Cisco Working to Block Viruses at the Router

macmouse writes "The San Francisco Chronicle has an article about Cisco and anti-virus companies working together to block viruses at the ISP (router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light, however, it might mean that you're required to have anti-virus software installed in order to use the Internet. This can be a *big* problem for *nix/Mac users, who normally don't need or use AV software. Not to mention being forced to purchase software from 'company x, y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."
  • Re:question (Score:4, Informative)

    by LordKronos ( 470910 ) on Thursday November 20, 2003 @10:10AM (#7519239)
    RTFA:
    "The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network or forced to download a security program. "
  • by Anonymous Coward on Thursday November 20, 2003 @10:11AM (#7519245)
    You'll probably see this as a combination of the AV vendors' products generating warnings and classifying new virii, and Cisco's Network Based Application Recognition extensions to IOS then filtering the same. See this link about Code Red:

    http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

    Of course, given enough traffic you could become CPU bound. Then you'll have to buy a Juniper :-)
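    The NBAR-plus-ACL technique this comment points to, written out as an added example (it is not the configuration from the linked Cisco document or from this post). The interface names and ACL number 105 are assumptions; the URL patterns are the well-known Code Red (`default.ida`) and Code Red II/Nimda (`cmd.exe`, `root.exe`) request signatures and would be replaced by whatever the AV vendor feed classifies:

```ios
! Added example: classify known worm HTTP requests with NBAR, mark them,
! then drop the marked packets with an ACL on the way to the inside network.
! Interface names and ACL number 105 are assumptions for illustration.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Mark matching packets rather than dropping them in the class-map itself,
! so the drop decision (and its counters) stays in a normal ACL.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
! Apply the policy inbound on the interface facing the untrusted side.
interface Serial0/0
 service-policy input mark-inbound-http-hacks
!
! Drop anything marked DSCP 1 on the way out towards the inside hosts;
! everything else is forwarded unchanged.
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!
interface FastEthernet0/0
 ip access-group 105 out
!
! Read-only checks while the policy is in place:
! show policy-map interface Serial0/0      (per-class match counters)
! show access-lists 105                    (deny hits = packets dropped)
```

    The match counters are also the place to watch for the CPU-bound case mentioned above: NBAR has to look into the HTTP request of every flow on that interface, so the hit rate and the router CPU go up together, and the unsupported cases (fragments, pipelined requests, HTTPS) quoted further down the thread simply never reach the class-map.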
  • by pyite ( 140350 ) on Thursday November 20, 2003 @10:16AM (#7519299)
    Did you read the article? The software doing the intelligent part will reside on the user's computer. The router will determine if the host attempting to make a connection has the relevant software installed. If not, it will be ACL'd. There's little the router is doing except creating the access control lists on the fly. Even if there was intelligence in the router, it would have to be done in a big box like a 6509 [cisco.com] with a Content Switch card. FYI, the Content Switch card has a separate processor FOR EACH OSI LAYER. So, it can analyze each separately and do traffic shaping like that.
  • by Anonymous Coward on Thursday November 20, 2003 @10:18AM (#7519313)
    Problems with Cisco's approach are numerous. It would be trivial for virus writers to work around these shortcomings. The only real way to block viruses is to be 100% stateful and reconstitute complete files from IP and TCP/IP somehow. This would suck CPU and memory like no tomorrow. It's also a losing proposition given all the protocols out there.

    NBAR Restrictions

    When using NBAR with the methods in this document, note that the following features are not supported by NBAR:

    • More than 24 concurrent URLs, HOSTs or MIME type matches

    • Matching beyond the first 400 bytes in a URL

    • Non-IP traffic

    • Multicast and other non-CEF switching modes

    • Fragmented packets

    • Pipelined persistent HTTP requests

    • URL/HOST/MIME/ classification with secure HTTP

    • Asymmetric flows with stateful protocols

    • Packets originating from or destined to the router running NBAR

  • This is nothing new (Score:5, Informative)

    by arth1 ( 260657 ) on Thursday November 20, 2003 @10:26AM (#7519383) Homepage Journal
    Rather than check if you have the latest version of Norton installed... but perhaps I read it wrong?

    The way I read it, their marketing department has just found out that LinkSys (now Cisco's subsidiary) has had this functionality for years now, where the cheapo firewall routers can be configured to not give access to the outside unless certain AV software is installed on the host. So it's marketed as a new innovation -- there's probably half a dozen patents filed for it already, plus a bunch of different names under which this can be marketed.
    Problem is, it doesn't work except in very specific and small homogeneous installations.

    Regards,
    --
    *Art
  • by rifter ( 147452 ) on Thursday November 20, 2003 @10:51AM (#7519614) Homepage

    "Traffic shaping" is a fucking joke right now. It's just a half-ass measure to get the low hanging fruit only. You don't know anything about protocols. Each OSI LAYER, eh? Who cares. How are you going to distinguish the individual files infected with viruses being transmitted if they use a proprietary protocol or compression or encryption of any kind?

    Simple. According to the article, and the post you replied to, they are not even going to try something as incredibly stupid as that. Instead, they will require authentication according to their own protocol which will allow them to determine whether you have antivirus software. Traffic from hosts without virus protection can then be treated differently than traffic from hosts which have it.

    As to Michael's comment about this requiring people to use Windows on every host, that's just silly. Cisco themselves use BSD and their customers are heavy into real OSs like Solaris, etc. They are not going to stop traffic from such hosts, even by default. I would be willing to bet that they are going to work in some way of identifying the type of host that they are getting the traffic from, and therefore allowing the administrator of the firewall to give Linux, Solaris, et al a pass in such cases.

    Cisco firewalls are not your little linksys router from Fry's or that 386 running OpenBSD over in the corner. They have pretty powerful hardware and very flexible software. You can construct some pretty neat rulesets and do very clever things, so this kind of thing is honestly not a surprise and certainly not beyond their capabilities.

  • by Robert Hayden ( 58313 ) on Thursday November 20, 2003 @10:52AM (#7519625) Homepage
    Use a blackhole routing system instead of ACLs. easier to manage and because it uses uRPF to do the drops, it's very hardware friendly. I posted a summary on NANOG about two weeks ago how I did this at the University of Wisconsin.
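    The source-based black-hole approach described in this comment, as an added example (not the configuration from the NANOG posting it refers to). The interface name is an assumption and 192.0.2.45 is a documentation-range address standing in for an infected host:

```ios
! Added example: quarantine an infected host with a Null0 route plus
! loose-mode uRPF instead of editing ACLs. Addresses and interface names
! are assumptions for illustration.
!
! 1. Enable loose-mode uRPF on the interfaces that carry user traffic.
!    A packet is dropped in the forwarding path if its SOURCE address has
!    no route in the table, or if the best route for it points at Null0.
!    allow-default keeps sources that are only covered by the default
!    route from being dropped (without it they would be).
interface GigabitEthernet0/1
 ip verify unicast source reachable-via any allow-default
!
! 2. To quarantine a host, add a host route for it to Null0.
!    Packets TO the host are discarded by the route lookup, and because
!    of loose uRPF packets FROM the host are discarded as well.
ip route 192.0.2.45 255.255.255.255 Null0
!
! 3. Releasing the host is just removing the route; no ACL rewrite.
! no ip route 192.0.2.45 255.255.255.255 Null0
!
! Read-only checks:
! show ip interface GigabitEthernet0/1 | include verif   (uRPF state)
! show ip traffic | include RPF                          (drop counters)
! show ip route 192.0.2.45                               (is it black-holed?)
```

    Because both directions are decided by an ordinary CEF lookup, this scales to a long list of quarantined hosts where a growing ACL would not, and on a multi-router network the same Null0 routes can be pushed from one trigger router over iBGP rather than configured by hand on each box.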
  • Eh? (Score:3, Informative)

    by wytcld ( 179112 ) on Thursday November 20, 2003 @01:58PM (#7521400) Homepage
    So the Cisco tries to check if the computer trying to connect has approved AV software running. The Cisco itself isn't running the software, it's forcing the connecting system to. If the system connecting is a *nix router doing NAT, with a bunch of Windows boxes behind it, what's the Cisco's behavior? If it goes back to the IP it sees a *nix box, but the traffic is from a Windows box which just might have a virus, unless good AV software is running on it (despite the firewall - your travelling staff just plugged in their laptop in the office).

    The only way this does any good is if the Cisco has the *nix box prove that it is running AV software doing content analysis on the stream from the Windows box, or else software that relays to the Windows box the demand to show credentials. Either way this means that there will likely be a necessary licensing fee for AV or credentials checking software for whatever router you want to have talk to a Cisco.

    Very clever. Cisco doesn't take the load on their hardware (except for the trivial task of demanding your licensed credentials), and forces you to license software from one of its partners, and to take the load on your hardware.

    This is sort of like the police responding to a burglary epidemic by requiring all homeowners to install lead shielding on their doors and windows, with a kickback to the police athletic fund for each shielding installation.
  • by rifter ( 147452 ) on Thursday November 20, 2003 @05:37PM (#7523523) Homepage

    Real great solution. What happens when I get that user that has Win95 and a version of Norton just as old? Your computer says "Hey big boy, I have some super spanky AV installed. Let my mail through!"
    "Duh! OK boss"
    Great that they're trying something new; this just doesn't seem too hard to circumvent.

    Win95's old Norton will not be able to authenticate to this system. You will have to buy the brand new software that ties into the validation system. If they do this the smart way, that will include checking the version of the software and the date of the virus defs. You did notice that all the big antivirus manufacturers are part of the system, right?

    I think it will be circumventable, but not easily if they do this right, and any circumvention of the system will require a significant increase in virus payload. Besides, before the person who can be infected gets infected, they will notice they cannot connect to their ISP (or their work firewall) and get the updated software. It's a pretty elegant solution IMHO.
