UTM that inspects VPN traffic for viruses?

UTM that inspects VPN traffic for viruses?

am 21.01.2008 16:31:12 von 1crazyrican

I have vendors that need remote access to my server. They have been
using RAS. Although the server had virus protection, we got hit with
something that disabled our file shares and caused a day of downtime.
I want to scan all traffic between our network and the Internet for
viruses, which means scanning VPN traffic as well as web browsing and
downloads. Is this possible? This is a 10 user envirnment, any
recommendations?

thanks

Re: UTM that inspects VPN traffic for viruses?

am 21.01.2008 22:12:32 von Flash Gordon

1crazyrican@gmail.com wrote, On 21/01/08 15:31:
> I have vendors that need remote access to my server. They have been
> using RAS. Although the server had virus protection, we got hit with
> something that disabled our file shares and caused a day of downtime.
> I want to scan all traffic between our network and the Internet for
> viruses, which means scanning VPN traffic as well as web browsing and
> downloads. Is this possible? This is a 10 user envirnment, any
> recommendations?

It is certainly possible, you just need to do it once the traffic has
popped out of the tunnel and is in the clear. I would also say that you
need a firewall that limits what your vendor can assess to the specific
machines and ports that the vendor needs access to, that way even if
they do have a virus there are limits on the mechanisms it could use to
spread to your network. If your vendor can place files on your systems
you might want an on-access virus scanner on all systems that the vendor
can access even if you would not bother otherwise. Finally, you might
want to limit the times your vendor can access your systems to being
only when they really need to (i.e. you have phoned them up and asked
them to investigate something).

I'm actually in the position of being employed by a vendor and needing
remote access to customer systems, and some of the restrictions can be
annoying, but if I was the customer I would want to lock down tight what
the vendor can do.
--
Flash Gordon

Re: UTM that inspects VPN traffic for viruses?

am 22.01.2008 04:30:25 von 1crazyrican

On Jan 21, 4:12=A0pm, Flash Gordon wrote:
> 1crazyri...@gmail.com wrote, On 21/01/08 15:31:
>
> > I have vendors that need remote access to my server. They have been
> > using RAS. Although the server had virus protection, we got hit with
> > something that disabled our file shares and caused a day of downtime.
> > I want to scan all traffic between our network and the Internet for
> > viruses, which means scanning VPN traffic as well as web browsing and
> > downloads. Is this possible? This is a 10 user envirnment, any
> > recommendations?
>
> It is certainly possible, you just need to do it once the traffic has
> popped out of the tunnel and is in the clear. I would also say that you
> need a firewall that limits what your vendor can assess to the specific
> machines and ports that the vendor needs access to, that way even if
> they do have a virus there are limits on the mechanisms it could use to
> spread to your network. If your vendor can place files on your systems
> you might want an on-access virus scanner on all systems that the vendor
> can access even if you would not bother otherwise. Finally, you might
> want to limit the times your vendor can access your systems to being
> only when they really need to (i.e. you have phoned them up and asked
> them to investigate something).
>
> I'm actually in the position of being employed by a vendor and needing
> remote access to customer systems, and some of the restrictions can be
> annoying, but if I was the customer I would want to lock down tight what
> the vendor can do.
> --
> Flash Gordon

Thanks, the information was helpful. So you're saying there aren't any
devices that can inspect VPN traffic that you know of?
thanks again

Re: UTM that inspects VPN traffic for viruses?

am 22.01.2008 21:37:10 von Wolfgang Kueter

1crazyrican@gmail.com wrote:


> Thanks, the information was helpful. So you're saying there aren't any
> devices that can inspect VPN traffic that you know of?

If a device can decrypt (and scan) the traffic on the way between the 2
encryption endpoints a VPN is no longer what its name implies - *private*
and security for the trafic does no longer exist.

So content filtering (scanning) can only take place after decryption by one
of the trusted VPN endpoints.

Depending on firewall modell traffic through VPN-Tunnels can be filtered by
interface(s), source, destination, destination port etc.

If you want to do content filtering you'll need some sort of proxy/content
filter behind the gateway or sometimes integrated into the gateway. UTM
boxes offer usually proxies/content filters only for http, ftp, smtp, pop3
and seldom if ever for the SMB stuff (Microsoft network services) or even
RDP.

Wolfgang

Re: UTM that inspects VPN traffic for viruses?

am 23.01.2008 12:53:08 von arjunhegde

On Jan 21, 7:31=A0pm, 1crazyri...@gmail.com wrote:
> I have vendors that need remote access to my server. They have been
> using RAS. Although the server had virus protection, we got hit with
> something that disabled our file shares and caused a day of downtime.
> I want to scan all traffic between our network and the Internet for
> viruses, which means scanning VPN traffic as well as web browsing and
> downloads. Is this possible? This is a 10 user envirnment, any
> recommendations?
>
> thanks

all u need to do is find a firewall which can act as a vpn
accelerator...

