Wednesday, September 10, 2003

Why the blackbox approach is not a good idea...

If you've been following my rants of late, you can guess where this one is going....

Even taking into account the inertia inherent in corporate thinking, it looks like that management might be realizing that blindly trusting in vendor software might not be a good thing.

For any system to be truly reactive, it must be adaptive. This means that you not only have to have the software, you need the trained personnel. A big plus is having a system that is easily "adapted" to meet situational needs. Unfortunately this counts out just about every piece of commercial software, as its API (or underpinnings) is closed (proprietary).

To date, the most successfully resistant system that I've witnessed in action was a hybrid *nix/MS mix in which the system administrators constantly (let me say it again, CONSTANTLY) monitored their servers and actively responded to new situations. While the end-point was an Exchange server, immediately upstream was a Unix-based Sendmail server which "protected" the Exchange box from viruses (TWO scanners) and UBE (SpamAssassin). All of this was tied together with various Perl scripts which allowed the entire system to be twisted to meet the situational needs of just about any virus attack.

With the Aplore virus, this system protected its 30k+ customers within the first ten minutes of the spike in traffic. None of the customers had to go offline until their anti-virus vendors came up with new signature files. Rather, the heroic efforts of "Steve" (manually deleting infected files on the store-and-forward server while the coder was coming up with a solution) allowed our customers' servers to stay online while other organizational systems were taken offline to protect themselves. The anti-virus vendor came up with new signature files about 36 hours later.
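The post's point is that the glue scripts on the upstream store-and-forward box could be re-tuned in minutes, long before a vendor signature existed. The following is an added example, not the Perl scripts from the system described above, written in Python as an analogue of that glue: a small quarantine filter whose hot-list (attachment names, extensions, and payload hashes) is plain data an on-call admin can extend while the outbreak is still unfolding. The sample messages, attachment names and "worm" payload are all constructed for the example and are not real indicators of the Aplore virus.

```python
"""Adaptable mail-gateway quarantine filter (added example, not the post's code)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Hot-list the operator edits on the fly while the vendor signature is pending.
# Every entry below is constructed for this example; none is a real indicator.
RULES = {
    "names": {"invoice.pif"},                       # hypothetical attachment name
    "extensions": {".pif", ".scr", ".exe", ".bat"},  # executable types blocked wholesale
    "sha256": set(),                                # filled once a sample is captured
}


def attachment_facts(msg):
    """Yield (filename, sha256-of-decoded-payload) for every attachment part."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        yield name, hashlib.sha256(payload).hexdigest()


def classify(raw, rules=RULES):
    """Return ('quarantine', reason) or ('deliver', '') for one raw RFC 822 message.

    Hash match is checked first so a renamed copy of a captured sample is still
    caught; name and extension rules cover variants whose hash is not yet known.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name, digest in attachment_facts(msg):
        lower = name.lower()
        if digest in rules["sha256"]:
            return "quarantine", f"hash match {name}"
        if lower in rules["names"]:
            return "quarantine", f"name match {name}"
        if any(lower.endswith(ext) for ext in rules["extensions"]):
            return "quarantine", f"extension match {name}"
    return "deliver", ""


def build_sample(subject, attachment=None):
    """Construct a sample message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("constructed body text")
    if attachment:
        fname, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


# Constructed stand-in for a captured worm sample (not a real binary).
WORM_PAYLOAD = b"MZ constructed-not-a-real-binary"
RULES["sha256"].add(hashlib.sha256(WORM_PAYLOAD).hexdigest())

# Constructed spool: what a store-and-forward queue might hold mid-outbreak.
SPOOL = [
    build_sample("hello"),                                       # clean, no attachment
    build_sample("see attached", ("invoice.pif", WORM_PAYLOAD)),  # sample as first seen
    build_sample("q3 report", ("q3.pdf", b"%PDF-1.4 constructed")),  # benign attachment
    build_sample("renamed", ("notes.txt", WORM_PAYLOAD)),         # same payload, new name
]


def filter_spool(spool, rules=RULES):
    """Split a spool into deliver/quarantine lists of (index, reason)."""
    out = {"deliver": [], "quarantine": []}
    for i, raw in enumerate(spool):
        verdict, reason = classify(raw, rules)
        out[verdict].append((i, reason))
    return out


if __name__ == "__main__":
    for verdict, items in filter_spool(SPOOL).items():
        print(verdict, items)
```

In a real gateway the spool would be read from the MTA's queue directory and quarantined messages moved aside rather than dropped, so that false positives can be released once the rules are refined.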