Scanning on the wire

Dr Igor Muttik, McAfee AVERT

Among the side effects of the explosion in both the use of the Internet and connectivity levels is - unsurprisingly - the proliferation of malicious software in networks. Traditional workstation-only solutions are acquiring features from the standard network security arsenal - firewalls, mail scanning, spam filtering, intrusion detection/protection.

At the same time, standard tools and hardware for protecting networks (firewalls, routers, switches, intrusion-detection and intrusion-protection systems) are having more and more features bolted onto them in order to better combat malware. Increasing network loads dictate the hardware approach, but adding anti-malware and anti-spam features requires flexibility that is generally achievable only in software. A major requirement is an ability to perform algorithmic and computationally complex analysis - required, for instance, to detect non-static malware. Detecting such objects (polymorphic worms, for instance) via software anti-virus scanners is a developed, mature technology but converting this functionality into network hardware is problematic.

We present an analysis of alternative design solutions for network scanning that implements AV features - pure hardware (quick but inflexible), pure software (slower but thorough), a combination of both (complex, more expensive, but could be quick and flexible) and a combination of a simple hardware device attached to a central server that provides centralized complex scanning (cheap and flexible but not easily scalable). Several real-life examples are used to illustrate.

We discuss the effect that the discovery of many exploits in common Internet graphical data formats such as WMF, PNG, BMP and ANI has on the hardware versus software business. Problems associated with scanning different Internet protocols are also analysed.

