Re: Virus Checking on Firewall

On Thu, 27 Sep 2001, Jim Penny wrote:

> On Thu, Sep 27, 2001 at 10:58:26AM -0400, Richard A Nelson wrote:
> > On Wed, 26 Sep 2001, Chad Morgan wrote:
> >
> > > I was wondering what the best way (if any) of stopping email viruses
> > > through a firewall.
> >
> > Put your virus scanner there...
> >
> I respectfully disagree with this.
> The questioner specifically said that people were fetching mail
> from outside services.   Presumably this means POP, IMAP, and
> probably webmail, and if webmail, probably HTTPS webmail.

Indeed, I was thinking only of a fetchmail type setup.  Anything
more complicated has little chance of working at all.

> Also, I don't really think that a virus scanner belongs on a firewall.
> These tend to be very heavy and closed source.  I would worry about
> Denial of Service Attacks and even straight attacks on the virus
> engine.

I'll agree that there are problems with virus scanners and *any*
kind of mailhub (firewall or not), but I see more pressure being
put on folk to do so anyway...  The mailhub is a better place
than the firewall, and about the only hope (currently) of stopping
things like the mail spreading of nimda, etc...

> In my opinion, the only thing to do is to make it more difficult
> for the end users to shoot themselves in the foot.  (Amazing how
> many times they can shoot themselves in the foot and expect us
> to come along and patch them up again.)

ohhh - flashback to college and Adventure (750pt version) - there
was a long missive after so many (3?) reincarnations ;-)

> This means that the
> mail client absolutely, positively must not automatically handle
> content in any way.  No preview, no launching browsers, no javascript,
> no VBS, nothing but text.  And it absolutely must not hide extensions,
> ever.  I.e. kill LookOut!, kill LookOut Real Fast!, kill Rotus Motes,
> and you might have a chance.

Amen! However, that's a long row to hoe...  And will be helped by
carp like nimda -
	CR and Nimda put a hell of a crimp on the IBM infernal network,
	and my daughter is part of a group hitting every Scott Co school
	to eradicate these beasties

Rick Nelson
<jim> Lemme make sure I'm not wasting time here... bcwhite will remove
      pkgs that haven't been fixed that have outstanding bugs of severity
      "important".  True or false?
<JHM> jim: "important" or higher.  True.
<jim> Then we're about to lose ftp.debian.org and dpkg :)
* netgod will miss dpkg -- it was occasionally useful
<Joey> We still have rpm....