HTTP Proxies used for Fighting Spyware: Feedback

Hi there, long-time Nanog lurker network engineer with a (maybe off-topic) question related to network architecture solutions to fight the spyware/greyware problem. I was wondering if anyone might have any experience deploying anti-spyware solutions which reside on HTTP Proxies. Several products claim to be able to detect spyware on the wire such as ISS, SonicWall, Fortinet, Astaro, BlueCoat. However, I am concerned about the performance, especially since they have to use an AntiVirus product on the back-end (heavy processing). Curious what the user experience might be, how effective any of these solutions are in really catching spyware, and any other operational experiences from engineers employing any of these solutions out in the field (not from vendors, please) that may help narrow down the choices. Thanks for any input.

Apologies up-front if this really is off topic, but my experience with
proxies and security, in general, might be of value in this case.

I use an HTTP proxy to help identify, block and report Spyware. I'm using
a Squid proxy with a SquidGuard blacklist which I update more so than the
community does.
As spyware hits our network here, I find their entries in the Squid access
log and add the entries to the blacklist. The trouble is, I'm just one
guy doing it when I can. Perhaps it would be of value to form a community
that updates a centralized database (or just a flat text file, like
SquidGuard does) which identifies and blacklists websites, domains and URLs
which contain viruses/phishers/malware content? I would most certainly be
interested in working on a project like that.

However, much like my opinion on mitigating SPAM, I'm not convinced this
is any sort of catch-all solution. I manage malware protection the same
way I manage SPAM protection: a slew of 2-5 mechanisms which work
together to bring the best results whilst still maintaining the least
number of false positives possible.

So, got some free time? I'd gladly start a project/database/website to
put a malware blacklist database together. The key to it being
successful is unanimous decisions on what is blocked and what is not.

Again, if this is off-topic, my apologies.
Speaking of which, can someone re-point me to the document that explains
what is and is not considered to be on-topic? :)

Tim Rainier
Information Services, Kalsec, INC
trainier@kalsec.com

Two Bit <two.bit7@gmail.com>
Sent by: owner-nanog@merit.edu
09/23/2005 03:17 PM
Please respond to
Two Bit <two.bit7@gmail.com>

To
nanog@merit.edu
cc

Subject
HTTP Proxies used for Fighting Spyware: Feedback

Hi there, long-time Nanog lurker network engineer with a (maybe off-topic)
question related to network architecture solutions to fight the
spyware/greyware problem. I was wondering if anyone might have any
experience deploying anti-spyware solutions which reside on HTTP Proxies.
Several products claim to be able to detect spyware on the wire such as
ISS, SonicWall, Fortinet, Astaro, BlueCoat. However, I am concerned about
the performance, especially since they have to use an AntiVirus product on
the back-end (heavy processing). Curious what the user experience might
be, how effective any of these solutions are in really catching spyware,
and any other operational experiences from engineers employing any of
these solutions out in the field (not from vendors, please) that may help
narrow down the choices. Thanks for any input.
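A concrete version of the loop Tim describes above (search the Squid access log for what an infected machine talked to, then add the hits to the SquidGuard blacklist), written here as an added example; it is not code from the thread or from any poster's tooling. The access.log lines are constructed samples in Squid's native log format, and the client addresses, hostnames and review heuristics are assumptions for illustration, not indicators from any real feed. SquidGuard's `domains` file takes one bare hostname per line and its `urls` file takes `host/path` entries with no scheme, which is what the last function emits.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of Squid's native access.log format (not real traffic):
# time elapsed client action/status bytes method URL ident hierarchy/peer type
# 10.1.2.37 is the machine suspected of infection; 10.1.2.38 is a bystander.
SAMPLE_ACCESS_LOG = """\
1127503020.123    145 10.1.2.37 TCP_MISS/200 5123 GET http://www.example.com/news/ - DIRECT/192.0.2.10 text/html
1127503021.456     98 10.1.2.37 TCP_MISS/200 61440 GET http://dl.spyware-example.net/install/toolbar.exe - DIRECT/198.51.100.7 application/octet-stream
1127503022.001     12 10.1.2.37 TCP_MISS/200 311 GET http://stats.spyware-example.net/beacon?id=42 - DIRECT/198.51.100.8 image/gif
1127503030.777     40 10.1.2.38 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1127503041.900     33 10.1.2.37 TCP_MISS/200 311 GET http://stats.spyware-example.net/beacon?id=43 - DIRECT/198.51.100.8 image/gif
1127503050.222    101 10.1.2.37 TCP_DENIED/403 1189 GET http://ads.example.org/track.js - NONE/- text/html
1127503060.000   2000 10.1.2.37 TCP_MISS/200 4096 CONNECT secure.example.com:443 - DIRECT/203.0.113.5 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_access_log(text):
    """Parse Squid native access.log lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["method"] == "CONNECT":
            # CONNECT (HTTPS) logs only host:port: the proxy never sees the path,
            # so an HTTPS destination can only ever be blocked by hostname.
            rec["host"] = rec["url"].rsplit(":", 1)[0].lower()
            rec["path"] = ""
        else:
            parts = urlsplit(rec["url"])
            rec["host"] = parts.hostname or ""   # lower-cased, port stripped
            rec["path"] = parts.path or "/"      # query string dropped
        records.append(rec)
    return records


def destinations_for_client(records, client):
    """Per-host summary of where one client went: hit count, distinct paths,
    content types, and how many of those hits the proxy already denied."""
    summary = defaultdict(lambda: {"hits": 0, "paths": set(), "types": set(), "denied": 0})
    for rec in records:
        if rec["client"] != client:
            continue
        s = summary[rec["host"]]
        s["hits"] += 1
        s["paths"].add(rec["path"])
        s["types"].add(rec["ctype"])
        if rec["action"].startswith("TCP_DENIED"):
            s["denied"] += 1
    return dict(summary)


def review_candidates(summary, allowlist=frozenset()):
    """Rank hosts for a human to look at. These are assumed heuristics, not a
    verdict: the decision to blacklist is still made by a person."""
    out = []
    for host, s in summary.items():
        if host in allowlist:
            continue
        reasons = []
        if "application/octet-stream" in s["types"]:
            reasons.append("binary download")
        if s["hits"] >= 2 and len(s["paths"]) == 1:
            reasons.append("repeated beacon to one path (%d hits)" % s["hits"])
        if s["denied"] == s["hits"]:
            reasons.append("already denied by proxy; nothing to add")
        if reasons:
            out.append((host, sorted(s["paths"]), reasons))
    return sorted(out)


def to_squidguard(verdicts):
    """Turn reviewed verdicts into SquidGuard 'domains' and 'urls' file contents.
    verdicts: host -> "domain" (block the whole host) or a list of paths."""
    domains, urls = [], []
    for host, verdict in sorted(verdicts.items()):
        if verdict == "domain":
            domains.append(host)
        else:
            urls.extend(host + path for path in verdict)
    return "\n".join(domains) + "\n", "\n".join(urls) + "\n"


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for host, paths, reasons in review_candidates(
            destinations_for_client(recs, "10.1.2.37"), allowlist={"www.example.com"}):
        print(host, paths, "; ".join(reasons))
    domains_txt, urls_txt = to_squidguard({
        "stats.spyware-example.net": "domain",
        "dl.spyware-example.net": ["/install/toolbar.exe"],
    })
    print(domains_txt, urls_txt, sep="---\n")
```

Two things the sample is built to show: a `TCP_DENIED` line is a hit the proxy already stopped, so it should not be re-added as if it were new, and a `CONNECT` line carries no path, so the only blacklist entry the proxy can enforce for HTTPS is the hostname.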

So, got some free time? I'd gladly start a project/database/website to
put a malware blacklist database together. The key to it being
successful is unanimous decisions on what is blocked and what is not.

perhaps a vendor-neutral format file and a few tools to make
squidguard/bluecoat/blah filters? :)

Again, if this is off-topic, my apologies.
Speaking of which, can someone re-point me to the document that explains
what is and is not considered to be on-topic? :)

this seemed on topic.

perhaps a vendor-neutral format file and a few tools to make
squidguard/bluecoat/blah filters? :)

That's the point. The filters I maintain are simply flat text files that
SquidGuard looks at. It's very fast, too.
I'll put something together this weekend.

Tim Rainier
Information Services, Kalsec, INC
trainier@kalsec.com

"Christopher L. Morrow" <christopher.morrow@mci.com>
09/23/2005 03:56 PM

To
trainier@kalsec.com
cc
nanog@merit.edu
Subject
Re: HTTP Proxies used for Fighting Spyware: Feedback

So, got some free time? I'd gladly start a project/database/website to
put a malware blacklist database together. The key to it being
successful is unanimous decisions on what is blocked and what is not.

perhaps a vendor-neutral format file and a few tools to make
squidguard/bluecoat/blah filters? :)

Again, if this is off-topic, my apologies.
Speaking of which, can someone re-point me to the document that explains
what is and is not considered to be on-topic? :)

this seemed on topic.

hurray, perhaps anti-malware-proxy.sourceforge.net ? and people can cvs
updated files at will? (perhaps even adding changes via cvs as well even?)

-Chris
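One shape the vendor-neutral file and conversion tools Chris proposes (and Tim agrees to start on) could take, as an added example rather than anything the thread's participants published. The list format itself is an assumption: one bare host or `host/path` per line, no scheme, `#` comments, one file per category. The SquidGuard `domains`/`urls` layout and the `dest` stanza follow squidGuard's documented configuration; the Blue Coat output assumes the ProxySG local-database `define category ... end` syntax and should be checked against your release before loading. The entries are constructed and are not real indicators.

```python
import re

# Constructed example of the assumed vendor-neutral list (not a real feed).
# The messy lines are deliberate: they exercise the normalisation below.
NEUTRAL_LIST = """\
# spyware category, maintained by hand
dl.spyware-example.net/install/toolbar.exe
stats.spyware-example.net
STATS.Spyware-Example.net           # duplicate differing only in case
stats.spyware-example.net/beacon    # redundant: the whole domain is listed
http://tracker.example.org/         # scheme not allowed; stripped
spyware_toolbar                     # not a hostname; rejected
"""

# Hostname: dot-separated labels of letters, digits and hyphens (lower-cased first).
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def parse_neutral(text):
    """Parse the list into sorted (domains, urls) plus the raw lines rejected.
    Hosts are lower-cased, schemes and comments stripped, duplicates collapsed,
    and a host/path entry is dropped when its host is already blocked outright."""
    domains, urls, rejected = set(), set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        entry = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry, flags=re.I)
        host, sep, path = entry.partition("/")
        host = host.lower()
        if not HOST_RE.match(host):
            rejected.append(raw)
            continue
        if sep and path.strip("/"):
            urls.add(host + "/" + path)
        else:
            domains.add(host)
    urls = {u for u in urls if u.split("/", 1)[0] not in domains}
    return sorted(domains), sorted(urls), rejected


def to_squidguard(domains, urls, category="spyware"):
    """SquidGuard's two flat files (keyed by relative path under the blacklist
    directory) and the squidGuard.conf 'dest' stanza that points at them."""
    files = {
        "%s/domains" % category: "\n".join(domains) + "\n",
        "%s/urls" % category: "\n".join(urls) + "\n",
    }
    conf = ("dest %s {\n    domainlist %s/domains\n    urllist    %s/urls\n}\n"
            % (category, category, category))
    return files, conf


def to_bluecoat(domains, urls, category="spyware"):
    """Blue Coat ProxySG local database text. Assumed syntax: a
    'define category NAME' block of entries closed by 'end'."""
    body = "\n".join("  " + e for e in list(domains) + list(urls))
    return "define category %s\n%s\nend\n" % (category, body)


if __name__ == "__main__":
    domains, urls, rejected = parse_neutral(NEUTRAL_LIST)
    files, conf = to_squidguard(domains, urls)
    for name, body in files.items():
        print("==", name); print(body, end="")
    print("== squidGuard.conf"); print(conf, end="")
    print("== bluecoat local database"); print(to_bluecoat(domains, urls), end="")
    print("rejected:", rejected)
```

The normalisation step is where a shared list earns its keep: case-only duplicates and `host/path` entries already covered by a domain entry are exactly what accumulates when several people append to one flat file by hand, and they are harmless in SquidGuard but noisy to review. Hold the neutral file in version control (the cvs idea above) and regenerate the vendor files from it rather than editing the generated files directly.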