
Cisco Working to Block Viruses at the Router

macmouse writes "The San Francisco Chronicle has an article about Cisco and Anti-Virus companies working together to block viruses at the ISP (Router) level. It sounds like they will be using traffic shaping to block malicious traffic. Looking at it in a negative light however, it might mean that you're required to have anti-virus software installed in order to use the internet. This can be a *big* problem for *nix/mac users who normally don't need or use AV software. Not to mention, being forced to purchase software from 'company x,y or z' in order to get online, regardless of platform. Hopefully, this is not going to happen."
  • by Anonymous Coward
...expect 3 second delays per packet with this new ill-conceived plan. Routers would now have to be stateful and learn to distinguish files (and compressed files) over TCP connections. This is doomed to fail either because of its slow speed or due to the number of false virus matches it will find.
    • by Anonymous Coward
You'll probably see this as a combination of the AV vendors' products generating warnings and classifying new virii, and Cisco's Network Based Application Recognition extensions to IOS then filtering the same. See this link about Code Red er ed.shtml

      Of course, given enough traffic you could become CPU bound. Then you'll have to buy a Juniper :-)
      • by Anonymous Coward on Thursday November 20, 2003 @10:18AM (#7519313)
        Problems with Cisco's approach are numerous. It would be trivial for virus writers to work around these shortcomings. The only real way to block viruses is to be 100% stateful and reconstitute complete files from IP and TCP/IP somehow. This would suck CPU and memory like no tomorrow. It's also a losing proposition given all the protocols out there.

        NBAR Restrictions

        When using NBAR with the methods in this document, note that the following features are not supported by NBAR:

        • More than 24 concurrent URLs, HOSTs or MIME type matches

        • Matching beyond the first 400 bytes in a URL

        • Non-IP traffic

        • Multicast and other non-CEF switching modes

        • Fragmented packets

        • Pipelined persistent HTTP requests

• URL/HOST/MIME classification with secure HTTP

        • Asymmetric flows with stateful protocols

        • Packets originating from or destined to the router running NBAR

      • by truth_revealed ( 593493 ) on Thursday November 20, 2003 @10:37AM (#7519479)
        Antivirus software slows down your machine to a third of its original speed. Disable it and see for yourself. You'll never use that junk again.

        I have a much more comprehensive scheme for identifying viruses anyway. I have modified my OS to pop a dialog for each incoming letter and verify if I want to accept it or not:

        You have received the letter "G" from IP address on port 492.
        Some viruses are known to have the letter "G".
        Would you like to accept it?
        Yes No

        You have received the letter "r" from IP address on port 492.
        Some viruses are known to have the letter "r".
        Would you like to accept it?
        Yes No

        You have received the letter "e" from IP address on port 492.
        Some viruses are known to have the letter "e".
        Would you like to accept it?
        Yes No

    • Did you read the article? The software doing the intelligent part will reside on the user's computer. The router will determine if the host attempting to make a connection has the relevant software installed. If not, it will be ACL'd. There's little the router is doing except creating the access control lists on the fly. Even if there was intelligence in the router, it would have to be done in a big box like a 6509 [] with a Content Switch card. FYI, the Content Switch card has a separate processor FOR EACH O
  • question (Score:4, Insightful)

    by xao gypsie ( 641755 ) on Thursday November 20, 2003 @10:05AM (#7519197)
    how does the fact that the router uses a packet shaper require the end user to have AV software? at my university, they use a packet shaper, and clients on the on-campus network do not have to have such software installed. this sounds like a great idea, tho...

    • Re:question (Score:4, Informative)

      by LordKronos ( 470910 ) on Thursday November 20, 2003 @10:10AM (#7519239)
      "The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network or forced to download a security program. "
• You know, they might just be checking for various exploits. For example, it might detect your version of IE and railroad your TCP request if you have the DSO exploit, or it might let you know if you have a vulnerable version of MSRPC. Similarly, it could check your OpenSSH version. Though I doubt it will.

      • by autopr0n ( 534291 )
It sounds like they are just checking to see if the machine is exploitable. All that means is that Linux and Mac users are going to have to keep up with patches too (and yes, there *are* occasional holes for those systems, just not worms)
        • Re:Uh (Score:4, Interesting)

          by julesh ( 229690 ) on Thursday November 20, 2003 @12:59PM (#7520830)
. All that means is that Linux and Mac users are going to have to keep up with patches too (and yes, there *are* occasional holes for those systems, just not worms)

          Speaking as someone who was nearly infected by a Linux worm through a BIND exploit, I can confirm that such things do exist and are in the wild.

          The worm in question attempted to install a back door into my machine and was foiled by the greatest security measure ever taken: not having a LF on the end of /etc/inetd.conf (!)
    • Re:question (Score:2, Insightful)

      by MindStalker ( 22827 )
      "will be able to block network access to any computer or device that doesn't have its own security measures in place."

The submitter is interpreting this to mean the router will block any computer that can't say "I'm secure," but I think in reality it means that the router will block any computer that seems to be doing bad things.
      • Re:question (Score:5, Insightful)

        by hazem ( 472289 ) on Thursday November 20, 2003 @10:23AM (#7519347) Journal
        Boy, and how long until a virus can make the response "yup, I'm secure"...

        I wonder if this is the next step in the "Trusted Secure Computing" world? Routers won't accept traffic from non-trusted computers?
        • Boy, and how long until a virus can make the response "yup, I'm secure"...

          I suspect these companies wouldn't be so foolish to make it that simple (but you never know). Off the top of my head, I was thinking they could do something like:

1) When a first request is received from a computer, the router sends a random challenge text to the computer on the port where the AV should be listening.
          2)AV software forwards this challenge text on to the AV company's website (here the router would have to be able to ide
          • 1) Router checks machine for known exploits.

Anyway, how would the AV company even know if the machine was running the "real" software in your scenario? It wouldn't any more than the router. The entire concept of checking for AV software is ridiculous. They only mentioned "security measures", they probably consider running Linux or MacOS a security measure in and of itself like most people do. Only the most deranged person in the world would consider restricting a network to windows machines would be a g
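The handshake sketched in this sub-thread (router sends a random challenge, the host's agent answers with a signed posture report) and the objection that a virus could just answer "yup, I'm secure", as an added example. This is not Cisco's Network Admission Control code or any vendor's agent; the message layout, the shared key, and the posture fields av_running and sig_age_days are assumptions of the example. The last function demonstrates the objection directly: any process on the host that can read the agent's key produces a report the router accepts.

```python
"""Toy network-admission challenge/response (added example, not vendor code).

Assumptions: a per-host shared key known to the agent and the router, a JSON
posture report with the fields av_running and sig_age_days, and HMAC-SHA256
over nonce || report as the "signature".
"""
import hashlib
import hmac
import json
import os


def canonical(claims: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class RouterVerifier:
    """Network side: fresh nonce per attempt, MAC check, single-use nonce,
    then the posture policy itself."""

    def __init__(self, shared_key: bytes, max_sig_age_days: int = 7):
        self.key = shared_key
        self.max_sig_age_days = max_sig_age_days
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def admit(self, nonce: bytes, claims: dict, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                      # unknown or replayed nonce
        self.outstanding.discard(nonce)       # a nonce is good exactly once
        expected = hmac.new(self.key, nonce + canonical(claims),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # tampered report or wrong key
        return (claims.get("av_running") is True
                and claims.get("sig_age_days", 10**6) <= self.max_sig_age_days)


def agent_respond(key: bytes, nonce: bytes, claims: dict) -> bytes:
    """Host side: MAC the challenge together with the posture it reports."""
    return hmac.new(key, nonce + canonical(claims), hashlib.sha256).digest()


def session(verifier: RouterVerifier, key: bytes, reported: dict) -> bool:
    """One full handshake: challenge -> signed report -> admit or deny."""
    nonce = verifier.challenge()
    return verifier.admit(nonce, reported, agent_respond(key, nonce, reported))


def replayed_session(verifier: RouterVerifier, key: bytes, reported: dict) -> bool:
    """Present the same signed report twice under one nonce; the second
    attempt must be refused. Returns True when the replay is caught."""
    nonce = verifier.challenge()
    tag = agent_respond(key, nonce, reported)
    first = verifier.admit(nonce, reported, tag)
    second = verifier.admit(nonce, reported, tag)
    return first and not second


def tampered_session(verifier: RouterVerifier, key: bytes) -> bool:
    """Report altered after signing: the MAC no longer matches, so admit()
    returns False."""
    nonce = verifier.challenge()
    honest = {"av_running": False, "sig_age_days": 90}
    tag = agent_respond(key, nonce, honest)
    return verifier.admit(nonce, {"av_running": True, "sig_age_days": 0}, tag)


# Constructed demo key. A real deployment would provision one per host, but
# whatever runs on that host with access to it (including malware) can sign.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

if __name__ == "__main__":
    v = RouterVerifier(DEMO_KEY)
    print("honest, current AV:", session(v, DEMO_KEY, {"av_running": True, "sig_age_days": 1}))
    print("honest, stale AV:  ", session(v, DEMO_KEY, {"av_running": True, "sig_age_days": 30}))
    # The host is actually infected and runs no AV, but the malware read the
    # agent's key and reports whatever the policy wants to hear.
    print("malware lying:     ", session(v, DEMO_KEY, {"av_running": True, "sig_age_days": 0}))
    print("replay caught:     ", replayed_session(v, DEMO_KEY, {"av_running": True, "sig_age_days": 1}))
    print("tamper caught:     ", not tampered_session(v, DEMO_KEY))
```

The nonce and MAC stop replay and on-the-wire tampering, which is all a router can check; they say nothing about whether the process that holds the key is the agent or something that replaced it. That is why the thread keeps circling back to trusted-computing hardware: the only way out is a signer the host's software cannot read.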
    • how does the fact that the router uses a packet shaper require the end user to have AV software?

I think the more correct term would be stateful packet inspection [] whereby the contents of packets are checked, rather than shaped. This would allow the router to see if there was "phone home" software on the client attempting to do something nasty.

      However, I am likely to be corrected :)

      • I doubt it is stateful packet inspection.

You don't normally want routers to be doing that too much due to overhead. More likely, this will be some bullshit idea that makes the machine attempting to obtain an IP address provide some type of cookie-like mechanism or some type of challenge-response handshake to indicate to the router that IP W.X.Y.Z has been Ok-ed.

        It won't solve the problem.

More likely, this is a trial balloon to judge the level of opposition to the entire idea. Personally, it fucking sucks to

    • by Alsee ( 515537 ) on Thursday November 20, 2003 @02:22PM (#7521658) Homepage
      Cisco's Network Admission Control program would enable companies to install on every PC and mobile device a client, called the Cisco Trust Agent, which could attest to certain levels of security... []
      However, the technology won't work unless security software can tell the Trusted Agent application the current state of security on the computer or mobile device.
      "This important problem can't be addressed individually," said John Thompson, CEO of Symantec. "Collaboration is a must."
      The technology might also spur sales of PCs and devices that use trusted-computing hardware--controversial technology that uses encryption, special memory and security software to lock away secrets on a PC from prying eyes.

      To lock away secrets on a PC from the OWNERS eyes! &%^#@! Trusted Computing!

      Symantec Corp. (Nasdaq:SYMC), today announced that it has joined forces with Cisco Systems to provide solutions that restrict network access to only compliant and trusted client machines including personal computers and PDAs.... Out-of-compliance machines may be denied access, quarantined, or sent to a separate location for remediation, while machines in compliance with the organizations' set policies will be granted access to the network. []

      Trend Micro, Inc. (TSE:4704) (Nasdaq:TMIC), a leader in network antivirus and Internet content security software and services, today announced its support of the new Cisco(R) Network Admission Control Program []

THREE major router companies, Cisco, Symantec, and Trend Micro, are ALL supporting this initiative to lock non-TCPA computers out of the internet! #@%^$!

      If you are running Microsoft Windows you will be locked out of the internet unless you are running Palladium. If you are running Mac or Linux or anything else, you will be locked out of the internet unless you are running a Mac or Linux version of Palladium.

      I have repeatedly said in Trusted Computing discussions that sooner or later people not using it would start getting locked out of parts of the internet. Silly me, I thought that more and more websites would start using it and simply not serve you a page unless it was encrypted. I never considered that the basic internet hardware itself would deny you any connection at all! This is INSANE!

The problem with Trusted Computing is easy to fix. There is absolutely nothing wrong with new hardware, but the owner has to have actual control over his machine. The owner MUST have his key. He could receive that key on a printed piece of paper, or he could get it somehow during the Take_Ownership command. There is no POSSIBLE justification to deny the owner this information. There is no POSSIBLE way that the owner could lose any protection. The hardware could be identical, therefore the hardware can do everything it could before. The only difference is that the computer can no longer be hijacked as a weapon against its owner.

      This trivial difference preserves EVERY claimed benefit of Trusted Computing and eliminates EVERY possible abuse of TCPA. Those backing Trusted Computing will NEVER permit such a change in the system because the very purpose of Trusted Computing is to enforce DRM and other abuses.

  • nmap on a router? (Score:5, Interesting)

    by x-router ( 694339 ) < minus poet> on Thursday November 20, 2003 @10:07AM (#7519209)
I think what they are 'trying' to say is that the router itself will scan your machine in an nmap way to see if it can find problems.

    If it finds issues then it will drop you from the network or block that port / problem.

    Rather than check if you have the latest version of norton installed..but perhaps I read it wrong?

    • This is nothing new (Score:5, Informative)

      by arth1 ( 260657 ) on Thursday November 20, 2003 @10:26AM (#7519383) Homepage Journal
      Rather than check if you have the latest version of norton installed..but perhaps I read it wrong?

      The way I read it, their marketing department has just found out that LinkSys (now Cisco's subsidiary) has had this functionality for years now, where the cheapo firewall routers can be configured to not give access to the outside unless certain AV software is installed on the host. So it's marketed as a new innovation -- there's probably half a dozen patents filed for it already, plus a bunch of different names under which this can be marketed.
Problem is, it doesn't work except in very specific and small homogeneous installations.

    • Re:nmap on a router? (Score:2, Interesting)

      by bmedwar ( 693432 )
      My best guess is that you will VPN from your desktop to the edge router. This virtual connection will be signed so the router knows it can trust what your PC is reporting. The router won't establish the virtual connection unless you meet certain requirements in the info your PC sends during the handshake. After the connection is established, data will flow freely. This is my best (educated) guess.
    • Reading the article over on ZDNet indicates that this technology is targeted on Corporations. Corporate desktops would have a SW agent installed that talked to the Cisco devices (Switches more likely than routers). This SW agent would be designed to communicate with various AntiVirus software out there to ensure it is up to date. If it is not the Agent would tell the Switch not to talk to this PC (or, I imagine, put it on a special VLAN that had an update server for the AV software as well as a patch server
    • I think what they are 'trying' to say is the the router itself will scan your machine in a nmap way to see if it can find problems.

      From what I've heard, it's some kind of 802.1x extension which takes the patch status of the system into account. It requires a fair deal of cooperation from the host, and we'll see if it makes a difference. I'm sure malware will be adapted accordingly if there's widespread use of this functionality.

      The "scan before connect" idea has already been implemented by the NetReg [] p
  • Implications? (Score:5, Interesting)

    by spektr ( 466069 ) on Thursday November 20, 2003 @10:07AM (#7519211)
    Does this mean that I can't talk about viruses using code-samples over the internet? I can't download and study exploits anymore? If there is any possibility to encode the virus-code to circumvent the filter, then the virus can possibly do the same...
    • Re:Implications? (Score:4, Interesting)

      by GoofyBoy ( 44399 ) on Thursday November 20, 2003 @10:27AM (#7519390) Journal
Maybe even worse, it could be used for filtering out non-virus data, such as copyright infringing files or controversial political opinions.

      Then again, that might be just "Doesn't this shiny metallic hat look good on me?" talk.
    • Re:Implications? (Score:3, Insightful)

      by MoonFog ( 586818 )
      The article doesn't say much in the technical sense, but I would guess you could still swap source code etc. No antivirus software I've ever used has stopped me from downloading and / or sending source code.
      As for already compiled files ? We'll need a bit more information about what this AV will do, but I rarely send just one simple .exe file over to my friends for testing/debugging.
    • Re:Implications? (Score:2, Insightful)

      by forrestt ( 267374 )
      If you couldn't send code-samples, or study exploits anymore, you probably also couldn't download virus definition updates. I don't think that the anti-virus companies would agree to that since the updates are where they make their money.
    • I would guess just zipping it up would do for that.

Router/ISP-level virus blocking should only apply to the most prolific virii, which would probably have self-executing code in them..
  • LAN Systems (Score:4, Interesting)

    by grahamm ( 8844 ) <> on Thursday November 20, 2003 @10:07AM (#7519214) Homepage
    Will it check that every computer connected to an internal network, probably hidden behind an internal NATing router, has the appropriate protection installed?
    • Re:LAN Systems (Score:5, Insightful)

      by arth1 ( 260657 ) on Thursday November 20, 2003 @10:22AM (#7519337) Homepage Journal
      Also, how will the router check the security of devices where desktop security doesn't apply, like routers, printers, proxy servers, PDAs, or heck, even a promiscuous traffic logger?

      "Access to 'HP LaserJet 8000' on denied. The Cisco DRM system has determined that this host listens to ports (80/tcp, 135/tcp, 515/tcp), but does not run approved virus protection software." Yes, I can imagine explaining that to a vice president at 7am...

  • Questions (Score:2, Insightful)

    by popa ( 590190 )
    Damnit... first 3 comments are all trolls. Anyway, what will this mean as far as licensing issues? Right now you get a corp edition of virus software and that covers X amount of desktops. What about the guy that doesn't want the virus software, can it be disabled/purchased without? How would this work? Also, if I get a simple mail sending virus, how does my cisco KNOW that the email to my wife, and the viral email to my wife are different? I guess I don't need to worry about this, Cisco seems to be able to
  • If enough users install router-based virus blocking, then everyone will receive protection. This protection will be especially strong if routers at ISPs and in the backbone contain the filters. At the very least, a virus-hostile infrastructure will slow the spread of viruses - the doubling time for infected machines will be inversely proportional to the fraction of unfiltered virus messages.

    Mac users and *nix users need not worry as long as enough routers are configured and maintained to filter viruses
  • by pyite ( 140350 ) on Thursday November 20, 2003 @10:09AM (#7519229)
    We sort of do this at Rutgers University [] This summer was absolutely crazy for the network, due to all the worms and such. A new policy was instituted which requires users to visit a website which checks their operating system. If they're running Windows, they are *required* to download a scanner that checks for the relevant worms and installs Anti-Virus software. Users running alternative operating systems are completely exempt. It just says "There are currently no additional requirements for running Linux on the residential network." We've just begun shutting people off who fail to comply with the policy. I, for one, like it. However, the routers start to get overloaded if they have too many access control lists because they have trouble running them on the ASICs. So, they have to run in software mode, which starts to slow things down.
    • Use a blackhole routing system instead of ACLs. easier to manage and because it uses uRPF to do the drops, it's very hardware friendly. I posted a summary on NANOG about two weeks ago how I did this at the University of Wisconsin.
• Why do the pampered students need to be able to use their own PCs on the campus network anyway? Let them go to a computer centre where the machines have been set up correctly. Computers are not (yet) such a vital tool at uni that students need to be online 24/7, in fact I did a comp sci degree and didn't even OWN a computer much less have one plugged into the internet in my friggin room!
  • by DavidpFitz ( 136265 ) on Thursday November 20, 2003 @10:09AM (#7519234) Homepage Journal
The article doesn't say that client software is required at all... it says that after some checks the user may be prompted to download some software (presumably from an internal source) before it can connect to the internet.

However, if this original check is just done by some network security checking (ie. looking to see if there is a vulnerable version of SSH or a misconfigured IIS etc) then all that would need to be done would be to fix the potential exploit rather than install a piece of client software.

Potentially, this would just be like running nmap and other similar tools against the machine in question to test it out for net-worthiness.

    It could also check for open mail relays, which could help in the Fight Against Spam (tm).

    • The article doesn't say that client software is required at all... it says that after some checks the user may be prompted to download some software (presumably from an internal source) before it can connect to the internet.

      What I imagine that they are tackling is the problem of people connecting to the network without the latest patches and virus definitions installed. New installs and laptops tend to bite you.

      The way I would implement it would to have a server machine sitting on the network, providing
• This makes me wonder how hard it would be for ISP's to block DOS attacks at the router level. I've been studying my Cisco lately, and it seems readily doable, especially if the source of a ping flood or the like is known.
  • by cpghost ( 719344 ) on Thursday November 20, 2003 @10:11AM (#7519246) Homepage

End systems are not affected by routers dropping IP packets with harmful content. All that end systems see are IP packets. They may see fewer of them, if filtering is enabled on the router, but the packets have nothing special about them that would need AV software on the clients.

    But, a router doesn't always have to drop packets. It could tag them with a special marker, and clients could then react accordingly, e.g. by dropping them in their TCP/IP stack.

    This could be somewhat similar to what SpamAssassin does, when tagging spam mail with an X-Spam header. It's up to the mail user agent to decide what to do with mails tagged that way.

  • Hopefully, this is not going to happen.


I'll give someone a few bucks to help rid the entire planet of the crap that's out there. I don't know about you, but I'm sick and tired of ridding my clients (and friends, family, etc.) of all the bugs they get. If the ISP's can stop this crap at the routing level, man, I'm there. I'll happily pay the extra few bucks a month/year to make EVERYONE'S life easier.

    Yes, I use Linux (Gentoo represent!), but what's your point? I got a great OS for 100% fr
  • by Cytlid ( 95255 ) on Thursday November 20, 2003 @10:11AM (#7519254)
... and got my CCNA in June. We have a saying... "Let routers route and servers serve." Anti-virus is clearly an IT problem, but it's also a server responsibility. Not a router responsibility. I can't imagine supporting this. Every once in a while, we get someone (customer, whomever) who says "Oh! This new virus works on port 7654! Please block port 7654!" ... then I say "What happens if I run my website on port 7654? You can't get to it?". Limiting the function of a routing device because it might carry malicious code on an application level is a bad idea. This isn't a solution to the problem, this is another band-aid.
    • Amen... especially since blocking those ports only stops it until someone brings their infected laptop on the inside and BOOM you have an outbreak.

I work for a private university and during the luvsan outbreak even with all the interdepartment routers blocking its traffic we still ended up with rampant infections.

      The PHBs wondered how on earth that could happen... come to find out it was one of them... with their laptop and wireless card. They weren't even using the network at each location they went to
    • So exactly how do I remove the viruses that don't reside on my computer? These are the ones that generate all the crap traffic. I can drop at my router, but why should I clog my pipe. For the matter why would an ISP want to deal with traffic congestion on their core due to crap traffic? My providor has placed traffic shaping on my stream before, both on their own because they were so congested (and they notified me), and also at my request. The police patrol the street not my house on a regular basis, think

    • If you've got a CCNA, you know the difference between outbound and inbound ports. If the new virus works on port 7654, and I have nothing on my network that responds to inbound communications on port 7654, I have no need for that traffic. Rather than block it at my firewall, why not block it at my ISP to keep it off my inbound bandwidth?
• You argue for one side of the coin, where a layer 2 router does just that, and a layer 3 router inspects its data. A level 4.. 5.. so on and so on.. Best device for its job right?

      But you can argue the other way.

      All a router does is inspect a level of the network layer, pulls out some data, and pushes the traffic depending on that layer. So what's wrong with a router or switch inspecting one layer more? Routers and switches already do it on the mac and ip level. Nothing wrong w/ inspecting the applica
    • by Asprin ( 545477 )

      Agreed, but I don't think we'll get a *complete* solution to this until MS un-activates all of their APIs and rolls new ones out to the existing 9x-XP desktops. I think they can see the handwriting on the wall about this (and that's really why Linux and DRM are so important to them right now) but they are slow to implement the changes, let's face it, their entire corporate business model is strategerized around making it easy for developers to script, code and remotely activate EVERYTHING, and this is a con
  • by Smuj ( 249217 )
    Okay, first of all, this won't require anyone to install any client application anywhere. That's the point. The filters would steer away malware at the router, before it even reaches the user.

    Secondly, this is a good idea, so long as it's implemented only at gateways to private networks. Signature based filtering is bound to block some legit traffic, and network admins need to keep that in mind when implementing this kind of functionality.

    Third, Cisco routers already do this to some extent. You can bl
  • by pvt_medic ( 715692 ) on Thursday November 20, 2003 @10:13AM (#7519276)
This is an interesting approach that may prove to be effective. The problem in the past in fighting viruses is that you have to have each individual computer updated. Most computers just were not updated regularly, despite the development of automatic systems. But by placing strategic routers across the internet and having them filter through these you could effectively fight viruses as effectively as any AV software could. I know my university scans all incoming e-mails and cleanses them, I think I have only once in my career here then received an infected e-mail. You do get into some ethical dilemmas if you implement this on a global scale though. Is it ok for the backbone of the internet to filter content? It's one thing for an ISP to do this, but what if a country like China wants to deem certain traffic dangerous and have them cleansed by the routers as well. (maybe not the best example since they do have the great China firewall, but you get the picture)
  • This would just never work. I do not think people would be overjoyed at the prospect of needing "yet more security" to be purchased on top of their hardware and software. Why would running AV software be necessary if it gets stopped at the GW/ISP? Make it transparent to the user, in the end that is your customer, it should not be your job to make your customer jump through hoops in order to get the most out of their computer/internet connection, regardless of OS. Where would this leave the specialty operati
  • After reading the article, it seems like the router probes the source of 'suspect traffic' for known vulnerabilities, and if the source appears compromised, the router then quarantines/drops/whatevers the traffic until it can verify the source has been patched.

    Not a well written article though. Quite short on technical details; my interpretation could be wrong too.

  • Security measures (Score:5, Interesting)

    by pjrc ( 134994 ) <> on Thursday November 20, 2003 @10:17AM (#7519306) Homepage Journal
    From the article:

    Any device trying to connect to the network will be checked to see whether it has security measures already in place.

I just gotta wonder if this is going to look for any response on certain ports like 135-139, or if Cisco is specifically going to check for a proprietary response from the products of Network Asc, Symantec and Trend Micro?

    What it ought to do is a TCP fingerprint and look for any Microsoft Windows operating system.

    • So of course the very first thing virus writers will do is write code that makes your computer look like it should for the routers scanning it.

    • From what I've heard from Cisco (yesterday), it sounds like it is probably a proprietary response from the specific applications-- including Cisco's Security Agent, too, so you can't let the unprotected users get on (and infect) your internal network.

      I don't think Cisco's dumb enough to set it up so the response could be so easily faked. So it will take time to figure out how to, er, emulate those proprietary responses (*grin*).

      The OS fingerprinting is coming, too, a little further down the roadmap-- a
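The TCP fingerprint pjrc proposes above, and the reply that a host can simply make itself look like whatever the router expects, as an added example. This is not Cisco's or any vendor's code. The SYN packets are built inline for the demonstration, and the SIGNATURES table holds a few illustrative initial-TTL / window-size / option-order combinations that are an assumption of this example, not an authoritative fingerprint database.

```python
"""Passive TCP/IP fingerprint of a client's SYN (added example, not vendor code).

Assumptions: IPv4 without options beyond the header length field, a plain SYN
(no ACK), and the illustrative signature values in SIGNATURES below.
"""
import struct

# Constructed table keyed by (initial TTL, window, TCP option kinds in order).
SIGNATURES = {
    (64, 5840, (2, 4, 8, 1, 3)): "Linux 2.4/2.6 (illustrative)",
    (128, 65535, (2, 1, 1, 4)): "Windows 2000/XP (illustrative)",
    (128, 64240, (2, 1, 1, 4)): "Windows 2000/XP (illustrative)",
}

# Option bytes as a stack might emit them; both lengths are multiples of 4.
LINUX_OPTS = bytes([2, 4, 0x05, 0xB4,                  # MSS 1460
                    4, 2,                              # SACK permitted
                    8, 10, 0, 0, 0, 0, 0, 0, 0, 0,     # timestamps
                    1,                                 # NOP
                    3, 3, 7])                          # window scale 7
WINDOWS_OPTS = bytes([2, 4, 0x05, 0xB4,                # MSS 1460
                      1, 1,                            # NOP, NOP
                      4, 2])                           # SACK permitted


def initial_ttl(observed: int) -> int:
    """Round the hop-decremented TTL up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return observed


def tcp_option_kinds(opts: bytes) -> tuple:
    """Walk the TCP option list and return the option kinds in order."""
    kinds, i = [], 0
    while i < len(opts):
        kind = opts[i]
        kinds.append(kind)
        if kind == 0:              # end of option list
            break
        if kind == 1:              # NOP carries no length byte
            i += 1
            continue
        i += opts[i + 1]           # every other kind: kind, length, data
    return tuple(kinds)


def parse_syn(pkt: bytes) -> dict:
    """Pull TTL, window and option order out of an IPv4+TCP SYN."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    _, _, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF
    if not (flags & 0x02) or (flags & 0x10):
        raise ValueError("not a bare SYN")
    doff = (off_flags >> 12) * 4
    return {"ttl": pkt[8], "window": window,
            "options": tcp_option_kinds(tcp[20:doff])}


def fingerprint(pkt: bytes) -> str:
    f = parse_syn(pkt)
    key = (initial_ttl(f["ttl"]), f["window"], f["options"])
    return SIGNATURES.get(key, "unknown")


def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN for the demo (checksums left zero)."""
    assert len(options) % 4 == 0
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      (doff << 12) | 0x002, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return ip + tcp


if __name__ == "__main__":
    print(fingerprint(build_syn(52, 5840, LINUX_OPTS)))       # Linux, 12 hops out
    print(fingerprint(build_syn(117, 65535, WINDOWS_OPTS)))   # Windows, 11 hops out
    # A Linux box whose stack is tuned to emit these parameters classifies as
    # Windows: the check sees stack behaviour, not the OS.
    print(fingerprint(build_syn(128, 65535, WINDOWS_OPTS)))
```

Initial TTL, window size and option order are all settable from user space on most stacks, so the last call shows why the reply above expects malware (or a Linux user who wants on the network) to look exactly as the router wants.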

  • Router-based virus filtering is unlikely to work if too much traffic is over VPNs or in encrypted e-mails. Viruses in encrypted transmissions would pass unfiltered through all the intermediate routers. Overlapping VPNs (such as when multiple companies interconnect in a supply chain) create a potentially unfiltered path for viruses to spread far and wide.

    VPN and encryption users could protect themselves with other virus filters (or virus filtering on internal routers that handle plaintext). But, we all
  • I don't mind this (Score:4, Interesting)

    by digitalgimpus ( 468277 ) on Thursday November 20, 2003 @10:22AM (#7519344) Homepage
I'm sure an open source product will allow Mac/Nix users to access such networks (at no cost).

    Would make computing much more secure.

    It's still annoying for Mac/nix users to get thousands of annoying virus emails from their windows friends (if you can call them friends).

    Every product normally starts out with 1 company producing it... if it's good, normally clones come about.
  • by romcabrera ( 699616 ) on Thursday November 20, 2003 @10:23AM (#7519350) Homepage
    RTFA: This is about blocking "network access to any computer or device that doesn't have its own security measures in place".

    That is way veeery different. Stations will be ENFORCED to have installed this software in networks with this scheme. WTF???

  • by BuilderBob ( 661749 ) on Thursday November 20, 2003 @10:25AM (#7519363)

    It's entirely possible this article and the security program is directed at Windows users only. Neither Cisco nor the Anti-virus vendors are malicious enough (IMHO) to block Unix/Mac boxes because they don't need the anti-virus software the companies sell. The wild internet frontier of email-address-confirming porn and Gatorware is probably here to stay.

    It's also possible they might figure out a way to block certain versions of programs, say WuFTPd, from having an unsecured link to the outside world. This could help prevent a university network being used as a DDOS tool because a student didn't upgrade his ftp server. Or a mail server which doesn't smart-relay through an authenticating server to stop student PCs spamming.

    It's not always a virus that brings a network down. But when a university is forced to print 10,000 CDs with anti-virus and windows worm-removing tools to give to new students (who aren't allowed access to the university network if their box looks active on port 137) this might look like an alternative.

    The evil that it does bring is in the form of anti-Free networking, where Linux boxes are used to form cheap routers and gateways; without a Cisco(R)-Symantec(R) licensed monitoring system, your access to the larger internet may be limited by your upstream provider, a la Verisign certs.

    This system is probably for the intranet users to stop an OE/ IE virus bringing down their system before the poor tech guy patches the boxes.

  • Evil Bit (Score:2, Funny)

    by jeffy210 ( 214759 )
    Nah, they're going to solve the packet shaping issue by appending the "Evil bit" to the virus packets :)
  • From the article :
    Cisco, Network Associates, Symantec and Trend Micro will develop a new system for protecting networks against infection. The system, which the four firms hope to start selling early next year, will be able to block network access to any computer or device that doesn't have its own security measures in place.

    Isn't this sort of DRM-related? "its own security measures in place". Don't like the sound of that...

  • Anti-virus software cuts the speed and responsiveness of your system when starting processes in HALF. As a person who is always starting and stopping tools and utilities and apps, putting in AV would be a big no-go for me.

    I have a real firewall and a DSL Router, I don't use Outlook nor IE, my systems are patched, and I know how to recognize the trust level to place in places I visit on the web and to scan every single thing I download from the net and save to my HDD before I toy with them.

    I've been on the n
  • At one time I was getting 50 virii/day, all small variants of a few types. It would have been so much better for everyone to have them filtered at ISP level. Seems like an easy fix at router level.

    And no reason I can see why every one should have AV software because of this..
    I just happened to be at a Cisco / Synstar presentation on security and products yesterday. Some engineer from Cisco talked about that.

    It seems more like :
    - It is targeted at corporations who need to deal with more than just one entry point to their network, some of which are currently hard to deal with (VPNs from badly-secured home PCs, legacy dial-up access, laptops that have connected to other corporate networks and/or the Internet).
    - The idea seems more like having some sort of automated verification
  • by shoppa ( 464619 ) on Thursday November 20, 2003 @10:43AM (#7519519)
    If a site is so MS-centric that they require I use MS software to send them E-mail, then I don't want to send them E-mail. It's that simple. There is a well-established process (RFCs) for Internet standards. If someone chooses to ignore them, they're the ones going off into fantasy land.
  • According to the white paper on CCO this relies more on port based authentication and policy settings than on stateful inspection of the traffic flows across the router.

    This system uses a piece of code called the "Cisco Security Agent", in standalone, or as part of certain AV software, to check the configuration of the PC, prior to authenticating to the switch, for access to the network. Port authentication is already available today, so this is a natural extension of the 802.1X technology.

    Once the 802.1
  • This is a bad thing. Why? Because routers are one of those appliances, like toasters, that are supposed to Just Work. No magic, no "intelligence", no attempt to outguess the user - just do the damned job already. Route packets.

    As soon as that model is compromised, you have a new source of uncertainty every time you have to debug a network problem. When packets don't make it to their destination, is the problem a firewall at this end? Or at that end? OR - new possibility - funky anti-virus software o

  • I disagree... Why not just have the firmware inside the router programmed to read all incoming bits. Instead of just passing them, it would physically read the data coming through and just use the ISP as a relay to see if in fact this code is viral or not? The latency wouldn't be much of a big deal so long as the ISP puts up nice "big block" machines to handle the request loads...
  • And how, exactly, are they going to decide if my equipment is "secure"? I'll wager that if I hook my C64 up to the internet, it won't be susceptible to many viruses. I imagine the same is true of my vt340 terminal... but they probably aren't going to respond to some random probe that asks if they're secure.

    I'll say it again. A router's job is to ROUTE PACKETS. Nothing more, nothing less. If you want a firewall to keep virii out, get one. If your ISP wants a firewall to keep your virii off the net, TH
  • > Looking at it in a negative light however, it might mean that you're required to have anti-virus software installed in order to use the internet.

    Ummm... no. YOU won't have to have any installed, your ROUTER will. And, of course, that is IF somehow they make it mandatory for routers to contain some sort of an anti-virus protocol, which in my opinion and probably many others will never be mandatory.
  • What Cisco is developing is a Host Integrity System, something it lacks in its current offerings. A good example to use would be Sygate's Secure Enterprise.

    Cisco's new offering serves as a checkpoint at the router or L3 switch level. Hosts incoming must pass a certain set of criteria (MD5 hash of approved AV running, sig file at certain level, hotfix X installed) before they are allowed to pass. While previously used to protect remote users (Aventail and Checkpoint are good examples), Cisco is moving to
  • Hell, that's just irresponsible. Sure, mac/*nix have a dramatically decreased chance of virus infection ( argue why until you're blue in the face ), but that is no reason to be careless about it.
  • In the future, ISPs will no longer sell "Internet connections", they will instead sell AOL-esque access to the web and email. The access will be filtered against viruses, SPAM and will include parental controls and complete usage monitoring (which will deter kids from circumventing parental controls).

    People will pay money not to be SPAM'ed and not to have to worry about protecting their machine all the time. This will protect the net from most unprotected Windows machines.

    For home-workers, Cisco and s

  • > This can be a *big* problem for *nix/mac users which normally don't need or use AV software.

    I don't think most major ISPs would leave Mac users out in the cold, but I could easily see where they would give two rips about Lunix users (or require they upgrade to a "business" account which supports such operating systems that were designed to be used as "servers"). What I am more concerned with is freedom of choice:

    > In an unusual alliance among staunch competitors, Cisco Systems will collaborate w

  • If this is taken to its end conclusion, the HSD will get involved, and then mandate that you only use things that are on the 'approved' list.

    Be it hardware, OS, App software, tools.. your TV....

    And if you even TRY to run something else, your connection is severed, and the proper authorities are notified of the then illegal act...

    Yes, you will call me paranoid, just remember this in 5 years when it takes place... 10 Years ago people scoffed when I suggested 'data police'.. Now look, people are jailed for
  • by nvrrobx ( 71970 ) on Thursday November 20, 2003 @01:46PM (#7521270) Homepage
    Okay... This setup is usually called "client compliancy" and is starting to become common amongst VPN solutions. The VPN server will check your machine upon connection for antivirus software, virus definition version / dates, and possibly client firewall software.

    Saying that ISPs will start requiring it is purely speculation and sensationalism.. Oh wait, I am on Slashdot.

    Anyhow, just because a Mac doesn't get targeted for viruses much doesn't mean you shouldn't run antivirus software. What happens the day a Mac virus DOES get out in the wild? The same goes for *NIX systems.

    And, umm, yes, a Linux machine can be susceptible to Windows viruses. Think about a MS Word macro virus if you're using CrossOver Office and happen to have an infected file...

    Disclaimer: I work for a major antivirus company. If you don't use our product, you should at least have some sort of protection on your machine. There are some free alternatives, too.
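    The "client compliancy" check described in this comment, and the host-integrity criteria listed a few comments up (approved AV binary by digest, signature file at a minimum level, required hotfix installed, firewall on), amount to a policy evaluation over whatever the endpoint agent reports. The following is an added illustration written for this page, not Cisco's, Sygate's or any AV vendor's code: the `key=value;...` report format, the product names, the hotfix identifiers and the MD5 digests are all constructed for the example, and `Posture`, `Policy`, `parse_report` and `evaluate` are hypothetical names.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Constructed allow-list: agent product name -> expected MD5 of its binary.
# A real deployment would pin vendor-published digests; these are placeholders.
APPROVED_AGENTS = {
    "ExampleAV": "0123456789abcdef0123456789abcdef",
    "ExampleSecurityAgent": "fedcba9876543210fedcba9876543210",
}


@dataclass(frozen=True)
class Posture:
    """What the endpoint agent reports about the host asking for access."""
    av_product: Optional[str]
    av_binary_md5: Optional[str]
    sig_date: Optional[date]          # date of the installed AV signature file
    hotfixes: FrozenSet[str]          # installed hotfix identifiers
    firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    max_sig_age_days: int
    required_hotfixes: FrozenSet[str]
    require_firewall: bool


def parse_report(report: str) -> Posture:
    """Parse a constructed 'key=value;...' posture report into a Posture.

    The report format is invented for this example; a real agent would use
    its vendor's protocol. Missing keys are treated as 'not reported', which
    the policy below counts as a failure rather than a pass.
    """
    fields = {}
    for item in report.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    sig = fields.get("sigs")
    return Posture(
        av_product=fields.get("av") or None,
        av_binary_md5=(fields.get("md5") or "").lower() or None,
        sig_date=date.fromisoformat(sig) if sig else None,
        hotfixes=frozenset(h for h in fields.get("hotfix", "").split(",") if h),
        firewall_enabled=fields.get("fw") == "1",
    )


def evaluate(posture: Posture, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return ('admit', []) or ('quarantine', [reasons]) for the host.

    Every failing check is collected instead of short-circuiting, so the
    operator sees everything the host must fix before it is re-checked.
    """
    reasons: List[str] = []

    if posture.av_product is None:
        reasons.append("no antivirus agent reported")
    elif APPROVED_AGENTS.get(posture.av_product) != posture.av_binary_md5:
        reasons.append("antivirus agent not approved or binary digest mismatch")

    if posture.sig_date is None:
        reasons.append("no signature date reported")
    else:
        age = (today - posture.sig_date).days
        if age > policy.max_sig_age_days:
            reasons.append(f"signatures are {age} days old (max {policy.max_sig_age_days})")

    missing = sorted(policy.required_hotfixes - posture.hotfixes)
    if missing:
        reasons.append("missing hotfixes: " + ", ".join(missing))

    if policy.require_firewall and not posture.firewall_enabled:
        reasons.append("host firewall disabled")

    return ("admit" if not reasons else "quarantine", reasons)


# Constructed sample reports. A NAT gateway reports only its own posture; the
# hosts behind it are invisible to this check, which is the gap raised later in
# the thread.
COMPLIANT_REPORT = "av=ExampleAV;md5=0123456789ABCDEF0123456789abcdef;sigs=2003-11-18;hotfix=HF-1,HF-2;fw=1"
STALE_REPORT = "av=ExampleAV;md5=0123456789abcdef0123456789abcdef;sigs=2003-10-01;hotfix=HF-1;fw=0"

CORPORATE_POLICY = Policy(max_sig_age_days=7, required_hotfixes=frozenset({"HF-1", "HF-2"}), require_firewall=True)
CHECK_DATE = date(2003, 11, 20)


if __name__ == "__main__":
    for report in (COMPLIANT_REPORT, STALE_REPORT):
        decision, why = evaluate(parse_report(report), CORPORATE_POLICY, CHECK_DATE)
        print(decision, why)
```

    The check only sees what the agent says about itself: a host that reports nothing is quarantined, and the digest comparison is there so an unapproved binary cannot pass by name alone, but nothing in this scheme inspects traffic, which is why the gateway and NAT cases in the thread are out of its reach.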
  • by mabu ( 178417 ) * on Thursday November 20, 2003 @01:50PM (#7521319)
    This is yet another mafia subscription boondoggle that corporate America wants to foist on the public. It's also another security/business model that only is of value if worms and other undesirable traffic continues to propagate. The tech community should not buy into these schemes because they do not really cure the problem, merely promise a slightly-effective treatment (at best) that will require an ongoing investment of time, money and resources to even function.

    I keep saying, the best way to reduce worm propagation is through a sanctioned smtp whitelist since most compromised systems use smtp as the transmission vehicle, and most originate from spontaneous, unauthorized mail relays that the worms themselves introduce.

    As for other means of worm propagation, a compromised server would easily generate a typical DOS profile that a well-configured network should already identify and deal with, regardless of this client-server-extra-software provision Cisco is trying to impose, which would require constant updating and more money to maintain.
  • Eh? (Score:3, Informative)

    by wytcld ( 179112 ) on Thursday November 20, 2003 @01:58PM (#7521400) Homepage
    So the Cisco tries to check if the computer trying to connect has approved AV software running. The Cisco itself isn't running the software, it's forcing the connecting system to. If the system connecting is a *nix router doing NAT, with a bunch of Windows boxes behind it, what's the Cisco's behavior? If it goes back to the IP it sees a *nix box, but the traffic is from a Windows box which just might have a virus, unless good AV software is running on it (despite the firewall - your travelling staff just plugged in their laptop in the office).

    The only way this does any good is if the Cisco has the *nix box prove that it is running AV software doing content analysis on the stream from the Windows box, or else software that relays to the Windows box the demand to show credentials. Either way this means that there will likely be a necessary licensing fee for AV or credentials checking software for whatever router you want to have talk to a Cisco.

    Very clever. Cisco doesn't take the load on their hardware (except for the trivial task of demanding your licensed credentials), and forces you to license software from one of its partners, and to take the load on your hardware.

    This is sort of like the police responding to a burglary epidemic by requiring all homeowners to install lead shielding on their doors and windows, with a kickback to the police athletic fund for each shielding installation.
  • by edunbar93 ( 141167 ) on Thursday November 20, 2003 @03:37PM (#7522520)
    I'm the sysadmin for a small ISP. Some of our customers (namely, the corporate ones with lots of cash) already have this on a smaller scale. Their firewall/router checks to see if VirusScan is running on the end-users' computer, and if it's not, it installs it. At least, if you've bought enough licenses to cover all the workstations you have. Excess workstations don't get antivirus, and they also don't get online - at least until you shut that feature off for that IP. Of course, it's desirable to upgrade the number of licenses. It's pretty scary to be running a corporate network with only one computer not virus scanning when you see headlines like this one.

    So that's our corporate customers. We also have qmailscanner filtering all our mail using F-prot (they have per-server licenses for decent rates, not the retarded per-client ones that would quickly bankrupt any ISP), which cuts problems on our ADSL network by about 75% or more. It's worth noting however that even with a 2.3 GHz CPU, the server load is typically about 2.5 or 3.0 at any given time. This kind of scanning for the 150,000 messages a day we get would have been impossible only three years ago.

    Would we start using a router like the one Cisco came out with? Hell no. 10% of our customers actually have a clue, and they usually pay for a more expensive internet account. To lose hundreds of our best customers over something like this would be stupid. As well, if we used a router that required a specific virus scanner (like our corporate customers have), it could alienate as much as 60% of the people who have already bought a virus scanner that *isn't* the virus scanner the router requires.

    No. This is not something you subject the general public to.
