Dr Igor Muttik, McAfee AVERT
Among the side effects of the explosion in both the use of the Internet and connectivity levels is - unsurprisingly - the proliferation of malicious software in networks. Traditional workstation-only solutions are acquiring features from the standard network security arsenal - firewalls, mail scanning, spam filtering, intrusion detection/protection.
At the same time, standard tools and hardware for protecting networks (firewalls, routers, switches, intrusion-detection and intrusion-protection systems) are having more and more features bolted onto them in order to better combat malware. Increasing network loads dictate the hardware approach, but adding anti-malware and anti-spam features requires flexibility that is generally achievable only in software. A major requirement is an ability to perform algorithmic and computationally complex analysis - required, for instance, to detect non-static malware. Detecting such objects (polymorphic worms, for instance) via software anti-virus scanners is a developed, mature technology but converting this functionality into network hardware is problematic.
We present an analysis of alternative design solutions for network scanning that implements AV features: pure hardware (quick but inflexible), pure software (slower but thorough), a combination of both (complex and more expensive, but potentially both quick and flexible), and a simple hardware device attached to a central server that performs the complex scanning centrally (cheap and flexible but not easily scalable). Several real-life examples are used to illustrate these options.
We discuss the effect that the discovery of many exploits in common Internet graphical data formats (WMF, PNG, BMP, ANI) has had on the hardware versus software business. Problems associated with scanning different Internet protocols are also analysed.