Re: On the ultimate futility of server-based mail scanning

From: aleph1at_private
Date: Fri Mar 08 2002 - 09:18:46 PST

    * David Kennedy CISSP (david.kennedyat_private) [020306 23:08]:
    > I understand the complaints, but I don't admit defeat nor will I reject as
    > futile a solution that's working.  Server-based mail scanning has technical
    > limitations.  So?  If a server-based solution intercepts only 80% of the
    > inbound malicious code to an enterprise, that's still 80% less for the IS/IT
    > staff to worry about and 80% less for desktop scanners to catch or 80% less
    > for users to judge whether "new photos from my party" is a bad or good
    > thing.  Certainly there are ways to attack the scanner and cause a denial
    > of service, as there are ways to bypass some scanners.  The scanners must
    > keep up with the threats and so far most have.  Server-based scanning
    > provides a chokepoint in today's environments that is far easier to
    > maintain than thousands of Microsoft desktops with wide variations of
    > client anti-virus "solutions."
    > 
    > Ultimately we live with the deployed systems we have, and their
    > limitations.  I'm unaware of a solution available today that supports
    > management and user demands for "friendliness" and puts secure end-user
    > software on the desktop.  Server-based scanning provides a solution *today*
    > that, while imperfect, is manageable and effective in stopping most of the
    > malicious code in the wild.  "Most" is not "all," but it's a lot more than
    > "none."
    
    David is correct. And this is not limited to anti-virus products. The
    same can be said of any application that attempts to interpret the
    communications between two entities and make security decisions based
    on them. Examples include firewalls and network intrusion detection
    systems. This is in essence the same argument made by Ptacek and Newsham
    in their seminal paper "Insertion, Evasion, and Denial of Service: Eluding 
    Network Intrusion Detection".
    
    Nonetheless, the argument does not mean these types of systems are useless.
    It simply means they are not a silver bullet and that you must be conscious
    of their limitations. And there are ways to make them more robust such
    as normalizing the traffic between the two end points (see for example
    Handley, Kreibich and Paxson's "Network Intrusion Detection: Evasion, 
    Traffic Normalization, and End-to-End Protocol Semantics").
    
    I would hope that some network based malicious code detection solutions
    would implement some of these strategies soon.
    
    -- 
    Elias Levy
    SecurityFocus
    http://www.securityfocus.com/
    Si vis pacem, para bellum
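
The interpretation problem Elias describes, and the normalization remedy he cites, as an added example that is not part of the original thread or of either paper: a toy TCP reassembler with two overlap policies shows that the same segments can mean different things to a scanner and to an endpoint, and a normalizer that keeps the first copy of every byte removes the ambiguity. The segments, the policy names and the `is_ambiguous` check are constructed for illustration.

```python
"""Toy TCP-stream reassembly with a normalizer (constructed example).

A scanner or IDS that reassembles overlapping segments with a different
policy than the receiving host will 'see' a different byte stream than the
host does.  Normalizing the traffic (one canonical copy of every byte)
makes both sides agree, which is the Handley/Kreibich/Paxson remedy.
"""
from typing import Dict, List, Set, Tuple

Segment = Tuple[int, bytes]  # (sequence offset, payload)

# Constructed sample: the second segment retransmits offsets 3..5 with
# different data, so the stream's meaning depends on who wins the overlap.
AMBIGUOUS: List[Segment] = [(0, b"HELLO "), (3, b"XX world")]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the stream; 'first' keeps the first copy of each byte,
    'last' lets later segments overwrite (illustrative policies only)."""
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = b
    return bytes(stream[k] for k in sorted(stream))


def is_ambiguous(segments: List[Segment]) -> bool:
    """True when the stream's content depends on the reassembly policy:
    the condition a monitor should alert on or normalize away."""
    return reassemble(segments, "first") != reassemble(segments, "last")


def normalize(segments: List[Segment]) -> List[Segment]:
    """Trim each segment to bytes not yet seen, emitting one segment per
    contiguous run of new bytes.  After this, every policy yields the
    same stream (assumes segments are processed in arrival order)."""
    seen: Set[int] = set()
    out: List[Segment] = []
    for seq, data in segments:
        run, run_start = bytearray(), 0
        for i, b in enumerate(data):
            off = seq + i
            if off in seen:            # duplicate byte: drop it, close run
                if run:
                    out.append((run_start, bytes(run)))
                    run = bytearray()
                continue
            seen.add(off)
            if not run:
                run_start = off
            run.append(b)
        if run:
            out.append((run_start, bytes(run)))
    return out
```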
    



    This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 13:39:49 PST