Cisco Working to Block Viruses at the Router
macmouse writes "The San Francisco Chronicle has an article about Cisco and anti-virus companies working together to block viruses at the ISP (router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light, however, it might mean that you're required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/Mac users, who normally don't need or use AV software. Not to mention being forced to purchase software from 'company x, y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."
Re:question (Score:4, Informative)
"The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network or forced to download a security program. "
Re:And you though the internet was slow now (Score:3, Informative)
http://www.cisco.com/warp/public/63/nbar_acl_co
Of course, given enough traffic you could become CPU bound. Then you'll have to buy a Juniper
Re:And you though the internet was slow now (Score:4, Informative)
NBAR Restrictions
When using NBAR with the methods in this document, note that the following features are not supported by NBAR:
More than 24 concurrent URLs, HOSTs or MIME type matches
Matching beyond the first 400 bytes in a URL
Non-IP traffic
Multicast and other non-CEF switching modes
Fragmented packets
Pipelined persistent HTTP requests
URL/HOST/MIME/ classification with secure HTTP
Asymmetric flows with stateful protocols
Packets originating from or destined to the router running NBAR
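As an added illustration of the kind of IOS configuration those NBAR restrictions apply to (this is not taken from the linked Cisco document; the interface names and the URL patterns are constructed placeholders), NBAR classifies inbound HTTP by URL, marks the matching packets, and an ordinary ACL drops them on the way out:

```cisco
! NBAR requires CEF switching (see the restriction on non-CEF modes)
ip cef
!
! Classify HTTP requests whose URL matches a constructed worm signature.
! Only the first 400 bytes of the URL are inspected, secure HTTP is not
! classified at all, and at most 24 URL/HOST/MIME matches may be defined.
class-map match-any http-worm-signatures
 match protocol http url "*placeholder-worm-path*"
 match protocol http url "*placeholder-worm-query*"
!
! Mark matching packets with DSCP 1 instead of dropping them here, so the
! drop decision lives in a normal ACL that can be audited and counted.
policy-map mark-inbound-http-worms
 class http-worm-signatures
  set ip dscp 1
!
! Apply the classification on the ISP-facing interface (placeholder name)
interface FastEthernet0/0
 service-policy input mark-inbound-http-worms
!
! Drop the marked packets toward the customer side; everything else passes
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!
interface FastEthernet0/1
 ip access-group 105 out
```

Fragmented packets and pipelined persistent HTTP requests pass through unclassified, so match counters from `show policy-map interface FastEthernet0/0` only cover what NBAR could actually inspect.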
This is nothing new (Score:5, Informative)
The way I read it, their marketing department has just found out that LinkSys (now Cisco's subsidiary) has had this functionality for years now, where the cheapo firewall routers can be configured to not give access to the outside unless certain AV software is installed on the host. So it's marketed as a new innovation -- there's probably half a dozen patents filed for it already, plus a bunch of different names under which this can be marketed.
Problem is, it doesn't work except in very specific and small homogeneous installations.
Regards,
--
*Art
Re:And you though the internet was slow now (Score:5, Informative)
"Traffic shaping" is a fucking joke right now. It's just a half-ass measure to get the low hanging fruit only. You don't know anything about protocols. Each OSI LAYER, eh? Who cares. How are you going to distinguish the individual files infected with viruses being transmitted if they use a proprietary protocol or compression or encryption of any kind.
Simple. According to the article, and the post you replied to, they are not even going to try something as incredibly stupid as that. Instead, they will require authentication according to their own protocol, which will allow them to determine whether you have antivirus software. Traffic from hosts without virus protection can then be treated differently than traffic from hosts which have it.
As to Michael's comment about this requiring people to use Windows on every host, that's just silly. Cisco themselves use BSD and their customers are heavy into real OSs like Solaris, etc. They are not going to stop traffic from such hosts, even by default. I would be willing to bet that they are going to work in some way of identifying the type of host that they are getting the traffic from, and therefore allowing the administrator of the firewall to give Linux, Solaris, et al a pass in such cases.
Cisco firewalls are not your little linksys router from Fry's or that 386 running OpenBSD over in the corner. They have pretty powerful hardware and very flexible software. You can construct some pretty neat rulesets and do very clever things, so this kind of thing is honestly not a surprise and certainly not beyond their capabilities.
Use a Blackhole Router (Score:3, Informative)
Eh? (Score:3, Informative)
The only way this does any good is if the Cisco has the *nix box prove that it is running AV software doing content analysis on the stream from the Windows box, or else software that relays to the Windows box the demand to show credentials. Either way this means that there will likely be a necessary licensing fee for AV or credentials checking software for whatever router you want to have talk to a Cisco.
Very clever. Cisco doesn't take the load on their hardware (except for the trivial task of demanding your licensed credentials), and forces you to license software from one of its partners, and to take the load on your hardware.
This is sort of like the police responding to a burglary epidemic by requiring all homeowners to install lead shielding on their doors and windows, with a kickback to the police athletic fund for each shielding installation.
Re:You cannot possibly keep up (Score:3, Informative)
Real great solution. What happens when I get that user that has Win95 and a version of Norton just as old? Your computer says "Hey big boy, I have some super spanky AV installed. Let my mail through!"
"Duh! OK boss"
Great that they're trying something new; this just doesn't seem too hard to circumvent.
Win95's old Norton will not be able to authenticate to this system. You will have to buy the brand new software that ties into the validation system. If they do this the smart way, that will include checking the version of the software and the date of the virus defs. You did notice that all the big antivirus manufacturers are part of the system, right?
I think it will be circumventable, but not easily if they do this right, and any circumvention of the system will require a significant increase in virus payload. Besides, before the person who can be infected gets infected, they will notice they cannot connect to their ISP (or their work firewall) and get the updated software. It's a pretty elegant solution IMHO.