Teobaldo Adelino Dantas de Medeiros, Federal Center of Technological Education
Paulo S. Motta Pires, Federal University of Rio Grande do Norte
We present LIV, the Linux Integrated Viruswall, a system developed to protect networks containing Windows workstations against malicious agents. LIV combines features found in traditional gateway protection systems, such as SMTP, HTTP and FTP filtering, with new functionality. One innovative feature is the ability to detect compromised workstations from their network traffic. Another is the use of a technique named "sharing-trap" to identify malicious agents spreading through the local network. When LIV identifies an infected workstation, the Linux firewall and the departmental routers are configured to isolate the compromised machine from the network, containing the spread of the malicious agent. LIV integrates and controls common Linux programs, namely Apache, Squid, Sendmail, Samba and MySQL, to detect and contain malicious agents. The Apache HTTP server and the Squid proxy server together implement the download protection mechanism. Squid also notifies the users of compromised machines when their workstations are isolated from the network. The LIV SMTP filter, integrated with Sendmail, can detect and remove known malicious agents present in attachments and can prevent the entrance of potentially dangerous files via email. The Samba CIFS server implements the sharing-trap, and a MySQL database stores the logs generated by the Linux firewall. LIV later analyses these logs to discover compromised workstations in the network.
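The abstract describes two of LIV's stages in outline only: firewall logs are collected, and a later analysis of those logs identifies compromised workstations, which are then isolated by the Linux firewall while Squid still reaches the user with a notice. The following Python is an added illustration of that pipeline and is not LIV's code; the paper does not state which heuristic LIV applies, so this example assumes a simple one (a workstation that opens connections to many distinct hosts on the CIFS ports 139/445 within a short window is treated as a spreading agent). The netfilter LOG line format is the standard one written by the iptables LOG target; the thresholds, interface name, proxy port and all sample log lines are constructed assumptions.

```python
"""Flag workstations whose firewall-log footprint looks like worm-style SMB
scanning, then build the firewall rules that would isolate them.
Example code, not part of LIV. Thresholds and names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# netfilter LOG-target lines as they appear in syslog (standard format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

SMB_PORTS = {139, 445}           # assumption: "sharing" traffic = NetBIOS/CIFS ports
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 20                   # assumption: distinct targets per window that alerts
LAN_IFACE = "eth1"               # assumption: gateway interface facing workstations
PROXY_PORT = 3128                # assumption: Squid's listening port on the gateway


def parse_line(line, year=2005):
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines.
    syslog omits the year, so the caller supplies one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak_distinct_targets} for every source that reached at
    least `threshold` distinct hosts on SMB ports inside some `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dpt = rec
        if proto == "TCP" and dpt in SMB_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({d for _, d in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def isolation_rules(src):
    """iptables commands (as strings) that cut the host off from everything
    except the gateway's proxy port, so the user can still be told why.
    Each -I inserts at the top, so the ACCEPT issued last is evaluated first."""
    return [
        f"iptables -I FORWARD -i {LAN_IFACE} -s {src} -j DROP",
        f"iptables -I INPUT -i {LAN_IFACE} -s {src} -j DROP",
        f"iptables -I INPUT -i {LAN_IFACE} -s {src} -p tcp --dport {PROXY_PORT} -j ACCEPT",
    ]


# ---- constructed sample data (not real traffic) ----
def _mk(ts, src, dst, dpt=445):
    return (f"{ts:%b %d %H:%M:%S} liv kernel: IN={LAN_IFACE} OUT=eth0 "
            f"SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1 DF "
            f"PROTO=TCP SPT=1027 DPT={dpt} WINDOW=16384 RES=0x00 SYN URGP=0")


_BASE = datetime(2005, 3, 3, 10, 0, 0)
SAMPLE_LINES = []
# 192.168.10.5: 25 distinct hosts on 445 within 25 seconds -> looks like a worm.
SAMPLE_LINES += [_mk(_BASE + timedelta(seconds=i), "192.168.10.5", f"192.168.20.{i + 1}")
                 for i in range(25)]
# 192.168.10.7: three file servers, normal office use.
SAMPLE_LINES += [_mk(_BASE, "192.168.10.7", f"192.168.20.{i + 1}") for i in range(3)]
# 192.168.10.9: 25 distinct hosts but two minutes apart each -> outside the window.
SAMPLE_LINES += [_mk(_BASE + timedelta(minutes=2 * i), "192.168.10.9", f"192.168.20.{i + 1}")
                 for i in range(25)]

if __name__ == "__main__":
    for host, peak in find_scanners(SAMPLE_LINES).items():
        print(f"{host}: {peak} distinct SMB targets in {WINDOW.seconds}s")
        for rule in isolation_rules(host):
            print("  ", rule)
```

In a deployment the lines would come from the MySQL log table rather than a list, and the generated rules would be pushed to the firewall and to the departmental routers; the sliding-window count is the part worth tuning, since a single threshold that catches a fast-spreading agent on one subnet can misfire on a legitimate backup server that touches every host.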