how can a firewall box handle virus?

Some new firewall boxes advertised DPI and virus protection (e.g. sonicwall tz180). Sounds attractive. But how does it work?

Let's say I'm downloading a pop3 email. Does the firewall store the entire email and attachment, scan it for virus, then forward it on if it's clean? And if the attachment has a virus, can it strip out the attachment only and forward the rest of the email? This sounds too good to be true. And wouldn't this require a hard drive for the firewall?

Similar question for how it handles spyware, trojans, etc.

Reply to
peter

No. It just inspects it while it is downloading just like any other antivirus software does. They start at the beginning and end at the end. You only need a small buffer for that.

But it also does not work miracles. It does not forward anything "if it's clean". It only recognizes for what it has signatures. It won't recognize the newest malware until the signatures have it. It won't recognize very rare malware. It will also recognize things which are not bad. It will also recognize malware which is actually not dangerous on your computer because your computer is not vulnerable.

So basically, it may find a few things but it is still and always you who has to decide what's clean or not.

Gerald

Reply to
Gerald Vogt

That's why you use your own email server and then block attachments by mime type - and then you block anything that could be malicious by file type (mime type).

Reply to
Leythos

So you are saying that viruses only come through e-mail? Or how is this comment exactly related with the firewall box which scans the network traffic for viruses?

Gerald

Reply to
Gerald Vogt

I believed that the OP mentioned POP in his question, I addressed that part. How could you miss that?

Reply to
Leythos

On Mon, 12 Nov 2007 21:17:33 +0000, peter wrote:

Keep your hands away from sonicwall, it's really crap for too much money.

Reply to
Burkhard Ott

The OP mentioned Trojan. Do we discuss Trojans now?

How did you miss that it is about a firewall box (see subject)? POP was an example to illustrate that he does not know how the firewall filters the network traffic for malware. Isn't the "Let's say..." in the OP clear enough? Thus you are dragging this off-topic by discussing email servers as that does not explain "how the firewall box handles virus".

Gerald

Reply to
Gerald Vogt

While this sorts out 99% of the crap, there are enough worms out there that send themselves as ZIP (encrypted, even...).

Virus scanners on mailservers usually try to unpack the archive files and remove those files from the content that still look dangerous. But even that is growing more and more difficult - the latest bugs in Acrobat mean that every PDF could be a problem :-(

Juergen Nieveler

Reply to
Juergen Nieveler

If that is the case, the firewall may let half an email pass through, detect a virus, and cut off the rest of the email?

I guess I wasn't clear. What I want to know is, if one of the emails I'm downloading via pop3 has a virus and is detected by such a firewall, what does it do? Delete one ethernet frame? Delete the rest of the session? Delete from the start of the signature till the end of the virus (assuming its virus database has length info)?

What if the virus' signature pattern happens to cross an ethernet packet boundary, would it still be detected? The firewall would have to be able to remove low and higher level network headers in order to piece multiple packets into one data stream to scan for virus. But if it is smart enough to do this, why not store, scan, and forward the attachment if no virus is found?

Similarly, if spyware is detected by such a firewall while I'm downloading an activeX control, what does it do? Delete the data until the end of the activeX control data stream (assuming it can tell where the activeX ends)?

Reply to
peter
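The following is an added example, not code from the thread or from SonicWall or any other vendor. It is a toy that makes Gerald's answer above (scan the stream as it passes, with only a small buffer) and peter's follow-up questions (reassembly of packets into one stream, signatures that straddle a packet boundary, what happens to data that already passed) concrete. The signature set and the POP3 session bytes are constructed for the demonstration; the segment sequence numbers, the class names and the verdict strings are my own assumptions, not anything the thread describes.

```python
"""Added example: streaming signature scanning with TCP reassembly.

Not any vendor's code. Shows the two jobs an inline firewall AV engine
has: put segments back in order (headers stripped, one byte stream) and
match patterns across segment boundaries with a small carry-over buffer
instead of spooling the whole object to disk.
"""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed toy signatures; real engines load vendor pattern sets.
SIGNATURES: Dict[str, bytes] = {
    "Test.Dropper.A": b"EVIL-PAYLOAD-MARKER",
    "Test.Macro.B": b"Sub AutoOpen()",
}


class StreamScanner:
    """Matches signatures over a stream one chunk at a time.

    Only the last (longest_signature - 1) bytes of the previous chunk are
    kept, which is exactly enough to see a pattern that straddles a chunk
    boundary. Bytes already forwarded cannot be recalled, so a hit late in
    a download means the client already holds the first part of the object.
    """

    def __init__(self, signatures: Dict[str, bytes], keep_tail: bool = True):
        self.signatures = signatures
        self.carry = max(len(s) for s in signatures.values()) - 1
        self.keep_tail = keep_tail          # False = naive per-chunk matching
        self.tail = b""
        self.verdict = "clean"
        self.hit: Optional[str] = None
        self.forwarded = bytearray()        # what the client has already seen

    def feed(self, chunk: bytes) -> bytes:
        """Inspect one in-order chunk; return the bytes that get forwarded."""
        if self.verdict == "infected":
            return b""                      # session is being torn down
        window = self.tail + chunk
        for name, sig in self.signatures.items():
            if window.find(sig) != -1:
                self.verdict, self.hit = "infected", name
                return b""                  # drop this chunk and the rest
        if self.keep_tail and self.carry:
            self.tail = window[-self.carry:]
        self.forwarded += chunk
        return chunk


class TcpReassembler:
    """Orders TCP payloads by sequence number before they are scanned.

    Retransmissions and overlapping segments are not resolved here; a real
    engine must resolve them, because inconsistent overlaps are a classic
    way to show the scanner a different byte stream than the host sees.
    """

    def __init__(self, isn: int):
        self.next_seq = isn
        self.pending: Dict[int, bytes] = {}

    def push(self, seq: int, payload: bytes) -> Iterator[bytes]:
        self.pending[seq] = payload
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.next_seq += len(data)
            yield data


def inspect_session(isn: int, segments: List[Tuple[int, bytes]],
                    signatures: Dict[str, bytes] = SIGNATURES,
                    keep_tail: bool = True) -> Tuple[str, Optional[str], bytes]:
    """Run captured (seq, payload) segments through reassembly and scanning."""
    reasm = TcpReassembler(isn)
    scanner = StreamScanner(signatures, keep_tail)
    for seq, payload in segments:
        for data in reasm.push(seq, payload):
            scanner.feed(data)
    return scanner.verdict, scanner.hit, bytes(scanner.forwarded)


# Constructed POP3 RETR response, split so the signature straddles the
# SEG2/SEG3 boundary, delivered with SEG3 arriving before SEG2.
ISN = 1000
SEG1 = b"+OK 80 octets\r\n"
SEG2 = b"From: a@example.test\r\n\r\nhello EVIL-PAY"
SEG3 = b"LOAD-MARKER bye\r\n.\r\n"
SEGMENTS = [(ISN, SEG1), (ISN + len(SEG1) + len(SEG2), SEG3),
            (ISN + len(SEG1), SEG2)]
CLEAN_SEGMENTS = [(ISN, SEG1), (ISN + len(SEG1), b"just text\r\n.\r\n")]

if __name__ == "__main__":
    print(inspect_session(ISN, SEGMENTS))                   # infected
    print(inspect_session(ISN, SEGMENTS, keep_tail=False))  # missed
```

Running it with `keep_tail=False` shows the failure mode peter asks about: matching each segment on its own misses a signature that crosses a boundary, so the engine must either carry over a tail or buffer the object. Running it with the default shows the other half of the answer: the match is found in the third segment, but the headers and the start of the body were already forwarded, which is why an inline box resets the session rather than "removing" the attachment.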

Gerald - don't request Follow-Up by email, this is Usenet and that's where the thread should stay.

I don't know what your problem is, but the op mentioned POP and that's the part I replied to, specifically, get over yourself. My explanation discussed how a firewall can be used to remove malware from email, which was something the OP should be aware of as part of an overall email/malware discussion.

Reply to
Leythos

Yep, we actually block Zip files except from a specific user account that only admins can reach. In addition to blocking at the firewall based on mime type we also use SMTP aware scanners that scan before the email/attachment reaches the mail server itself. Nothing is perfect, but we've never had a compromised client in more than 20 years.

Reply to
Leythos

yeah I have been seeing these spam mails with PDF attachments, what's the bug/exploit?

any hints appreciated

M
Reply to
mak

The thread is off-topic because it has nothing to do with what the OP asked. That's why it is fup poster.

?? Where exactly is the firewall in your explanation:

"That's why yo use your own email server and then block attachments by mime type - and then you block anything that could be malicious by file type (mime type)."

I don't think that "email server" is generally considered the same as "firewall".

It still won't help to understand how the firewall box scans for viruses.

Unless you have anything to say which is relevant to the original question how a firewall box filters for viruses, this is off-topic, fup poster, and EOD.

Gerald

Reply to
Gerald Vogt

FTR: those usually don't contain exploits but use PDF merely to evade keyword or pattern detection of spam filters. However, since there have been exploitable vulnerabilities in various PDF readers, PDF can't be considered a "safe" attachment. In fact there are no inherently "safe" attachments.

If the program handling the attached file has an exploitable bug, then an exploit contained in the attached file may lead to compromise of your system once you open the attachment. Meaning that for every type of attachment there's a nonzero chance that it may contain malware at some point.

google://acrobat+vuln

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

And since you don't own or moderate the group, it's not your place to declare something off-topic, and when you don't understand something, and when you can't comprehend, it doesn't make it OT.

Read it again, since this was a firewall discussion, it would make sense that a firewall might protect an email server. Yeah, I didn't spell it out, but then I didn't expect to have some asshole jump into it and try to moderate the thread.

That would be the first thing you've got right today.

INTERNET >> FW >> NETWORK >> EMAIL SERVER & Workstations

So, by implementing a firewall with SMTP Proxy service you can remove attachment types (based on mime types) and eliminate most of the threats, and since most people would also have SMTP aware AV software, the PDF's and Zip files would also be checked as definitions become available.

So, get off your high-horse, quit acting like an asshole, and realize that there are a lot of people that know a lot more than you.

Reply to
Leythos
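An added example, not Leythos's configuration or any product's code, of the attachment-stripping step a mail proxy performs. The thread makes two points that the code has to respect: blocking by declared MIME type removes most junk (Leythos), but senders control the declared type and filename, and worms ship inside archives (Juergen), so the gateway also looks at the decoded bytes. The policy lists, magic-byte table and the sample message are constructed for the demonstration; nothing here is taken from a real deployment.

```python
"""Added example: stripping risky MIME parts in a mail gateway/proxy.

Constructed illustration of "block attachments by MIME type", plus the
check a gateway really needs: Content-Type and filename are picked by
the sender, so the decoded payload is inspected too. Removed parts are
replaced by a text notice so the rest of the mail is still delivered.
"""
import email
import posixpath
from email import policy
from email.message import EmailMessage, MIMEPart
from typing import List, Optional, Tuple

# Constructed policy lists; a real gateway loads its own.
BLOCKED_TYPES = {"application/zip", "application/x-msdownload",
                 "application/x-dosexec", "application/x-msdos-program"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".js", ".vbs", ".zip"}
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive"}


def classify(part: EmailMessage) -> Optional[str]:
    """Return why a leaf MIME part should be stripped, or None to keep it."""
    ctype = part.get_content_type()
    if ctype in BLOCKED_TYPES:
        return f"blocked type {ctype}"
    ext = posixpath.splitext((part.get_filename() or "").lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    data = part.get_payload(decode=True) or b""   # decoded bytes, not the label
    for magic, what in MAGIC.items():
        if data.startswith(magic):
            return f"content is a {what} despite declared {ctype}"
    return None


def _filter(msg: EmailMessage, removed: List[str]) -> None:
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        if part.is_multipart():
            _filter(part, removed)          # recurse into nested multiparts
            kept.append(part)
            continue
        reason = classify(part)
        if reason is None:
            kept.append(part)
            continue
        name = part.get_filename() or "(unnamed)"
        removed.append(f"{name}: {reason}")
        notice = MIMEPart()                 # leave a trace where the part was
        notice.set_content(f"[attachment {name} removed by gateway: {reason}]\n")
        kept.append(notice)
    msg.set_payload(kept)


def strip_attachments(raw: bytes) -> Tuple[bytes, List[str]]:
    """Parse a raw message, drop risky parts, re-serialise the remainder."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: List[str] = []
    _filter(msg, removed)
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> List[str]:
    """Filenames of all leaf parts that carry one (for before/after checks)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def text_parts(raw: bytes) -> List[str]:
    """Decoded text of every text/plain leaf part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/plain"]


def build_sample() -> bytes:
    """Constructed message: a part that lies about its type, a ZIP, a PDF."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "invoice"
    m.set_content("Please see the attached invoice.\n")
    m.add_attachment(b"MZ\x90\x00constructed-pe-stub", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"PK\x03\x04constructed-zip", maintype="application",
                     subtype="zip", filename="docs.zip")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="real.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_attachments(build_sample())
    print(removed)                          # two entries
    print(attachment_names(cleaned))        # ['real.pdf']
```

The "invoice.pdf" part is the case a type-only filter misses: it is declared `application/pdf` with a harmless extension, and only the decoded bytes give it away. This works on a store-and-forward mail server or SMTP proxy because the whole message is in hand before delivery; it is not something an inline, cut-through POP3 scan can do, which is the distinction Gerald draws elsewhere in the thread.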

Hello Burkhard Ott, you wrote:

-v please. These mechanisms, mentioned above (advertised DPI and virus protection) or at all?

Thx, wolfgang

Reply to
Wolfgang Ewert

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g. sonicwall tz180). Sounds attractive. But how does it work?"

I don't know your definition of 'off-topic'. But can you be any more off-topic from the OP? Anything you write about is what you brought up but which is unrelated to the OP. Why do you think a generic firewall discussion about something is applicable only because the subject contains "firewall" or the group has "firewall" in the name?

But all you write has nothing to do with the question of the OP. Even your strange requirement that you should use your email server to firewall is odd, because you can still use the same firewall to filter the traffic from any external email server to your computer via POP or IMAP.

Thus, maybe you could write something on-topic and explain how the firewall does it exactly? "How can a firewall box handle virus?" Setting up your own e-mail server has nothing to do with that nor is a requirement to make some use of a virus filtering firewall box...

Gerald

Reply to
Gerald Vogt

Nice selective snipping on your trolling part.

Now, maybe if you had been just a little smarter you might have been able to read the rest of his post and see this part:

"Let's say I'm downloading a pop3 email. Does the firewall stores the entire email and attachment, scan it for virus, then forward it on if it's clean?"

Notice the OP asking about POP3 now?

Reply to
Leythos

Notice the "Let's say" which clearly indicates that this is an example to explain which kind of problem the OP has. POP3 is only one example. The question covers all protocols. POP3 was just picked as example. All you wrote won't explain how the firewall will scan HTTP, FTP, or IM traffic for malware, or may filter Java applets, etc.

The question is broader than the example. It is useless to poke on the e-mail server as it does not cover HTTP, FTP, IM or any other network protocol which may be scanned for malware.

And everything you wrote still does not explain how the firewall works in regard to the question related to the e-mail scanning: "Does the firewall stores the entire email and attachment, scan it for virus, then forward it on if it's clean?"

But you don't answer this question either. You don't explain how the firewall would scan e-mails for malware. Filtering certain mime types is obviously something different than scanning for viruses. Your comment could be simply extended to "block all e-mail traffic". This way the firewall would also effectively stop all incoming malware through e-mails. But still, the firewall would not scan the e-mails for malware. It would just filter a port...

So, why don't you simply answer the question how the firewall works? You know the example but even there you don't explain how it works. How does a virus scanner on a network firewall work? How does it scan network traffic like smtp, imap, pop3, http, ftp, any IM protocol, etc. for malware? To rephrase the example in the OP: "Let's say I'm downloading a 100MB file via ftp. Does the firewall store the entire download, scan it for virus, then forward it on if it's clean?"

But I guess it is futile to ask for answers from you. You would only poke around some details in the FTP protocol and would say that you would filter certain file extensions from downloading... Still does not explain the question but you have your buzzword "FTP" thus it is time for you to elaborate on FTP...

Gerald

P.S.: still off-topic thus fup poster.

Reply to
Gerald Vogt

I addressed the example he posted - get over your pompous self.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.