Time to unlurk for a message or two....
Someone brought up a while ago that a real look to the future should be in prevention. To this day I still wonder why it is that the antivirus software vendors don't take more steps toward PREVENTION. In addition to constantly updating their lists of known virus patterns, why aren't they spending some time and money to research new possible patterns and prevent them? 'Cause let's be honest, if there are hackers out there who can come up with new trojans, then there are people out there who can be hired to create them ahead of time and prevent them as well.
Obviously it isn't as simple as all that, but it would be nice to see a company that actually took a serious effort in the right direction.
As a network admin, I know it sure would be nice to hear about a new virus and have my system already protected against it, instead of having to clean it out of my network after the fact and install a patch to amend the virus definition file.
Dave Mikulka
-----Original Message-----
From: Stephen Gutknecht (firewalls) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 13, 2000 2:05 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Undesired outbound data "leaking" - the next frontier?
Yes, but let's look toward the future. Is this problem getting larger or smaller? Unless new programs like RealAudio/Napster/etc stop being created, I will say it could get larger.
Checksum of programs on the client --- that is exactly what "Anti-virus" software is basically doing, scanning all files on a system and doing pattern matching. The anti-virus software vendors are also in the business of making "lists" and distributing those "lists" of patterns.
I personally don't see as much need for the real-time "system slowing" non-stop virus scanning that Martin [[EMAIL PROTECTED]] talks about for this type of issue. A scan every 24 hours would seem sufficient to identify potentially "undesired" programs (above and beyond normal virus scanning).
I can think of two technologies available today:
--- The netnanny web filter software. These companies are in the business of tracking the web pages out there and classifying them based on porno and other factors. What about "safe to post data"? Yes, these lists of sites are far far far from perfect... but the technology and model exists.
--- The anti-virus checking of executables.
A new type of program and server?
===================================
Maybe there needs to be a new network protocol? Maybe a digital signature applied to the opening packet of a network session? Maybe some new type of program that runs on client PC's and requests permission from an "outbound security server" before a firewall would allow a new session?
That doesn't sound like a bad idea. Something like ZoneAlarm that runs on the client operating system and intercepts all outbound traffic... but INSTEAD of asking the user of the PC ("do you want to allow iexplore.exe to go outbound") -- it does a request to a "corporate authorization server." And base the program detection on a digital signature/checksum -- not just the name of the exe! So far, at least one program (ZoneAlarm) has proven sufficient at detecting new outbound traffic sessions on a PC.
And besides, the firewall policy could be to block ALL OUTBOUND unless authorized. So if the person isn't running the "authorized outbound requester program," or has a trojan that bypasses it -- outbound data would never get out...
The same could be said for user identification. Perhaps "logging into the firewall" should be required for outbound Internet use in general. We know who is in our email and custom applications, but we really have no idea who a web surfer is (other than their machine IP)?
Oh yeah, one other thing... any program that blocks user access when the program isn't authorized... it should allow the user to be sent to a custom web page and not just pop up a "you can't connect" error. This way the MIS-types can at least provide the user (via private web server) with site-specific information on how to deal with the issue.
Stephen Gutknecht
Renton, Washington
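The checksum-based outbound authorization Stephen sketches above (decide by a digest of the executable's contents rather than its file name, deny everything not on the list, and hand a refused user a help page instead of a bare error), written out as an added example that is not part of the original thread. The allowlist, the file contents and the help URL are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Assumed private MIS web page a refused user is redirected to (placeholder).
HELP_URL = "http://intranet.example/outbound-help"


def sha256_of_file(path: str) -> str:
    """Digest the executable's bytes; the file name alone proves nothing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths: Iterable[str]) -> Dict[str, str]:
    """Server side: record the digest of each approved program build."""
    return {sha256_of_file(p): os.path.basename(p) for p in approved_paths}


@dataclass
class Decision:
    allowed: bool
    reason: str
    redirect_url: Optional[str] = None


def authorize(exe_path: str, allowlist: Dict[str, str]) -> Decision:
    """Client-side check before the firewall opens a new outbound session.
    Default deny: an unknown digest is refused and the user is pointed at
    the help page rather than a plain "you can't connect" error."""
    name = allowlist.get(sha256_of_file(exe_path))
    if name is None:
        return Decision(False, f"unknown digest for {os.path.basename(exe_path)}", HELP_URL)
    return Decision(True, f"approved build of {name}")


def demo():
    """Constructed scenario: two files both named iexplore.exe, one approved."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "good", "iexplore.exe")
    other = os.path.join(root, "other", "iexplore.exe")
    for path, body in ((good, b"approved browser build"), (other, b"same name, other bytes")):
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(body)
    allowlist = build_allowlist([good])
    return authorize(good, allowlist), authorize(other, allowlist)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```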
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]