
Message from jamesfurstenberg@ferris.edu

Seems like a lot of folks fall on one side of the fence or the other:

Side 1: Do not have it; do not technically feel the need for it.
Side 2: Have it deployed and are using it.

Just wondering if you:

1. Have it? Or feel it is warranted?
2. What product are you using?
3. Would you recommend the solution you are using?
4. Any performance impact?




Thank you.

Jim Furstenberg | IT Security Analyst
CEH

"In God we trust, all others bring data."    W. Edwards Deming
_____________________________________________________
Ferris State University
330 Oak St  | Big Rapids, MI 49307
Office: 231.591.5335
Mobile: 231.645.5821
EFax: 888.396.6269
Technical support
or call 231-591-4822 local
or toll free 877-779-4822

Comments

Message from ahockett@warnerpacific.edu

Jim,

We're running our Ubuntu servers on 10.04.4 LTS.

To your questions:

1.) No. Depending on the web application. Server hardening > AV on Linux for a majority of deployments.

2.) We have a license for Symantec AV for Linux we are looking into using depending on the web application (i.e. attachments, file-structure hosting of files, etc.).

3.) Unknown at this time.

4.) Again, unknown.

IMO, running some sort of HIDS (we run OSSEC) along with a strong software firewall for iptables and general stack hardening is the best remedy for *nix boxes.

-Aaron Hockett

Warner Pacific College

Network and Web Services Engineer

Message from hhoffman@ip-solutions.net

PCI standards require A/V on servers that process transactions... it's more and more likely those servers are running a *nix variant. Otherwise, a samba server then sure... otherwise???

Cheers,
Harry

On 06/22/2012 12:54 PM, Jim Furstenberg wrote:
> Seems like a lot of folks fall on one side of the fence or the other:
>
> Side 1: Do not have it; do not technically feel the need for it.
> Side 2: Have it deployed and are using it.
>
> Just wondering if you:
>
> 1. Have it? Or feel it is warranted?
> 2. What product are you using?
> 3. Would you recommend the solution you are using?
> 4. Any performance impact?
>
> Thank you.
>
> Jim Furstenberg | IT Security Analyst
> CEH

Message from win-hied@bradjudy.com

One of the common rules of thumb I have used is: does the server/application allow for user-uploaded content? If so, then there should be AV at least on that function.

As mentioned, there are other mitigating technologies that might be more useful like HIDS, file integrity checks, quality log monitoring, regular vulnerability scanning, etc.

Brad Judy

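Brad's rule of thumb (scan at least the upload path) can be put into code. The following is an added example, not code from anyone in the thread: it streams an upload to a local clamd over its INSTREAM protocol and rejects the file unless the verdict is clean. The `fake_clamd` stand-in and `TEST_MARKER` are constructed so the example runs offline; against a real clamd you would connect to its Unix socket and use the EICAR test file.

```python
import socket
import struct
import threading

# Constructed marker the offline stand-in flags (use the EICAR test file against real clamd).
TEST_MARKER = b"CONSTRUCTED-TEST-MARKER"

def instream_frames(data, chunk=4096):
    # clamd zINSTREAM framing: command, 4-byte big-endian length-prefixed chunks, zero-length end.
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        yield struct.pack("!I", len(part)) + part
    yield struct.pack("!I", 0)

def parse_reply(reply):
    # "stream: OK\0" -> (True, None); "stream: <sig> FOUND\0" -> (False, sig)
    verdict = reply.rstrip(b"\0").decode(errors="replace").partition(": ")[2]
    if verdict == "OK":
        return True, None
    if verdict.endswith(" FOUND"):
        return False, verdict[:-len(" FOUND")]
    raise RuntimeError("unexpected clamd reply: %r" % reply)

def scan_upload(data, sock):
    # Stream the upload and read the NUL-terminated verdict; keep the file only if clean is True.
    for frame in instream_frames(data):
        sock.sendall(frame)
    reader, reply = sock.makefile("rb"), b""
    while not reply.endswith(b"\0"):
        byte = reader.read(1)
        if not byte:
            raise RuntimeError("clamd closed the connection without a verdict")
        reply += byte
    return parse_reply(reply)

def fake_clamd(sock):
    # Constructed clamd stand-in so this runs offline: answers FOUND if TEST_MARKER is present.
    reader, body = sock.makefile("rb"), b""
    if reader.read(10) != b"zINSTREAM\0":
        raise RuntimeError("fake clamd: unexpected command")
    while (n := struct.unpack("!I", reader.read(4))[0]) != 0:
        body += reader.read(n)
    sig = b"Constructed.Test.Marker FOUND" if TEST_MARKER in body else b"OK"
    sock.sendall(b"stream: " + sig + b"\0")

def demo(payload):
    client, server = socket.socketpair()  # local pair standing in for clamd's Unix socket
    threading.Thread(target=fake_clamd, args=(server,)).start()
    return scan_upload(payload, client)
```

In a real deployment the scan runs before the file is written anywhere the web application can serve it, so a FOUND verdict never reaches other users.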

Message from valdis.kletnieks@vt.edu

On Fri, 22 Jun 2012 13:11:21 -0400, Harry Hoffman said:
> PCI standards require A/V on servers that process transactions... it's
> more and more likely those servers are running a *nix variant.

Does it *require* A/V, or is it "A/V or compensating controls"?

Message from hhoffman@ip-solutions.net

Hmm, I don't know whether or not those requirements (5.1 and 5.2) allow for compensating controls. Let's ask a QSA; I expect no less than 3 answers ;-)

On 06/22/2012 02:12 PM, Valdis Kletnieks wrote:
> On Fri, 22 Jun 2012 13:11:21 -0400, Harry Hoffman said:
>> PCI standards require A/V on servers that process transactions... it's
>> more and more likely those servers are running a *nix variant.
>
> Does it *require* A/V, or is it "A/V or compensating controls"?

From my ISA training last fall, the only control that cannot use a compensating control is external ASV scanning. So, yes, you can compensate for A/V on a system using tools already mentioned.

-- Kerry Havens

Kaiten, Rexob, Alaeda, Bad Bunny, Binom, Bliss, Brundle-Fly, The Bukowski Project, Diesel, The Kagob Virus, MetaPHOR, Nuxbee, OSF.8759, Podloso, Rike, RST, Satyr, Staog, VIT, Winter, Lindose, Wit, ZipWorm, Net-worm.linux.adm, Adore, The Cheese Worm, Devnull, Kork, Lapper, The L10n Worm, The Mighty Worm, Millen, Ramen, The Slapper Worm, SSH Bruteforce

Louis
Weber State University

On 6/22/2012 at 10:54 AM, in message <OF3C3747B4.66BF3A59-ON85257A25.005CE25B-85257A25.005CE434@ferris.edu>, Jim Furstenberg <JamesFurstenberg@FERRIS.EDU> wrote:
> Seems like a lot of folks fall on one side of the fence or the other:
>
> Side 1: Do not have it; do not technically feel the need for it.
> Side 2: Have it deployed and are using it.
>
> Just wondering if you:
>
> 1. Have it? Or feel it is warranted?
> 2. What product are you using?
> 3. Would you recommend the solution you are using?
> 4. Any performance impact?
>
> Thank you.
>
> Jim Furstenberg | IT Security Analyst
> CEH

Message from valdis.kletnieks@vt.edu

On Fri, 22 Jun 2012 16:06:05 -0600, Louis APONTE said:
> Kaiten, Rexob, Alaeda, Bad Bunny, Binom, Bliss, Brundle-Fly, The
> Bukowski Project, Diesel, The Kagob Virus, MetaPHOR, Nuxbee, OSF.8759,
> Podloso, Rike, RST, Satyr, Staog, VIT, Winter, Lindose, Wit,
> ZipWorm, Net-worm.linux.adm, Adore, The Cheese Worm, Devnull, Kork,
> Lapper, The L10n Worm, The Mighty Worm, Millen, Ramen, The Slapper Worm,
> SSH Bruteforce

That's all you can find? After well over a *decade* of fairly heavy Linux use in the server world? Meanwhile, signature updates for Windows boxes run into the dozens of megabytes...

Or you can look at the *actual* threat model against most Linux boxes, which involves mostly hacking attacks rather than viruses, and all the countermeasures for that - everything from iptables network filtering to SELinux hardening to... lots of other stuff that's not antivirus.

And the funny thing is that those things *also* protect against viruses by minimizing the attack surface, while AV software doesn't protect against much of anything except viruses.

Or look at it differently - by the time the malware has gotten onto the box far enough for A/V software to deal with it, it means your security has *already* been breached.

A/V software is a smoke alarm - it tells you something is on fire, and is a last line of defense. But when it goes off, you're wishing that the combustion hadn't started in the first place...

Thank you Valdis for writing:
> A/V software is a smoke alarm - it tells you something is on fire, and is a
> last line of defense. But when it goes off, you're wishing that the combustion
> hadn't started in the first place...

I like this analogy; we also need to mention that "if" your Linux box is dealing in Windows file handling you will be a carrier.
This is certainly what we see with Macs. I would urge this carrier aspect be seriously reviewed by anyone, if your box moves, stores or handles Windows files.

la


"5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists."

If you are not using AV then you can either:

1) Develop and implement compensating controls to address the intent of the requirement
2) Demonstrate that the OS (and the particular configuration of that OS) is not "commonly affected by malicious software"

Here is the PCI SSC Guidance for this requirement:

"There is a constant stream of attacks using widely published exploits, often "0 day" (published and spread throughout networks within an hour of discovery) against otherwise secured systems. Without anti-virus software that is updated regularly, these new forms of malicious software can attack and disable your network. Malicious software may be unknowingly downloaded and/or installed from the internet, but computers are also vulnerable when using removable storage devices such as CDs and DVDs, USB memory sticks and hard drives, digital cameras, personal digital assistants (PDAs) and other peripheral devices. Without anti-virus software installed, these computers may become access points into your network, and/or maliciously target information within the network. While systems that are commonly affected by malicious software typically do not include mainframes and most Unix systems (see more detail below), each entity must have a process according to PCI DSS Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly. If another type of solution addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.

Trends in malicious software related to operating systems an entity uses should be included in the identification of new security vulnerabilities, and methods to address new trends should be incorporated into the company's configuration standards and protection mechanisms as needed. Typically, the following operating systems are not commonly affected by malicious software: mainframes, and certain Unix servers (such as AIX, Solaris, and HP-Unix). However, industry trends for malicious software can change quickly and each organization must comply with Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly."

Blake Penn
CISSP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
Trustwave
bpenn@trustwave.com
+1 (678) 685-1277
http://www.trustwave.com

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not necessarily reflect the opinions of Trustwave.