Beating the Spim-Spam Man

It’s time to wage the battle against viruses and spam—and win.

Are your users asking IT to please do something about spam? What about spim (spam via instant messaging)? Were your campus network services on the ropes after that last malevolent virus attack? If your answer to any of these questions is “yes” (or even, “huh?”), read on for proven methods to avert or at least mitigate these types of risks.

Threat Level Orange

Heard this one lately? “Spam is ubiquitous and merely an annoyance, so users might as well get used to it.” If only that were true! Today, attachments to spam messages are the primary technique by which viruses and other malware (malicious software) are spread. Further, some hackers “aim” spam dumps at particular mail servers to flood them with messages, thus taking them out of service. Such attacks have also been used as a means to sneak into networks. Although the server no longer responds to e-mail messages at that point, it may still be vulnerable to IP or operating system attacks.

Another potentially severe threat is that of viruses entering the network from unexpected angles. Too many campuses (and other entities) have suffered severe virus damage because all their antivirus protections were centralized at the incoming Internet access point, while a virus rode into the network on a “trusted” laptop system (after entering the laptop via the user’s home Internet connection). Methods of entry include e-mail attachments (including attachments to spam, as noted), downloaded software, instant messaging attachments, and direct transfers, including via USB flash drives, floppies, and CD media. And here’s one that could keep you up at night: a virus masquerading as an attached MP3 file. Maybe it hasn’t happened yet, but imagine how fast something like that could spread through your network. What’s a CIO to do?

Prevention and Risk Mitigation

A multilevel approach considering all potential malware entry points will provide your campus with the most effective protection. Tools in your box include communications with users, judicious use of policies and enforcement, and specialized training for network administrators, as well as more tangible options such as focused software and hardware.

Level 1: Communications. Ask your user community to assist you in protecting the network everyone depends upon. First, communicate to them the ways in which malware can infiltrate the system, and show them how to avoid perils at the desktop. Then, inform users how to report suspicious attachments and spam issues. If you don’t have a full help desk, at least create a special e-mail box for such reports, and have support personnel check it at least twice daily.

Within the IT department, train two people as defenders against spam and malware, and if you have someone in charge of network security, have those people report to that officer. A little money spent on training goes a long way toward ensuring uptime for your network. Require these individuals to keep up on CERT advisories (www.cert.org/advisories) and other trustworthy sources of threat information.

Level 2: Policy and Enforcement. Your campus Acceptable Use Policy (AUP) likely includes provisions about users causing damage to the network. Make sure your user community is well aware of this, and of any legal recourse available to the institution if you identify an attacker. Also be sure you have administrative support authorizing you to pursue such cases when feasible.

Level 3: Network Boundary. This is typically where Internet1 service enters and exits the campus. In general, one wants to intercept data traffic that has been designed to cause problems (“bad actor” traffic) before it has a chance to spread. There are both software and hardware solutions available. Many firewall companies now offer add-on software to combat virus infiltration. Plus, there are hardware appliances whose sole purpose is to filter out spam and malware. (See “Taking Action” below for information about a specific appliance-based solution adopted by two universities.) One caveat: Nearly all spam-fighting systems require a fair amount of “tuning” or “teaching” in the first few weeks. Be sure to build this time into your implementation schedule.

Level 4: Servers. Mail servers are the next point of possible damage. If incoming spam hasn’t already been stopped at the boundary, it will pause here as the mail server (or servers) store and route items to be delivered. Many spam filters are designed to be run directly on a mail server, and while generally effective, they also reduce the overall mail-processing capacity of that machine by using processor cycles for their own purposes. Heed this best practice: If you plan to add spam filtering at this level, be sure to run a pilot on a non-production mail server first. Some incompatibilities have been found between various operating systems and applications.
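Whether the filter sits on a boundary appliance or on the mail server itself, one check that catches the “virus masquerading as an MP3” case is to compare an attachment’s declared file extension with the bytes it actually starts with. The following is an added example (not code from the article or from any of the products it names) of that check; the attachment samples at the bottom are constructed, and the block list and accepted signatures are illustrative policy choices.

```python
"""Attachment content check: flag attachments whose bytes do not match the
file type their name claims.  Added illustration; sample attachments below
are constructed, not captured from real mail."""

# Leading bytes ("magic numbers") accepted for a few common extensions.
MAGIC = {
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],  # ID3 tag or MPEG frame sync
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
}

# Leading bytes that identify executable content regardless of the file name.
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/Windows executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}

# Extensions the (assumed) campus policy rejects outright.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def declared_extension(filename):
    """Extension the name claims: the last dot-suffix, so 'song.mp3.exe' -> 'exe'."""
    name = filename.lower().rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    ext = declared_extension(filename)
    head = data[:16]
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is not accepted by policy"
    # Executable content under any other name is held for review.
    for magic, description in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return "quarantine", f"content is a {description} but name claims .{ext or '(none)'}"
    # For known document/media types, require the content to match the name.
    expected = MAGIC.get(ext)
    if expected is not None and not any(head.startswith(m) for m in expected):
        return "quarantine", f"content does not look like .{ext}"
    return "allow", "name and content agree"


def scan(attachments):
    """Classify a list of (filename, bytes) pairs; returns (name, verdict, reason) triples."""
    return [(name, *classify_attachment(name, data)) for name, data in attachments]


# Constructed samples: a real-looking MP3, an executable renamed to .mp3,
# a PDF, a double-extension executable, and an Office document (zip container).
SAMPLE_ATTACHMENTS = [
    ("party.mp3", b"ID3\x03\x00" + b"\x00" * 20),
    ("party.mp3", b"MZ\x90\x00\x03\x00" + b"\x00" * 20),
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("photos.zip.exe", b"MZ\x90\x00" + b"\x00" * 20),
    ("notes.docx", b"PK\x03\x04" + b"\x00" * 20),
]

if __name__ == "__main__":
    for name, verdict, reason in scan(SAMPLE_ATTACHMENTS):
        print(f"{verdict:10} {name:16} {reason}")
```

The check is deliberately conservative: anything executable under a non-executable name is quarantined for a human to look at rather than silently dropped, which is also where the “tuning” period mentioned under Level 3 pays off, since the accepted signature list will need extending for the file types your users legitimately exchange.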

Level 5: User Desktops and Laptops. This is where most campus IT folks surrender, because it’s notoriously difficult to manage all the disparate devices out there. Yet this scenario is also one of the largest potential threats. Today, there are feasible methods to combat the virus threat at this level, assuming one has the support of the campus. These systems/packages typically are offered on a per-user basis, and cost from $40 to $100 per license (depending on quantity). Examples include Symantec Antivirus Corporate Edition (Norton is now owned by Symantec) (enterprisesecurity.symantec.com), McAfee Active Virus Defense (www.mcafeesecurity.com), Sophos Anti-Virus (www.sophos.com), and TrendMicro (www.trendmicro.com).

A relatively new technique to ensure compliance is to compel users’ systems (on login) to first access a security system, which checks the system for antivirus software and which will deny full network access if that software is not present and/or updated. Some of these solutions can also download the latest antivirus version to the non-compliant system. Cisco Systems (www.cisco.com) calls its version the “Network Admission Control.” Other network manufacturers have similar programs, though differently titled. Here’s another best practice: For presentation systems in classrooms, logically isolate those network ports, and ask users to bring only media/data, rather than their own laptops.
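The decision the admission system makes at login is small enough to write down. The following is an added example of that policy evaluation (not Cisco’s Network Admission Control or any vendor’s code): each host submits a posture report, and the evaluator either grants full access or places the host in a remediation zone with a list of what must be fixed. The seven-day definition-age limit, the zone names and the posture reports are all assumptions constructed for the illustration.

```python
"""Login-time admission check: decide, from a host's antivirus posture, whether
it gets full network access or only the remediation zone.  Added illustration;
the policy threshold and the posture reports are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed campus policy: virus definitions older than a week are not current.
MAX_DEFINITION_AGE = timedelta(days=7)


@dataclass
class Posture:
    host: str
    antivirus_installed: bool
    definitions_date: Optional[date]   # None when the client reports no definition date
    realtime_protection: bool


def evaluate(posture: Posture, today: date) -> Tuple[str, List[str]]:
    """Return (zone, remediation_steps).

    zone is 'full' for a compliant host, or 'remediation' for a host that may
    only reach the update servers until the listed steps are done."""
    steps = []
    if not posture.antivirus_installed:
        # Nothing else can be judged until a client is present.
        steps.append("install antivirus client")
    else:
        if (posture.definitions_date is None
                or today - posture.definitions_date > MAX_DEFINITION_AGE):
            steps.append("update virus definitions")
        if not posture.realtime_protection:
            steps.append("enable real-time scanning")
    return ("remediation", steps) if steps else ("full", [])


def admission_report(postures: List[Posture], today: date) -> dict:
    """Map each host name to its assigned zone for the day's login batch."""
    return {p.host: evaluate(p, today)[0] for p in postures}


# Constructed posture reports for one login batch.
TODAY = date(2004, 6, 15)
SAMPLE_POSTURES = [
    Posture("lab-01", True, date(2004, 6, 14), True),          # current, compliant
    Posture("dorm-laptop-22", False, None, False),              # no client at all
    Posture("faculty-07", True, date(2004, 5, 1), True),        # stale definitions
    Posture("visitor-03", True, None, False),                   # no date, no real-time scan
    Posture("lab-02", True, date(2004, 6, 8), True),            # exactly at the 7-day limit
]

if __name__ == "__main__":
    for p in SAMPLE_POSTURES:
        zone, steps = evaluate(p, TODAY)
        print(f"{p.host:16} {zone:12} {'; '.join(steps) or '-'}")
```

Note that a host placed in the remediation zone still needs to reach the antivirus update server, which is what makes the automatic “download the latest antivirus version” behavior described above possible; the zone is a restricted network segment, not a plain denial.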

Taking Action

Not long ago, two universities were inundated with spam and knew they needed to act: At Washburn University (KS), Interim Co-Director of Information Technology Bob Stoller confessed, “Spam was overwhelming us,” and Interim Director of Information Services Jason Lamar at Ohio Wesleyan University (OH) admitted, “We knew we needed more virus and particularly spam protection for our campus e-mail users, but we also wanted to find a solution that didn’t strain our budget.” Both of these universities recently implemented the Barracuda Spam Firewall from Barracuda Networks (www.barracudanetworks.com).

OWU deployed the model 400 (up to 10,000 active e-mail users) in early June 2004, with Lamar noting that implementation of the system “is about as close to ‘plug and play’ as you can get.” Stoller, at Washburn, agreed, reporting, “We had it running in a test setup within 15 minutes.” Based on the model purchased, OWU and Washburn each paid less than $10,000, which included up to five years of updates.

Both administrators agree there is relatively little care and feeding required by the systems. Says Lamar: “Barracuda Networks will automatically and transparently push virus and spam definition updates to the appliance on either an hourly or daily basis. The appliance will also notify you via e-mail when a new firmware update has been released and can be installed, which must be done manually through the Web interface.” Stoller points out that “firmware updates come out every few months, and have been for the most part pain-free. Point and click to install.”

Though the two administrators at different schools had been equally as dubious about finding an affordable way to effectively combat spam, was the search for their perfect solution worth it? Lamar puts it plainly: “It has single-handedly transformed our campus e-mail systems.”
