Home page logo

bugtraq logo Bugtraq mailing list archives

Re: On the ultimate futility of server-based mail scanning
From: aleph1 () securityfocus com
Date: Fri, 8 Mar 2002 10:18:46 -0700

* David Kennedy CISSP (david.kennedy () acm org) [020306 23:08]:
I understand the complaints, but I don't admit defeat nor will I reject as
futile a solution that's working.  Server-based mail scanning has technical
limitations.  So?  If a server-based solution intercepts only 80% of the
inbound malicious code to an enterprise that still 80% less for the IS/IT
staff to worry about and 80% less for desktop scanners to catch or 80% less
for users to judge whether "new photos from my party" is a bad or good
thing.  Certainly there are ways to attack the scanner and cause a denial
of service, as there are ways to bypass some scanners.  The scanners must
keep up with the threats and so far most have.  Server-based scanning
provides a chokepoint in today's environments that is far easier to
maintain than thousands of Microsoft desktops with wide variations of
client anti-virus "solutions."

Ultimately we live with the deployed systems we have, and their
limitations.  I'm unaware of a solution available today that supports
management and user demands for "friendliness" and puts secure end-user
software on the desktop.  Server-based scanning provides a solution *today*
that, while imperfect, is manageable and effective in stopping most of the
malicious code in the wild.  "Most" is not "all," but it's a lot more than

David is correct. And this is not limited to anti-virus products. The
same can be said of any application that attempts to interpret the
communications between two entities and make security decisions based
on them. Examples include firewalls and networks intrusion detection 
systems. This is in essence the same argument made by Ptacek and Newsham
in their seminal paper "Insertion, Evasion, and Denial of Service: Eluding 
Network Intrusion Detection".

Nonetheless, the argument does not mean these type of systems are useless.
It simply means they are not a silver bullet and that you must be conscious
of their limitations. And the are ways to make them more robust such
as normalizing the traffic between the two end points (see for example
Handley, Kreibich and Paxson's "Network Intrusion Detection: Evasion, 
Traffic Normalization, and End-to-End Protocol Semantics").

I would hope that some network based malicious code detection solutions
would implement some of these strategies soon.

Elias Levy
Si vis pacem, para bellum

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]