Lance and Christine wrote:
I am new to firewalls, but I am not new to virii at all (best AV
product in Russia, but it was never released, only beta-tested).
It seems that SMTP packets are not enough at all. How many users get
software mailed to them? How many users just download it? I would guess
the ratio is 20:1. Of course, if you restricted ftp and http, they would
use mail, but I assume you didn't, because then there would be no need
of such a firewall.
Even if you decided to use it, it would either be worthless or give you
a lot of overhead. Polymorphic virii are the most dangerous ones, and
only heuristic modes can detect them. Heuristic analysis takes a lot of
CPU time, gives a lot of false alarms and is thus inappropriate for a
firewall. If you disabled heuristics, you would render this tool
useless, since polymorphic virii reign the bacteria world now. (NB:
a polymorphic virus is a virus that encrypts itself, adds a decryptor
routine and varies that routine greatly. One of the best-known
polymorphics has 4 billion possible decryption routines.) Now you see
why detecting them takes so much CPU "horsepower". They are detected by
scanning for strings known to be in each variant of a virus, but
polymorphics have more than 4 billion possible variants of code.
I intentionally simplified it, but you may request further info.
I think that if you really wanted to protect yourself against virii,
you'd have to educate your users. If you still insist on using that
package, you should forward all SMTP packages to a different box to
avoid huge overhead.
> i was handed a product announcement yesterday about a symantec tool
> which does virus checking on smtp packets on the firewall. i didn't
> look very closely at it, but it raised a couple of points on which i
> would like some feedback.
> first, is the firewall the right place to do this kind of checking? on
> a fairly skinny host (in my case, a sparc 2 running firewall 1),
> wouldn't the overhead of virus checking impact the flow of packets? and
> finally, is smtp checking enough? it seems inadequate. thanks for any
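Added example, not part of the original post or the thread it replies to: a small Python sketch of the trade-off the reply describes. A fixed-string signature catches the plain body but none of the variants once a varying decryptor loop is wrapped around it; decoding the variant first (generic decryption, the approach real heuristic scanners take) catches every variant at the price of a second pass over the bytes; and a cheap rule of thumb that avoids decoding fires on a clean binary that merely looks encrypted. The body, the marker byte, the two-byte decryptor stub and the rolling XOR are all constructed for illustration; nothing here is real malware or a real scanner.

```python
"""Added illustration of the signature-versus-heuristic trade-off discussed
in the post. Every sample is a constructed byte string; nothing here is
real malware or a real scanner."""

MARKER = 0xDE  # constructed stand-in for "this sample begins with a decryptor"

# Constructed body a scanner would be given a signature for (88 bytes, all
# printable ASCII).
BODY = b"CONSTRUCTED-SAMPLE-BODY:" + bytes(range(32, 96))
SIGNATURE = b"CONSTRUCTED-SAMPLE-BODY"


def make_variant(key: int) -> bytes:
    """Produce one 'polymorphic' variant: a 2-byte decryptor stub (marker +
    key) followed by BODY under a rolling XOR key. Because the key changes
    every byte, no fixed substring of BODY survives into any variant."""
    encoded = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(BODY))
    return bytes([MARKER, key & 0xFF]) + encoded


def signature_scan(sample: bytes) -> bool:
    """Plain string scanning: one pass, exact match, no false alarms."""
    return SIGNATURE in sample


def emulated_scan(sample: bytes) -> tuple[bool, int]:
    """Generic decryption: if the sample starts with the decryptor stub, run
    the decryptor's loop ourselves and scan the decoded output. Returns
    (flagged, bytes_processed) so the extra CPU cost is visible."""
    work = len(sample)  # the static scan already touches every byte
    if len(sample) >= 2 and sample[0] == MARKER:
        key = sample[1]
        decoded = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(sample[2:]))
        work += len(decoded)  # second pass over the decoded body
        return SIGNATURE in decoded, work
    return SIGNATURE in sample, work


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def crude_heuristic(sample: bytes) -> bool:
    """Cheap rule of thumb that avoids decoding: decryptor marker followed by
    a body that does not look like text. It also fires on any clean binary
    that happens to begin with the marker byte, which is the false-alarm
    problem the post complains about."""
    return (len(sample) >= 2 and sample[0] == MARKER
            and printable_ratio(sample[2:]) < 0.5)


# Constructed clean samples: an ordinary mail body, and a binary blob (think
# of an attached image) whose first byte coincidentally equals MARKER.
CLEAN_TEXT = b"Dear list, the minutes of yesterday's meeting are attached."
CLEAN_BINARY = bytes([MARKER, 0x00]) + bytes(range(128, 216))


def detection_counts(keys=range(256)) -> dict:
    """How many of the generated variants each method catches."""
    variants = [make_variant(k) for k in keys]
    return {
        "signature": sum(signature_scan(v) for v in variants),
        "emulated": sum(emulated_scan(v)[0] for v in variants),
        "crude_heuristic": sum(crude_heuristic(v) for v in variants),
    }


if __name__ == "__main__":
    print("variants caught:", detection_counts())
    print("emulation cost on one variant:", emulated_scan(make_variant(0x80))[1], "bytes")
    print("crude heuristic on clean binary:", crude_heuristic(CLEAN_BINARY))
```

Running it shows the signature catching none of the 256 variants while the emulated scan catches all of them at roughly double the per-byte work, and the crude heuristic flagging the clean binary blob. Variants whose rolling key stays below 0x80 may leave many bytes printable and slip past the crude rule, which is why a cheap static heuristic is neither reliable nor free of false alarms, and why the decoding pass is what actually costs the CPU time the post warns about.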