Most of the virus-scanning products allow different levels of aggressiveness. When scanning is set for maximum accuracy, to scrutinize every PC I/O function, performance suffers. When top PC performance is important, the scanner's aggressiveness must decrease, and the risk that the scanner might miss malicious code increases. A good desktop scanner balances acceptable performance and aggressive scanning, but PC performance will always decrease. For these reasons, network administrators often choose to place the antivirus software elsewhere.
Email server. Because most new malicious code arrives through Internet email, many organizations install antivirus software on email servers. For the most part, this choice works well. The antivirus software scans incoming and outgoing email messages for malicious code. However, email antivirus software can do nothing about malicious code that arrives by other paths. If malicious code arrives on a disk, through an FTP client, from the Web, or from any other file server, email-based protection does little to prevent its spread. Even if you have email-based virus scanning, users with third-party HTML-based email accounts, such as MSN Hotmail, might download and execute malicious code. Also, email-based scanners usually can't scan encrypted emails, such as those created with the Pretty Good Privacy (PGP) plugin. Therefore, always consider email-based scanners an important, though partial, solution.
File server. You can install a virus scanner on a file server. From that location, the software can scan all incoming and outgoing files. Having a virus scanner in this location doesn't affect local desktop performance because the scanning occurs on the server. Also, as new malicious code appears, you need to update the antivirus software in only one location. Still, the file-server location has drawbacks. First, file server-based scanners can be buggy and cause the entire file server to crash. Second, the software scans only files stored on or sent to the file server. An infected document file opened from a local disk won't trigger file server-based protection.
Finally, in most cases, a local PC must be infected for the server to eventually notice the infection. If you return to the previous example, you'll see that a locally infected Microsoft Word document can infect the local Office copy and make modifications before the server-based antivirus software becomes involved.
Internet border. Placing antivirus software on an Internet-connected firewall, router, or gateway, which Figure 2 shows, is an increasingly widespread choice. The software scans all incoming Internet packets (although in practice usually only HTTP, FTP, and SMTP packets by default) for malicious code. You can purchase border devices preconfigured with the scanning software, add a border device as an internal or external adjunct feature, or use such a device as a centralized update location. Some scanning firewalls, for example, work by verifying that every PC connecting to the Internet has the most up-to-date signature database.
When a monitored PC attempts to send a network packet through the firewall, the firewall queries the antivirus software on the PC to find out its version and virus signature database. If either is outdated or if the program doesn't respond, the PC is updated. If the PC fails to respond accurately or accept the antivirus update, the outgoing request is denied.
Many vendors' Web sites send new antivirus signature updates directly to the firewall (which mimics some file server-based configurations), which the firewall then distributes to the desktops. Even if users uninstall their desktop antivirus software, the firewall device reinstalls the software when they next connect to the Internet. You can configure most border-scanning products to look inside .zip files and "safe" file extensions if they don't already do so by default.
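The firewall-side decision described above (query the PC's antivirus agent, push an update if it is outdated or silent, deny the outbound request if the update is refused) can be modelled as a small policy check. The following is an added illustration written for this article, not code from any firewall vendor; the version threshold, signature-age limit, and the date are constructed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Optional, Tuple

# Constructed policy values (assumptions for this example, not from the article).
MIN_ENGINE_VERSION = (6, 0)          # oldest scanner engine the firewall accepts
MAX_SIGNATURE_AGE = timedelta(days=7)  # signatures older than this are "outdated"
TODAY = date(2003, 3, 1)             # fixed clock so the example is reproducible


class Verdict(Enum):
    ALLOW = "allow"                    # agent is current: forward the packet
    UPDATE_THEN_ALLOW = "update"       # agent was outdated/silent, update pushed OK
    DENY = "deny"                      # agent refused or failed the update: drop request


@dataclass
class AvStatus:
    """What the PC's antivirus agent reports back to the firewall's query.
    None in either field means the agent did not answer."""
    engine_version: Optional[Tuple[int, int]]
    signature_date: Optional[date]


def is_current(status: AvStatus) -> bool:
    """The firewall's up-to-date check on one PC's antivirus agent."""
    if status.engine_version is None or status.signature_date is None:
        return False  # no response is treated exactly like an outdated client
    if status.engine_version < MIN_ENGINE_VERSION:
        return False
    return TODAY - status.signature_date <= MAX_SIGNATURE_AGE


def gate_packet(status: AvStatus,
                push_update: Callable[[AvStatus], Optional[AvStatus]]) -> Verdict:
    """Decide what the border device does with one outbound packet from a PC.
    push_update attempts the signature/engine push and returns the agent's
    post-update status, or None if the PC refused or did not accept it."""
    if is_current(status):
        return Verdict.ALLOW
    updated = push_update(status)
    if updated is not None and is_current(updated):
        return Verdict.UPDATE_THEN_ALLOW
    return Verdict.DENY
```

Note that a PC whose agent simply never answers ends up on the deny path after a failed push, which is the behaviour the article describes for unresponsive clients.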
In the most common configuration for software-based firewalls, the antivirus program resides on the same server as the firewall. The customer might purchase the firewall from one vendor and the scanning software from another. The scanning software intercepts the traffic headed through the firewall before the traffic arrives at the network. Border devices that let a secondary interface device or software application perform the scanning are becoming increasingly popular. Internet border devices rely more and more on interface standards such as Common Content Inspection API (CCIAPI) and Open Platform for Security's (OPSEC's) Content Vectoring Protocol (CVP). Each interface standard defines a standard way to connect network-traffic-analyzing software to border devices, such as gateways, routers, and firewalls. For example, you can add virus-scanning software to a firewall or HTML-content scanning (to block banned Web sites or prevent malicious programs) to a proxy server.
Check Point Software Technologies' CVP standard originated in the early work on CCIAPI. The scanning software is considered a CVP server, while the border device is considered a CVP client, as Figure 3 shows. CVP and similar border-device interfaces help both antivirus vendors and consumers. For example, you can partner Finjan Software's SurfinGate software with Check Point's FireWall-1 product, Microsoft's Internet Security and Acceleration (ISA) Server, AXENT Technologies' Raptor Firewall, and the F-Secure Policy Manager tool. You can integrate Check Point's FireWall-1 product with no fewer than 20 security products.
OPSEC/CVP is often touted as an open standard, but Check Point completely controls it. For a product to be certified as compliant, the product must pass interoperability tests that Check Point solely determines. In practice, this means that many products denoted as CVP- or OPSEC-compliant work only with Check Point products. Some vendors whose products interoperate with additional vendors' products mark their more flexible products as "CVP-generic" or offer additional interfaces. When you consider a new firewall, proxy server, or router, check whether the product supports an antivirus interface, and if so, which one.
Although placing scanning software at the border prevents malicious content from invading the network perimeter, using that location has drawbacks. First, much like file and email server antivirus software, border antivirus software doesn't help when malicious code arrives another way. Most scanning firewalls scan only FTP, HTTP, and SMTP protocols by default. Malicious code can still come in through instant messaging (IM) clients, multimedia plugins, and every other protocol type. Second, scanning communication encrypted by PGP or Secure Sockets Layer (SSL) is difficult if not impossible. As encryption becomes more popular, gateway-scanning servers will either become impractical or will have to store the necessary decryption keys on the device. Third, scanning network packets at wire speed and comparing their payloads against thousands of signature strings can cause a performance penalty (just like the other options).