include much needed antivirus products in FC2
Lamar Owen
lowen at pari.edu
Tue Jan 6 00:01:15 UTC 2004
On Monday 05 January 2004 05:36 pm, seth vidal wrote:
> > Same thing I have found in any large setting. The costs of putting
> > anti-virus software on over 100 desktops in time, effort, extra
> > sysadmins, and a dozen other things... makes centralizing it better.
> You have to have AV on the clients ANYWAY b/c email is not the only
> vector for viruses.
> So you're not benefited by centralizing, you're just taking care of it
> in two places.
Ah, but you are so wrong.
If I scan at the e-mail gateways, I accomplish at least these seven things:
1.) I protect outgoing mail for outside people, thus limiting the spread of
worms if and when the desktop does get compromised;
2.) Because of 1, I limit my liability exposure if one of my users infects
someone outside with a bad worm;
3.) Well over 99.99% of viruses come in via e-mail;
4.) Scanning and stripping the executable reduces my users' POP/IMAP
bandwidths; some of these guys are using IPsec over dialup, where every 150K
windows worm eats time (and those 150K worms add up fast, when over a
thousand per hour are traversing the incoming e-mail gateway! (which has
happened a couple of times here)) : the desktop-based scanner still has to
download the e-mail;
5.) Stripping ALL executable attachments (using MIMEDefang, MailScanner,
Sophos MailMonitor (which can just simply delete executable attachments out
of hand as well as scanning them), or other tool of choice) protects against
many unknown viruses and Trojans;
6.) Installing an e-mail gateway scanner is very little effort and very little
cost;
7.) E-mail scanning has massive bang-for-the-buck: what viruses are left that
come in other ways probably (not always) will be isolated incidents; an
e-mail worm can propagate like wildfire (not always true, but almost always
true) and quickly swamp response teams, because e-mail worms never come in
one at a time....
Further, with Sophos Enterprise Manager you can have centralized desktop
scanner updates and management (as I'm sure NAV Enterprise also allows),
which gives you the best of both worlds.
Belt and suspenders aren't necessarily expensive. Lack of either can produce
embarrassment and extreme effort to correct exposure. But if I had to choose
between the two, I'd choose to use e-mail scanning and then take draconian
security policies at the desktop level. A good NIDS can be trained to
recognize network virus propagation, and simple file integrity tools can
help with the desktop situation. Eliminating floppies, disallowing users
from installing software, etc, all help control the very few non-e-mail
viruses in the wild. But it's best to have both.
Likewise, I have multiple layers of firewalling; ATM enforced ELAN
segregation, IP rules, and something like ZoneAlarm on each desktop are what
I use, in addition to the border gateway. While I won't say it's perfect, it
is useful.
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
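Item 5 in the post above describes stripping all executable attachments at the e-mail gateway. The script below is an added illustration of that idea, not code from the post and not how MIMEDefang, MailScanner or Sophos MailMonitor implement it. It parses a raw message with Python's standard `email` library, drops any leaf MIME part that looks like a Windows executable (by filename extension, by declared Content-Type, or by the `MZ` magic bytes at the start of the decoded payload, which catches a binary renamed to an innocuous extension), and appends a short notice for each removed part. The extension and content-type lists, and the sample message it builds, are constructed for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Names and declared types treated as "executable" by this example filter.
# Constructed for the example; a production gateway uses its own, much longer,
# rule set and is usually configured to strip by policy, not by a short list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def is_executable_part(part):
    """Return True if a leaf MIME part looks like a Windows executable.

    Three checks: filename extension, declared Content-Type, and the 'MZ'
    DOS/PE magic at the start of the decoded payload (catches renamed files).
    """
    if part.is_multipart():
        return False
    filename = (part.get_filename() or "").lower()
    if os.path.splitext(filename)[1] in EXECUTABLE_EXTENSIONS:
        return True
    if part.get_content_type() in EXECUTABLE_CONTENT_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"


def _prune(msg, removed):
    """Recursively drop executable leaf parts from a multipart container."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        if is_executable_part(part):
            removed.append(part.get_filename() or part.get_content_type())
        else:
            _prune(part, removed)
            kept.append(part)
    msg.set_payload(kept)


def strip_executables(raw):
    """Parse a raw RFC 5322 message, remove executable attachments and
    return (rewritten_bytes, list_of_removed_attachment_names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        _prune(msg, removed)
        for name in removed:
            notice = EmailMessage()
            notice.set_content(f"[gateway] executable attachment removed: {name}\n")
            msg.attach(notice)
    elif is_executable_part(msg):
        # Single-part message whose entire body is the executable.
        removed.append(msg.get_filename() or msg.get_content_type())
        msg.set_content(f"[gateway] executable attachment removed: {removed[0]}\n")
    return msg.as_bytes(), removed


def attachment_names(raw):
    """Filenames of all parts that carry a filename (used to verify results)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed test message: a PDF, an obvious .exe, and a renamed PE binary."""
    msg = EmailMessage()
    msg["From"] = "user@example.org"
    msg["To"] = "colleague@example.net"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.\n")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ" + b"\x90" * 64, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    # Generic name and type, but the payload starts with the PE magic bytes.
    msg.add_attachment(b"MZ" + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="photo.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    out, removed = strip_executables(build_sample())
    print("removed:", removed)
    print("remaining attachments:", attachment_names(out))
```

The magic-byte check is what makes this worth more than a filename filter: the `photo.dat` part has neither a suspicious extension nor a telling Content-Type, yet it is stripped because its decoded payload begins with `MZ`. The notices left in the message give the recipient an audit trail of what the gateway removed, which is the behaviour a helpdesk wants when a legitimate file is caught.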