up fast, when over a 
thousand per hour are traversing the incoming e-mail gateway! (which has 
happened a couple of times here)) : the desktop-based scanner still has to 
download the e-mail;
5.)	Stripping ALL executable attachments (using MIMEDefang, MailScanner, 
Sophos MailMonitor (which can just simply delete executable attachments out 
of hand as well as scanning them), or other tool of choice) protects against 
many unknown viruses and Trojans;
6.)	Installing an e-mail gateway scanner is very little effort and very little 
cost;
7.)	E-mail scanning has massive bang-for-the-buck: what viruses are left that 
come in other ways probably (not always) will be isolated incidents; an 
e-mail worm can propagate like wildfire (not always true, but almost always 
true) and quickly swamp response teams, because e-mail worms never come in 
one at a time....

Further, with Sophos Enterprise Manager you can have centralized desktop 
scanner updates and management (as I'm sure NAV Enterprise also allows), 
which gives you the best of both worlds.

Belt and suspenders aren't necessarily expensive.  Lack of either can produce 
embarrassment and extreme effort to correct exposure.  But if I had to choose 
between the two, I'd choose to use e-mail scanning and then take draconian 
security policies at the desktop level.  A good NIDS can be trained to 
recognize network virus propagation, and simple file integrity tools can 
help with the desktop situation.  Eliminating floppies, disallowing users 
from installing software, etc., all help control the very few non-e-mail 
viruses in the wild.  But it's best to have both.

Likewise, I have multiple layers of firewalling; ATM enforced ELAN 
segregation, IP rules, and something like ZoneAlarm on each desktop are what 
I use, in addition to the border gateway.  While I won't say it's perfect, it 
is useful.  
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu
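The gateway policy in item 5 (strip every executable attachment, whether or not a signature matches) is straightforward to express with the standard library. This is an added example, not code from the post or from MIMEDefang, MailScanner or Sophos MailMonitor; the extension list and MIME types treated as executable are assumptions, and the sample message is constructed.

```python
"""Gateway-side stripping of executable e-mail attachments (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed policy lists (not from the post): name suffixes and MIME types
# that a gateway would treat as executable regardless of scanner verdict.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def is_executable_part(part: EmailMessage) -> bool:
    """True if a leaf part looks executable by filename suffix or MIME type."""
    name = (part.get_filename() or "").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or part.get_content_type() in EXECUTABLE_MIME_TYPES


def strip_executables(raw: bytes) -> tuple[bytes, list[str]]:
    """Replace each executable attachment with a plain-text notice.

    Returns the rewritten message bytes and the list of stripped filenames,
    so the gateway can log what was removed and the user sees why.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped: list[str] = []
    for part in msg.walk():
        if part.is_multipart() or not is_executable_part(part):
            continue
        filename = part.get_filename() or "<unnamed>"
        stripped.append(filename)
        # Drop the payload and Content-* headers, keep the MIME tree intact,
        # and leave a small text part in its place.
        part.clear_content()
        part.set_content(f"Attachment '{filename}' removed by mail gateway policy.\n")
    return msg.as_bytes(), stripped


def build_sample() -> bytes:
    """Constructed sample: text body, a fake .exe and a harmless .txt attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample message"
    m.set_content("See attached.\n")
    m.add_attachment(b"MZ\x90\x00 not a real binary", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    m.add_attachment("hello\n", filename="notes.txt")
    return m.as_bytes()
```

Running `strip_executables(build_sample())` removes `invoice.exe`, keeps `notes.txt`, and reports the stripped name; feeding the output back in strips nothing, which is a cheap idempotence check for a filter in a mail pipeline.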