The threat of damaging computer viruses and the need for good antivirus software are greater than ever. Many organisations have already learned the painful and costly reality of leaving their networks unprotected against viruses.
Once you are on board with the idea of implementing a thorough antivirus strategy, it's time to discuss how best to accomplish it within your infrastructure.
A network infrastructure can traditionally be divided into three distinct layers that require virus protection:
- Layer 1--Internet (SMTP) gateways
- Layer 2--Servers (messaging, application, file and print, etc.)
- Layer 3--Clients (desktops and laptops)
However, with the rapid spread of handheld devices, I think it is prudent for companies to incorporate a fourth layer into the equation as well:
- Layer 4--PDA devices (specifically Palms and/or Pocket PCs.)
I don't believe anyone would dispute the merits of protecting layers 2 and 3. What often gets missed is the first layer, and it is really the most important one. Almost all viruses are spread via the Internet, either by email or by Web browsing. In theory, if you can secure the first layer so that viruses cannot enter the organisation, protecting layers 2 and 3 becomes practically unnecessary. I say 'in theory' because in practice there are more ways to become infected than the Internet alone (removable media and laptops brought in from outside, for instance), and the technology to protect against new Web-based viruses is still rather immature.
Let's take a look at virus protection for each of these four layers.
Layer 1: Internet gateways
The first layer of protection should really encompass two components: rules-based policy enforcement and virus scanning.
With rules-based policy enforcement, we can create rules to block viruses based on known content (e.g., "I LOVE YOU" in the subject line) even before the antivirus manufacturers have released a signature. In addition, rules can be applied to look for old viruses that may have been reclassified as hoaxes. For example, some antivirus manufacturers have classified the COKEGIF.EXE "virus" as merely a hoax, and their virus engines no longer block messages containing that attachment. Note that content rules are a stopgap, not a substitute for scanning: a rule keyed to one subject line or file name is trivially evaded by the next variant, so rules should be reviewed and retired as signatures catch up.
By having virus protection at the first layer, organisations can trap and block viruses at perhaps one or two gateways for the entire company. Once a virus has entered, a company must rely on the server agents to take over, and is then forced to scan and cure the virus on many servers rather than at one gateway. If for some reason the virus slips past the server layer, the business is forced to rely on antivirus software at the client layer, which potentially involves hundreds or thousands of nodes. Simple math dictates that stopping the virus immediately at the first layer is the most effective solution.
If a company doesn't manage its own Internet gateway, it is left to rely on its Internet service provider (ISP) to provide protection. If the ISP does not offer an antivirus service, or if it charges too much, switching service providers should be considered.
Regardless of who provides the service, accurate and timely reporting is necessary. When the AnnaK virus was circulating, our organisation blocked over 300 occurrences within the first few hours. This reporting was useful for two reasons. First, it validated the expense of installing and operating the Internet antivirus software and ensured its continued funding and support from senior management. Second, it helped us identify the sources of the viruses. This enabled us to pinpoint and tighten up the virus vulnerabilities found with several of our business partners.
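As an added illustration (this is example code, not anything from the article or a product it mentions), the two gateway controls discussed above, a rules-based policy check and per-sender reporting, can be sketched as a small Python filter. The two named rules are the article's own examples (an "I LOVE YOU" subject and a COKEGIF.EXE attachment); the double-extension rule is an added generalisation of the same idea, and the sample messages, sender domains and partner names are constructed for the demonstration.

```python
import re
from collections import Counter
from email import message_from_bytes
from email.policy import default as default_policy
from email.utils import parseaddr

# Gateway rules: (rule name, field it inspects, compiled pattern).
# The first two restate the article's examples. The third is a hypothetical
# generalisation: a "harmless" extension followed by a script/executable one.
RULES = [
    ("iloveyou-subject", "subject", re.compile(r"\bI\s*LOVE\s*YOU\b", re.I)),
    ("cokegif-attachment", "attachment", re.compile(r"^COKEGIF\.EXE$", re.I)),
    ("double-extension-script", "attachment",
     re.compile(r"\.(jpe?g|gif|txt|doc)\.(vbs|js|exe|scr|pif)$", re.I)),
]


def attachment_names(msg):
    """Yield the declared file name of every part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def evaluate(raw, rules=RULES):
    """Apply the rule set to one raw RFC 822 message.

    Returns ("block", rule_name, sender_address) for the first matching rule,
    or ("allow", None, sender_address) if nothing matched.
    """
    msg = message_from_bytes(raw, policy=default_policy)
    sender = parseaddr(msg.get("From", ""))[1]
    subject = msg.get("Subject", "")
    names = list(attachment_names(msg))
    for rule_name, field, pattern in rules:
        if field == "subject" and pattern.search(subject):
            return "block", rule_name, sender
        if field == "attachment" and any(pattern.search(n) for n in names):
            return "block", rule_name, sender
    return "allow", None, sender


def scan_all(messages, rules=RULES):
    """Evaluate a batch of raw messages; returns the list of decisions."""
    return [evaluate(raw, rules) for raw in messages]


def blocked_by_sender_domain(decisions):
    """Count blocked messages per sender domain: the report that shows which
    business partners are feeding infected mail into the gateway."""
    counts = Counter()
    for action, _rule, sender in decisions:
        if action == "block" and "@" in sender:
            counts[sender.rsplit("@", 1)[1].lower()] += 1
    return counts


# Constructed sample traffic (hypothetical partner domains, not real data).
SAMPLE_MESSAGES = [
    b"From: alice@partner-a.example\nTo: bob@corp.example\n"
    b"Subject: ILOVEYOU\n\nkindly check the attached LOVELETTER\n",
    b"From: Carol <carol@partner-b.example>\nTo: bob@corp.example\n"
    b"Subject: funny picture\nMIME-Version: 1.0\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\n\n"
    b"--b1\nContent-Type: text/plain\n\nsee attached\n"
    b"--b1\nContent-Type: application/octet-stream; name=\"COKEGIF.EXE\"\n"
    b"Content-Disposition: attachment; filename=\"COKEGIF.EXE\"\n"
    b"Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n",
    b"From: alice@partner-a.example\nTo: bob@corp.example\n"
    b"Subject: Q3 forecast\n\nNumbers attached next week.\n",
    b"From: carol@partner-b.example\nTo: bob@corp.example\n"
    b"Subject: Here you have\nMIME-Version: 1.0\n"
    b"Content-Type: multipart/mixed; boundary=\"b2\"\n\n"
    b"--b2\nContent-Type: application/octet-stream\n"
    b"Content-Disposition: attachment; filename=\"photo.jpg.vbs\"\n\n"
    b"MsgBox 1\n--b2--\n",
]

if __name__ == "__main__":
    decisions = scan_all(SAMPLE_MESSAGES)
    for action, rule, sender in decisions:
        print(f"{action:5} {rule or '-':25} {sender}")
    print("blocked per sender domain:", dict(blocked_by_sender_domain(decisions)))
```

The report function is the piece that pays for the gateway: a count of blocks per sender domain is exactly what lets you go back to a partner whose mail servers keep relaying infected messages. Keep in mind that the rules only see headers and declared file names, so a message with a spoofed From header will be attributed to the wrong domain; correlate with the connecting relay's address where the gateway logs it.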