Anti-Virus/Anti-Malware Software Rendered Useless without Outbound SSL Inspection
An ISAserver.org member wrote to me about a problem last week after I posted an announcement about a new Celestix offering that includes Kaspersky AV and anti-malware on the box. The advantage of putting Kaspersky on the Celestix ISA firewall is that the Celestix ISA firewall can inspect the contents of the session between your internal clients and external servers and block malware before it has a chance to enter and infect your network.
Inline anti-malware is a great thing. Why? Because you can't always depend on endpoint security. Users might disable their AV and anti-malware software, the AV or anti-malware software might not be updated, or the AV or anti-malware software on the clients might have been corrupted by other malware or by the user's attempts to get around it.
In contrast, the ISA firewall administrator is responsible for maintaining the ISA firewall and its AV and anti-malware solution, and can ensure that the software is updated, current and uncorrupted. Most of us can agree that there is no replacement for in-line network AV and anti-malware devices when it comes to a comprehensive defense in depth plan.
The problem with this scenario, as mentioned by our good ISAserver.org member, is that when there is an SSL connection between the internal client and the external server, the AV and anti-malware software is totally helpless to provide protection. The reason is that the ISA firewall, out of the box, does not perform outbound SSL inspection. Once the SSL connection is established between the client and the external server, the contents of the communication are hidden within an SSL tunnel, similar to what you see when an internal user establishes a VPN connection to a remote network.
There's a reason why we don't allow outbound VPN connections to a remote network. You have no idea how secure the remote network is, and you have no idea what security controls they've placed on that remote network. If you can't trust that network, you can't trust that a direct tunnel to that network isn't going to suck down all sorts of viruses and malware into your network, completely hidden from the AV and anti-malware protections that you've implemented at the firewall.
So, if you don't allow VPN connections for valid security reasons, why would you allow SSL connections? Did you know that much of today's malware takes advantage of SSL connections to hide from your firewall controls, so that it can download more malware from attackers' Web servers? How are you going to protect your network from this gaping SSL security hole?
If you're using an ISA firewall, the solution is easy. While we don't have outbound SSL inspection available out of the box, you can get the ClearTunnel add-on to provide this vitally important security. ClearTunnel breaks open the outbound SSL tunnel so that your ISA firewall can inspect the session and clean out the malware before it makes it to your client computers and spreads to other clients and servers on your network.
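Before deciding how urgently you need something like ClearTunnel, it helps to measure how much of your outbound Web traffic already rides inside SSL tunnels that the firewall's AV filter never opens. The script below is an added example, not code from the article or from Collective Software; it assumes a simplified W3C-style proxy log (the column layout and the sample records are constructed for illustration, not the real ISA Web proxy log format) and reports the bytes that passed through CONNECT tunnels, which the inline AV could not scan, versus the bytes that were inspected.

```python
"""Measure how much outbound web traffic bypasses inline AV because it rides
inside SSL tunnels (CONNECT requests) that the firewall never opens."""
from collections import defaultdict

# Constructed sample in a simplified W3C-style proxy log. Assumption: this
# column layout is illustrative, not the actual ISA Web proxy log format.
SAMPLE_LOG = """\
#Fields: date time c-ip s-operation r-host r-port cs-bytes sc-bytes sc-status
2008-03-10 09:01:12 10.0.0.15 GET www.example.com 80 412 18233 200
2008-03-10 09:01:40 10.0.0.15 CONNECT mail.example.net 443 10240 2345112 200
2008-03-10 09:02:05 10.0.0.22 GET cdn.example.org 80 300 530022 200
2008-03-10 09:02:33 10.0.0.22 CONNECT files.example.net 443 9003 4096000 200
2008-03-10 09:03:01 10.0.0.31 CONNECT 203.0.113.7 8443 512 77000 200
"""

def parse_w3c(text):
    """Yield one dict per record, using the '#Fields:' header for names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows, don't miscount
                yield dict(zip(fields, values))

def inspection_gap(text):
    """Return (opaque_bytes, inspected_bytes, opaque bytes per host,
    tunnels to non-443 ports). A CONNECT record is a raw tunnel: the
    firewall's AV filter saw none of the payload inside it."""
    opaque = inspected = 0
    by_host = defaultdict(int)
    odd_ports = []
    for row in parse_w3c(text):
        size = int(row["cs-bytes"]) + int(row["sc-bytes"])
        if row["s-operation"].upper() == "CONNECT":
            opaque += size
            by_host[row["r-host"]] += size
            if row["r-port"] != "443":
                odd_ports.append((row["r-host"], row["r-port"]))
        else:
            inspected += size
    return opaque, inspected, dict(by_host), odd_ports

if __name__ == "__main__":
    op, ins, hosts, odd = inspection_gap(SAMPLE_LOG)
    print(f"bytes the AV filter never saw: {op} of {op + ins} ({100 * op / (op + ins):.1f}%)")
    for host, b in sorted(hosts.items(), key=lambda kv: -kv[1]):
        print(f"  {host}: {b} bytes tunneled")
    print("tunnels on non-443 ports:", odd)
```

Tunnels to ports other than 443 are listed separately because they are the same blind spot on an unexpected port and deserve a closer look in the firewall rules.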
To learn more about ClearTunnel, check out my article at http://www.isaserver.org/tutorials/Product-Review-Collective-Software-ClearTunnel.html
To get more information about ClearTunnel from Collective Software, check out http://www.collectivesoftware.com/Products/ClearTunnel
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)