Security Control Enforcement Points

Six points on a network should be protected against e-mail-borne viruses. As pictured in the illustration below, the six points are (clockwise from bottom): workstations, file servers, Exchange servers, mail-scanning servers, backup servers, and firewall content scanners.

Ideally, workstations, laptops, and telecommuters should be running Windows 2000 using the NT File System, Office 2000, Outlook 2000 with the latest security patch, no primary local data storage (mobile users should use Windows 2000’s offline file synchronization feature), and a virus scanner utility with Outlook e-mail scanning. The file server should run a server version of a virus scanner utility and should limit users’ “write” access to only their personal and workgroup files. The Exchange server should run a virus-scanning utility designed especially for Exchange and should run Exchange’s ISScan utility as needed to purge new viruses from the e-mail store. A mail scanner checks incoming and outgoing Internet (SMTP) e-mail before forwarding the processed mail to or from an Exchange server. Backup servers are the key to repairing damaged data or systems. Some organizations may use a firewall content scanner in lieu of a mail scanner to check incoming messages for viruses. The firewall content scanner scans all inbound Internet traffic using Content Vector Protocol and passes it back to the firewall for further processing and routing.