Attacks that are delivered across the network represent the largest number of recorded malware incidents. Typically, malware attacks will be launched to exploit weaknesses in network perimeter defenses to allow the malware to access host devices inside the organization’s IT infrastructure. These devices could be clients, servers, routers, or even firewalls. One of the most difficult problems your antivirus defenses face at this layer is to balance the feature requirements of the IT systems’ users with the limitations required to create an effective defense. For example, like many recent attacks, the MyDoom worm used an e-mail attachment to replicate itself. From an IT infrastructure perspective, blocking all incoming attachments is the simplest and most secure option. However, the requirements of your organization’s e-mail users may not allow this to be a viable option. A compromise must be reached that will strike a balance between an organization’s requirements and the level of risk it can accept.

Many organizations have adopted a multilayer approach to the design of their networks that uses both internal and external network structures. Microsoft recommends this approach because it directly conforms to the defense-in-depth security model.

Note: There is a growing trend to break the internal network into security zones to establish a perimeter for each one. Microsoft also recommends this approach because it helps reduce the overall exposure to a malware attack seeking to gain access to the internal network. However, for the purposes of this guide, only a single network defense is described. If you plan to use a perimeter and multiple internal networks, you can apply this guidance directly to each one.

The first network defenses for the organization are referred to as the perimeter network defenses. These defenses are designed to prevent malware from ever making it into the organization from an external attack. As discussed previously in this chapter, the typical malware attack focuses on copying files to a target computer. Accordingly, your antivirus defenses should work with the organization’s general security measures to ensure that access to the organization’s data is only available from properly authorized personnel in a secure manner (such as via an encrypted virtual private network (VPN) connection). For more information about creating a secure perimeter network design, see the Windows Server System Reference Architecture guidance on TechNet at:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx.

Note: You should also consider any wireless local area networks (LANs) and VPNs as perimeter networks. If your organization has these technologies in place, it is important to secure them. Failure to provide this security could allow an attacker to gain direct access to your internal network (bypassing the standard perimeter defenses) to mount an attack.

For more information about securing WLANs, see the following articles on TechNet:

"Planning a Secure Wireless LAN using Windows Server 2003 Certificate Services" at:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx.

"Securing Wireless LANs – A Windows Server 2003 Certificate Services Solution" at:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx.

For guidance on securing VPN networks, see the following Windows Server System Reference Architecture guide on Microsoft.com:

Enterprise Design for Remote Access at:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/RemoteAccessServices/igrabp_2.mspx.

In this guide, it is assumed that the network security design provides the organization with the required level of identification, authorization, encryption, and protection to defend against a direct intrusion from an unauthorized attacker. However, at this point the antivirus defenses are not complete. The next step is to configure the network layer defenses to detect and filter malware attacks that use permitted network communications, such as e-mail, Web browsing, and instant messaging.

Network Antivirus Configuration

There are many configurations and technologies that are specifically designed to provide network security for organizations. Although these are vital parts of an organization’s security design, this section will only focus on the areas that have a direct relationship with antivirus defense. Your network security and design teams should determine how each of the following techniques is used in your organization.


Network Intrusion Detection System

Because the perimeter network is a highly exposed part of the network, it is extremely important that your network management systems are able to detect and report an attack as soon as possible. The role of a network intrusion detection (NID) system is to provide just that: rapid detection and reporting of external attacks. Although a NID system is part of the overall system security design and not a specific antivirus tool, many of the first signs are common for both system and malware attacks. For example, some malware uses IP scanning to find available systems to infect. For this reason, the NID system should be configured to work with the organization’s network management systems to deliver warnings of any unusual network behavior directly to the organization’s security staff.

A key issue to understand is that with any NID implementation, its protection is only as good as the process that is followed once an intrusion is detected. This process should trigger defenses that can be used to block an attack, and the defenses should be constantly monitored in real-time. Only then can the process be considered part of a defense strategy. Otherwise the NID system is really more of a tool for providing an audit trail after an attack has occurred.
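As an added example (not part of the guide), the following Python sketches the kind of IP-scanning detection a NID system performs against connection records: it reads constructed flow log lines and reports any source that reaches an unusually large number of distinct hosts on one port within a short window. The log format, threshold and window are assumptions.

```python
"""Detect IP-scanning behaviour in connection records (added example).

Constructed flow log lines in a hypothetical format:
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
A source that reaches more than THRESHOLD distinct destination hosts on
one port inside a WINDOW-second sliding window is reported as a scanner.
"""
from collections import defaultdict, deque

WINDOW = 60      # seconds
THRESHOLD = 10   # distinct destination hosts per (src, port) in the window

SAMPLE_LOG = "\n".join(
    # one ordinary client talking to two internal servers
    ["1000 10.0.0.5 10.0.1.20 80 tcp", "1005 10.0.0.5 10.0.1.21 443 tcp"]
    # one host sweeping 10.0.1.0/24 on port 445, one host a second (constructed)
    + [f"{1010 + i} 10.0.0.77 10.0.1.{i} 445 tcp" for i in range(1, 25)]
)


def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def detect_scanners(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {(src, port): distinct_hosts} for sources over the threshold.

    A deque per (src, port) keeps the (ts, dst) pairs inside the window; the
    alert is recorded on the first flow that pushes the distinct-host count
    over the threshold, which is the moment a NID system would raise it.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        q = recent[(src, port)]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > threshold and (src, port) not in alerts:
            alerts[(src, port)] = distinct
    return alerts
```

The alert itself is only the first step: as the paragraph above notes, it has to feed a monitored response process to count as a defense.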

There are a number of enterprise-class network intrusion detection systems available to network designers. These can be stand-alone devices or other systems that integrate into other network services, such as the firewall services of the organization. For example, the Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 products contain NID system capabilities, as well as firewall and proxy services.

For a list of Microsoft ISA Server partners that offer additional NID services for ISA Server, see the Intrusion Detection page on Microsoft.com at:
http://www.microsoft.com/isaserver/partners/intrusiondetection.asp.


Application Layer Filtering

Organizations are finding it not only useful but necessary to use Internet filtering technologies to monitor and screen network communications for illegitimate content, such as viruses. Traditionally, this filtering has been performed using the packet layer filtering provided by firewall services, which only allows filtering of network traffic based on a source or destination IP address, or a particular TCP or UDP network port. Application layer filtering (ALF) works at the application layer of the OSI networking model, so it allows the data to be examined and filtered based on its content. If ALF is used in addition to standard packet layer filtering, much greater security can be achieved. For example, using packet filtering may allow you to filter port 80 network traffic through your organization’s firewall so that it can only pass to your Web servers. However, this approach may not provide sufficient security. Adding ALF to the solution would allow you to check all data passing to the Web servers on port 80 to ensure that it is valid and does not contain any suspicious code.

ISA Server can provide ALF on data packets as they pass through an organization’s firewall. Web browsing and e-mail can be scanned to ensure that content specific to each does not contain suspicious data, such as spam or malware. The ALF capability in ISA Server enables deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol. For a list of vendors who make filters to enhance the security and interoperability for different protocols and Web traffic, see the Partner Application Filters page on Microsoft.com at:
http://www.microsoft.com/isaserver/partners/applicationfilters.asp.

For a detailed description of how ALF works in ISA Server 2000, see the Introducing the ISA Server 2000 Application Layer Filtering Kit page at:
www.isaserver.org/articles/spamalfkit.html.


Content Scanning

Content scanning is available as a feature in more advanced firewall solutions or as a component of a separate service, such as e-mail. Content scanning interrogates data that is being allowed to enter or leave an organization’s network via valid data channels. If content scanning is performed on e-mail, it generally works with e-mail servers to check e-mail for particular characteristics, such as attachments. This technique can scan and identify malware content in real time as the data passes through the service. There are a number of partners who work with Microsoft to provide enhanced security features to both Microsoft Exchange Server and ISA Server, such as real-time antivirus content scanning.

For more details on partner antivirus products available for Microsoft Exchange Server 2003, see the Microsoft Knowledge Base article 823166, "Overview of Exchange Server 2003 and Antivirus Software," on Microsoft.com at:
http://support.microsoft.com/?kbid=823166.

For a list of Microsoft partners who have developed content scanning products for ISA Server, see the Partners page on Microsoft.com at:
http://www.microsoft.com/isaserver/partners/.


URL Filtering

Another option that may be available to network administrators is URL filtering, which you can use to block problem Web sites. For example, you could use URL filtering to block known hacker Web sites, download servers, and personal HTTP e-mail services.

Note: The major HTTP e-mail service sites (such as Hotmail and Yahoo) provide antivirus scanning services, but there are many smaller sites that do not provide antivirus scanning at all. This is a serious problem for an organization’s defenses, as such services provide a route directly from the Internet to clients.

Network administrators can use two basic approaches for URL filtering:

Block lists. The firewall checks a predefined list of problem sites before allowing the connection. Users are allowed to connect with sites that are not specifically on the block list.

Allow lists. This approach only allows communications with sites entered on a predefined list of Web sites that has been approved by the organization.

The first approach relies on an active process of identifying Web sites that may be a problem and adding them to the list. Because of the size and variable nature of the Internet, this approach requires either an automated solution or significant management overhead, and is generally only useful for blocking a small number of known problem sites instead of providing a comprehensive protection solution. The second approach provides greater protection because its restrictive nature makes it possible to control the sites available to users of the system. However, unless the correct research is done to identify all sites that users require, this approach may prove too restrictive for many organizations.

Microsoft ISA Server supports the manual creation of both of these lists using its Site and Content Rules. However, enhanced and automated solutions are available from Microsoft partners that work directly with ISA Server to ensure URLs can be blocked or allowed as required with a minimum of management overhead. A list of these solutions is available from the Microsoft Internet Security and Acceleration Server Partners URL Filtering page on Microsoft.com at:
http://www.microsoft.com/isaserver/partners/accesscontrol.asp.

Both these approaches will only provide protection while a client is inside the organization’s defenses. This protection will not be available when a mobile client connects directly to the Internet while out of the office, which means your network will be susceptible to a possible attack. If a URL filter solution is required for mobile clients in your organization, you should consider using a client-based defense system. However, this approach can lead to a significant management overhead, especially in environments with large numbers of mobile clients.
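The added Python below (not from the guide or from ISA Server) illustrates both the application layer filtering described earlier and the two URL filtering approaches: it takes an HTTP request that a packet filter would already have passed on port 80, rejects malformed requests, and then checks the requested host against either a block list or an allow list, including subdomains of listed sites. The lists, limits and function names are constructed.

```python
"""Application layer filtering of HTTP with a URL filter (added example).

A packet filter can pass port 80 traffic to the Web servers, but it only
sees addresses and ports. This hypothetical ALF step parses the request
line and Host header, rejects malformed requests, then applies either a
block list or an allow list to the requested host. Lists are constructed.
"""
import re

REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[^ \x00-\x1f\x7f]*) HTTP/1\.[01]$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
MAX_URL_LEN = 2048
BLOCK_LIST = {"download.example", "webmail.example"}       # constructed
ALLOW_LIST = {"www.example.com", "partner.example.net"}    # constructed


def normalise_host(host):
    """Lower-case the host, drop a trailing dot and an explicit port."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):                 # IPv6 literal: keep the brackets
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_matches(host, sites):
    """True if host is a listed site or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in sites)


def inspect_request(raw, mode="block"):
    """Return (allowed, reason) for one raw HTTP request in block/allow mode."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, path = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method.decode()} not permitted"
    if len(path) > MAX_URL_LEN:
        return False, "URL too long"
    hosts = [l.split(b":", 1)[1] for l in lines[1:] if l.lower().startswith(b"host:")]
    if len(hosts) != 1:
        return False, "missing or duplicate Host header"
    host = normalise_host(hosts[0].decode("ascii", "replace"))
    if mode == "block" and host_matches(host, BLOCK_LIST):
        return False, f"{host} is on the block list"
    if mode == "allow" and not host_matches(host, ALLOW_LIST):
        return False, f"{host} is not on the allow list"
    return True, "ok"
```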


Quarantine Networks

Another technique you can use to secure networks is to establish a quarantine network for computers that do not meet your organization’s minimum security requirements.

Note: This technique should not be confused with the quarantine feature available in some antivirus applications, which moves an infected file to a safe area on the computer until it can be cleaned.

A quarantine network should restrict, or even block, internal access to your organization’s resources, but provide a level of connectivity (including the Internet) that will allow temporary visitors’ computers to work productively without risking the security of the internal network. If a laptop from a visitor is infected with malware and connects to the network, its ability to infect the other computers on the internal network is restricted by the quarantine network.

An approach similar to this has been successfully applied to VPN-type remote connections for some time. VPN clients are diverted to a temporary quarantine network while system tests are performed. If the client passes the tests, for example by having the required security updates and antivirus signature files, it is granted access to the organization’s internal network. If the client does not meet these requirements, it is either disconnected or allowed access to the quarantine network, which can be used to obtain the necessary updates to pass the tests. Network designers are now looking at this technology to help improve security on internal networks.

For more information on this technique, see the Planning for Network Access Quarantine Control page of the Microsoft Windows Server 2003 Deployment Kit on Microsoft.com at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/depkit/CC2503A6-D2BF-4E82-BFD9-0CB7564A3879.mspx.


ISA Server Feature Pack

If your organization uses ISA Server 2000, Microsoft also recommends using the additional features provided in ISA Server Feature Pack 1. This free add-on provides additional security features that you can use to improve the security of communications (including e-mail) across the firewalls in your network defenses. The features that you can use to improve your antivirus network defenses include:

An enhanced SMTP filter. This feature helps filter e-mail messages with increased reliability and security. The filtering is based on the name, size, or extension of an attachment, as well as the sender, domain, keyword, and any SMTP command and its length.

An enhanced Exchange remote procedure call (RPC) filter. This feature protects Outlook e-mail communication to Exchange Server computers over untrusted networks without requiring you to set up a VPN. To achieve this, the following extra features are also included in ISA Server Feature Pack 1:

The ability for Administrators to enforce RPC encryption between Outlook and an Exchange Server.

The ability for outbound RPC communication to pass securely through ISA Server, which in turn permits Outlook clients connected to an ISA Server computer to access external Exchange Server computers.

UrlScan 2.5. This tool helps stop malicious Web requests at the ISA Server computer before they can enter the network and access a Web server.

Outlook Web Access (OWA) Wizard. You can use this wizard to quickly and easily configure ISA Server to help protect an OWA deployment.

RPC Filter Configuration Wizard. You can use this wizard to only allow a precise level of access to RPC services on the internal network instead of all RPC traffic.
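The following Python is an added example, not code from the guide or from ISA Server Feature Pack 1. It shows attachment-based mail content scanning as described in the Content Scanning section and in the enhanced SMTP filter item above, checking each attachment's name, extension and size plus the sender domain, and it catches a double extension such as report.pdf.exe. The blocked extensions, size limit, sender list and sample message are constructed.

```python
"""Attachment policy for mail content scanning (added example).

Models the checks the text attributes to content scanning and to the
Feature Pack 1 SMTP filter: attachment name, size and extension, plus the
sender domain. Lists and limits here are constructed, not product defaults.
"""
from email import message_from_bytes
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024
BLOCKED_SENDER_DOMAINS = {"spam.example"}


def attachment_verdicts(raw):
    """Return [(filename, reason)] for each attachment the policy would block."""
    msg = message_from_bytes(raw)
    blocked = []
    domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").strip().lower()
    if domain in BLOCKED_SENDER_DOMAINS:
        blocked.append(("*", f"sender domain {domain} is blocked"))
    for part in msg.walk():
        name = part.get_filename()
        if not name:                     # message body or multipart container
            continue
        payload = part.get_payload(decode=True) or b""
        # look at every dotted suffix so 'invoice.pdf.exe' is caught, not
        # just the last one, and compare case-insensitively
        suffixes = ["." + s.lower() for s in name.split(".")[1:]]
        if any(s in BLOCKED_EXTENSIONS for s in suffixes):
            blocked.append((name, "blocked extension"))
        elif len(payload) > MAX_ATTACHMENT_BYTES:
            blocked.append((name, "attachment too large"))
    return blocked


def build_sample():
    """Constructed message: one benign PDF and one executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    return msg.as_bytes()
```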

To obtain the feature pack, see the How to Obtain Feature Pack 1 page on Microsoft.com at:
http://www.microsoft.com/isaserver/featurepack1/howtogetfp1.asp.

For more information about using these features to secure a perimeter ISA Server firewall, see the ISA Server Feature Pack 1 page on Microsoft.com at:
http://www.microsoft.com/isaserver/featurepack1/.

