The internet plays a prevailing role in today’s workplace, and its use continues to grow – from personal web-based email, to the growing popularity of public instant messaging (IM). Despite the benefits the web provides for employees, including convenience and accessibility, its use has opened a back door for viruses to bypass existing email anti-virus security measures and infect the network.
The layered model for email anti-virus security today might lead one to infer there is sufficient protection in place to stop most viruses, with anti-virus software running on email servers, file servers and desktops. However, a closer look shows that frequent, widespread virus threats such as Sasser, Sober and Bagle are continuing to evade these well-established layers of defense via web channels that remain unsecured on many networks. These unsecured channels include web email use, instant messaging communications and file downloads via the common web browser. Organizations are falling victim to infections through these open back doors because, unlike the multiple layers of virus protection for email traffic, organizations tend to rely solely on desktop virus protection to fend off web-based threats – a strategy that quickly fails when thousands of desktops are not quickly updated during an outbreak, and when advanced viruses disable desktop anti-virus software before an update can be installed.
So why aren’t large enterprises deploying a layer of web anti-virus security at the internet gateway to stop these threats? The answer is simple: Existing web anti-virus solutions for the internet gateway do not have the performance to keep up with the “real-time” nature of web traffic.
Unlike the store-and-forward nature of email, the web is a real-time medium where users expect to see real-time results with every click of the mouse. When an anti-virus solution is installed that slows down web traffic response times, users complain and present the IT department with the challenge of compromising between impeding the business process, and the security required by the business. And with so many business processes today relying on the web, the latter is most often sacrificed.
The products that have offered web anti-virus have failed because they employ traditional methods of virus scanning that prove effective for email traffic, yet provide inadequate levels of performance and increased latency on the flow of web traffic. This increased latency typically occurs: 1) when an anti-virus product attempts to scan all of the Web objects within the Web traffic, even those not susceptible to virus infection; 2) when web anti-virus is packaged with some form of email virus scanning, and simultaneously activated with the Web scanning process to create an additional hindrance on the performance of the web scanning process; and 3) when web anti-virus solutions unnecessarily scan the same web objects multiple times, generating additional processing by the device, and resulting in increased latency on web traffic.
So what can be done? A new architecture that includes integrating anti-virus scanning technology with proxy appliance technology will enable organizations to deploy a very necessary layer of web anti-virus security.
By design, proxy appliances are capable of handling large amounts of web traffic at wire speeds, providing administrators with fine-grain insight and control over users on the internet. Integrating the web-object handling power and caching of a proxy appliance with a dedicated anti-virus scanning appliance, organizations can leverage the proxy as the “brains” of the operation, and the anti-virus scanning engine as the “brawn.” Here’s how it works.
As a “middle-man” between users on the network and the internet, the proxy appliance is the key to the equation – terminating web communications to determine which web objects are susceptible to virus infection. Only questionable objects identified by the proxy are sent to a separate anti-virus scanning appliance, which effectively acts as a high-performance “coprocessor” for the proxy appliance, tasked with the sole responsibility to scan “web” objects as quickly as possible.
Once scanned, the anti-virus scanning appliance sends clean content back to the proxy appliance where it is then cached and served up immediately to subsequent requesting users. With anywhere from 30 to 50 per cent of web objects being cacheable, this “scan once, serve many” approach is the crucial element to deliver the adequate levels of performance and latency for web traffic virus scanning.
Web traffic and web-based virus threats are increasing on enterprise networks. Just like the layered anti-virus approach that has proven successful for email infrastructures, organizations must architect a layered Web anti-virus model. An architecture that integrates a proxy appliance with an anti-virus appliance will enable organizations to turn the “deplorable” situation of today into a “deployable” web anti-virus solution.
Nigel Hawthorn is marketing and channel director for Blue Coat EMEA