Cisco Working to Block Viruses at the Router
macmouse writes "The San Francisco Chronicle has an article about Cisco and anti-virus companies working together to block viruses at the ISP (router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light, however, it might mean that you're required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/Mac users, who normally don't need or use AV software. Not to mention being forced to purchase software from 'company x, y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."
nmap on a router? (Score:5, Interesting)
If it finds issues then it will drop you from the network or block that port / problem.
Rather than check if you have the latest version of Norton installed... but perhaps I read it wrong?
Implications? (Score:5, Interesting)
LAN Systems (Score:4, Interesting)
We kinda do this at Rutgers (Score:5, Interesting)
Routers are transparent to end systems (Score:4, Interesting)
End systems are not affected by routers dropping IP packets with harmful content. All that end systems see are IP packets. They may see fewer of them if filtering is enabled on the router, but the packets have nothing special about them that would need AV software on the clients.
But, a router doesn't always have to drop packets. It could tag them with a special marker, and clients could then react accordingly, e.g. by dropping them in their TCP/IP stack.
This could be somewhat similar to what SpamAssassin does, when tagging spam mail with an X-Spam header. It's up to the mail user agent to decide what to do with mails tagged that way.
different approach that may just work (Score:3, Interesting)
Security measures (Score:5, Interesting)
I just gotta wonder if this is going to look for any response on certain ports like 135-139, or if Cisco is specifically going to check for a proprietary response from the products of Network Asc, Symantec and Trend Micro?
What it ought to do is a TCP fingerprint and look for any Microsoft Windows operating system.
I don't mind this (Score:4, Interesting)
Would make computing much more secure.
It's still annoying for Mac/nix users to get thousands of annoying virus emails from their windows friends (if you can call them friends).
Every product normally starts out with 1 company producing it... if it's good, normally clones come about.
Re:Implications? (Score:4, Interesting)
Then again, that might be just "Doesn't this shiny metallic hat look good on me?" talk.
Re:I work for an ISP... (Score:2, Interesting)
Re:nmap on a router? (Score:2, Interesting)
Re:I work for an ISP... (Score:3, Interesting)
Agreed, but I don't think we'll get a *complete* solution to this until MS un-activates all of their APIs and rolls new ones out to the existing 9x-XP desktops. I think they can see the handwriting on the wall about this (and that's really why Linux and DRM are so important to them right now) but they are slow to implement the changes, let's face it, their entire corporate business model is strategerized around making it easy for developers to script, code and remotely activate EVERYTHING, and this is a conflicting interest with that strategery.
If we (the general universe of software buyers, not the
Re:Censorship in the Router? (Score:2, Interesting)
How long before libraries are forced to use scary, sealed products with cuddly names like RouterNanny or RightRoute or PopCop? Where librarians can't adjust or override those kill lists?
Speare's right because the only way "virus scanning in the router" can work is if the routers have the ability to read the contents of all packets. That means that encrypted connections will be forbidden: the router can't check if there's a virus inside, so to play things safe it must assume the worst and drop the packet.
Thus, government wiretappers, criminal eavesdroppers, and other nasty-types will have their livelihoods secured. Citizens won't be able to avoid surveillance by encrypting their own data, and Big Brother will watch over us all.
Re:I work for an ISP... (Score:2, Interesting)
By and large, this is, of course, correct. But that's not to say that there aren't some sane roles for a router to play in network and even system security.
Here's a random thing I thought of, tell me if this seems sane. You're running a network of machines; you want to make sure these machines all have a certain patchlevel in order to participate.
So, each machine has software installed that keeps track of which patches are installed on the machine. When the machine starts up, it does the following: contact DHCP/router and get an address. Router goes into 'lockdown' mode for that addy, which means only letting it talk to one server. Machine contacts that server for a patch list. If the machine is up to date, it contacts the router and router turns off 'lockdown' mode. If it's not, software comes up to install patch from the server.
Of course, I've left out some details on a proper implementation, but isn't this a fairly sane way for a router to participate and cooperate in order to try and keep a network "safe"?
Doug
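One way to model the lockdown flow Doug describes above, as an added example that is not from the thread or from any Cisco product; the patch server address, the patch names, the Router class and the join_network helper are all assumptions for illustration:

```python
from dataclasses import dataclass, field

PATCH_SERVER = "10.0.0.5"      # assumed address of the one server a locked-down host may reach
REQUIRED_PATCHES = {"KB001", "KB002", "KB003"}   # constructed patch list served by PATCH_SERVER


@dataclass
class Router:
    """Per-address lockdown state, standing in for the router's access list."""
    locked: set = field(default_factory=set)

    def lease(self, addr):
        # A fresh DHCP lease always starts in lockdown.
        self.locked.add(addr)

    def permits(self, src, dst):
        # Forwarding decision: a locked-down source may only talk to the patch server.
        return dst == PATCH_SERVER if src in self.locked else True

    def release(self, addr, reported):
        # Lift lockdown only if the reported patch set covers everything required.
        # This trusts the host's own report, which is the cooperation the scheme needs.
        if REQUIRED_PATCHES <= set(reported):
            self.locked.discard(addr)
            return True
        return False


def join_network(router, addr, installed, available):
    """Walk one host through lease -> lockdown -> patch check -> release.

    'available' is the set of patches the patch server can actually supply;
    returns (released, patches_now_installed).
    """
    router.lease(addr)
    installed = set(installed)
    # Contact the patch server (the only reachable host) and pull what is missing.
    if router.permits(addr, PATCH_SERVER):
        for patch in sorted(REQUIRED_PATCHES - installed):
            if patch in available:          # simulated install from the patch server
                installed.add(patch)
    released = router.release(addr, installed)
    return released, installed
```

A host whose missing patches the server cannot supply stays in lockdown, so the only address it can still reach is the patch server.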
Re:Uh (Score:4, Interesting)
Speaking as someone who was nearly infected by a Linux worm through a BIND exploit, I can confirm that such things do exist and are in the wild.
The worm in question attempted to install a back door into my machine and was foiled by the greatest security measure ever taken: not having a LF on the end of
Re:nmap on a router? (Score:3, Interesting)
From what I've heard, it's some kind of 802.1x extension which takes the patch status of the system into account. It requires a fair deal of cooperation from the host, and we'll see if it makes a difference. I'm sure malware will be adapted accordingly if there's widespread use of this functionality.
The "scan before connect" idea has already been implemented by the NetReg [netreg.org] project and its contributors.
This is called client compliancy.... (Score:3, Interesting)
Saying that ISPs will start requiring it is purely speculation and sensationalism.. Oh wait, I am on Slashdot.
Anyhow, just because a Mac doesn't get targeted for viruses much doesn't mean you shouldn't run antivirus software. What happens the day a Mac virus DOES get out in the wild? The same goes for *NIX systems.
And, umm, yes, a Linux machine can be susceptible to Windows viruses. Think about a MS Word macro virus if you're using CrossOver Office and happen to have an infected file...
Disclaimer: I work for a major antivirus company. If you don't use our product, you should at least have some sort of protection on your machine. There are some free alternatives, too.
yet another wrong approach (Score:3, Interesting)
I keep saying, the best way to reduce worm propagation is through a sanctioned smtp whitelist [slashdot.org] since most compromised systems use smtp as the transmission vehicle, and most originate from spontaneous, unauthorized mail relays that the worms themselves introduce.
As for other means of worm propagation, a compromised server would easily generate a typical DOS profile that a well-configured network should already identify and deal with, regardless of this client-server-extra-software provision Cisco is trying to impose, which would require constant updating and more money to maintain.
Great solution (Score:2, Interesting)
This is what we do at work: (Score:3, Interesting)
So that's our corporate customers. We also have qmailscanner filtering all our mail using F-Prot (they have per-server licenses for decent rates, not the retarded per-client ones that would quickly bankrupt any ISP), which cuts problems on our ADSL network by about 75% or more. It's worth noting, however, that even with a 2.3 GHz CPU, the server load is typically about 2.5 or 3.0 at any given time. This kind of scanning for the 150,000 messages a day we get would have been impossible only three years ago.
Would we start using a router like the one Cisco came out with? Hell no. 10% of our customers actually have a clue, and they usually pay for a more expensive internet account. To lose hundreds of our best customers over something like this would be stupid. As well, if we used a router that required a specific virus scanner (like our corporate customers have), it could alienate as much as 60% of the people who have already bought a virus scanner that *isn't* the virus scanner the router requires.
No. This is not something you subject the general public to.