Unfortunately, it is outside the abilities of a packet filtering firewall to monitor content. Looking at a single packet, it is almost impossible to figure out if it is part of an innocent correspondence or if it is a part of a malicious program.
This requires assembling entire objects (mails, web pages, etc.), then running them through a content scanner. This is something a proxy server can do for you, but a packet filter can not.

One client of mine runs a program called "Mimesweeper" between their GB firewall and their mail server. While it certainly helps, it requires regular, almost constant updating -- a fast-moving worm like Nimda managed to get through their system...updates were available quickly, but the worm was out before the updates could even be worked on, and they hit this office before they were installed. As with most companies, they don't have people whose only task in life is to monitor for new viruses and updates, though considering how fast Nimda came on, I don't really think it would have mattered in this case.

Some mail lists (i.e., gb-users) filter out all attachments. I think this solution could also be used in many corporate environments effectively (yes, I can imagine everyone reading this cringing right now). Internally, you don't need to be sending files around by e-mail attachment -- anyone remember shared locations on networks? Externally, you have issues of file format compatibility and macro viruses...and you deal with this because, what? Someone is too lazy to copy/paste the text of a document into a message? Sure, this could be a problem if you have reason to shuttle around spreadsheets, or have LEGITIMATE reason to transfer complete documents, but I think a lot of this is more laziness and encouragement from MS to do silly things than true corporate need.

Another option would be to quarantine all files with attachments for 24-48 hours AFTER receipt, to give the scanner writers and maintainers a chance to detect and remove viruses. Not aware of anything doing this yet, but it might be a wise step. This is the ONLY way I can see to keep ahead of the viruses -- keep the virus containers BEHIND the virus scanners.
Yes, this would kill the magic of E-mail -- instant communications, but hey, I suggested sending the message as text, anyway. (And no, I don't honestly expect anyone will take my advice on those last two suggestions.)

Ultimately, however, this is a management and training issue. Think about this for a moment... Let's say your company has a fleet of vehicles used by employees for some purpose. If you are having trouble with your drivers running into each other, other vehicles and pedestrians, what do you do? Install big, padded bumpers? Throttle limiters? Warning lights? "IDIOT DRIVER ON BOARD" warning signs? Not likely. You will make sure your drivers have proper driver training, you will monitor what they do via "How's my driving?" numbers, etc. The ones that can't manage to drive safely, or repaint the company vehicle in their own favorite colors, or add custom wheels and the like, will be terminated or reassigned. No one (hopefully) would ever think of trying to use technological solutions to what is basically a management problem when it comes to the company vehicles...

So, why are things different with computers? Train them NOT to run attachments. If they do, reprimand them. Dock their pay for the cost of repairs (probably put a cap of $1000 on that...just trying to make a point, not trying to bankrupt anyone). If they continue to violate company policy, remove them from the 'net or fire 'em. Treat your computer systems like any other company asset -- why computers are treated differently with regard to abuse than any other company asset is beyond me. (Can you tell I'm tired of the "I thought my virus scanner would protect me" whine?)

Nick.

Joe Darwin wrote:
> I would like to know if anyone has or knows of software that can scan all
> traffic in at the firewall on all ports that are accepted inbound.
>
> I believe that if this is done we can eliminate the problem of viruses on
> port 80 and the .eml downloads being executed from users at
> workstations.
>
> All comments welcome on how to keep people from downloading things that are
> infected at the firewall.
>
> Thank you
>
> Joe
> eVGA.com

-- 
http://www.holland-consulting.net/
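The two gateway-side mitigations Nick proposes above (strip every attachment, as the gb-users list does, or hold attachment-bearing mail for a fixed time after receipt so scanner signatures can catch up) sketched as a mail-gateway policy. This is an added example, not code from the post, Mimesweeper or any other product it names; the 48-hour window, the sample message and its receipt time are assumed/constructed values.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

HOLD_HOURS = 48  # assumed value: upper end of the 24-48 hour hold window proposed in the post
SAMPLE_RECEIVED = datetime(2001, 9, 18, 12, 0)  # constructed receipt time for the sample
# Constructed sample message: one text body plus one binary attachment.
WITH_ATTACHMENT = """\
From: alice@example.com
Subject: Q3 numbers
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please review the attached file.
--XX
Content-Type: application/octet-stream; name="report.doc"
Content-Disposition: attachment; filename="report.doc"

hello
--XX--
"""

def find_attachments(msg):
    """Leaf MIME parts that count as attachments: explicit disposition, a filename, or a non-text body."""
    return [p for p in msg.walk() if not p.is_multipart() and (
        p.get_content_disposition() == "attachment" or p.get_filename() is not None
        or p.get_content_maintype() != "text")]

def strip_attachments(msg):
    """Rebuild the message as text only (what gb-users does), noting what was dropped."""
    out = EmailMessage()
    for h in ("From", "To", "Subject"):
        if msg[h] is not None:
            out[h] = msg[h]
    body = msg.get_body(preferencelist=("plain",))
    names = [p.get_filename() or p.get_content_type() for p in find_attachments(msg)]
    out.set_content((body.get_content() if body else "") + "[gateway removed: " + ", ".join(names) + "]\n")
    return out

def gateway_decision(raw, received, strip_instead_of_hold=False):
    """('deliver', message) for text-only mail; otherwise strip, or hold until scanners catch up."""
    msg = message_from_string(raw, policy=default)
    if not find_attachments(msg):
        return "deliver", msg
    if strip_instead_of_hold:
        return "deliver", strip_attachments(msg)
    return "hold", received + timedelta(hours=HOLD_HOURS)
```

A held message is released only when the current time passes the returned timestamp and a fresh scan of the stored object is clean; the proxy or MTA that stores it is what makes content scanning possible where a packet filter cannot.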
