I would have to agree with Henrik here.
Not allowing established connections from a higher-level security zone to a
lesser one seems to be more of a design issue than a clam implementation
issue. The idea of zones should be to guard inbound, not hamper user outbound.
It's true you can skin a cat a million ways, but some of those ways are simply
cruel, time consuming, and of little relevance to the objective.
If there is a router acting as a firewall (PIX or Cisco 2621, etc...) then a
simple ACL seems a much more robust solution. Of course the likelihood you are
using internal IP addresses is high, which means you will need to NAT from that
segment, which you most likely do because you need to have internet.
If the firewall is on the machine, then a simple allow statement to the right
chain in the iptables will achieve the same thing (windows has the same level
of security via a GUI).
In either case, the hack would be to figure it out on your network, not
request bloatware that will be used in very few situations, given the
complexity (thus insecurity) it introduces. (IMHO)
Frankly my objection is a bit personal too. I hate the fact that everyone and
everything is becoming HTTP. It is one single silly port of a possible 60,000
+, and its protocol was designed to centralize documentation. It has now become
the default port AND PROTOCOL for everything. This is beyond ridiculous! Since now
everyone knows where to focus their attacks! The best way to protect data is to
keep it binary and OFF port 80 or 443.
This time in my IMNSHO
:oP
Date: Sun, 16 May 2010 09:29:57 +0300
From: h...@hege.li
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Tiered freshclam updates on port 443
On Fri, May 14, 2010 at 06:34:33PM -0400, Nathan Gibbs wrote:
At our site, the update server hosts clamav DBs, snort rules, some conf
files, etc. The ability to protect the other data would be a plus. It would
add another layer of defense to our setup. However it's not workable if
Freshclam cannot speak https. It's redundant as far as ClamAV's data integrity
goes. However, I think it's worth doing as far as hack value and
interoperability go.
Using https sounds silly in favor of more robust methods like rsync+ssh. I
certainly would trust rsyncing a verified set of signatures more than using
freshclam code which has had bugs in the past.
-1 for adding yet another external library dependency for little purpose.
As far as the original poster goes, I don't think https protocol was the
issue, only TCP port. Such human generated firewall problems are solvable
in many ways if desired and IMHO has nothing to do with ClamAV.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
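The top post says a zone ACL or "a simple allow statement to the right chain in the iptables" solves the original poster's port-443 problem without changing freshclam. The script below is an added example, not code from the thread or from the ClamAV project: it generates iptables-restore rulesets for the two cases the post names, a Linux gateway between the internal zone and a DMZ that hosts the update server (FORWARD chain, plus the NAT the post mentions), and the update host itself (INPUT chain). Interface names, subnets and the server address are assumed placeholders; nothing in the thread specifies them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or ClamAV).
# All values below are assumptions; override them from the environment.
INSIDE_IF="${INSIDE_IF:-eth1}"            # assumed: interface facing the internal zone
DMZ_IF="${DMZ_IF:-eth2}"                  # assumed: interface facing the DMZ
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"          # assumed: interface facing the internet
INSIDE_NET="${INSIDE_NET:-10.0.0.0/24}"   # assumed RFC 1918 internal subnet
UPDATE_SRV="${UPDATE_SRV:-192.0.2.10}"    # assumed update server (TEST-NET-1 address)
UPDATE_PORT="${UPDATE_PORT:-443}"         # the port freshclam is being pointed at

# Ruleset for the gateway: internal hosts may open tcp/$UPDATE_PORT to the
# update server; replies come back via conntrack; nothing new from the DMZ
# reaches the internal zone. Output is iptables-restore syntax on stdout.
gen_gateway_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets of connections the gateway already tracks, in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections from the internal zone to the update server, this port only.
-A FORWARD -i $INSIDE_IF -o $DMZ_IF -s $INSIDE_NET -d $UPDATE_SRV -p tcp --dport $UPDATE_PORT -m conntrack --ctstate NEW -j ACCEPT
# Internal hosts may still reach the internet (this is what the NAT below serves).
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -m conntrack --ctstate NEW -j ACCEPT
# Anything new from the lesser zone toward the internal zone is logged, then dropped.
-A FORWARD -i $DMZ_IF -o $INSIDE_IF -m conntrack --ctstate NEW -j LOG --log-prefix "dmz-to-inside: "
-A FORWARD -i $DMZ_IF -o $INSIDE_IF -m conntrack --ctstate NEW -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT the internal subnet when it leaves toward the internet.
-A POSTROUTING -s $INSIDE_NET -o $OUTSIDE_IF -j MASQUERADE
COMMIT
EOF
}

# Ruleset for the update host itself: accept new connections to the update
# port from the internal subnet only; everything else inbound is dropped.
gen_host_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $INSIDE_NET -p tcp --dport $UPDATE_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules a generated set installs in a given chain; a quick sanity
# check before feeding the set to iptables-restore.
count_chain_rules() {
    # $1: generator function name, $2: chain name
    "$1" | grep -c "^-A $2 "
}

# Stand-alone run: print both rulesets.
if [ "${1:-}" = "gateway" ]; then gen_gateway_rules
elif [ "${1:-}" = "host" ]; then gen_host_rules
fi
```

Apply on the gateway with `sh rules.sh gateway | iptables-restore`; `iptables-restore --test` parses the ruleset without committing it, which is the cheap way to catch a typo before locking yourself out. The ESTABLISHED,RELATED rule is what lets the HTTPS reply packets from the lesser zone return to the internal zone without ever permitting a connection the DMZ initiates, which is the distinction the post draws between guarding inbound and hampering outbound.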