Get IT Done: Implement a four-layer virus prevention strategy

Prevent computer virus infection with a four-layer security strategy


The threat of damaging computer viruses and the need for good antivirus software are greater than ever. Many organizations have already learned the painful and costly reality of leaving their networks unprotected against viruses. Once you are on board with the idea of implementing a thorough antivirus strategy, it's time to discuss how best to accomplish it within your infrastructure.

A network infrastructure can traditionally be divided into three distinct layers that require virus protection:
  • Layer 1—Internet (SMTP) gateways
  • Layer 2—Servers (messaging, application, file and print, etc.)
  • Layer 3—Clients (desktops and laptops)

However, with the explosive growth of handheld devices, I think it is prudent for companies to incorporate a fourth layer into the equation as well:
  • Layer 4—PDA devices (specifically Palms and/or Pocket PCs)

Figure A illustrates this scheme.

Figure A: The four layers of network infrastructure

I don't believe anyone would dispute the merits of protecting layers 2 and 3. What often gets missed is the first layer. This is really the most important layer. Almost all viruses are being spread via the Internet, either by way of e-mail transfer or Web browsing. Theoretically, if you can secure the first layer so that viruses can’t enter the organization, then protecting layers 2 and 3 is practically unnecessary. I say “in theory” because in practice there are more ways to become infected than simply the Internet, and the technology to protect against new Web-based viruses is still rather immature.

Let's take a look at virus protection for each of these four layers.

Layer 1: Internet gateways
The first layer of protection should really encompass two components: rules-based policy enforcement and virus scanning.

By having rules-based policy enforcement, we can create rules that block viruses based on known content (e.g., I LOVE YOU in the subject line) even before the antivirus manufacturers have released a signature. In addition, rules can be applied to look for old viruses that may since have been reclassified as hoaxes. For example, some antivirus manufacturers have classified the COKEGIF.EXE "virus" as merely a hoax, and their virus engines no longer block messages containing the attachment.
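As an added illustration of the rules-based component (example code written for this page, not the article's own tooling or any vendor's product), the following Python filter applies the two content rules the article mentions to parsed messages. The rule names, the sample messages and the whitespace-insensitive subject match are constructed for the example.

```python
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    matches: Callable[[EmailMessage], bool]

def _fold(s: str) -> str:
    # Lower-case and drop whitespace so "I LOVE YOU" also matches "ILOVEYOU"
    return "".join(s.lower().split())

def subject_contains(text: str) -> Callable[[EmailMessage], bool]:
    return lambda msg: _fold(text) in _fold(msg.get("Subject") or "")

def attachment_named(filename: str) -> Callable[[EmailMessage], bool]:
    # Match the declared attachment filename, ignoring case
    def check(msg: EmailMessage) -> bool:
        return any((part.get_filename() or "").lower() == filename.lower()
                   for part in msg.iter_attachments())
    return check

# Rules built from the article's two examples: the ILOVEYOU subject line and the
# COKEGIF.EXE attachment that some engines stopped blocking once it was called a hoax
RULES = [
    Rule("block-iloveyou-subject", subject_contains("I LOVE YOU")),
    Rule("block-cokegif-attachment", attachment_named("COKEGIF.EXE")),
]

def evaluate(raw: bytes, rules=RULES) -> Optional[str]:
    """Return the name of the first matching rule (block), or None (deliver)."""
    msg = message_from_bytes(raw, policy=policy.default)
    for rule in rules:
        if rule.matches(msg):
            return rule.name
    return None

# Constructed sample messages, not real captures
HOAX_MSG = (
    b"From: a@example.test\r\nSubject: Fwd: funny\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
    b"--XX\r\nContent-Type: text/plain\r\n\r\nlook at this\r\n"
    b"--XX\r\nContent-Type: application/octet-stream; name=\"CokeGif.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"CokeGif.exe\"\r\n\r\nMZ...\r\n--XX--\r\n"
)
WORM_MSG = b"From: a@example.test\r\nSubject: ILOVEYOU\r\n\r\nkindly check the attached\r\n"
CLEAN_MSG = b"From: a@example.test\r\nSubject: Q3 budget\r\n\r\nNumbers attached later.\r\n"
```

Because the rules key on the declared subject and filename, they are a stopgap that buys time until a signature ships, not a replacement for the scanning component.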

By having virus protection at the first layer, organizations can trap and block viruses at perhaps one or two gateways for the entire company. Once a virus has entered, a company must rely on the server agents to take over. They are then forced to scan and cure the virus for many servers vs. one gateway. If for some reason the virus slips past the server layer, the business is then forced to rely on antivirus software at the client layer, which will involve potentially hundreds or thousands of nodes. Simple math dictates that stopping the virus immediately at the first layer is the most effective solution.

If a company doesn’t manage its own Internet gateway, it’s left to rely on its Internet service provider (ISP) to provide protection. If the ISP does not offer antivirus service or if it charges too much, switching service providers should be considered.

Regardless of who provides the service, accurate and timely reporting is necessary. When the AnnaK virus was in the main, our organization blocked over 300 occurrences within the first few hours. This reporting was useful for two reasons. First, it validated the expense of installing and operating the Internet antivirus software and ensured its continued funding and support from senior management. Second, it helped us identify who the sources of the viruses were. This enabled us to pinpoint and tighten up the virus vulnerabilities found with several of our business partners.

Layer 2: Servers
The next layer is the server layer. Relying on your desktop computers to have their virus protection running is not enough. Within our organization, at any given time, I can guarantee that there are dozens of computers that have the antivirus software either disabled, uninstalled, or crippled in some form or another.

You need to have protection on every server where people are saving files or storing e-mail messages. On these servers, your antivirus software must be configured to provide real-time protection as well as scheduled scanning protection. If you rely strictly on scheduled scanning and a virus makes its way onto a server in a public location, it may replicate and/or infect many workstations before you are able to deal with it during the nightly scanning process.

Layer 3: Clients
The desktop and laptop layer represents the largest, and possibly the most difficult, layer to protect. By accident, neglect, or intentional disabling, clients have the ability to cripple their antivirus software. Antivirus signatures need to be current, real-time monitoring must be enabled, and scheduled scanning should take place frequently.

Within our own organization, we've gone one step further and written some intelligence into our logon scripts to ensure that the antivirus software version installed is current. If it isn’t, a proper (and updated) version of the software is pushed out. No workstation is allowed on our network without being properly configured for virus protection, including dial-up computers accessing the network remotely.

Newer generations of antivirus software, such as McAfee's ePolicy Orchestrator, will automate this detection and distribution for you. It is also essential that you have a method for reporting workstations that are not up to date. Invariably, the handful of clients that are not current will cause the most grief within an organization.
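An added example of the reporting method the client layer calls for (written for this page, not the article's logon script or any vendor product): a Python report over constructed per-workstation inventory records that flags the three failures the article names, assuming policy thresholds of a minimum engine version and a one-week maximum age for signatures and scheduled scans.

```python
from datetime import date

# Assumed policy thresholds (the article gives none); tune to your environment
REQUIRED_ENGINE = (4, 5, 1)    # minimum engine version, compared as a tuple
MAX_SIGNATURE_AGE_DAYS = 7     # signatures must be no more than a week old
MAX_SCAN_AGE_DAYS = 7          # a scheduled scan must have run within a week

def parse_version(text: str) -> tuple:
    # "4.10.0" -> (4, 10, 0); a plain string compare would sort 4.10 before 4.5
    return tuple(int(p) for p in text.split("."))

def check_node(rec: dict, today: date) -> list:
    """Return every policy violation for one inventory record (empty list = compliant)."""
    if rec["engine"] is None:
        return ["antivirus not installed"]
    problems = []
    if parse_version(rec["engine"]) < REQUIRED_ENGINE:
        problems.append(f"engine {rec['engine']} older than required")
    if (today - rec["signatures"]).days > MAX_SIGNATURE_AGE_DAYS:
        problems.append("signatures out of date")
    if not rec["realtime"]:
        problems.append("real-time protection disabled")
    if rec["last_scan"] is None or (today - rec["last_scan"]).days > MAX_SCAN_AGE_DAYS:
        problems.append("no scheduled scan in the last week")
    return problems

def report(records: list, today: date) -> dict:
    """Map hostname -> violations for every node that fails at least one check."""
    return {r["host"]: p for r in records if (p := check_node(r, today))}

# Constructed sample inventory, as a logon script might post it to a central share
AS_OF = date(2001, 6, 12)  # constructed "today" for the sample
INVENTORY = [
    {"host": "ws01", "engine": "4.5.1", "signatures": date(2001, 6, 10), "realtime": True,  "last_scan": date(2001, 6, 9)},
    {"host": "ws02", "engine": "4.0.3", "signatures": date(2001, 5, 1),  "realtime": True,  "last_scan": date(2001, 6, 9)},
    {"host": "ws03", "engine": "4.5.1", "signatures": date(2001, 6, 10), "realtime": False, "last_scan": None},
    {"host": "lt07", "engine": None,    "signatures": None,              "realtime": False, "last_scan": None},
]
```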

Layer 4: PDA devices
The PDA layer is a relatively new layer to add to the equation. While PDAs have been around for quite some time now, it’s only recently that viruses have started cropping up for these devices. Correspondingly, antivirus manufacturers have started, albeit rather slowly, releasing software to protect such devices.

I anticipate that this will be a whole new arena for virus creators to play around in, especially knowing how exposed most PDAs are. Once the PDA is infected, who's to say some clever individual won't have found a way to infect the desktop via the syncing process? Not all antivirus manufacturers are providing the same protection for Palms as they are for Pocket PCs. If you have both in your organization, your best move is to select software that will protect both types of devices, rather than one piece of software for Palms and another for Pocket PCs. Having more software to maintain will only add to your management burden.

Bringing it together
Obviously, this process involves a fair amount of work and cost—but then, most everything that is worthwhile does. The effort you invest up front will more than pay for itself the next time there's a major virus outbreak. You'll enjoy that smug feeling of knowing that your colleagues in the industry are madly scrambling to contain the damage done by the next contagious infection.

How do you currently handle virus protection?
Are you covered on all four layers? We look forward to getting your input and hearing about your experiences regarding this topic.