On 18 October 2013 12:41, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
>> I have to join Marc here and say "me too". In my organisation we
>> actually have those controls in place (antivirus/antimalware) in the
>> Internet gateways and we do not disable them for specific traffic
>> flows unless a detailed risk analysis has been done (and approved).
>
> Personally I disagree with this approach as you are making the gateways
> themselves more open to attack adding risk to all rather than the
> targeted,
You can disagree with this approach. However, in my 10+ years' experience setting up security gateways for Internet traffic (mostly for HTTP/FTP/SMTP) I've seen only a few vulnerabilities in the gateways themselves. Many of the gateways I have deployed are either network appliances with a Common Criteria certification (see http://www.commoncriteriaportal.org/), or are deployed using specific software running in a hardened (again, Common Criteria certified) operating system configuration. So I'd say the risk of exposing "all" by running a properly set up gateway is rather low.

In my organisation (and I know we are not alone here), we do not just rely on the antivirus running on the desktops. We also do routine anti-virus/anti-malware checks on gateways running in a DMZ and block suspicious files that cannot be analysed (e.g. encrypted files not using corporate encryption, such as a ZIP file with a password). It's not just us; it is a common approach followed by many organisations and is based on the "defence-in-depth" principle.

> especially when antivirus are so easy to fool anyway.

That's also why we analyse incoming files with more than one antivirus engine. And that's also why we do behavioral analysis (i.e. run downloaded software in a sandbox) to detect malicious files.

> There are many perfectly legitimate hacking tools that may hit the repo
> that AV will pick up (backtrack distro has many) but also is there any
> danger of av browser plugins and google even blocking debian.org.

If somebody in my organisation is downloading and running hacking tools, I (with my network/security admin hat on) want to know it. These tools are only allowed for a specific group of individuals and under specific conditions, and I expect our gateways to block these downloads too.

Regards

Javier
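One concrete piece of the policy described in the message above, detecting a password-protected ZIP at the gateway without extracting it, as an added example (not code from the original thread, from Debian, or from any gateway product). It relies only on the ZIP file format: bit 0 of an entry's general-purpose flag marks the entry as encrypted, and compression method 99 marks WinZip AES encryption. The verdict strings, the rule that an unparseable archive is treated as suspicious, and the sample archives built by `build_zip` are assumptions constructed for this example.

```python
"""Gateway-side check: flag ZIP archives containing encrypted entries.

Added example, not code from the debian-devel thread or from Debian. It
reads only the archive headers, which is exactly what a scanning gateway
can do with a file it is not able to decrypt.
"""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001   # general-purpose flag bit 0: entry is encrypted
AES_METHOD = 99           # compression method used as the WinZip AES marker


def encrypted_members(data: bytes) -> list[str]:
    """Return the names of encrypted entries, reading only the central directory.

    Raises zipfile.BadZipFile when the payload is not a parseable archive,
    so a truncated or disguised file can be treated as "cannot analyse".
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if info.flag_bits & ENCRYPTED_FLAG or info.compress_type == AES_METHOD
        ]


def gateway_verdict(data: bytes) -> str:
    """Decide what a scanning gateway should do with a downloaded payload.

    Assumed policy for this example: "allow" when every member can be
    inspected, "block:encrypted" when any member is encrypted, and
    "block:unparseable" when the archive cannot be opened at all.
    """
    try:
        names = encrypted_members(data)
    except zipfile.BadZipFile:
        return "block:unparseable"
    return "block:encrypted" if names else "allow"


def build_zip(entries: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Hand-build a stored (uncompressed) ZIP so the example runs offline.

    Constructed test data: with encrypted=True the entries only get the
    encryption flag set and a 12-byte dummy ZipCrypto header prepended; no
    real encryption is performed, which is all the header check needs.
    """
    flag = ENCRYPTED_FLAG if encrypted else 0
    local, central, offset = b"", b"", 0
    for name, payload in entries.items():
        body = (b"\x00" * 12 + payload) if encrypted else payload
        crc = zlib.crc32(payload)
        n = name.encode()
        # local file header: sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len
        hdr = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flag, 0, 0, 0,
                          crc, len(body), len(payload), len(n), 0)
        local += hdr + n + body
        # central directory record pointing back at the local header
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20,
                               flag, 0, 0, 0, crc, len(body), len(payload),
                               len(n), 0, 0, 0, 0, 0, offset) + n
        offset += len(hdr) + len(n) + len(body)
    # end of central directory: disk numbers, entry counts, CD size, CD offset
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    plain = build_zip({"report.txt": b"quarterly numbers"})
    locked = build_zip({"invoice.exe": b"MZ\x90\x00"}, encrypted=True)
    print("plain archive:", gateway_verdict(plain))
    print("password-protected archive:", gateway_verdict(locked),
          encrypted_members(locked))
    print("text file:", gateway_verdict(b"This is not an archive, just text."))
```

The check deliberately never calls `ZipFile.read()`: the point is to decide without needing the password, and an archive that throws `BadZipFile` is routed to the same "cannot analyse" outcome as an encrypted one rather than being waved through.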