
Cisco Working to Block Viruses at the Router

macmouse writes "The San Francisco Chronicle has an article about Cisco and anti-virus companies working together to block viruses at the ISP (router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light, however, it might mean that you're required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/Mac users, who normally don't need or use AV software. Not to mention being forced to purchase software from 'company x, y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."
  • nmap on a router? (Score:5, Interesting)

    by x-router ( 694339 ) <richard@x-r[ ]er.com ['out' in gap]> on Thursday November 20, 2003 @10:07AM (#7519209)
    I think what they are 'trying' to say is that the router itself will scan your machine in an nmap way to see if it can find problems.

    If it finds issues then it will drop you from the network or block that port / problem.

    Rather than check if you have the latest version of Norton installed... but perhaps I read it wrong?

  • Implications? (Score:5, Interesting)

    by spektr ( 466069 ) on Thursday November 20, 2003 @10:07AM (#7519211)
    Does this mean that I can't talk about viruses using code-samples over the internet? I can't download and study exploits anymore? If there is any possibility to encode the virus-code to circumvent the filter, then the virus can possibly do the same...
  • LAN Systems (Score:4, Interesting)

    by grahamm ( 8844 ) <gmurray@webwayone.co.uk> on Thursday November 20, 2003 @10:07AM (#7519214) Homepage
    Will it check that every computer connected to an internal network, probably hidden behind an internal NATing router, has the appropriate protection installed?
  • by pyite ( 140350 ) on Thursday November 20, 2003 @10:09AM (#7519229)
    We sort of do this at Rutgers University [rutgers.edu]. This summer was absolutely crazy for the network, due to all the worms and such. A new policy was instituted which requires users to visit a website which checks their operating system. If they're running Windows, they are *required* to download a scanner that checks for the relevant worms and installs anti-virus software. Users running alternative operating systems are completely exempt. It just says "There are currently no additional requirements for running Linux on the residential network." We've just begun shutting people off who fail to comply with the policy. I, for one, like it. However, the routers start to get overloaded if they have too many access control lists, because they have trouble running them on the ASICs. So, they have to run in software mode, which starts to slow things down.
  • by cpghost ( 719344 ) on Thursday November 20, 2003 @10:11AM (#7519246) Homepage

    End systems are not affected by routers dropping IP packets with harmful content. All that end systems see are IP packets. They may see fewer of them if filtering is enabled on the router, but the packets have nothing special about them that would need AV software on the clients.

    But, a router doesn't always have to drop packets. It could tag them with a special marker, and clients could then react accordingly, e.g. by dropping them in their TCP/IP stack.

    This could be somewhat similar to what SpamAssassin does, when tagging spam mail with an X-Spam header. It's up to the mail user agent to decide what to do with mails tagged that way.

  • by pvt_medic ( 715692 ) on Thursday November 20, 2003 @10:13AM (#7519276)
    This is an interesting approach that may prove to be effective. The problem in the past in fighting viruses is that you have to have each individual computer updated. Most computers just were not updated regularly, despite the development of automatic systems. But by placing strategic routers across the internet and having them filter through these, you could effectively fight viruses as effectively as any AV software could. I know my university scans all incoming e-mails and cleanses them; I think I have only once in my career here received an infected e-mail. You do get into some ethical dilemmas if you implement this on a global scale, though. Is it OK for the backbone of the internet to filter content? It's one thing for an ISP to do this, but what if a country like China wants to deem certain traffic dangerous and have it cleansed by the routers as well? (Maybe not the best example, since they do have the great China firewall, but you get the picture.)
  • Security measures (Score:5, Interesting)

    by pjrc ( 134994 ) <paul@pjrc.com> on Thursday November 20, 2003 @10:17AM (#7519306) Homepage Journal
    From the article:

    Any device trying to connect to the network will be checked to see whether it has security measures already in place.

    I just gotta wonder if this is going to look for any response on certain ports like 135-139, or if Cisco is specifically going to check for a proprietary response from the products of Network Asc, Symantec and Trend Micro?

    What it ought to do is a TCP fingerprint and look for any Microsoft Windows operating system.

  • I don't mind this (Score:4, Interesting)

    by digitalgimpus ( 468277 ) on Thursday November 20, 2003 @10:22AM (#7519344) Homepage
    I'm sure an open source product will allow Mac/Nix users to access such networks (at no cost).

    Would make computing much more secure.

    It's still annoying for Mac/nix users to get thousands of annoying virus emails from their windows friends (if you can call them friends).

    Every product normally starts out with 1 company producing it... if it's good, normally clones come about.
  • Re:Implications? (Score:4, Interesting)

    by GoofyBoy ( 44399 ) on Thursday November 20, 2003 @10:27AM (#7519390) Journal
    Maybe even worse, it could be used for filtering out non-virus data, such as copyright-infringing files or controversial political opinions.

    Then again, that might be just "Doesn't this shiny metallic hat look good on me?" talk.
  • by sonofasailor ( 646369 ) on Thursday November 20, 2003 @10:29AM (#7519410)
    So exactly how do I remove the viruses that don't reside on my computer? These are the ones that generate all the crap traffic. I can drop them at my router, but why should I clog my pipe? For that matter, why would an ISP want to deal with traffic congestion on their core due to crap traffic? My provider has placed traffic shaping on my stream before, both on their own because they were so congested (and they notified me), and also at my request. The police patrol the street, not my house, on a regular basis. Think about it!
  • Re:nmap on a router? (Score:2, Interesting)

    by bmedwar ( 693432 ) on Thursday November 20, 2003 @10:47AM (#7519559) Homepage
    My best guess is that you will VPN from your desktop to the edge router. This virtual connection will be signed so the router knows it can trust what your PC is reporting. The router won't establish the virtual connection unless you meet certain requirements in the info your PC sends during the handshake. After the connection is established, data will flow freely. This is my best (educated) guess.
  • by Asprin ( 545477 ) <gsarnoldNO@SPAMyahoo.com> on Thursday November 20, 2003 @11:17AM (#7519845) Homepage Journal

    Agreed, but I don't think we'll get a *complete* solution to this until MS un-activates all of their APIs and rolls new ones out to the existing 9x-XP desktops. I think they can see the handwriting on the wall about this (and that's really why Linux and DRM are so important to them right now) but they are slow to implement the changes, let's face it, their entire corporate business model is strategerized around making it easy for developers to script, code and remotely activate EVERYTHING, and this is a conflicting interest with that strategery.

    If we (the general universe of software buyers, not the /. audience) are going to stick with MS Windows as our #1 choice for A desktop OS, then the problem for us is that at whatever point MS decides to do "the right thing", we're probably three to five years from the ideal solution being fully implemented.

  • by Minna Kirai ( 624281 ) on Thursday November 20, 2003 @11:28AM (#7519962)
    I'm going to reproduce Speare's comment which was unfairly put at -1, because he's basically correct:
    1. The router is the new favorite device for censorship. It's the last single-point-of-diversion before the network spreads out again, into the home or office department.

    2. How long before libraries are forced to use scary, sealed products with cuddly names like RouterNanny or RightRoute or PopCop? Where librarians can't adjust or override those kill lists?

    Speare's right because the only way "virus scanning in the router" can work is if the routers have the ability to read the contents of all packets. That means that encrypted connections will be forbidden: the router can't check if there's a virus inside, so to play things safe it must assume the worst and drop the packet.

    Thus, government wiretappers, criminal eavesdroppers, and other nasty-types will have their livelihoods secured. Citizens won't be able to avoid surveillance by encrypting their own data, and Big Brother will watch over us all.
  • by duggy_92127 ( 165859 ) <doug.sheaNO@SPAMgmail.com> on Thursday November 20, 2003 @12:33PM (#7520592) Homepage
    We have a saying... "Let routers route and servers serve."

    By and large, this is, of course, correct. But that's not to say that there aren't some sane roles for a router to play in network and even system security.

    Here's a random thing I thought of, tell me if this seems sane. You're running a network of machines; you want to make sure these machines all have a certain patchlevel in order to participate.

    So, each machine has software installed that keeps track of which patches are installed on the machine. When the machine starts up, it does the following: contact DHCP/router and get an address. Router goes into 'lockdown' mode for that addy, which means only letting it talk to one server. Machine contacts that server for a patch list. If the machine is up to date, it contacts the router and router turns off 'lockdown' mode. If it's not, software comes up to install patch from the server.

    Of course, I've left out some details on a proper implementation, but isn't this a fairly sane way for a router to participate and cooperate in order to try and keep a network "safe"?

    Doug
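
A small simulation of the startup sequence Doug sketches above, written for this thread rather than taken from the post or from any Cisco product: the router starts every freshly leased address in 'lockdown', where only the patch server is reachable, and opens it only after the host's patch list matches what the server requires. The addresses and patch names are constructed, and the host's report of installed patches is assumed to be honest, which is exactly the trust boundary that makes such schemes only as strong as the agent on the host.

```python
from dataclasses import dataclass, field

PATCH_SERVER = "10.0.0.5"                    # constructed: the one host reachable in lockdown
REQUIRED = {"KB-101", "KB-102", "KB-103"}    # constructed: patch list the server hands out


@dataclass
class Router:
    """Edge router keeping per-address admission state ('lockdown' or 'open')."""
    state: dict = field(default_factory=dict)

    def lease(self, addr):
        # DHCP hands out an address; the router starts it in lockdown.
        self.state[addr] = "lockdown"

    def forwards(self, src, dst):
        """Would the router forward a packet from src to dst right now?"""
        st = self.state.get(src)
        if st == "open":
            return True
        if st == "lockdown":
            return dst == PATCH_SERVER       # only the patch server is reachable
        return False                         # no lease: nothing is forwarded

    def release(self, addr):
        # Turn 'lockdown' off once the host has proven it is up to date.
        if self.state.get(addr) == "lockdown":
            self.state[addr] = "open"


def patch_list():
    """The patch server's answer to 'what must be installed?'"""
    return set(REQUIRED)


def admit(router, addr, installed):
    """Run the startup sequence for one host.

    `installed` is the host agent's self-report of applied patches. The router
    believes this report, so the scheme raises the bar for honest-but-unpatched
    hosts, not for a host whose agent has been tampered with.
    Returns (outcome, sorted list of missing patches)."""
    router.lease(addr)                       # lockdown: patch fetch still permitted
    missing = patch_list() - set(installed)
    if missing:
        return "quarantined", sorted(missing)   # stays in lockdown until patched
    router.release(addr)
    return "admitted", []
```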

  • Re:Uh (Score:4, Interesting)

    by julesh ( 229690 ) on Thursday November 20, 2003 @12:59PM (#7520830)
    All that means is that Linux and Mac users are going to have to keep up with patches too (and yes, there *are* occasional holes for those systems, just not worms).

    Speaking as someone who was nearly infected by a Linux worm through a BIND exploit, I can confirm that such things do exist and are in the wild.

    The worm in question attempted to install a back door into my machine and was foiled by the greatest security measure ever taken: not having a LF on the end of /etc/inetd.conf (!)
  • Re:nmap on a router? (Score:3, Interesting)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Thursday November 20, 2003 @01:07PM (#7520907) Homepage
    I think what they are 'trying' to say is that the router itself will scan your machine in an nmap way to see if it can find problems.

    From what I've heard, it's some kind of 802.1x extension which takes the patch status of the system into account. It requires a fair deal of cooperation from the host, and we'll see if it makes a difference. I'm sure malware will be adapted accordingly if there's widespread use of this functionality.

    The "scan before connect" idea has already been implemented by the NetReg [netreg.org] project and its contributors.
  • by nvrrobx ( 71970 ) on Thursday November 20, 2003 @01:46PM (#7521270) Homepage
    Okay... This setup is usually called "client compliancy" and is starting to become common amongst VPN solutions. The VPN server will check your machine upon connection for antivirus software, virus definition version / dates, and possibly client firewall software.

    Saying that ISPs will start requiring it is purely speculation and sensationalism.. Oh wait, I am on Slashdot.

    Anyhow, just because a Mac doesn't get targeted for viruses much doesn't mean you shouldn't run antivirus software. What happens the day a Mac virus DOES get out in the wild? The same goes for *NIX systems.

    And, umm, yes, a Linux machine can be susceptible to Windows viruses. Think about a MS Word macro virus if you're using CrossOver Office and happen to have an infected file...

    Disclaimer: I work for a major antivirus company. If you don't use our product, you should at least have some sort of protection on your machine. There are some free alternatives, too.
  • by mabu ( 178417 ) * on Thursday November 20, 2003 @01:50PM (#7521319)
    This is yet another mafia subscription boondoggle that corporate America wants to foist on the public. It's also another security/business model that is only of value if worms and other undesirable traffic continue to propagate. The tech community should not buy into these schemes because they do not really cure the problem, merely promise a slightly-effective treatment (at best) that will require an ongoing investment of time, money and resources to even function.

    I keep saying, the best way to reduce worm propagation is through a sanctioned smtp whitelist [slashdot.org] since most compromised systems use smtp as the transmission vehicle, and most originate from spontaneous, unauthorized mail relays that the worms themselves introduce.

    As for other means of worm propagation, a compromised server would easily generate a typical DOS profile that a well-configured network should already identify and deal with, regardless of this client-server-extra-software provision Cisco is trying to impose, which would require constant updating and more money to maintain.
  • Great solution (Score:2, Interesting)

    by ahuq ( 686588 ) on Thursday November 20, 2003 @02:24PM (#7521683)
    I think this would definitely be a good solution for universities to manage the traffic on their network and in terms of preventing infections. There are too many students that come in with infected machines and are too ignorant to install antivirus software. I don't know how much more load it is going to place on routers, but I hope it works better than writing ACLs.
  • by edunbar93 ( 141167 ) on Thursday November 20, 2003 @03:37PM (#7522520)
    I'm the sysadmin for a small ISP. Some of our customers (namely, the corporate ones with lots of cash) already have this on a smaller scale. Their firewall/router checks to see if VirusScan is running on the end-users' computer, and if it's not, it installs it. At least, if you've bought enough licenses to cover all the workstations you have. Excess workstations don't get antivirus, and they also don't get online - at least until you shut that feature off for that IP. Of course, it's desirable to upgrade the number of licenses. It's pretty scary to be running a corporate network with only one computer not virus scanning when you see headlines like this one [slashdot.org].

    So that's our corporate customers. We also have qmailscanner filtering all our mail using F-prot (they have per-server licenses for decent rates, not the retarded per-client ones that would quickly bankrupt any ISP), which cuts problems on our ADSL network by about 75% or more. It's worth noting, however, that even with a 2.3 GHz CPU, the server load is typically about 2.5 or 3.0 at any given time. This kind of scanning for the 150,000 messages a day we get would have been impossible only three years ago.

    Would we start using a router like the one Cisco came out with? Hell no. 10% of our customers actually have a clue, and they usually pay for a more expensive internet account. To lose hundreds of our best customers over something like this would be stupid. As well, if we used a router that required a specific virus scanner (like our corporate customers have), it could alienate as much as 60% of the people who have already bought a virus scanner that *isn't* the virus scanner the router requires.

    No. This is not something you subject the general public to.
