LIV - the Linux integrated viruswall
Teobaldo Adelino Dantas de Medeiros Federal Center of Technological Education
Paulo S. Motta Pires Federal University of Rio Grande do Norte
Technical stream: Friday 01 Oct 2004, 14.00-14.40.
We present LIV - The Linux Integrated Viruswall, a system developed to protect networks containing Windows workstations
against malicious agents. LIV combines features found in traditional gateway protection systems, such as SMTP, HTTP and FTP
filtering, with new functionality. One innovative feature is the ability to detect compromised workstations from their
network traffic. Another is the use of a technique named "sharing-trap" to identify malicious agents spreading through the
local network. When LIV identifies an infected workstation, the Linux firewall and departmental routers are configured so
that the compromised machine is isolated from the network, containing the spread of the malicious agent. LIV integrates and
controls common Linux programs, such as Apache, Squid, Sendmail, Samba and MySQL, to detect and contain malicious agents.
The Apache HTTP server and the Squid proxy server together implement the download protection mechanism. Squid also delivers
reports to the users of compromised machines when their workstations are isolated from the network. The LIV SMTP filter,
integrated with Sendmail, can detect and remove known malicious agents in attachments and can prevent potentially dangerous
files from entering via email. The Samba CIFS server implements the sharing-trap, and a MySQL database stores the logs
generated by the Linux firewall. LIV later analyses these logs to discover compromised workstations in the network.
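The firewall-log analysis and sharing-trap steps described above, as an added example in Python rather than LIV's own code; the fan-out heuristic, the trap share name, the log formats and all addresses are constructed assumptions, not details taken from LIV.

```python
import re
from collections import defaultdict

CIFS_PORTS = {139, 445}
FANOUT_THRESHOLD = 3   # assumption: distinct CIFS peers a workstation may contact before it is flagged
TRAP_SHARE = "trap"    # assumption: name of the Samba share acting as the sharing-trap

# Constructed netfilter LOG lines of the kind LIV stores in MySQL (not real traffic).
FW_LOG = """\
kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.2.11 PROTO=TCP SPT=1036 DPT=445
kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.2.12 PROTO=TCP SPT=1037 DPT=445
kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.2.13 PROTO=TCP SPT=1038 DPT=139
kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.1.21 DST=10.0.2.11 PROTO=TCP SPT=2001 DPT=445
kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.1.21 DST=10.0.2.40 PROTO=TCP SPT=2002 DPT=80
"""
# Constructed Samba audit lines (user|client IP|share|operation|result).
SMB_LOG = """\
smbd_audit: alice|10.0.1.21|public|connect|ok
smbd_audit: nobody|10.0.1.22|trap|connect|ok
smbd_audit: nobody|10.0.1.22|trap|write|ok
"""
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")

def cifs_fanout(fw_text):
    """Map each source address to the distinct hosts it contacted on CIFS ports."""
    peers = defaultdict(set)
    for m in FW_RE.finditer(fw_text):
        src, dst, dport = m.groups()
        if int(dport) in CIFS_PORTS:
            peers[src].add(dst)
    return peers

def trap_clients(smb_text):
    """Any client touching the trap share is suspect: no legitimate user maps it."""
    return {f[1] for f in (l.split("|") for l in smb_text.splitlines())
            if len(f) > 2 and f[2] == TRAP_SHARE}

def find_compromised(fw_text, smb_text):
    """Return {ip: reason} for workstations the analysis would isolate."""
    flagged = {}
    for src, dsts in cifs_fanout(fw_text).items():
        if len(dsts) >= FANOUT_THRESHOLD:
            flagged[src] = f"contacted {len(dsts)} hosts on CIFS ports"
    for ip in trap_clients(smb_text):
        flagged.setdefault(ip, "accessed sharing-trap share")
    return flagged

def isolation_rules(ips):
    """iptables rules the gateway would load to cut a flagged workstation off (both directions)."""
    return [f"iptables -I FORWARD {flag} {ip} -j DROP" for ip in sorted(ips) for flag in ("-s", "-d")]
```

In a deployment the rules would be pushed to the gateway and departmental routers rather than returned as strings, and the user notification via Squid would follow.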