>We are working on some security policies for our firewall and I
>need some advice on ftp. First, a little background. Our firewall
>is not yet the bastion host type. It consists of a router, connected
>to the Internet, then an isolated ethernet to a dual-homed Unix
>box which has ip-forwarding turned off. As a result, users who
>need to ftp files from the Internet must log into their account on
>the gateway host and then ftp from there (I know this isn't the
>preferred method but I have no choice at the moment).
If I understand your configuration correctly, you should
be able to use an FTP proxy of some sort, to permit FTP traffic
without requiring a login on the firewall machine. [One place to
look for such a proxy is in our firewall toolkit]
>Our question is what should we do to limit the chances that an executable
>which a user may bring through the gateway machine has a virus?
Joking aside, this is a really tough problem. There are
two issues to consider:
-> encoding
-> consistency of security
Encoding is the technical gotcha. There are just too many
ways that files get encoded for transmission over the 'net to be
able to have a prayer of finding a virus in them. What about if it's
in a uuencoded file? Or a uuencoded .ZIP file? Or a uuencoded tar
of a bunch of .ZIP archives? What about a MIME document? Or a .hqx file?
Or... You get the idea. There's a chance you'll find something by scanning,
but it's very, very slim. It's so slim, in fact, that it's probably
only "warm fuzzies" security -- it looks good on paper but that's all.
Consistency of security is another issue. Many of the folks I
have talked to who are concerned about bringing virii in from the
internet don't have any kind of policy that controls bringing data
into the corporate network on floppy disks. It's not consistent
security practice to worry a whole lot about virii coming in from
over the 'net when anyone can bring one in on a floppy -- and in
fact I suspect that's how a majority of virii are transmitted.
A firewall isn't a panacea and doesn't replace educating
your users. A better approach to the virus problem is to educate
staff to understand that they should scan stuff before they install
it, whether it came from over the 'net, or a BBS, or a shareware
disk, or from their buddy's machine down the hall. That way you're
attacking the whole class of virus related problems across the
board, rather than fighting a losing battle to try to implement
a technical solution on your firewall itself.
>Do most ftp sites scan their executables for viruses on a regular basis?
Some do before uploading them.
>Is there a virus scanner, which runs under unix, which can check for
>viruses in both unix and dos executables?
UNIX virii are hard to check for and I suspect that
anyone who is claiming they have a "virus scanner" for UNIX
is doing some creative marketing. Probably the best way to "scan"
for virii under UNIX is to checksum all your system files and
make sure they haven't changed -- it gets around the operating
system dependencies nicely. Look at tools like Tripwire as possible
Scanning for DOS virii on a UNIX box is also a bit of a
wild goose chase. Why? Because any DOS executable that's being
transmitted through the UNIX box is probably encoded for transmission
and then you have the whole issue of figuring out what the encoding
is and means...
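The "uuencoded tar of a bunch of .ZIP archives" case from the reply above, worked through in code. This is an added example, not code from the original post: it builds such a nested file in memory, shows that a scanner looking at the raw bytes crossing the gateway sees nothing, and then unwraps every layer before looking again. The "virus" is a constructed marker string (CONSTRUCTED_MARKER), the sample archive and its file names are made up, and only uuencode, gzip, zip and tar layers are handled; anything else is treated as a leaf file.

```python
"""Peel nested transfer encodings and look for a marker at the bottom.

Added example, not code from the original post.  Assumptions (not in the
original): the "virus" is the constructed marker CONSTRUCTED_MARKER, and
only uuencode, gzip, zip and tar layers are recognised; any other data is
treated as a leaf file and scanned as-is.
"""
import binascii
import gzip
import io
import tarfile
import zipfile
from typing import List, Optional, Tuple

CONSTRUCTED_MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-A-REAL-VIRUS"
MAX_DEPTH = 16  # refuse absurd nesting instead of recursing forever


def uu_encode(name: str, data: bytes) -> bytes:
    """Produce a classic 'begin 644 name' ... '`' / 'end' uuencoded blob."""
    lines = [f"begin 644 {name}\n".encode()]
    for i in range(0, len(data), 45):          # b2a_uu takes at most 45 bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]))
    lines.append(b"`\nend\n")
    return b"".join(lines)


def uu_decode(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes if data is uuencoded, else None."""
    lines = data.splitlines()
    if not lines or not lines[0].startswith(b"begin "):
        return None
    out = bytearray()
    for line in lines[1:]:
        if line.strip() == b"end":
            break
        if line:
            out += binascii.a2b_uu(line)
    return bytes(out)


def peel(data: bytes, path: str = "<input>", depth: int = 0) -> List[Tuple[str, bytes]]:
    """Unwrap every recognised layer; return (path, bytes) for each leaf file."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} at {path}")
    decoded = uu_decode(data)
    if decoded is not None:
        return peel(decoded, path + "/uu", depth + 1)
    if data[:2] == b"\x1f\x8b":                    # gzip magic
        return peel(gzip.decompress(data), path + "/gz", depth + 1)
    if data[:4] == b"PK\x03\x04":                  # zip local-file header
        leaves = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    leaves += peel(zf.read(info), f"{path}/zip:{info.filename}", depth + 1)
        return leaves
    try:                                           # tar has no magic at offset 0; rely on the header checksum
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.TarError:
        return [(path, data)]                      # no encoding we know: this is a leaf
    with tf:
        leaves = []
        for member in tf.getmembers():
            if member.isfile():
                leaves += peel(tf.extractfile(member).read(), f"{path}/tar:{member.name}", depth + 1)
        return leaves


def naive_scan(data: bytes) -> bool:
    """What a scanner that ignores encodings sees: is the marker in the raw bytes?"""
    return CONSTRUCTED_MARKER in data


def scan(data: bytes) -> List[str]:
    """Paths of every leaf that contains the marker once all layers are unwrapped."""
    return [p for p, leaf in peel(data) if CONSTRUCTED_MARKER in leaf]


def build_nested_sample() -> bytes:
    """Constructed input: fake DOS .EXE -> .ZIP -> tar of two zips -> gzip -> uuencode."""
    infected = b"MZ" + b"\x90" * 30 + CONSTRUCTED_MARKER + b"\x00" * 16
    clean = b"MZ" + b"\x00" * 64

    def zipped(name: str, payload: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()

    tarbuf = io.BytesIO()
    with tarfile.open(fileobj=tarbuf, mode="w:") as tf:
        for name, blob in (("tools.zip", zipped("VIEWER.EXE", clean)),
                           ("games.zip", zipped("PACMAN.EXE", infected))):
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tf.addfile(info, io.BytesIO(blob))
    return uu_encode("archives.tar.gz", gzip.compress(tarbuf.getvalue()))


if __name__ == "__main__":
    sample = build_nested_sample()
    print("raw-bytes scan finds marker:", naive_scan(sample))
    print("after unwrapping:", scan(sample))
```

Every layer here is one the author lists, and each one has to be recognised and reversed before the scanner sees the executable; a format the gateway does not know (.hqx, a new compressor, an encrypted zip) ends the unwrapping and the file passes as an opaque leaf, which is exactly the "very, very slim" chance the reply describes. The MAX_DEPTH guard is a design choice so a deliberately deep archive cannot tie up the gateway.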
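The "checksum all your system files and make sure they haven't changed" suggestion from the reply, as an added example that is not part of the original post and is not Tripwire's own format or code. It hashes every regular file under a root, saves a baseline, and later reports what was added, removed or changed. The tree it checks is a constructed stand-in built in a temporary directory, and the tampering scenario (a trojaned login, a new setuid helper, a deleted binary) is made up for the demonstration.

```python
"""Tripwire-style integrity check: baseline a tree's checksums, then diff.

Added example, not the original post's code and not Tripwire's own
format.  The tree it inspects is a constructed stand-in in a temporary
directory, not a real system.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> {sha256, size, mode} for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),   # a new setuid bit shows up here too
            }
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /bin, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        sys_root = Path(tmp) / "sys"
        bin_dir = sys_root / "bin"
        bin_dir.mkdir(parents=True)
        (bin_dir / "login").write_bytes(b"#!/bin/sh\nexec /usr/libexec/login.real \"$@\"\n")
        (bin_dir / "ls").write_bytes(b"\x7fELF constructed stand-in for ls\n")
        (bin_dir / "ps").write_bytes(b"\x7fELF constructed stand-in for ps\n")

        # The baseline lives OUTSIDE the tree it describes (ideally on read-only media).
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(sys_root)))

        # Tampering: login trojaned, a setuid helper dropped in, ls removed, ps untouched.
        (bin_dir / "login").write_bytes(
            b"#!/bin/sh\necho \"$@\" >> /tmp/.creds\nexec /usr/libexec/login.real \"$@\"\n")
        (bin_dir / "backdoor").write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(bin_dir / "backdoor", 0o4755)
        (bin_dir / "ls").unlink()

        baseline = json.loads(baseline_file.read_text())
        return compare(baseline, snapshot(sys_root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is operating-system independent in exactly the way the reply wants: it never interprets the binaries, it only notices that bytes or permission bits differ from the baseline. It is only as trustworthy as the baseline itself, which is why the demo keeps it outside the tree being watched.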