[CentOS] antivirus sniffer/scanner for networks

Tue Oct 10 16:27:59 UTC 2006
centos at 911networks.com <centos at 911networks.com>

On Tue, 10 Oct 2006 10:38:58 -0500 (CDT)
eric at austinconventioncenter.com wrote:

> Here is the scenario:  Our network is utilized by guest users all
> the time, sometimes into the thousands. We see guests from all over
> with a variety of OSs & hardware, all of which, we have no control
> or say in that matter.
> 
> I am looking for something that I can run in promiscuous mode
> and/or on a span port that will sniff for viri and then alert/log
> when it sees a virus.

I was faced with the same situation and I have gone a completely
different route.

Every day, one of my customers has 'guests' in the various board rooms
and meeting rooms. There is always somebody with viruses, spyware and
then they call me to help them or to fix their laptops.

What I did is: change the network!

The firewall/gateway inside interface has 2 separate IP addresses in
different classes:
* The company employees are in 10.0.0.0/16
* The visitors are in the 172.20.0.0/16

All employees' computers must have a registered MAC address. It's some
work, but that's the only way to go, and yes it can scale to thousands
of users. The DHCP servers will serve them an IP address in the
10.0/16 address space.

All computers with a non-registered MAC address will get an IP in the
172.20/16 address space. Their default gateway is the secondary IP
address of the gateway.

I have VLANs and maxport in place on the switches to control how many
people can connect to a physical port and what they can do on the
network.

The only thing the non-registered users can access is the
Internet; they cannot access any of the internal resources
[including printers], and cannot infect or attack any of the internal
network. If they want to print, they can supply us with a PDF file,
and reception will print it for them [tried having an HP printer in
one of the board rooms, but too many people did not have the correct
driver.]

If you still want to run an antivirus at the layer 2 level, Cisco
has ASA boxes that will do some antivirus. They do not have a full
listing of all the viruses, but a select few hundred, the more
recent/prevalent ones.

Hope this helps.

-- 
Thanks
http://www.sqlhacks.com
The SQL knowledge base
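The split described in the post (registered MACs land in 10.0/16 with the primary gateway, everyone else in 172.20/16 with the secondary gateway) can be expressed as a single DHCP server configuration. The fragment below is an added example written for ISC dhcpd, not the poster's own config; the gateway addresses, DNS servers, lease ranges and the MAC address are constructed placeholders.

```conf
# Both scopes live on the same physical segment, so they share one
# shared-network; dhcpd chooses the pool by the client's permissions.
shared-network inside {

    # Employees: only clients with a matching host declaration below.
    subnet 10.0.0.0 netmask 255.255.0.0 {
        option routers 10.0.0.1;             # primary inside IP of the gateway (assumed)
        option domain-name-servers 10.0.0.53; # internal resolver (assumed)
        pool {
            deny unknown-clients;            # no host entry -> no lease here
            range 10.0.100.1 10.0.199.254;
        }
    }

    # Visitors: any MAC address that is not registered.
    subnet 172.20.0.0 netmask 255.255.0.0 {
        option routers 172.20.0.1;            # secondary inside IP of the gateway (assumed)
        option domain-name-servers 172.20.0.1;
        pool {
            allow unknown-clients;
            deny known-clients;              # registered machines never fall into this scope
            range 172.20.100.1 172.20.199.254;
        }
    }
}

# Registration is a host entry per employee machine. No fixed-address is
# needed: the entry only makes the client "known" so it qualifies for
# the 10.0/16 pool. Constructed example MAC address.
host employee-laptop-01 {
    hardware ethernet 00:11:22:33:44:55;
}
```

A MAC address is self-reported, so this classifies clients rather than authenticating them; the per-port VLAN and port-limit controls the post mentions are what stop a visitor who clones a registered address from reaching the employee scope.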