Kevin wrote:
> Ray Lillard wrote:
2. Open source virus tools like ClamAV use an independent database that is often updated sooner than Norton et al. and is often more comprehensive.
The last time I actually researched the signature release history of AV vendors (Clam/Trend/McAfee/Symantec(Norton)) was a couple of weeks after Sasser. No one vendor showed a clear lead in getting "production" signatures out when a new worm hit.
I based my remark on anecdotal experience and have never tried to formally study the question. Hearing that the popular tools are as good as the open source ones is also a good thing.
For larger enterprises you will most likely have a corporate contract with the major vendors, they will often push out a quick-and-dirty signature within hours of the initial outbreak, long before a final "production ready" signature is distributed to the general public.
None of the domains I administrate have the benefit of a corporate support contract.
My preferred mail arrangement for small offices (I have built others) looks like this:
    Unfiltered Internet
            |
            V
    MTA (sendmail/graylisting)                 RELAY

^^^^ Why not add DNSBL here?

Not a bad idea.

            |
            V
    Firewall (tunnel)
            |
            V
    MTA (sendmail/ClamAV)                      LOCAL_DELIVERY
            |
            V
    Workstations (Norton/virus blocking) (Thunderbird/spam filter)
Those Windows users who insist on using Outlook just have to eat the remaining spam.
And if you are slightly paranoid, the Internet-facing MTA is a vetted non-sendmail MTA (Postfix, qmail, etc.), and the firewall connection between the publicly visible MTA and the internal delivery agent is capable of enforcing RFC-compliant SMTP.
And I'm not just saying "use something other than sendmail on the outermost edge" because I am all too aware of the long history of remotely exploitable sendmail vulnerabilities, but also because if you are going to "chain" transports for security, you gain the most by using different MTAs for the "outside" and the "inside". Otherwise a script kiddie bearing a "0day sendmail on OpenBSD on Intel" sploit who compromises your Internet-facing ("RELAY" in the diagram) server won't delay long in using the firewall-evading tunnel to use the same tool to take over the internal ("LOCAL_DELIVERY") host.
I agree that using a different MTA outside than inside is a good thing. Whether that goal is achieved by using a different program (e.g. Postfix instead of sendmail), a different h/w architecture, a different compiler or a different OS matters little (assuming good choices are made).
I don't see how multiple choices from the above list provide significantly more security than one choice, although compiler differences might be the weakest of the lot.
Also, Sendmail has tightened up a lot in recent years.
Kevin Kadow
(P.S. And the _truly_ paranoid do not detail the complete range of their security precautions to [EMAIL PROTECTED]. Let's just say it involves two different processor architectures and a really fast serial link.)
Some of us paranoids have real enemies.
1. I never post from any domain I administrate.
2. Don't assume I detailed everything I know and do.
;-)
Ray
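The admission checks the thread puts on the RELAY host (Kevin's DNSBL suggestion plus the greylisting Ray already runs there), written out as an added example that is not code from either poster. It assumes the edge MTA is Postfix, so the request/reply format is the Postfix SMTP access-policy protocol and the actions (DUNNO, DEFER_IF_PERMIT, REJECT) are Postfix's; the delay and expiry constants are illustrative, the DNSBL zone is one common choice that you would replace with your own, and the resolver used in demo() is a constructed stub standing in for real DNS so the example runs offline.

```python
"""Edge-relay admission policy: DNSBL reject, then greylist (added example)."""
import ipaddress
import time

GREYLIST_DELAY = 300          # assumed: seconds a new triplet must wait before passing
GREYLIST_EXPIRE = 36 * 3600   # assumed: forget triplets that never came back
DEFER = "DEFER_IF_PERMIT Greylisted, please retry later"


class Greylister:
    """In-memory greylist keyed on the (client IP, sender, recipient) triplet.

    A triplet is deferred on first sight and until GREYLIST_DELAY has passed;
    a retry after that is let through and remembered, so legitimate MTAs pay
    the delay once while fire-and-forget spam engines never return.
    """

    def __init__(self, delay=GREYLIST_DELAY, expire=GREYLIST_EXPIRE, clock=time.time):
        self.delay, self.expire, self.clock = delay, expire, clock
        self.first_seen = {}   # unverified triplet -> time of first attempt
        self.verified = {}     # triplet that retried correctly -> last seen

    def decide(self, client_address, sender, recipient):
        """Return a Postfix access action for this delivery attempt."""
        now = self.clock()
        key = (client_address, sender.lower(), recipient.lower())
        if key in self.verified:
            self.verified[key] = now
            return "DUNNO"                     # let later restrictions decide
        first = self.first_seen.get(key)
        if first is None or now - first > self.expire:
            self.first_seen[key] = now         # new, or stale: restart the clock
            return DEFER
        if now - first < self.delay:
            return DEFER                       # retried too soon
        del self.first_seen[key]
        self.verified[key] = now
        return "DUNNO"


def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets under the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(client_ip)   # raises AddressValueError on garbage/IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(client_ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] when it is NXDOMAIN."""
    return bool(resolve(dnsbl_query_name(client_ip, zone)))


def parse_policy_request(raw):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def policy_reply(action):
    return "action=" + action + "\n\n"


def handle_request(raw, greylister, resolve, zones=("zen.spamhaus.org",)):
    """DNSBL first (cheap, final), then greylisting (cheap, provisional)."""
    req = parse_policy_request(raw)
    if req.get("request") != "smtpd_access_policy":
        return policy_reply("DUNNO")
    ip = req.get("client_address", "")
    for zone in zones:
        try:
            if dnsbl_listed(ip, zone, resolve):
                return policy_reply(f"REJECT Client {ip} listed in {zone}")
        except ipaddress.AddressValueError:
            break                              # not IPv4: skip DNSBL in this example
    return policy_reply(greylister.decide(ip, req.get("sender", ""), req.get("recipient", "")))


def demo():
    """Constructed walk-through: one listed client, one legitimate MTA that retries."""
    listed = {"4.3.2.1.zen.spamhaus.org": ["127.0.0.2"]}   # constructed stub DNS data
    resolve = lambda name: listed.get(name, [])
    clock = [1_000_000.0]
    g = Greylister(delay=300, clock=lambda: clock[0])
    req = ("request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address={ip}\n"
           "sender=alice@example.org\nrecipient=bob@example.net\n\n")
    out = [handle_request(req.format(ip="1.2.3.4"), g, resolve)]          # listed -> REJECT
    out.append(handle_request(req.format(ip="198.51.100.7"), g, resolve))  # first sight -> DEFER
    clock[0] += 60
    out.append(handle_request(req.format(ip="198.51.100.7"), g, resolve))  # too soon -> DEFER
    clock[0] += 600
    out.append(handle_request(req.format(ip="198.51.100.7"), g, resolve))  # proper retry -> DUNNO
    return out


if __name__ == "__main__":
    for reply in demo():
        print(reply.strip())
```

The greylister answers DEFER_IF_PERMIT rather than a hard 4xx so that a later whitelist restriction in the MTA can still override it; the DNSBL answer is a hard REJECT because a listing is final for that connection. Wiring the service into Postfix is a matter of a check_policy_service entry in smtpd_recipient_restrictions pointing at the socket this daemon listens on, which is left out here.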