Do We Need A Hybrid Approach To Fighting Spam And Viruses?
from the on-the-network-or-on-the-desktop? dept
There’s an ongoing battle about how to best fight threats like spam and viruses (and spyware and trojans and worms, etc…). Some think that it should be at the network level, where an ISP or a company can set up filters, while others believe it needs to be at the desktop. In an interview with the CTO for MessageLabs (makers of “managed email security products” – so you know where his bias is) he makes the compelling case for moving the protection up to the network level (of course, he means using MessageLabs’ solution). His argument is that you can keep filters much more up-to-date at the network level, even to the point of updating them multiple times per day. It also removes the hassle of end-users getting anywhere near some of these malicious files – some of which use social engineering tricks to get users to do things they shouldn’t. Of course, he’s only telling half the story. Blocking at the network level is increasingly becoming a necessity, but it assumes that users always access the internet in the same way. These days, with laptops and things like WiFi, people access the internet from many different places, and you don’t always know who’s managing the network protection. You also don’t know who might be connecting to your local network – and what sort of nasty stuff they’ve already been exposed to. It seems that a hybrid approach is going to become increasingly important. Some have said the trend needs to move from “scan and block” to “comply and connect” – which may represent the hybrid approach that things are heading towards. You allow most of the filtering to still occur on the network, but you don’t allow an individual machine to connect to a network unless it’s been shown to “comply” with whatever security policies have been established. While more corporate users are moving in this direction, it may be time for residential broadband service providers to look at providing similar solutions themselves. The issue, as always, is how much control people are willing to give their service providers. No one wants to be denied a connection because suddenly their ISP says they haven’t complied with some weird security aspect that the user knows they have complied with. However, as these malicious attacks get worse, it’s likely that we’re going to move closer to a world where getting on the network is going to mean proving you’re clean, while network level machines will be required to block out the nastiest attacks.
Comments on “Do We Need A Hybrid Approach To Fighting Spam And Viruses?”
Ahhh... I've already spotted a few flaws with 'com
Picture the scene…
I attempt to connect to the net only to be told by my ISP that I’m not complying with the latest security patches.
My connection is denide is by ISP: where do I get my patches from now my ISP has kicked me off the net?
Use a ‘backup’ ISP? What if I don’t comply with there rules either?
The only way for this to work is if your ISP allows you limited access to download your patches.
I’m a (shameless) geek – I don’t mind doing this because I understand the implications and have enough savvy to install the patches.
What about ‘Average Joe/Joseline’ User?
What if the patch is a 10MB OS patch and the user is on a dial up?
What if the patch requires a reboot and the machine CAN’T be rebooted right now?
To make this work for the majority of (non geek) net users, these patches would have to implemented using something like Microsoft’s Update (as automatic as possible)… and we know what bad feeling Microsoft update generated.
Can you imaging all those *nix users out their screaming blue murder because their ISP has FORCED them to install something?
It’s a great idea in theory, but the practicality is probably unworkable.
It's down to MS and ISPs
If broadband ISPs gave out free firewalls (routers, not ZoneAlarm) then it would probably kill off 90% of the trojans to start with – Hell it would have saved you from Sasser!
Windows should come with some sort of AV package by default – maybe MS should buy Symantec?! That would kill off some more viruses.
If Outlook (or the whole MS HTML rendering engine!) didn’t automatically open attachments or render HTML with VBscript/JScript then that would kill off more.
Then to finish the job, you’d need ISPs to filter spyware (not sure how, just filtering out the Gator IP’s to start!)
Another issue is with laptops – any laptop that is going to be taken home from work, should be put in a DMZ when it comes back to the office, or should be running Linux.
Comply and Connect?
So, the idea is: you ask the machine for its “internal state signature”, and if the signature matches the ideal, you let it in. The downside is that you can’t install non-malicious software on your machine. The upside seems to be that you don’t let malicious code in, except that you can’t trust the machine to report its own state — how do you know it’s the kernel and not the virus who returns the signature?
This is not the solution. Nor are firewalls and virus scanners. And it amazes me: in the year two thousand and fucking four, some 20 years (more?) after the creation of the first virus, we still have the virus problem. Isn’t it the right time to understand that the solution is secure operating systems? What’s so fucking difficult in OSes which run everything in a sandbox? Why should a Word macro running in a mail client have access to all filesystems and the network? Why can’t I run “untrusted” code without giving it permission to do dangerous things (or at least limit the impact, and no, UNIX weenies, I don’t mean “destroying only one person’s home directory instead of thrashing the whole machine”)?
The answer to the rhetorical question is because nobody cares, or maybe because people think that fighting viruses constantly instead of doing real work is a natural way of doing things, but we should know it’s not true.