Castleforce IT Security Team

Content Analysis

GCSX No 19.1 Content Analysis

The organisation MUST identify and isolate malicious software (at least viruses, macros, dangerous file types, mobile code and spyware).

GCSX No 19.2 Content Analysis

Content analysis of all incoming and outgoing data, including virus checking of emails and attachments, MUST be performed at the gateway and host.

GCSX No 19.3 Content Analysis

It is RECOMMENDED that the gateway and hosts use content analysis software from different vendors.

GCSX No 19.4 Content Analysis

It is RECOMMENDED that organisations filter against a white list of allowed attachment file types.

GCSX No 19.5 Content Analysis

Any data introduced through removable media MUST be subject to content analysis. It is recommended that this data is subject to the same level of content analysis as incoming email.


Network Vulnerability Scanning

There is quite a range of vendor products that could add an additional layer of scanning at the gateway (network boundary).

Many enterprise firewalls can scan for malicious content, such as the types listed above, using a third-party software utility from mainline vendors or open source AV software.

Check Point Software Technologies Ltd: the Check Point UTM range can scan for vulnerabilities using application-level scanning and added OEM signatures from companies like Kaspersky.

Stonesoft, Securing Information Flow: Stonesoft specialise in High Availability security appliances including firewalls, IDS/IPS and SSL VPN in both hardware and virtual appliances.

Juniper Networks: Networking and security solutions from Juniper Networks help consolidate network security issues for small, medium and large enterprises.

Celestix Networks is the premier developer of Microsoft Windows-based managed security appliances. The MSA security appliance from Celestix is specifically designed for network security, running a hardened version of Microsoft ISA Server 2006.

SonicWALL, Protection at the speed of business: SonicWALL provides firewall products with unified threat management services such as network anti-virus, anti

Network boundary or gateway appliances are often used as an additional layer of security, placed inline or out of band to add scanning ability when the firewall itself is unable to provide it.

Trend Micro is a global leader in network antivirus and internet content security software.



Network Access Control Partners

NAC and IPS by ForeScout Technologies: CounterACT limits non-compliant device access to specified resources, thus enabling users to remain productive while their device-compliance violations are addressed. For example, if a user device is found to have an out-of-date anti-virus (AV) definition file, it can be moved to a VLAN, allowing the user to access email and Internet while blocking the device from other critical resources. CounterACT can then work with existing services to provide guided remediation and/or cue the AV server to auto-update a specific device. Once remediation is complete and the device is found to be in compliance, complete access to the production network may be granted or restored.

CounterACT integrates with a number of remediation services, including patch management, anti-virus, anti-spyware, vulnerability management, and more. These third-party integrations allow CounterACT to orchestrate and automate the process of correcting policy violations. For example, if a device misses a critical patch, CounterACT detects the policy violation and automatically cues the patching engine (Microsoft WSUS or SMS) to update the specific system. Often this can be done without the user’s involvement, retaining update report information for future security audits.