Internet.com ISP-Planet
Managed Security Services

Fire-Proofing Your Network With UTM, Part 3: Layering on anti-X defenses — continued

by Lisa Phifer
VP Core Competence, Inc.
[December 31, 2007]

Scanning for Viruses and Spyware
A major driver behind SMB UTM adoption is the ability to block viruses and spyware before they enter the network. Doing so can avoid costly desktop/server cleanups, reduce dependency on endpoint security compliance, and speed organizational response to brand-new attacks.

However, there is a price to be paid: scanning requires CPU and memory, which significantly reduces UTM throughput. Network operators must strike a reasonable balance between risk and reward. Small businesses often find UTM anti-virus/spyware performance acceptable and well worth the investment, while large enterprises are far less likely to scan at the outer perimeter. When making your choice, consider the tuning knobs that control which traffic is scanned and how many resources scanning consumes.

For example, the MX1004 offers two scan engines: a Sophos signature-based virus scanner and a behavior-based Virus Prevent System (VPS). Settings determine whether the appliance applies one or both engines to HTTP, FTP, SMTP, and/or POP3 (Figure 3-5). Selected file attachments can also be scanned or skipped based on file extension. Advanced parameters tune performance by limiting scanned message size, concurrent scans, timeouts, and quarantined messages.

Figure 3-5: Basic antivirus configuration

These global options make it easy to scan high-risk application messages for virus and spyware payloads without imposing that overhead on other traffic. However, the MX1004 cannot scan for viruses carried by other protocols or hidden inside encrypted/password-protected files. For example, when we e-mailed and downloaded 30+ live viruses, the appliance caught all but one: a Bagle worm zip file that was instead caught by our desktop anti-virus (Figure 3-6).


Figure 3-6: MX1004 antivirus results
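The scan-policy knobs described above (protocol selection, extension-based skipping, a maximum scan size) and the password-protected archive that slipped past the gateway, modelled as an added Python example that is not code from the article or from the MX1004. The protocol set, skipped extensions, size cap and sample archive are assumptions constructed for the example; the encrypted-entry check reads the zip general-purpose flag bit 0, which is how a gateway can at least recognise what it cannot inspect.

```python
import io
import os
import struct
import zipfile

# Assumed policy values (not taken from the article): protocols the gateway
# scans, extensions the administrator chose to skip, and the size cap.
SCAN_PROTOCOLS = {"HTTP", "FTP", "SMTP", "POP3"}
SKIP_EXTENSIONS = {".jpg", ".png", ".gif"}
MAX_SCAN_BYTES = 10 * 1024 * 1024


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any entry sets general-purpose flag bit 0 (zip encryption marker)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a zip at all; leave it to the scan engines


def gateway_decision(protocol: str, filename: str, data: bytes):
    """Mimic the gateway's scan/skip logic. Any result other than 'scan' is a
    blind spot that should be logged and covered by endpoint anti-virus."""
    if protocol.upper() not in SCAN_PROTOCOLS:
        return "skip", "protocol not covered by gateway scanning"
    ext = os.path.splitext(filename)[1].lower()
    if ext in SKIP_EXTENSIONS:
        return "skip", "extension excluded by policy"
    if len(data) > MAX_SCAN_BYTES:
        return "skip", "message exceeds maximum scan size"
    if ext == ".zip" and zip_has_encrypted_entry(data):
        return "escalate", "password-protected archive: gateway cannot inspect contents"
    return "scan", "submit to signature and behavioral engines"


def constructed_zip(encrypted: bool) -> bytes:
    """Constructed sample archive; optionally mark its entry password-protected by
    setting flag bit 0 in the local header (offset 6) and central directory (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"harmless sample bytes standing in for an attachment")
    data = bytearray(buf.getvalue())
    if encrypted:
        for off in (data.find(b"PK\x03\x04") + 6, data.find(b"PK\x01\x02") + 8):
            struct.pack_into("<H", data, off, struct.unpack_from("<H", data, off)[0] | 0x1)
    return bytes(data)
```

Feeding `gateway_decision("POP3", "bagle.zip", constructed_zip(True))` through the policy yields "escalate": the gateway can name the gap, as the test above showed, but only the desktop scanner can close it.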

Note that POP3 users are told whenever virus or spyware payloads are found. Due to resource requirements, you may not want your network to quarantine them. The MX1004 can do so, but managing quarantined files falls to the administrator. We found that the Sophos-linked virus alerts provided enough information that we opted to disable appliance quarantine after testing (Figure 3-7).


Figure 3-7: MX1004 antivirus alerts
