Prevention? As in tying up the fingers of those creating and distributing
viri in the first place???
Thanks,
Ron DuFresne
On Wed, 13 Dec 2000, Dave Mikulka wrote:
> Time to unlurk for a message or two....
>
> Someone brought up a while ago that a real look to the future should be
> in prevention. To this day I still wonder why it is that the antivirus
> software vendors don't take more steps to PREVENTION. In addition to
> constantly updating their lists of known virus patterns, why aren't they
> spending some time and money to research new possible patterns and
> prevent them? 'Cause let's be honest, if there's hackers out there who can
> come up with new trojans, then there's people out there who can be hired
> to create them ahead of time and prevent them as well.
> Obviously it isn't as simple as all that, but it would be nice to see a
> company that actually took a serious effort in the right direction.
> As a network admin, I know it sure would be nice to hear about a new
> virus and my system is already protected against it instead of having to
> clean it out of my network after the fact and install a patch to amend
> the virus definition file.
>
> Dave Mikulka
>
> -----Original Message-----
> From: Stephen Gutknecht (firewalls) [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 13, 2000 2:05 PM
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Undesired outbound data "leaking" - the next frontier?
>
>
> Yes, but let's look toward the future. Is this problem getting larger or
> smaller? Unless new programs like RealAudio/Napster/etc stop being created,
> I will say it could get larger.
>
> Checksum of programs on the client --- that is exactly what "Anti-virus"
> software is basically doing, scanning all files on a system and doing
> pattern matching. The anti-virus software vendors are also in the business
> of making "lists" and distributing those "lists" of patterns.
>
> I personally don't see as much need for the real-time "system slowing"
> non-stop virus scanning that Martin [[EMAIL PROTECTED]] talks about for this
> type of issue. A scan every 24 hours would seem sufficient to identify
> potentially "undesired" programs (above and beyond normal virus scanning).
>
> I can think of two technologies available today:
>
> --- The netnanny web filter software. These companies are in the business
> of tracking the web pages out there and classifying them based on porno and
> other factors. What about "safe to post data"? Yes, these lists of sites
> are far far far from perfect... but the technology and model exists.
> --- The anti-virus checking of executables.
>
> A new type of program and server?
> ===================================
> Maybe there needs to be a new network protocol? Maybe a digital signature
> applied to the opening packet of a network session? Maybe some new type of
> program that runs on client PCs and requests permission from an "outbound
> security server" before a firewall would allow a new session?
>
> That doesn't sound like a bad idea. Something like ZoneAlarms that runs on
> the client operating system and intercepts all outbound traffic... but
> INSTEAD of asking the user of the PC ("do you want to allow iexplore.exe to
> go outbound") -- it does a request to a "corporate authorization server."
> And base the program detection on a digital signature/checksum -- not just
> the name of the exe! So far, at least one program (Zone Alarms) has proven
> sufficient at detecting new outbound traffic sessions on a PC.
>
> And besides, the firewall policy could be to block ALL OUTBOUND unless
> authorized. So if the person isn't running the "authorized outbound
> requester program," or has a trojan that bypasses it -- outbound data would
> never get out...
>
> The same could be said for user identification. Perhaps "logging into the
> firewall" should be required for outbound Internet use in general. We know
> is in our email and custom applications, but we really have no idea who a
> web surfer is (other than their machine IP)?
>
> Oh yeah, one other thing... any program that blocks user access when the
> program isn't authorized... it should allow the user to be sent to a custom
> web page and not just pop up a "you can't connect" error. This way the
> MIS-types can at least provide the user (via private web server) with
> site-specific information on how to deal with the issue.
>
> Stephen Gutknecht
> Renton, Washington
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
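
The "corporate authorization server" idea in the quoted message can be sketched as a default-deny decision keyed on a digest of the executable rather than its file name. This is an added example, not code from any poster in the thread; SHA-256, the policy table, the help URL and all names below are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample images: byte strings stand in for executables on disk.
GOOD_BROWSER = b"MZ constructed approved browser image"
UNKNOWN_IMAGE = b"MZ constructed unapproved image"

def digest(image: bytes) -> str:
    """Content digest the client agent reports (SHA-256 is an assumption)."""
    return hashlib.sha256(image).hexdigest()

# Hypothetical policy: approved digest -> destination ports it may use.
APPROVED = {digest(GOOD_BROWSER): {80, 443}}
# Placeholder for the site-specific help page the message asks for.
HELP_URL = "http://helpdesk.example.internal/outbound-blocked"

@dataclass(frozen=True)
class Request:
    user: str          # identity from "logging into the firewall"
    exe_name: str      # informational only, never used for the decision
    exe_digest: str
    dest_port: int

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    redirect: Optional[str] = None

def authorize(req: Request) -> Decision:
    """Default deny: every path that is not an explicit match is refused."""
    if not req.user:
        return Decision(False, "unauthenticated user", HELP_URL)
    ports = APPROVED.get(req.exe_digest)
    if ports is None:
        why = f"unapproved binary presenting as {req.exe_name}"
        return Decision(False, why, HELP_URL)
    if req.dest_port not in ports:
        return Decision(False, "port not permitted for this binary", HELP_URL)
    return Decision(True, "approved digest")

def client_request(user: str, exe_name: str, image: bytes, port: int) -> Request:
    """What the client agent would send before a new outbound session."""
    return Request(user, exe_name, digest(image), port)

if __name__ == "__main__":
    for img in (GOOD_BROWSER, UNKNOWN_IMAGE):
        print(authorize(client_request("alice", "iexplore.exe", img, 443)))
```

The digest is reported by the client agent itself, so it is only as trustworthy as that agent; the block-all-outbound firewall rule in the message is what covers hosts where the agent is missing or bypassed.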