Fire-Proofing Your Network With UTM
Scanning for Viruses and Spyware

However, there is a price to be paid: scanning requires CPU and memory, which significantly reduces UTM throughput. Network operators must strike a reasonable balance between risk and reward. Small businesses often find UTM anti-virus/spyware performance acceptable and well worth the investment, while large enterprises are far less likely to scan at the outer perimeter. When making your choice, consider the tuning knobs that control which traffic is scanned and how many resources are consumed. For example, the MX1004 offers two scan engines: a Sophos signature-based virus scanner and a behavior-based Virus Prevent System (VPS). Settings determine whether the appliance applies one or both engines to HTTP, FTP, SMTP, and/or POP3 (Figure 3-5). Selected file attachments can also be scanned or skipped based on file extension. Advanced parameters tune performance by limiting scanned message size, concurrent scans, timeouts, and quarantined messages.
These global options make it easy to scan high-risk application messages for virus and spyware payload without imposing that overhead on other traffic. However, the MX1004 cannot scan for viruses carried by other protocols or encrypted/password-protected files. For example, when we e-mailed and downloaded 30+ live viruses, the appliance caught all but one: a Bagle worm zip file caught by our desktop anti-virus (Figure 3-6). Note that POP3 users are told whenever virus or spyware payloads are found. Due to resource requirements, you may not want your network to quarantine them. The MX1004 can do so, but managing quarantined files falls to the administrator. We found that Sophos-linked virus alerts provided enough information that we opted to disable appliance quarantine after testing (Figure 3-7).
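The two paragraphs above describe a per-protocol scan policy (which protocols the engines inspect, an extension skip list, a scanned-size limit) and the traffic the appliance cannot inspect at all (other protocols, encrypted or password-protected files). The following added example models that policy in Python so the coverage gap can be measured rather than guessed at; it is not the MX1004's own code or the review's test set. The policy fields, the `classify` / `coverage_report` helpers and the sample messages are assumptions constructed for illustration, and the "encrypted" zip is a plain zip whose header flag bit is patched, not real encryption.

```python
"""Model of a UTM-style per-protocol scan policy (added example, not the
appliance's code).  For each message it reports whether a scanner would
scan it, skip it under a tuning knob, or be unable to inspect it at all."""
import io
import struct
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanPolicy:
    """Hypothetical knobs mirroring the settings described above."""
    protocols: frozenset          # protocols the engines are enabled for
    skip_extensions: frozenset    # attachments passed through unscanned
    max_message_bytes: int        # 'limit scanned message size' knob


@dataclass(frozen=True)
class Message:
    protocol: str
    filename: str
    payload: bytes


ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag (offset 6 of the local file header)
    marks a password-protected entry; a scanner cannot open such a file."""
    if not data.startswith(ZIP_LOCAL_HEADER) or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x1)


def classify(policy: ScanPolicy, msg: Message) -> tuple:
    """Return (decision, reason) with decision in {scan, skip, unscannable}.
    Checks are ordered the way the appliance description implies: protocol
    coverage first, then the tuning knobs, then what the engine can open."""
    if msg.protocol not in policy.protocols:
        return "unscannable", f"{msg.protocol} is not an inspected protocol"
    ext = msg.filename.rsplit(".", 1)[-1].lower() if "." in msg.filename else ""
    if ext in policy.skip_extensions:
        return "skip", f".{ext} is on the skip list"
    if len(msg.payload) > policy.max_message_bytes:
        return "skip", "message exceeds the scanned-size limit"
    if zip_is_encrypted(msg.payload):
        return "unscannable", "password-protected archive"
    return "scan", "handed to the scan engine(s)"


def coverage_report(policy: ScanPolicy, messages) -> dict:
    """Count decisions.  'unscannable' is the number to watch: those files
    reach the desktop with no perimeter inspection, so desktop AV must
    remain the control for them."""
    counts = {"scan": 0, "skip": 0, "unscannable": 0}
    for m in messages:
        counts[classify(policy, m)[0]] += 1
    return counts


def make_zip(name: str, content: bytes, encrypted: bool = False) -> bytes:
    """Constructed sample: a one-entry zip.  With encrypted=True the header's
    flag bit is patched so it claims a password-protected entry (the data is
    not actually encrypted; this only exercises the policy check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1
    return bytes(data)


POLICY = ScanPolicy(
    protocols=frozenset({"HTTP", "FTP", "SMTP", "POP3"}),
    skip_extensions=frozenset({"jpg", "png"}),
    max_message_bytes=10 * 1024 * 1024,
)

# Constructed traffic, not the review's live-virus test set.
SAMPLES = [
    Message("SMTP", "invoice.zip", make_zip("invoice.exe", b"MZ" + b"\0" * 64)),
    Message("POP3", "holiday.zip", make_zip("worm.exe", b"MZ" + b"\0" * 64, encrypted=True)),
    Message("HTTP", "photo.jpg", b"\xff\xd8\xff" + b"\0" * 16),
    Message("SMTP", "big.iso", b"\0" * (11 * 1024 * 1024)),
    Message("IMAP", "report.doc", b"\xd0\xcf\x11\xe0" + b"\0" * 32),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.protocol, m.filename, *classify(POLICY, m))
    print(coverage_report(POLICY, SAMPLES))
```

Running the script lists each sample with its decision and then the totals; in this constructed set two of five messages never reach the engines (the IMAP download and the password-protected zip), which is exactly the kind of gap the review's missed Bagle zip illustrates and the reason desktop anti-virus stays in place behind a UTM.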