Antivirus scanning at VPN endpoints



  • I really really really like PFsense and would love to implement here at our school. It is logical, easy to setup and use but in my humble opinion lacks an important feature and that is antivirus.

    I realise there is a HAVP package in progress but what about protecting your network from the nasties at the end of your VPN tunnels? We offer VPN to staff at home at present but I can't do this with PFsense because there is nothing to prevent the nasties of the home computers infecting our network.

    Is there anything in the pipeline? How, are others getting around this?

    G.



  • As has been pointed out a number of times, antivirus scanning at the border is ineffective and the wrong answer.  There are far better solutions to antivirus scanning.



  • I'll disagree.  Antivirus scanning at the border only is ineffective, but as part of a comprehensive solution, it can help.

    However, you should never allow an untrusted host or network unrestricted access to your network.  I'd suggest instead that when staff VPN in they are connected to a restricted network that only gives them access to a Windows Terminal Server (or similar technology).  If you appropriately secure that host then your risk goes down significantly.



  • Antivirus scanning at the gateway is extremely slow, and extremely easy to circumvent.  There are plenty of ways you can protect your network using pfSense, putting an AV client on it and trying to look inside every stream for malicious content isn't one of them.



  • I see anti-virus as a supplement to low-budget systems (all in one). Or as a separate pfSense-based proxy server for scanning (and i use this in bridge).


Locked