Re: UTM that inspects VPN traffic for viruses?

am 23.01.2008 21:19:08 von Wolfgang Kueter

Arjun wrote:


> all u need to do is find a firewall which can act as a vpn
> accelerator...

Complete nonsense, why don't you keep quiet when you are clueless?

Wolfgang

Re: UTM that inspects VPN traffic for viruses?

am 24.01.2008 07:25:05 von Sean

Scanning the content of a secure connection would be considered as a
'man-in-the-middle' attach and would completely defeat the purpose.

Scanning incoming content from the Internet is no problems. I use
SafeSquid as content filtering proxy to control access to the net,
which is integrated with ClamAV to do just that at the gateway, with
satisfactory results. SafeSquid also has a buit-in connectivity to
other commercial AVs like Dr. Web, NOD32, Kaspersky, Sophos, Avast,
Trend Micro, Symantec, etc.

I don't know if this can be done, but this is just an idea, if it
would be helpful.
SafeSquid can also be deployed as a reverse proxy. You can granularly
configure who is allowed to access what, when and how much. So, I
think it should be possible to define IP based or authentication based
rules for the vendors, and define what they are allowed to access?
Again, all the content that you receive from the vendors, can also be
scanned. Would that be a workable solution?

Re: UTM that inspects VPN traffic for viruses?

am 24.01.2008 09:34:18 von arjunhegde

On Jan 24, 12:19=A0am, Wolfgang Kueter wrote:
> Arjun wrote:
> > all u need to do is find a firewall which can act as a vpn
> > accelerator...
>
> Complete nonsense, why don't you keep quiet when you are clueless?
>
> Wolfgang


wats rong with that..... confirm urself buddy...

Re: UTM that inspects VPN traffic for viruses?

am 25.01.2008 20:35:19 von 1crazyrican

On Jan 24, 1:25=A0am, Sean wrote:
> Scanning the content of a secure connection would be considered as a
> 'man-in-the-middle' attach and would completely defeat the purpose.
>
> Scanning incoming content from the Internet is no problems. I use
> SafeSquid as content filtering proxy to control access to the net,
> which is integrated with ClamAV to do just that at the gateway, with
> satisfactory results. SafeSquid also has a buit-in connectivity to
> other commercial AVs like Dr. Web, NOD32, Kaspersky, Sophos, Avast,
> Trend Micro, Symantec, etc.
>
> I don't know if this can be done, but this is just an idea, if it
> would be helpful.
> SafeSquid can also be deployed as a reverse proxy. You can granularly
> configure who is allowed to access what, when and how much. So, I
> think it should be possible to define IP based or authentication based
> rules for the vendors, and define what they are allowed to access?
> Again, all the content that you receive from the vendors, can also be
> scanned. Would that be a workable solution?

I understand the concept of a VPN tunnel and how it is encrypted to
protect the data, but if my firewall is the endpoint, and it is
encrypting/decrypting data, doesn't that mean that it should be able
to inspect the data for malware? I did a google and came up with the
paragraph below. I am aware that the device is intended for managed
service providers but the concept is the same and I would imagine it
could be provided on a device for a a small to medium business.
thanks!

"MSSP: Virus-Free managed VPN Service
Taking advantage of Fortinet's integrated antivirus protection,
managed service providers can deliver the industry's most secure VPN
service by enabling Fortinet's advanced antivirus engine to block
incoming and outgoing VPN traffic that contains viruses, worms,
trojans, spyware and other malicious content to prevent virus
outbreaks from spreading from office to office. As an added benefit,
Fortinet's flexible VPN architecture allows for interoperability with
most IPSec VPN gateways. Regardless of the VPN CPE the customer has in
place, the FortiGate system deployed at the core will ensure virus-
free VPN traffic."
http://www.fortinet.com/solutions/vpn.html

Re: UTM that inspects VPN traffic for viruses?

