Application Note: Edge-based Virus Scanning
Copyright 2002 ServGate Technologies, Inc.
658 Gibraltar Court
Milpitas, CA 95035
Phone: 408-635-8400
Fax: 408-635-8470
www.servgate.com
All product names referenced herein are trademarks or registered trademarks of their respective companies. ServGate Technologies, Inc. disclaims proprietary interest in the trademarks and brand names of others. As with all literature created and distributed by ServGate Technologies, Inc., we make every effort to ensure the information is truthful and factual; however, ServGate Technologies, Inc. will not be liable for any inaccuracies or accidental exclusions. ServGate Technologies, Inc. reserves the right to modify this and any document without prior notification. No part of this document may be reproduced or transmitted in any form or by any means, electronic or otherwise, for any purpose without express verbal or written consent by ServGate Technologies, Inc.
Table of Contents
Objective
Legacy Two-tier Virus Scanning
Edge-based Virus Scanning in a Three-tier Model
Objective
With the proliferation of viruses, worms, Trojans and blended threats like Nimda and Code Red at an all-time high, the need to protect the corporate network has never been higher. We have all read the studies: “…countless billions of dollars in lost productivity every year due to the devastating effects of viruses.”
Client- and server-based virus scanning software provides adequate protection for simple networks, but the complexities of deployment and enforcement in larger companies make this approach unpredictable and inadequate. By adding virus scanning at the network edge, viruses and worms can be stopped before they enter the network, offering an essential layer of protection against these increasingly sophisticated threats. ServGate Technologies has teamed with McAfee™ to integrate their award-winning virus-scanning engine into ServGate EdgeForce Security Gateways. The combined solution provides firewall, VPN, antivirus, content filtering and attack detection in a single, easily managed security appliance.
[Figure: two-tier model. The demilitarized zone (DMZ) holds the mail server, FTP server and web server; client-based antivirus and server-based antivirus run on the individual machines.]
Legacy Two-tier Virus Scanning
In a two-tier anti-virus model, every client and server has independent virus scanning software installed on each machine. For email, the software typically scans all SMTP and/or POP3 traffic for infected files based on frequently updated virus definition files obtained from the manufacturer of the virus scanning software. FTP and HTTP traffic may additionally be scanned, but since the majority of threats arrive as email attachments, POP3 and SMTP scanning are typically the most important features of a virus-scanning package.
Two common threats in a typical network are viruses entering the network through the firewall's external (EXT) port destined for the mail, FTP or web server in the demilitarized zone (DMZ), and infected traffic originating from the client machines themselves (for instance a dirty floppy disk, or an infected file downloaded from the Internet).
The client- and server-based model offers reasonable protection for small networks, but there are significant risks associated with it. It is difficult to manage hundreds or thousands of software packages at the individual client and server level:
• Even with modern mass-install and configuration utilities, it is very easy for individual users to modify the settings of the software, leaving their machines unprotected against viruses.
• It is difficult to monitor each piece of virus scanning software and enforce that it is running the latest version of the virus definitions from the manufacturer.
• There is risk in relying on a single manufacturer to stop all viruses, even with frequently updated virus definition files.
Many firewall vendors have placed third-party virus scanning logic on their appliances that 'polices' clients and servers in the network to ensure that they have the latest versions of the virus definition files on individual machines. While this adds to the effectiveness of the overall security system, viruses and worms are still allowed to enter the network, where they are liable to wreak havoc on unprotected machines, or on machines that do not have the most recent version of the anti-virus database.
Edge-based Virus Scanning in a Three-tier Model
By adding virus scanning at the network edge, a few good things happen. First, another complete layer of network security has been added to further protect the network: viruses and worms are stopped before they enter the network. Second, by mixing vendors such that one manufacturer of AV software is used at the client and server level and another manufacturer at the edge level, the virus scanning task has been 'diversified', further ensuring the network is protected in the case of a new outbreak that one vendor's definitions do not yet detect.
A key component of edge-based virus scanning is file quarantine. It is important for the network manager to have the option to hold and inspect infected files before making the delete decision. Not only does this help in the troubleshooting and planning process, but it also provides significant aid to the forensic investigation process.
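The two points above, running more than one vendor's engine over traffic at the edge and holding hits in quarantine rather than deleting them, are shown below in an added example (not ServGate or McAfee code). It parses an SMTP message, scans each attachment with two hypothetical stand-in engines, and records any detection with the file, its hash and the envelope details for later inspection; the only "malware" is the harmless, constructed EICAR test string.

```python
import email
import hashlib
from typing import Dict, List, Optional
from email.message import EmailMessage

# EICAR test string: harmless industry-standard sample that scanners flag (constructed input).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def engine_a(data: bytes) -> Optional[str]:
    """Hypothetical vendor A: byte-pattern signature match."""
    return "EICAR-Test-File" if EICAR in data else None


def engine_b(data: bytes) -> Optional[str]:
    """Hypothetical vendor B: SHA-256 lookup against a blocklist."""
    blocklist = {hashlib.sha256(EICAR).hexdigest(): "Test.EICAR"}
    return blocklist.get(hashlib.sha256(data).hexdigest())


def scan_message(raw: bytes, engines: list, quarantine: List[Dict]) -> Dict:
    """Scan every attachment with each engine; a hit from any engine holds the
    message and stores the attachment plus metadata in `quarantine` for review."""
    msg = email.message_from_bytes(raw)
    held: List[str] = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        detections = {e.__name__: v for e in engines if (v := e(data))}
        if detections:
            quarantine.append({
                "filename": part.get_filename(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "from": msg["From"], "to": msg["To"],
                "detections": detections,
                "bytes": data,  # kept intact so an analyst can inspect it later
            })
            held.append(part.get_filename())
    return {"delivered": not held, "quarantined": held}


def build_sample(infected: bool) -> bytes:
    """Constructed SMTP message with a clean text attachment and, optionally, EICAR."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", "invoice"
    m.set_content("see attached")
    m.add_attachment("quarterly notes", filename="notes.txt")
    if infected:
        m.add_attachment(EICAR, maintype="application", subtype="octet-stream", filename="invoice.com")
    return m.as_bytes()
```

In a real gateway the quarantine store would be written to disk or a database rather than a list, and the engines would be the vendors' own scanners.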
Security solutions that detect viruses are a must in today's corporate network, irrespective of network size. Small to midsize businesses and enterprises of all sizes are now considering a more comprehensive security solution based on a three-tier model. Why not stop viruses where they enter the network, at the network edge, and then hedge the bet by adding anti-virus protection at the client and server level?
[Figure: three-tier model. The demilitarized zone (DMZ) holds the mail server, FTP server and web server behind the edge security gateway.]