Firewall Wizards mailing list archives

RE: AntiVirus Software


From: "Joe Ippolito" <joe () joesnet com>
Date: Thu, 9 Sep 1999 07:48:42 -0700

I will back up Patrick's take on CVP.  Tried it with FW-1 and NAV.  It was
not pretty, although it was an early release of both products.  I prefer
McAfee's product on MS Proxy, a mail server scanner, desktop software and
lots of user education.  I cannot see adding the load and uncertainty to my
first line of defense.

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Patrick M.
Hausen
Sent: Wednesday, September 08, 1999 3:39 AM
To: Robert Driscoll
Cc: firewall-wizards () nfr net
Subject: Re: AntiVirus Software


Hi!

      This question revolves more around virus scanning than firewalling.
But since the scanner will talk directly to the firewall, I would like any
input you may wish to elicit.

[...]

      My question is: does anyone have experience configuring firewalls to
pass traffic to a virus scanner? It does seem to add a bit of complexity
to the situation. I'm interested in hearing about possible pitfalls and
traps that may be lurking. We are looking at configuring SMTP first and
then, if that works, FTP and HTTP.

      Any comments on scanning products would be appreciated as well.

Our experiences with CVP based scanning were, well, not that great.
Our setup is Gauntlet Firewall for Unix with Data Fellows F-Secure for
Firewalls.

As I gathered from the gauntlet-users archive, CVP version 1.0 has serious
limitations, like not being able to specify what to scan (i.e. HTML
and GIFs are scanned, too, if you want to scan HTTP transfers) and a
maximum of 5 concurrent open "sessions" between the firewall and the
scanning engine.

This has proven a showstopper for FTP and HTTP transmissions. Users
experience massive slowdowns, short downloads (i.e. half of a file
is transmitted) and the like.

If you want to deploy a solution based on CVP, make sure all products
support CVP 2.0 which addresses some of the problems. F-Secure does,
while Gauntlet doesn't.

Even CVP 2.0 has hard-coded limitations (now it's 254 sessions),
so in a high bandwidth configuration with many users it might still
fail.

Generally vendors seem to prefer proxy based solutions that
don't use CVP, e.g. Trend Micro. NAI announced Gauntlet 5.5 would
have a built-in scanning engine for the HTTP proxy. I haven't
got my hands on that yet.

We're still using CVP 1.0 in the above setup to scan emails. Works
flawlessly so far. Nonetheless there are standalone "SMTP proxy"
based scanners for email, too.

Regards,
Patrick


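The two CVP 1.0 limitations Patrick describes (everything on HTTP, HTML and GIFs included, is handed to the scanner, and the firewall may hold at most 5 open scanner sessions) compound each other: every small image consumes one of the few slots, so later transfers wait on the firewall side until a slot frees up. The following is an added illustration, not code from the thread, from Gauntlet, F-Secure or Check Point, and it does not implement the real CVP wire protocol. It is a discrete-event model of a firewall queueing transfers onto a scanner with a hard session cap. The content types, the `SKIP_BY_POLICY` set, the workload and the per-transfer scan times are all constructed for the example, and the model assumes all transfers arrive at once and ignores network transfer time.

```python
"""Model of a firewall handing transfers to a content scanner over a
bounded number of sessions (CVP 1.0 style).  Illustration only; the real
protocol, scan times and content-type policy are assumptions."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    name: str
    content_type: str
    scan_seconds: float  # time the scanner engine holds the session (assumed)


# Content that a selective policy would leave unscanned.  CVP 1.0, as described
# in the thread, offers no such selection: every HTTP object goes to the engine.
SKIP_BY_POLICY = frozenset({"text/html", "image/gif", "image/jpeg"})


def needs_scan(transfer: Transfer, selective: bool) -> bool:
    """Decide whether the firewall vectors this transfer to the scanner."""
    if not selective:
        return True  # CVP 1.0 behaviour: no way to pick what is scanned
    return transfer.content_type not in SKIP_BY_POLICY


def simulate(transfers, max_sessions: int, selective: bool):
    """Run the workload through a scanner with `max_sessions` parallel slots.

    Transfers all arrive at t=0 in list order.  A transfer that cannot get a
    slot waits with its connection held open by the firewall, which is the
    "massive slowdown" users see.  Returns (finish_time_by_name, makespan,
    max_wait), where max_wait is the longest time a transfer spent queued.
    """
    if max_sessions < 1:
        raise ValueError("scanner needs at least one session")
    slot_free_at = [0.0] * max_sessions  # min-heap of when each slot frees up
    heapq.heapify(slot_free_at)
    finish = {}
    max_wait = 0.0
    for t in transfers:
        if not needs_scan(t, selective):
            finish[t.name] = 0.0  # passed straight through, never queued
            continue
        start = heapq.heappop(slot_free_at)  # earliest slot to become free
        max_wait = max(max_wait, start)
        done = start + t.scan_seconds
        finish[t.name] = done
        heapq.heappush(slot_free_at, done)
    makespan = max(finish.values(), default=0.0)
    return finish, makespan, max_wait


def build_workload(count: int, content_type: str, scan_seconds: float, prefix: str):
    """Constructed sample workload: `count` identical objects of one type."""
    return [Transfer(f"{prefix}{i}", content_type, scan_seconds) for i in range(count)]


def compare_limits(workload, session_caps=(5, 254)):
    """Makespan of the same workload under each session cap, scanning everything."""
    return {cap: simulate(workload, cap, selective=False)[1] for cap in session_caps}


if __name__ == "__main__":
    # Constructed example: one page view pulls 50 GIFs, each taking 2 s to scan.
    gifs = build_workload(50, "image/gif", 2.0, "gif")
    zips = build_workload(5, "application/zip", 2.0, "zip")
    print("scan everything, 5 sessions :", simulate(gifs + zips, 5, False)[1:])
    print("scan everything, 254 sessions:", simulate(gifs + zips, 254, False)[1:])
    print("selective policy, 5 sessions:", simulate(gifs + zips, 5, True)[1:])
    print("5 vs 254 sessions, GIFs only:", compare_limits(gifs))
```

Under the 5-session cap the fifty GIFs finish in ten rounds of five, so the last one completes at 20 s after waiting 18 s; with 254 sessions, or with a selective policy that leaves images alone, the same page view costs one scan interval or none at all. That is the difference Patrick describes between CVP 1.0 and a scanner that can be told what to scan.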
