Is anyone aware of a package that can detect viri on the network & possibly alert when there are?
Here is the scenario: Our network is utilized by guest users all the time, sometimes into the thousands. We see guests from all over with a variety of OSs & hardware, over which we have no control or say.
I am looking for something that I can run in promiscuous mode and/or on a SPAN port that will sniff for viri and then alert/log when it sees a virus. We can then track down the culprit's IP/MAC, shut off the switch port he/she is connected to, and then visit with the guest to help them clean their machine.
Given the nature of our network and our guests' needs, an inline solution is not an option. Although I recall that Squid supports WCCP, I'm not sure that it would do what I am requesting. I also looked at snort+libclamav, but the info was inconclusive.
We are a CentOS shop and I have a spare dual Xeon box that I can use for the task.
Thanks,
Eric
On Tue, 10 Oct 2006 10:38:58 -0500 (CDT) eric@austinconventioncenter.com wrote:
Here is the scenario: Our network is utilized by guest users all the time, sometimes into the thousands. We see guests from all over with a variety of OSs & hardware, over which we have no control or say.
I am looking for something that I can run in promiscuous mode and/or on a SPAN port that will sniff for viri and then alert/log when it sees a virus.
I was faced with the same situation and I have gone a completely different route.
Every day, one of my customers has 'guests' in the various board rooms and meeting rooms. There is always somebody with viruses or spyware, and then they call me to help them or to fix their laptops.
What I did is: change the network!
The firewall/gateway inside interface has 2 separate IP addresses in different classes:
* The company employees are in 10.0.0.0/16
* The visitors are in 172.20.0.0/16
All employees' computers must have a registered MAC address. It's some work, but that's the only way to go, and yes, it can scale to thousands of users. The DHCP servers will serve them an IP address in the 10.0/16 address space.
All computers with a non-registered MAC address will get an IP in the 172.20/16 address space. Their default gateway is the secondary IP address of the gateway.
I have VLANs and maxport in place on the switches to control how many people can connect to a physical port and what they can do on the network.
The only thing the non-registered users can access is the Internet; they cannot access any of the internal resources [including printers], and cannot infect or attack any of the internal network. If they want to print, they can supply us with a PDF file, and reception will print it for them [tried having an HP printer in one of the board rooms, but too many people did not have the correct driver.]
If you still want to run an antivirus at the layer 2 level, Cisco has ASA boxes that will do some antivirus. They do not have a full listing of all the viruses, but a select few hundred, the more recent/prevalent ones.
Hope this helps.
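The MAC-registration split described above, written out as an ISC dhcpd configuration. This is an added example, not the poster's own config; the gateway addresses 10.0.0.1 and 172.20.0.1, the interface name and the sample MAC address are assumptions (the post only states that the gateway carries one IP in each range).

```conf
# Registered (company) machines are identified by Ethernet hardware address.
# Hardware type 1 = Ethernet; one subclass line per registered laptop.
class "registered" {
    match hardware;
}
subclass "registered" 1:00:11:22:33:44:55;   # constructed sample MAC
subclass "registered" 1:00:11:22:33:44:56;   # constructed sample MAC

# Both subnets live on the same physical segment (the gateway's inside
# interface carries a primary and a secondary address), so they are grouped
# in one shared-network and dhcpd picks a pool by class membership.
shared-network inside {
    # Employees: 10.0/16, default gateway = primary address of the firewall.
    subnet 10.0.0.0 netmask 255.255.0.0 {
        option routers 10.0.0.1;            # assumed primary gateway IP
        option domain-name-servers 10.0.0.1; # assumed; point at your resolver
        pool {
            allow members of "registered";
            range 10.0.1.1 10.0.255.254;
        }
    }

    # Guests: 172.20/16, default gateway = secondary address of the firewall.
    # "deny members of" means anything not in the registered list lands here.
    subnet 172.20.0.0 netmask 255.255.0.0 {
        option routers 172.20.0.1;           # assumed secondary gateway IP
        option domain-name-servers 172.20.0.1; # assumed
        default-lease-time 3600;             # short leases suit transient guests
        max-lease-time 7200;
        pool {
            deny members of "registered";
            range 172.20.1.1 172.20.255.254;
        }
    }
}
```

The address split only isolates guests if the firewall also drops 172.20/16 to 10.0/16 traffic and the switches enforce the port limits the post mentions; dhcpd on its own cannot stop a guest from statically configuring a 10.0/16 address.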
centos@911networks.com wrote:
All computers with a non-registered MAC address with get an IP in the 172.20/16 address space. Their default gateway is the secondary IP address of the gateway.
This is very clever, but I wonder: unless you control employees' laptops one way or another, it seems like employee laptops would only be marginally better than unknown, external hosts in terms of malware. What's your experience on this, or how do you guarantee that employee laptops are clean?
Dave Thompson UW-Madison
On Tue, 10 Oct 2006 13:14:17 -0500 David Thompson thomas@cs.wisc.edu wrote:
This is very clever, but I wonder: unless you control employees' laptops one way or another, it seems like employee laptops would only be marginally better than unknown, external hosts in terms of malware. What's your experience on this, or how do you guarantee that employee laptops are clean?
1. I have beaten them into submission.
2. It's not the employee's laptop, it's the company's laptop, so the employees are told what they can and cannot do. They don't really want to lose their job because they have crashed the network or deleted the corporate Word documents...
3. I regularly oversee all the laptops, just like the desktops.
4. If there are problem people, it's not my problem, it's a management problem. Management does not want to lose all the data or the network.
Then again, allowing the employees to bring down your entire business doesn't really smell like good planning.
-Drew
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of centos@911networks.com
Sent: Tuesday, October 10, 2006 2:53 PM
To: CentOS mailing list
Subject: Re: [CentOS] antivirus sniffer/scanner for networks
On Tue, 10 Oct 2006 13:14:17 -0500 David Thompson thomas@cs.wisc.edu wrote:
This is very clever, but I wonder: unless you control employees' laptops one way or another, it seems like employee laptops would only be marginally better than unknown, external hosts in terms of malware.
What's your experience on this, or how do you guarantee that employee laptops are clean?
1. I have beaten them into submission.
2. It's not the employee's laptop, it's the company's laptop, so the employees are told what they can and cannot do. They don't really want to lose their job because they have crashed the network or deleted the corporate Word documents...
3. I regularly oversee all the laptops, just like the desktops.
4. If there are problem people, it's not my problem, it's a management problem. Management does not want to lose all the data or the network.
--
Thanks
http://www.sqlhacks.com The SQL knowledge base
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
You need to SPAN/mirror the traffic from your distribution switch(es) to an Ethernet card appropriate for the size of traffic you see (0-100 Mbps: 100 Mbps Ethernet; 100-1000 Mbps: gigabit), and then run Snort with all of the plugins to look for malicious traffic. There aren't really network "virus" scanners so much as there are IDS programs which will detect the traffic signatures of the worm/malware spreading software and alert you. Viruses are generally local host problems, but the 'spreading' of them you CAN detect.
HTH.
-Drew
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of eric@austinconventioncenter.com
Sent: Tuesday, October 10, 2006 11:39 AM
To: centos@centos.org
Subject: [CentOS] antivirus sniffer/scanner for networks
Is anyone aware of a package that can detect viri on the network & possibly alert when there are?
Here is the scenario: Our network is utilized by guest users all the time, sometimes into the thousands. We see guests from all over with a variety of OSs & hardware, over which we have no control or say.
I am looking for something that I can run in promiscuous mode and/or on a SPAN port that will sniff for viri and then alert/log when it sees a virus. We can then track down the culprit's IP/MAC, shut off the switch port he/she is connected to, and then visit with the guest to help them clean their machine.
Given the nature of our network and our guests' needs, an inline solution is not an option. Although I recall that Squid supports WCCP, I'm not sure that it would do what I am requesting. I also looked at snort+libclamav, but the info was inconclusive.
We are a CentOS shop and I have a spare dual Xeon box that I can use for the task.
Thanks,
Eric
Thanks, I will pursue the Snort path then....
On Tue, 10 Oct 2006 10:38:58 -0500 (CDT) eric@austinconventioncenter.com wrote:
Here is the scenario: Our network is utilized by guest users all the time, sometimes into the thousands. We see guests from all over with a variety of OSs & hardware, over which we have no control or say.
I am looking for something that I can run in promiscuous mode and/or on a SPAN port that will sniff for viri and then alert/log when it sees a virus. We can then track down the culprit's IP/MAC, shut off the switch port he/she is connected to, and then visit with the guest to help them clean their machine.
I think the first thing to look at is network design, with proper use of VLANs, secondary IP addresses, and a proper DHCP config.
I have a similar requirement, but not as large. I have daily guests [dozens]; with VLANs and DHCP they can access the Internet, but have absolutely no access to, and cannot cause damage to, any of the internal resources.