> Conventional thinking & common sense dictate that a firewall,
> or any other network choke-point, is an inappropriate place
> to scan bits for viruses.
I agree, and have said as much here in the past.
The fact is, though, that vendors are now starting to offer
virus-checking at the firewall. I'm not enthusiastic about this,
but it's evidently what a lot of consumers want. If I was more
cautious than usual in saying so, it's because occasionally I get
tired of singing the same tune.......
> Push this to the hosts.
> Be pragmatic.
I'm not sure it's a matter of pragmatism. There are any number of
places a virus attack might strike behind the firewall (depending
on how it's configured): encrypted E-mail attachments, dial-in,
floppynet, intranet etc. Since virtually all these attacks are aimed
-at- the desktop, it must be possible to demonstrate that if you're
going to have -one- line of defense, the desktop is where it has to
be. Of course, you can have supplementary defenses anywhere else,
including the perimeter, if you can afford the products -and- the
traffic (and other) overheads.
David Harley \ | / alt.comp.virus FAQ
uk \ | / & Anti-Virus Web Page
Support & Security Analyst \ | / Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/