Quote:
Originally Posted by heroine
...In this case, may I know,How does cryptographic protection (at the TCP/IP layers or at the application layer) affect a firewall's ability to protect against viruses?
Your average firewall doesn't have anti-virus features built into it. *But*, this really depends on your firewall, what proxy features are built in, etc. This is not a simple area, it's one that touches on many aspects of information security.
If you have an encrypted zip/rar/whatever archive file being downloaded via your proxy, then I know of no products which will attempt to decrypt these and inspect them. Some proxy products such as WEBSweeper/MAILSweeper can be configured to block/quarantine/notify on detection of such files, but actual inspection is very difficult, if not impossible (depending on the algorithm used, key space, etc).
If you have a SSL connection to a website (let's say your online banking site) then strictly speaking the connection and its contents are secured from inspection (including AV checking) between the bank's servers and your desktop PC. Some firewalls (such as Bluecoat) support SSL interception whereby when you connect to the bank site, you actually connect to the firewall proxy service by SSL then it connects by SSL to the bank. It can then operate as a "man in the middle" and "see" the data in the clear, thereby being able to pass the intercepted data into whatever content filters you need. I found a brief article outlining the procedure (not my site!)
here.
IPSEC & SSL VPNs etc are also problematic for content scanning. I suggest reading some books on Security engineering and network security for in-depth advice on all these topics.
In short, your best bet is to adopt a layered defence approach by not relying on your firewall as a single point of control. Security needs to be applied to all devices/nodes/interfaces across your network, from your routers and mail servers to your print servers and workstations. AV protection should not be limited to your web proxy, it should be on every desktop and server in addition to an approved standardised OS build with restricted permissions and system policies configured to only permit the software, file types, network traffic and users which you have explicitly specified. This should all be supported with regular log monitoring and having appropriate procedures in place to deal with incidents that arise.
Nick
