Scanning on the wire

Dr Igor Muttik, McAfee AVERT

Among the side effects of the explosion in both Internet use and connectivity levels is, unsurprisingly, the proliferation of malicious software on networks. Traditional workstation-only solutions are acquiring features from the standard network security arsenal: firewalls, mail scanning, spam filtering, intrusion detection and intrusion prevention.

At the same time, the standard tools and hardware for protecting networks (firewalls, routers, switches, intrusion-detection and intrusion-prevention systems) are having more and more features bolted onto them in order to combat malware better. Increasing network loads dictate the hardware approach, but adding anti-malware and anti-spam features requires a flexibility that is generally achievable only in software. A major requirement is the ability to perform algorithmic, computationally complex analysis, which is needed, for instance, to detect non-static malware. Detecting such objects (polymorphic worms, for instance) with software anti-virus scanners is a developed, mature technology, but moving that functionality into network hardware is problematic: a fixed-pattern matcher operates on the bytes in front of it, whereas polymorphic code and format-level exploits can only be recognized by interpreting the data.

We present an analysis of alternative design solutions for network scanners that implement anti-virus features: pure hardware (quick but inflexible), pure software (slower but thorough), a combination of both (complex and more expensive, but potentially both quick and flexible), and a simple hardware device attached to a central server that performs the complex scanning centrally (cheap and flexible, but not easily scalable). Several real-life examples are used to illustrate.

We discuss the effect that the discovery of many exploits in common Internet graphics formats (WMF, PNG, BMP, ANI) has had on hardware-based versus software-based scanning products. Problems associated with scanning different Internet protocols are also analysed.
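The contrast the abstract draws between fixed-pattern matching (what network hardware does well) and the structural analysis that format-level exploits demand can be shown on a small scale. The following is an added example, not code from the paper or from McAfee: one routine matches literal byte signatures the way a content-matching ASIC would, the other walks the chunk structure of a PNG file (8-byte signature, then chunks of 4-byte big-endian length, 4-byte type, data and CRC32 over type plus data) and reports structural anomalies such as a declared chunk length that exceeds the data actually present. The PNG samples and the signature table are constructed here for illustration; the "known-sample" signature is hypothetical.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Assemble one well-formed PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def signature_scan(data: bytes, signatures: dict) -> list:
    """Fixed-pattern matching, the operation a hardware content matcher performs.

    Returns the names of every literal pattern found anywhere in the stream.
    """
    return [name for name, pattern in signatures.items() if pattern in data]


def png_structure_findings(data: bytes) -> list:
    """Structure-aware walk over PNG chunks; returns a list of anomaly descriptions.

    An empty list means every chunk header, length and CRC was consistent.
    """
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:  # need length + type + CRC at minimum
            findings.append(f"truncated chunk header at offset {pos}")
            break
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if length > 0x7FFFFFFF:  # PNG caps chunk length at 2**31 - 1
            findings.append(f"{ctype!r}: length {length:#x} exceeds PNG maximum")
        remaining = len(data) - (pos + 8)  # bytes after the type field
        if length + 4 > remaining:  # data plus CRC must fit in what is left
            findings.append(
                f"{ctype!r}: declared length {length} exceeds remaining {remaining - 4} bytes"
            )
            break
        payload = data[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc_stored:
            findings.append(f"{ctype!r}: CRC mismatch")
        if ctype == b"IHDR" and length != 13:
            findings.append(f"IHDR length {length}, expected 13")
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                findings.append(f"{len(data) - pos} trailing bytes after IEND")
            break
    return findings


# Constructed samples (not real malware): a minimal valid 1x1 greyscale PNG ...
IHDR_PAYLOAD = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = PNG_SIGNATURE + build_chunk(b"IHDR", IHDR_PAYLOAD) + build_chunk(b"IEND", b"")

# ... and two malformed variants whose IHDR length field claims far more data than
# is present. The two differ by one byte in the length field only.
BAD_PNG = (PNG_SIGNATURE + struct.pack(">I", 0x7FFFFFF0) + b"IHDR" + IHDR_PAYLOAD
           + b"\0\0\0\0" + build_chunk(b"IEND", b""))
BAD_PNG_VARIANT = (PNG_SIGNATURE + struct.pack(">I", 0x7FFFFFF1) + b"IHDR" + IHDR_PAYLOAD
                   + b"\0\0\0\0" + build_chunk(b"IEND", b""))

# Hypothetical signature table: a literal pattern extracted from the first bad sample.
SIGNATURES = {"known-sample": b"\x7f\xff\xff\xf0IHDR"}


if __name__ == "__main__":
    for label, sample in [("good", GOOD_PNG), ("bad", BAD_PNG), ("bad-variant", BAD_PNG_VARIANT)]:
        print(label, "signatures:", signature_scan(sample, SIGNATURES),
              "structure:", png_structure_findings(sample))
```

The literal signature catches only the sample it was derived from; the one-byte variant passes the pattern matcher untouched, while the structural walk flags both because it reasons about the declared length against the bytes available rather than about any particular byte sequence. That reasoning (variable-length fields, arithmetic on them, a CRC over a variable span) is what is cheap in software and awkward in a fixed-function matcher.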
