Re: about viruswall?

[Sebastian Schneider <ses () straightliners de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just forgot some big point. In some countries it's required to have the 
permission from the users to drop e-mails at all since you're not the 
intended recipient and therefore having not the right to block these very 
mails.

Sebastian

On Wednesday 10 September 2003 03:35, Sebastian Schneider wrote:
> Hey Gabriel,
>
> depending on your budget as well as system setup the solution will be quite
> different .
>
> At first, the behavior of a so-called viruswall is similar to a firewall.
> If your front-end smtp server is based on linux running sendmail, exim or
> postfix it's quite easy to plug in an AV software scanning mail traffic and
> blocking e-mails with infected attachments or malicious code.
> There some solutions available as commercial products. There might be some
> being free. I set up Kaspersky Anti Virus for Mail Servers some time ago
> and it works out just fine and really fast killing malware before that
> e-mail is getting to anyone. Updates are available shortly after new virii
> have been analyzed (we were updating hourly).
> In sendmail it's really kind of easy as just adding the AV software as a
> new mailer and adding some rewriting rules.
>
> If your front-end mailer is Win based, it could become an issue as Brian
> pointed out. Depending on the software implemented it can be less serious.
>
> Additionaly, as you might already do, you should deploy av software on host
> basis.
>
> Sebastian
>
> On Tuesday 02 September 2003 18:08, Gabriel Orozco wrote:
> > Well, certainly I'm wrong when I think about all A-V solutions work like
> > mine, in Linux+QMail+qmailscan, where the message simply will not
> > transverse the smtp if it is not first scanned....
> >
> > I was not aware about it can be a problem in a NT/2K platform.
> >
> > What can I say? at best, I would say anybody that there are other
> > solutions different than Microsoft, and simply more secure.
> >
> > Regards
> > ----- Original Message -----
> > From: "chort" <chort () amaunetsgothique com>
> > To: <security-basics () securityfocus com>
> > Sent: Friday, August 29, 2003 6:45 PM
> > Subject: Re: about viruswall?
> >
> > > On Fri, 2003-08-29 at 09:28, Gabriel Orozco wrote:
> > > > With an antivitus running in your SMTP server is more than enough.
> > >
> > > WHOA!  This kind of attitude is simplistic at best, and extremely
> > > careless.
> > >
> > > Anti-Virus for your enterprise mail system can be very flakey (due to
> > > the complexity of interfacing with modern enterprise mail and groupware
> > > systems).  Some times there is a delay between when the message arrives
> > > and when it gets scanned, and it may be opened in that interval (a race
> > > condition).  Some times the service fails (particularly on NT/2K) and
> > > you may not realize that you're unprotected.  Besides those grave
> > > dangers, this is by default accepting that viruses will penetrate your
> > > network and will for a fact be on your internal servers (even if they
> > > do end up getting cleaned).  Are you so sure you want to guarantee that
> > > your Windows server will have viruses?
> > >
> > > Anti-Virus should be a multi-tiered defense.  One layer at the e-mail
> > > gateway, peeling away the dangerous stuff before it even makes it
> > > inside your inner firewall.  One layer on the mail/groupware server
> > > (preferably a different vendor than the gateway A-V) to catch anything
> > > that gets through, and to take care of things sent locally.  The last
> > > ditch should be on the desktop (possibly a third vendor) for a last
> > > chance to catch anything that the other two missed, and as a FIRST
> > > chance at smoking out infections that your users contract from websites
> > > or outside e-mail accounts.
> > >
> > > Just having A-V on your mail server is most certainly NOT "more than
> > > enough."  Why let things into your network if you know you can stop
> > > them in the DMZ and mitigate the risk?  That's why the "virus wall"
> > > concept was started years ago, and within the last couple of years it
> > > has grown to include anti-spam, content policy enforcement, Internet
> > > message encryption, etc and is now known as a secure e-mail gateway
> > > (not to be confused with INsecure e-mail gateways, which is what
> > > sendmail is).
> > >
> > > --
> > > Brian Keefer
> > >
> > >
> > > -----------------------------------------------------------------------
> > > -- -
> >
> > -
> >
> > > Attend Black Hat Briefings & Training Federal, September 29-30
> > > (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's
> > > premier technical IT security event.  Modeled after the famous Black
> > > Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers
> > > and sponsors. Symantec is the Diamond sponsor.  Early-bird registration
> > > ends September
> >
> > 6.Visit us: www.blackhat.com
> >
> > > -----------------------------------------------------------------------
> > > -- -
> >
> > --
> >
> >
> >
> >
> > -------------------------------------------------------------------------
> > -- Attend Black Hat Briefings & Training Federal, September 29-30
> > (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's
> > premier technical IT security event.  Modeled after the famous Black Hat
> > event in Las Vegas! 6 tracks, 12 training sessions, top speakers and
> > sponsors. Symantec is the Diamond sponsor.  Early-bird registration ends
> > September 6.Visit us: www.blackhat.com
> > -------------------------------------------------------------------------
> > -- -

- -- 

Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany

Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/X2SeQ7mOWZBxbPcRAoP7AJ44YOpXZgyzJHyZEIh5xVG8E/MPXwCcDNrq
V1lJCPTmffaxe0t21LEjVTo=
=6rY4
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------