Monday, April 30, 2012

Online malware site checks. Part 1

If a company asked me for advice on how to increase their client security, my answer would be to install a webfilter!

By a webfilter, I mean a filter that is able to blacklist malicious sites, thus preventing users from accessing those resources.

Removing commonly vulnerable client applications is also an effective way to achieve higher client security. But removing Flash, Java or Reader in a corporate environment, even though it would dramatically decrease the exposure to malicious code, is in most environments not a feasible solution due to dependencies and user expectations (at least in my experience).

A webfilter blocking users from accessing known malicious sites is in most cases transparent to the end user, except when his/her favorite blog is blocked due to infection.

When installed as perimeter protection, it trumps a gateway antivirus solution (yet again, in my experience). The reason is that instead of having to detect each and every one of the malicious samples served by an exploit kit on a given site, simply denying access to that site lets you focus on other things than worrying about whether something slipped past your gateway AV installation (and sadly maybe even your client AV).

One could argue that a webfilter suffers from the same problem as signature-based antivirus: the malicious site has to be known in order for it to be added to the blacklist.

While this is true, I would argue that the effort to determine if a site is malicious would in most cases be much smaller than understanding a malicious sample and writing an efficient signature for it (one also has to take into consideration that malware could be using polymorphic functions to evade signature-based detection, which would make the effort greater for the AV analyst).

Also, as mentioned above, the AV has to catch them all; if one slips through the cracks, it is game over!

So .. are webfilters and online site checks flawless? Of course not! In reality there are a lot of things one could wish for in these solutions.

Stay tuned for part 2, where my praise for webfilters will suffer a blow =)

(but I still think that the above analysis has some merit)


