Firewalls and Cryptography

As we know, a firewall is designed to keep unauthorized outsiders from tampering with a computer system or network. We don't talk about computer security without mentioning cryptography. In that situation, may I know how cryptographic protection (at the TCP/IP layers or at the application layer) affects a firewall's ability to protect against viruses?

For sure there should be some important effects that enforce or weaken a firewall's ability....

thanks!!!!

Reply to
popboyz69

A firewall cannot protect against viruses.

Yours, VB.

Reply to
Volker Birk

VB,

A firewall can protect against viruses - I just purchased one for a client, a Sonicwall TZ170 with Gateway AV service.


Reply to
BobS


Firewalls (hardware & software) are to control connections to/from a computer or LAN. Crypto is to provide privacy for messaging and data storage.

Casey

Reply to
Casey

That is a broad categorization. Utilization of a third-generation firewall could conceivably perform such processes and procedures. An application layer firewall is a third-generation firewall technology that evaluates network packets for valid data at the application layer before allowing a connection. There is nothing to say that a firewall could not analyze and permit or deny transmissions at the application level. This analysis could differentiate virii before transfer down the protocol stack.

Granted, I do not have knowledge of any firewalls that perform this function per se; however, in theory it seems entirely possible.

BTW, what effect does cryptography have? First and foremost, performance issues. This however is dependent on the type of cryptography utilized, which you did not state. Also you must take into consideration the resource consumption required to perform crypto procedures at a given bandwidth. Not to mention key sizes!

Thomas R. Jones

Reply to
Secure Buddha

The firewall operates on (i.e. inspects) the TCP headers, not the payload. SPI ensures that bogus packets (i.e. those other than the initial contact) are rejected.

The newest generation of FWs performs deep inspection (i.e. of the payload), but only for specific applications and only for non-encrypted data (payloads).

Reply to
Jeff B
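The point in the post above, that payload inspection only works on data the firewall can read, is the crux of the original question. The following is an added example, not code from anyone in this thread: a minimal content filter that searches a payload for a constructed byte signature, and a toy SHA-256-based stream cipher (not a real cipher, used only so the demo runs offline) standing in for TLS. The same payload is caught in the clear, invisible once encrypted, and caught again only when the inspection point can decrypt (i.e. the proxy terminates the TLS session and holds the key). The signature string and the key are constructed for this demo.

```python
import hashlib

# Constructed signature: a byte pattern the content filter looks for. It stands
# in for a real AV signature and matches nothing outside this demo.
SIGNATURES = {
    "demo-marker": b"CONSTRUCTED-TEST-MARKER-DO-NOT-SHIP",
}


def inspect_payload(payload: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures present in the payload.

    This is the 'deep inspection' step: it sees only the bytes it is handed."""
    return [name for name, pattern in signatures.items() if pattern in payload]


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256 (demo only, not a cipher
    anyone should deploy; it just makes the wire bytes unreadable without the key)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with the toy keystream (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_plaintext_payload() -> bytes:
    """Constructed application-layer message carrying the demo marker."""
    body = b"Subject: quarterly report\r\n\r\nattachment follows\r\n"
    return body + SIGNATURES["demo-marker"] + b"\r\n"


def simulate(tls_terminated: bool, key: bytes, payload: bytes) -> dict:
    """Run one message past an inspecting gateway.

    tls_terminated=False: the gateway sees only ciphertext (end-to-end crypto).
    tls_terminated=True:  the gateway decrypts first (TLS-terminating proxy)."""
    on_wire = xor_stream(key, payload)
    inspected = xor_stream(key, on_wire) if tls_terminated else on_wire
    hits = inspect_payload(inspected)
    return {
        "tls_terminated": tls_terminated,
        "wire_hits": inspect_payload(on_wire),   # always empty: ciphertext
        "inspected_hits": hits,
        "blocked": bool(hits),
    }


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    msg = build_plaintext_payload()
    for terminated in (False, True):
        print(simulate(terminated, demo_key, msg))
```

With end-to-end encryption the gateway's result is `blocked: False`; with the session terminated at the gateway it is `blocked: True`. That is the trade-off the thread is circling: crypto between client and server removes the firewall's view of the payload, and getting it back means the firewall must become a party to the session (with its own keys, certificates and performance cost).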

VB,

Your statement was that a firewall cannot protect against viruses. They can. Nothing was said about "how" they perform that function (UTM), so don't make statements that are ill-defined and then decide to bend it to suit you when someone calls you on it.

As for "new ones" are you referring to zero-day virus detection or something even newer than that? If it's not known - then is it really a virus?

There's a lot of technology out there that has attempted over the years to detect malicious code but I seriously doubt we'll ever get to 100% efficiency - in our lifetime.

Bob S.

Reply to
BobS

Seems to be a problem of definitions.

I'm trying to be exact now:

A Virus Scanner is something that detects malware in streams or in persistent data ("detecting negative things"). I'm not using virus scanners that search RAM, because I think they're useless.

A Firewall is a filtering entity on the path of network traffic, which filters away any traffic that does not conform to a security policy (where I define "allowed traffic", not "forbidden traffic", so this is "detecting positive things and filtering away anything else" in network traffic).

These are the terms I'm working with commonly.

You can say that a Virus Scanner can be a special case of a firewall on layer 7 according to RFC 2979, if it filters away data with malware.

You can say that a Firewall can be a special case of a virus scanner, according to RFC 2979, if it filters on layer 7 and removes mails and transmitted files with malware.

I would not prefer to define it in such a way, because this mixes terms. I'd prefer to define that if a firewall implementation filters that way, it additionally has a virus scanner component (as I did).

Clear now?

YMMV.

No. I'm not referring to such terms.

I cannot see anything working with the exception of predefined patterns¹. All heuristics I know have so many false positives and so few hits that I would call them useless in practice.

Yours, VB.

¹ With "patterns" I don't mean regular patterns only. They may be defined arbitrarily, algorithmically. They may not be designed to implement heuristics, though. In any case, such patterns describe one single type of malware each.

Reply to
Volker Birk
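Two posts above describe the same mechanism from different angles: Jeff B's "SPI rejects bogus packets, i.e. those other than the initial contact", and VB's "define allowed traffic, not forbidden traffic, and filter away anything else". The following is an added example written for this thread (not code from either poster or from any product): a toy stateful packet filter over constructed packets. Its policy lists only the outbound destination ports that are allowed; inbound packets are accepted only when they belong to a flow an inside host initiated; everything else, including an inbound packet that merely claims to be part of an established connection, is dropped by default. The network prefix, ports and addresses are all constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just enough of a TCP/IP header for policy decisions (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN set: a connection attempt
    ack: bool = False   # ACK set: part of an existing exchange


class StatefulAllowlistFirewall:
    """Default-deny filter: policy names what is allowed, state tracks replies."""

    def __init__(self, inside_net: str, allowed_outbound_ports):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.allowed_outbound_ports = frozenset(allowed_outbound_ports)
        # Flows initiated from inside, keyed (inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside_net

    def filter(self, pkt: Packet):
        """Return ("ACCEPT"|"DROP", reason) for one packet and update flow state."""
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)

        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.flows:
                return "ACCEPT", "outbound packet of established flow"
            if pkt.syn and not pkt.ack:
                if pkt.dport in self.allowed_outbound_ports:
                    self.flows.add(key)   # remember the initial contact
                    return "ACCEPT", "new outbound flow to allowed port"
                return "DROP", "outbound port not in policy"
            return "DROP", "outbound non-SYN packet with no flow state"

        if inbound:
            # Reply direction: only if an inside host opened exactly this flow
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows and not (pkt.syn and not pkt.ack):
                return "ACCEPT", "reply to established flow"
            if pkt.syn and not pkt.ack:
                return "DROP", "unsolicited inbound connection attempt"
            return "DROP", "inbound packet with no matching flow state"

        return "DROP", "not an inside<->outside packet"


def run_trace(fw: StatefulAllowlistFirewall, packets) -> list:
    """Filter a packet sequence in order; return the list of decisions."""
    return [fw.filter(p)[0] for p in packets]


# Constructed trace: a legitimate HTTPS session plus three things that should fail.
DEMO_PACKETS = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),          # inside opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),  # server's SYN/ACK
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, ack=True),           # client's ACK
    Packet("198.51.100.7", 5555, "10.0.0.5", 22, syn=True),             # outside tries SSH in
    Packet("198.51.100.7", 443, "10.0.0.5", 40000, ack=True),           # bogus: no such flow
    Packet("10.0.0.5", 40001, "203.0.113.10", 6667, syn=True),          # IRC not in policy
]

if __name__ == "__main__":
    fw = StatefulAllowlistFirewall("10.0.0.0/24", allowed_outbound_ports=[80, 443])
    for p in DEMO_PACKETS:
        print(p, "->", fw.filter(p))
```

Note what the state table does and does not know: it never looks at the payload, so it has no opinion on whether the HTTPS session carries a virus. That is the division of labour VB is drawing.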

VB,

Excuse the top posting but I'll respond after each of your comments:

Yes it is and I took your comment at face value and as a stand-alone comment but you obviously were thinking a few miles ahead.

A Gateway AV solution is an on-the-fly solution so while the packet(s) are being inspected, it's typically at wire speed on the bigger/better appliances. Whether they're using a high-speed shift register or buffering it in RAM, I don't know but supposedly, the "time hit" is only slightly greater than a firewall only device. Manufacturer dependent. So, the AV is not searching through RAM in this architecture.

Understand.

Almost.....;-)

Your reference to RFC2979 made me go looking and digging a bit and I can't see where this version, dated Oct 2000, allows for those two statements - not even in the broadest sense. RFC's do change and I may not have found the latest version.

You make a valid point about not wanting to group the two terms together from a purist's viewpoint, but the industry has already done so and they call it UTM (Unified Threat Management). Every company seems to have a different slant on what that means, but for now - it's hype that has some legitimacy and I have no doubt it will eventually be rolled into the firewall definition. Right now, the "application" references in RFC2979 are for applications that traverse a firewall. A Gateway AV solution does not traverse the firewall but is a secondary function - after the firewall.

It's obvious you do not care for antivirus solutions and I chuckled when I read this statement in RFC2979. It pretty well sums up the definition of a firewall:

Quoted from RFC2979.....in part....

"Nevertheless, it is important to remember that the only perfectly secure network is one that doesn't allow any data through at all and that the only problem with such a network is that it is unusable."

So where does that leave us? Right smack in the middle of choosing the lesser of the evils. But in this case - and the reason I jumped in on this thread was to point out that there is technology out there at a price point that is reasonable and provides a modicum of security via a UTM approach for small business, SOHO applications.

Is it good enough for the IBM, GE, AMEX type companies - absolutely not, since they are big targets. But for a small business, yes, it's a reasonable and efficient solution. Not perfect by a long shot, but what else would you recommend?

Bob S.

Reply to
BobS

No, they can't. By design, I can always create a virus that slips by.

Of course they are. And you'll understand it when it's tossing down your system.

Well, primitive guessing and relying on bad statistics has nothing to do with security.

Reply to
Sebastian Gottschalk

I agree. Of course, implementation needs RAM here. But it's not the RAM of the computers which should be protected.

From there (Chapter 1. Introduction, second paragraph):

"A "firewall" is an agent which screens network traffic in some way, blocking traffic it believes to be inappropriate, dangerous, or both."

Yes. I just want to differ for better describing the behaviour of some products.

[Virus Scanners]

Secure configuration, which is called by some people "hardening". And intelligent use. Maybe usage of not-so-b0rken software.

Yours, VB.

Reply to
Volker Birk

And by the same logic no anti-virus, 'by design', can protect against viruses, since you can always create one that will slip by.

Geo

Reply to
"GEO" Me

Sebastian,

Think.... "Problem - Solution". I wasn't looking to get into a pissing contest over firewalls or antivirus programs. No doubt you can write a virus that will be "new" for a brief period and after it hits the first computer - it's no longer new. But also, poorly written software will bring down a system too.

So now tell us what your solution is please - we know the problem. I didn't make any "primitive guesses" or spout any "statistics" so maybe you can clarify your comment so we can learn from your experience.

Thanks,

Bob S.

Reply to
BobS

snip........

VB,

I obviously missed the interpretation of "firewall" in the sense of it being an AV device but I see your point - now.

I'll age myself here, but the last time I designed a "hardened" communications circuit, it involved satellite circuits and KG-81 cryptos for a very large radar system. The term "hardening" has been greatly "softened" since mil-specs have essentially been abolished and commercial specs are now the norm. So what I know as hardening and securing a communications network will vary widely from what a commercial application considers to be a secure system.

Thanks for the lesson,

Bob S.

Reply to
BobS

Not true. A new virus remains new to any virus scanner as long as no one has detected and analyzed it and created a signature for the respective virus scanner. If the virus keeps a low profile, that can be quite a while.

cu

59cobalt

Reply to
Ansgar -59cobalt- Wiechers

Wrong. Write-protecting all executables and/or removing exec right globally gives a complete protection against viruses.

Reply to
Sebastian Gottschalk

The common serious solution against viruses is to globally remove exec rights for all non-admin users and whitelist all needed applications. Using file permissions to deny write access to all programs would be sufficient as well, and usually these are combined.

Do a big part of the security guys really need education in the simplest academic IT knowledge?

And the solution for that is obvious: only use well-written software with a reasonable amount of trustworthiness.

Reply to
Sebastian Gottschalk
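The two posts above propose file-permission controls (write-protect every executable, remove exec rights for non-admin users, allowlist what may run) rather than scanning. A practitioner's first step is to check whether the "write-protected executables" property actually holds on a box. The following is an added example, not code from anyone in this thread: a small audit that walks a directory tree, reports regular files that carry an execute bit and are also writable by group or other, and a hardening routine that strips those write bits. The demo tree it builds under a temporary directory is constructed; the mode checks are plain POSIX mode bits via `os.lstat`, so it runs on Linux/Unix only.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_writable_executables(root: str) -> list:
    """Return sorted relative paths of regular files that are executable by
    someone and writable by group or other: exactly the files a non-admin
    user could replace with their own code and then have run."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & EXEC_BITS and st.st_mode & WRITE_BY_OTHERS:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def harden(root: str) -> int:
    """Remove group/other write permission from every flagged executable.
    Returns the number of files changed (owner write is left alone, so the
    administrator can still update them)."""
    changed = 0
    for rel in find_writable_executables(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~WRITE_BY_OTHERS)
        changed += 1
    return changed


def _write(path: str, mode: int) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho demo\n")
    os.chmod(path, mode)    # explicit chmod, so the umask does not interfere


def build_demo_tree() -> str:
    """Constructed tree: two good files, two files that violate the policy."""
    root = tempfile.mkdtemp(prefix="exec-audit-demo-")
    _write(os.path.join(root, "bin", "safe-tool"), 0o755)          # exec, owner-only write
    _write(os.path.join(root, "bin", "shared-tool"), 0o777)        # exec, world-writable
    _write(os.path.join(root, "data", "notes.txt"), 0o666)         # writable but not exec
    _write(os.path.join(root, "home", "user", "script.sh"), 0o775)  # exec, group-writable
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("before:", find_writable_executables(demo_root))
    print("fixed :", harden(demo_root))
    print("after :", find_writable_executables(demo_root))
```

Pointing `find_writable_executables` at a real `/usr/local/bin` or an application directory is the usual use; a non-empty result means the "write-protect all executables" assumption is not yet true there. The companion control from the post, denying exec to non-admin users, is a separate mount or policy setting that this audit does not check.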

Wrong? What is wrong? It seems that logic and common sense are not exactly your forte.

You made a comment about firewalls and I pointed out that, using your logic, one could say that anti-virus programs would be useless. What has that to do with your follow-up comment?

Geo

Reply to
"GEO" Me

My unstated assumption was that the virus did its dirty work and was detected by a user. It doesn't need a signature file made by an AV company to have a "detected" stamp placed on it. Like anything else, it only remains new until used once....

Not to argue the point, I do agree with you that a virus can remain undetected and proliferate to many systems before being detected.

Bob S.

Reply to
BobS
