The Plague Upon Us—continued
Complementary or Competing?


Not only can it be useful to scan in more than one location—it can also be useful to scan with more than one product. Different vendors have different strengths, so deploying solutions from more than one AV vendor's product line can sometimes be beneficial.

"When a company is using AV at more than one point on the network, for example on the desktop and at the firewall, there are advantages to using different products," said Ian Poynter, an independent security consultant. "Although the vendors all make signatures for new viruses available reasonably quickly, you're hedging your bets against problems with one particular virus or software product."

Poynter's advice reflects our own experience. We recently tested the Ositis AVStripper, an appliance that runs Trend Micro AV software. We also ran McAfee or Symantec desktop AV on each PC. In most cases, the first AV scanner encountered did the trick—McAfee or Symantec on the way out, Trend Micro on the way in. But several viruses made it past our primary AV, only to be stopped by our secondary AV. There are many reasons this can happen, including delayed update in the early hours of a virus outbreak and differences in configuration that determine which files get scanned.

On the other hand, Symantec warns that having two sets of security products running on the same system adds overhead, redundancy, and confusion. To avoid conflict, companies may assign responsibility for different network tiers to different vendors. "If a vendor has a weakness on a given tier, e.g., delayed response on a specific platform or inconsistent response across network tiers, a customer should not choose a multi-tier solution from that same vendor. By the same token, choosing a second or even third vendor solely based on a dual-vendor policy can actually introduce vulnerabilities and risk."

So many choices
To this point, we've been intentionally vague about gateways. However, there are many points of network entry where one can scan for viruses, and the AV products designed for each location can be quite different.

  • Standard SMTP and proprietary groupware servers are one popular location, in part due to the prevalence of mail-borne viruses. A few examples include McAfee GroupShield, Trend Micro InterScan for Sendmail, F-Secure Anti-Virus for Microsoft Exchange, and Norton AntiVirus for Lotus Notes / Domino. Few debate the merit of e-mail virus scanning; it is often a good investment.
  • File, Web, and proxy servers can be outfitted with products like McAfee NetShield for NT or NetWare, Trend Micro Server Protection for NetApp Filers or EMC Celerra File Servers, and Symantec CarrierScan for Network-Attached Storage or Content Caching and Delivery Systems. Products like these are tailored for specific platforms; value proposition and approach vary greatly. For example, Trend Micro and Symantec AV products integrate with Network Appliance using the Internet Content Adaptation Protocol (iCAP). Of course, if you don't have a NetApp, these scanners are irrelevant to you.
  • F-Secure Anti-Virus for Firewalls and Trend Micro InterScan VirusWall use the Content Vector Protocol (CVP) to integrate with Check Point FireWall-1 and other CVP-compliant firewalls. Trend Micro recently announced integration with NetScreen firewalls using its Content Scanning Protocol (CSP). These products are designed to operate in conjunction with your firewall, checking FTP, HTTP, and SMTP protocols as they enter or leave your network. This approach offers single-point control and monitoring, but can also create a bottleneck (see below).
  • Recently, several AV appliances have been introduced. Examples include the Ositis AVStripper, McAfee WebShield, Aladdin eSafe, and Finjan SurfinGate for E-Mail. According to Jan Sundgren of the Giga Information Group, "Antivirus is particularly well suited to the plug-and-play convenience of the appliance approach. We expect the launch of more appliances and we expect them to find customers, particularly among small to midsize enterprises."

The benefits previously discussed for gateway scanning apply to AV software running in each of these locations. However, many of these devices are mission critical, raising concerns about availability, performance, and scalability.

Making anti-virus more robust
Start with the obvious: beef up any server that runs AV. Where co-resident AV is too great a burden, consider using an interface like iCAP, CVP, or CSP to offload AV processing to a "scan server." For example, Symantec claims that CarrierScan for NetApp Filers and NetCache can process 40 documents per second, depending upon platform and file size, while adding only milliseconds of access latency.
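To make the "scan server" idea concrete, here is an added example (not code from this article, nor from Symantec, Trend Micro, or any other vendor named here) of what the offload looks like on the wire: a minimal ICAP client, per RFC 3507, that wraps an HTTP response in a RESPMOD request, parses the scan server's reply, and turns it into a deliver/block decision. The service URL is a placeholder, the sample messages are constructed, and the X-Infection-Found / X-Virus-ID header names are an assumption (many ICAP AV services use them, but a given product may report verdicts differently).

```python
# Added example, not code from the ISP-Planet article or from any vendor it names:
# a minimal ICAP (RFC 3507) client that offloads scanning of an HTTP response to a
# "scan server" via RESPMOD and maps the reply to a gateway decision.
# Assumptions: ICAP_SERVICE is a placeholder; X-Infection-Found / X-Virus-ID are
# header names commonly used by ICAP AV services, but a product may use others.
import socket
from dataclasses import dataclass
from typing import Optional

ICAP_SERVICE = "icap://scan.example.invalid/avscan"  # placeholder, not a real host


def build_respmod(origin_request_hdr: bytes, origin_response: bytes,
                  service: str = ICAP_SERVICE) -> bytes:
    """Wrap the client's HTTP request headers and the origin server's full HTTP
    response into one ICAP RESPMOD message. The Encapsulated header carries the
    byte offset of each part; the HTTP body must be sent chunked."""
    host = service.split("//", 1)[1].split("/", 1)[0]
    res_hdr, _, res_body = origin_response.partition(b"\r\n\r\n")
    res_hdr += b"\r\n\r\n"
    chunked = b"0\r\n\r\n"
    if res_body:
        chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(res_body), res_body)
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(origin_request_hdr), len(origin_request_hdr) + len(res_hdr))
    icap_hdr = ("RESPMOD %s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n"
                "Connection: close\r\nEncapsulated: %s\r\n\r\n"
                % (service, host, encapsulated)).encode("ascii")
    return icap_hdr + origin_request_hdr + res_hdr + chunked


def _dechunk(data: bytes) -> bytes:
    """Decode an HTTP chunked body: hex-size CRLF data CRLF ... 0 CRLF CRLF."""
    out = bytearray()
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out += data[:size]
        data = data[size + 2:]  # skip the chunk's trailing CRLF
    return bytes(out)


@dataclass
class ScanVerdict:
    status: int                      # ICAP status: 204 = unmodified, 200 = modified
    infected: bool                   # scan server reported a threat
    threat: Optional[str]            # threat name from the scan server, if any
    modified_body: Optional[bytes]   # replacement HTTP body on a 200 reply


def parse_icap_response(raw: bytes) -> ScanVerdict:
    """Parse the ICAP status line, headers and (for 200) the encapsulated body."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    threat = headers.get("x-virus-id") or headers.get("x-infection-found")
    enc = dict(item.strip().split("=", 1)
               for item in headers.get("encapsulated", "").split(",") if "=" in item)
    modified_body = None
    if status == 200 and "res-body" in enc:
        modified_body = _dechunk(rest[int(enc["res-body"]):])
    return ScanVerdict(status, threat is not None, threat, modified_body)


def decide(verdict: ScanVerdict) -> str:
    """Gateway policy. 204 means the scanner left the content alone; 200 carries a
    replacement (a block page when a threat was found). Anything else (scanner
    down, overloaded, or unparseable) fails closed: with one scan server that is
    exactly the single point of failure the article warns about."""
    if verdict.status == 204:
        return "deliver-original"
    if verdict.status == 200:
        return "block" if verdict.infected else "deliver-modified"
    return "fail-closed"


def scan_via_icap(origin_request_hdr: bytes, origin_response: bytes,
                  host: str, port: int = 1344, timeout: float = 5.0) -> str:
    """Send the RESPMOD to a live scan server (1344 is ICAP's registered port)."""
    msg = build_respmod(origin_request_hdr, origin_response)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(msg)
            parts = []
            while True:
                part = sock.recv(65536)
                if not part:
                    break
                parts.append(part)
        return decide(parse_icap_response(b"".join(parts)))
    except (OSError, ValueError, IndexError):
        return "fail-closed"
```

The `Allow: 204` header is what lets the scan server answer "clean" without echoing the whole document back, which is where most of the latency saving in an offload design comes from; `decide` deliberately treats a timeout or malformed reply as a block rather than a pass, so that adding a scan server never silently removes protection when it is down.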

When AV scanning occurs on or just behind the firewall, a potential bottleneck or single point of failure is created. To mitigate this risk, Trend Micro recommends creating something they call a "VirusWall Cluster." A VirusWall Cluster is a group of AV gateways that operate together as a unit, using StoneBeat load balancing and high-availability software. Need more horsepower? Just add another AV gateway to your cluster.

Consider distributing load by content type. For example, one might scan SMTP on mail servers and HTTP at Web caches. Alternatively, one could scan both with a multi-protocol engine, using configuration options to direct each protocol to a dedicated scan server. Distribution caters to different performance requirements—for example, SMTP scanning can usually take place "in the background", while HTTP scanning must occur in real-time, with very low latency. In some cases, efficiencies may be gained by combining virus detection with other application-specific processing—for example, spam stripping or Web content filtering.

The ISP opportunity
Like any other business, ISPs need to defend their own turf from viruses. In most cases, AV software should be deployed on ISP employee desktops and in-house servers. The risk of professional embarrassment, information loss, downtime, and even liability is simply too great for most ISPs to ignore.

But how far can or should an ISP go to scan, quarantine or delete viruses in e-mail passing through its mail servers? What are the legal or privacy issues facing an ISP that scans customer mail for viruses without the customer's consent? Is an ISP justified in deleting a mass-mailing worm or zombie-laden trojan before it can wreak havoc?

"This is a challenging and unresolved question," said Ben Wright, the attorney who authored The Law of Electronic Commerce. "It is a question that will be growing in importance over the next couple of years. The trend in the law will be to expect more from service providers to address the security vulnerabilities of their customers. Plus, government will be expecting ISPs to gather and share more intelligence about security breaches such as virus attacks. Service providers will be walking a tightrope between the perceived obligation to do something about viruses and the potential liability for making a mistake that damages someone. To a degree, ISPs can limit their exposure to liability with proper service agreements."

In fact, ISPs can benefit from delivering AV protection as a value-added service. Customers may contract the ISP to scan inbound e-mail for a given domain, whether the mailboxes are hosted by the ISP or e-mail is relayed by the ISP to the customer's SMTP server. Customers are likely to expect AV protection on ISP-operated Web servers. However, customers might pay a premium for AV scanning performed by ISP scan servers, located beside or in front of colo servers hosted at an ISP's data center.

Finally, when life hands you lemons, make lemonade. ISPs can profit from reselling AV solutions, monitoring and responding to virus activity, or delivering full-blown "managed anti-virus" services. Companies that offer managed AV services include Big Fish, Breakwater, CLEAN Communications, CyberPatrol, Guardent, ISS, Itegra, McAfee, MessageLabs, and Vigilinx, to name just a few. For a quick overview of managed AV services, read our annual Managed Security Service Provider Survey. For an interesting discussion about the managed AV opportunity, inherent risks, and judicious use of service agreements, check out this December, 2001 ISP-Marketing list debate.

—End


Related articles:
  [Feb. 15, 2002] Battening Down SNMP
  [Dec. 13, 2001] The Anti-Virus Can Of Worms
  [July 11, 2001] Managed Security Service Providers