am 26.01.2008 07:26:17 von arjunhegde

On Jan 25, 11:35=A0pm, 1crazyri...@gmail.com wrote:
> On Jan 24, 1:25=A0am, Sean wrote:
>
>
>
>
>
> > Scanning the content of a secure connection would be considered as a
> > 'man-in-the-middle' attach and would completely defeat the purpose.
>
> > Scanning incoming content from the Internet is no problems. I use
> > SafeSquid as content filtering proxy to control access to the net,
> > which is integrated with ClamAV to do just that at the gateway, with
> > satisfactory results. SafeSquid also has a buit-in connectivity to
> > other commercial AVs like Dr. Web, NOD32, Kaspersky, Sophos, Avast,
> > Trend Micro, Symantec, etc.
>
> > I don't know if this can be done, but this is just an idea, if it
> > would be helpful.
> > SafeSquid can also be deployed as a reverse proxy. You can granularly
> > configure who is allowed to access what, when and how much. So, I
> > think it should be possible to define IP based or authentication based
> > rules for the vendors, and define what they are allowed to access?
> > Again, all the content that you receive from the vendors, can also be
> > scanned. Would that be a workable solution?
>
> I understand the concept of a VPN tunnel and how it is encrypted to
> protect the data, but if my firewall is the endpoint, and it is
> encrypting/decrypting data, doesn't that mean that it should be able
> to inspect the data for malware? =A0I did a google and came up with the
> paragraph below. I am aware that the device is intended for managed
> service providers but the concept is the same and I would imagine it
> could be provided on a device for a a small to medium business.
> thanks!
>
> "MSSP: Virus-Free managed VPN Service
> Taking advantage of Fortinet's integrated antivirus protection,
> managed service providers can deliver the industry's most secure VPN
> service by enabling Fortinet's advanced antivirus engine to block
> incoming and outgoing VPN traffic that contains viruses, worms,
> trojans, spyware and other malicious content to prevent virus
> outbreaks from spreading from office to office. As an added benefit,
> Fortinet's flexible VPN architecture allows for interoperability with
> most IPSec VPN gateways. Regardless of the VPN CPE the customer has in
> place, the FortiGate system deployed at the core will ensure virus-
> free VPN traffic."http://www.fortinet.com/solutions/vpn.html- Hide quoted =
text -
>
> - Show quoted text -

as i told if ur firewall is goin to act a VPN gateway the UTM solution
could very well do that...instead if your vpn gateway is inside
firewall then UTM will not be able to check into the content (as it's
encrypted)...hope u get it..

Re: UTM that inspects VPN traffic for viruses?

am 26.01.2008 17:19:44 von 1crazyrican

On Jan 26, 1:26=A0am, Arjun wrote:
> On Jan 25, 11:35=A0pm, 1crazyri...@gmail.com wrote:
>
>
>
>
>
> > On Jan 24, 1:25=A0am, Sean wrote:
>
> > > Scanning the content of a secure connection would be considered as a
> > > 'man-in-the-middle' attach and would completely defeat the purpose.
>
> > > Scanning incoming content from the Internet is no problems. I use
> > > SafeSquid as content filtering proxy to control access to the net,
> > > which is integrated with ClamAV to do just that at the gateway, with
> > > satisfactory results. SafeSquid also has a buit-in connectivity to
> > > other commercial AVs like Dr. Web, NOD32, Kaspersky, Sophos, Avast,
> > > Trend Micro, Symantec, etc.
>
> > > I don't know if this can be done, but this is just an idea, if it
> > > would be helpful.
> > > SafeSquid can also be deployed as a reverse proxy. You can granularly
> > > configure who is allowed to access what, when and how much. So, I
> > > think it should be possible to define IP based or authentication based=

> > > rules for the vendors, and define what they are allowed to access?
> > > Again, all the content that you receive from the vendors, can also be
> > > scanned. Would that be a workable solution?
>
> > I understand the concept of a VPN tunnel and how it is encrypted to
> > protect the data, but if my firewall is the endpoint, and it is
> > encrypting/decrypting data, doesn't that mean that it should be able
> > to inspect the data for malware? =A0I did a google and came up with the
> > paragraph below. I am aware that the device is intended for managed
> > service providers but the concept is the same and I would imagine it
> > could be provided on a device for a a small to medium business.
> > thanks!
>
> > "MSSP: Virus-Free managed VPN Service
> > Taking advantage of Fortinet's integrated antivirus protection,
> > managed service providers can deliver the industry's most secure VPN
> > service by enabling Fortinet's advanced antivirus engine to block
> > incoming and outgoing VPN traffic that contains viruses, worms,
> > trojans, spyware and other malicious content to prevent virus
> > outbreaks from spreading from office to office. As an added benefit,
> > Fortinet's flexible VPN architecture allows for interoperability with
> > most IPSec VPN gateways. Regardless of the VPN CPE the customer has in
> > place, the FortiGate system deployed at the core will ensure virus-
> > free VPN traffic."http://www.fortinet.com/solutions/vpn.html-Hide quoted=
text -
>
> > - Show quoted text -
>
> as i told if ur firewall is goin to act a VPN gateway the UTM solution
> could very well do that...instead if your vpn gateway is inside
> firewall then UTM will not be able to check into the content (as it's
> encrypted)...hope u get it..- Hide quoted text -
>
> - Show quoted text -

Got it, and thanks.