Virus/Malware/Spyware Network Security Solutions

I have a somewhat abstract network security question.  I am newly administering networks on two separate locations with around 60 nodes each and have been working to enhance their network security.  I know this encompasses too many areas to go into in a single topic, so I am looking for advice in the area of virus/spyware/malware etc. security.

Currently I have upgraded both networks to Symantec Endpoint Protection 11 for all servers and clients.  I have been doing further research in virus protection and many experts recommend multiple solutions to better protect a network from attack.  For instance, I recently ran into a couple virus attacks which completely bypassed Symantec Endpoint Protection and had to be found and removed manually.  I know this is an issue which can never be protected against fully, but it seems there are solutions which will greatly enhance network security.  One obvious addition is a hardware firewall for both networks which I am currently in the process of obtaining and installing.  For this reason, I would like to narrow this focus down to purely the network software.  My question is this&

What combination of network protection software would you recommend to be placed on both Server and Client machines?  I.E., would you recommend using a malware and/or spyware product in parallel with Symantec Endpoint Protection?  And even though I am utilizing Symantec Endpoint Protection currently, I would also like to hear if you have had better results with other solutions in network environments since others may be needing this and for my own reference when doing future upgrades.  Also, please expound if you feel I have left off other key concerns pertaining to this focus.

My largest concern is experienced issues when combining products of this nature since many of their securities overlap and will cause conflicts, which I have seen many times in the past.  Please add any knowledge you have as to why the proposed solutions are preferable to increase mine and other readers understanding in the area.  Lastly, as is the case in nearly all organizations, cost is an issue.  So if some of the ideal solutions are quite costly, a secondary recommendation for a similar but more cost effective solution would be greatly appreciated.

Thank you in advance for the help and I look forward to hearing from the experts in this area.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Limiting to software, and not getting into the SPAM question that combines nicely with edge defense....

1)  The best protection is a multi-layer defense in addition to user training.  Layer 1 -- external entry point (Internet, e-mail).  For this a SMTP & web proxy edge server with antivirus / antimalware software or an applicance such as Barracuda.  Edge device may be all the bells and whistles, or simply anti-virus.  Layer 2 -- internal entry point (workstations).  For this layer a network antivirus / anti-malware software solution such as Symantec.  Anti-malware is important at this layer, since dealing with adware / spyware is a major factor is IT today.  Layer 3 -- server and filestore protection.  For this layer a anti-virus software package that works with servers (if you manage your severs properly you will not need anti-malware at this layer except for TS / Citrix where users have access).

2)  Each layer should use different software, and all layers should use top rated software.  The reason for this is because one vendor may update for a specific threat more quickly than another.  By having multiple solutions in place you are more likely to catch / localize the virus at one of the defense layers.

3)  Don't try running multiple overlapping software packages on any given machine (e.g. Symantec and  Kaspersky).  If, however, your anti-virus does not also do anti-malware then you would want to add an anti-malware solution in parallel.  Fortunately, anti-virus software is finally catching up to the need of integrated anti-malware.

4)  Training and response -- just like your Disaster Recovery plan you don't want to wait until you get a virus before you start figuring out what to do.  Even with top-notch anti-virus you may still get hit somewhere down the line.  In a large organization you will want a virus response team.  In a small organization you may be the "team".  Users should be trained as well on safe computing practices (for example, don't follow that link that says "your system is infected, follow this link to download anti-virus software").

Now find an organization that actually does all three layers, appropriate training, and pre-development of the plan.  Some do, but most do not primarily because of cost / complexity.  More frequently you will find a 2 layer defense -- an edge server primarily for nasties in e-mail and a a single anti-virus package on every system and server.  Even more frequently is the 1 layer defense -- antivirus on workstations and servers.  Then of course you have all the gamblers out there who don't have even a proper 1 layer protection.

What is enough becomes the business question.  When I put on my security hat I have to say a proper 3 layer defense is the right strategy.  When I stick on my business cap a complete 1-layer defense (by complete I mean good anti-virus and anti-malware deployed to every network server and workstation) may be a sufficient cost / risk balance.  In all honesty, I have only been in two companies where IS got green-light to implement a full 3 layer anti-virus solution.  Both instances we were high exposure so the cost was well worth lowering risk.

Running different anti-virus on your servers than your workstations is not much cost, nor does it increase complexity much (other than figuring out where to put your management console for the workstations).  But honestly, the incremental protection provided here is rather small as well.  Getting a good edge device in place is where you will get more bang for buck (this wraps me around to anti-SPAM that I said I'd ignore....most of your good edge devices / software packages are going to provide capability  both anti-virus and anti-SPAM).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FeraghAuthor Commented:
Thanks for the detailed and informative reply.  That answers many of my questions quite nicely.  You are right in that the companies will most definitely not spring for the cost of the 3 layer solutions, but I will definitely be using several of the suggestions stated above.  I especially like the idea of varying the software makes between the client and server levels.

A couple follow up questions for you.  Have you found any anti-virus/malware products to work better for clients and others for servers?  In my case, both client and servers are Microsoft, namely Windows XP Pro and Windows Server 2003.  I am also curious to know more on your thoughts on anti-spam.  We currently use an anti-spam product from GFI for one company and the other has yet to impletement one.  And are you talking more than just a software based anti-spam client.  The mail client I am using is Exchange 2003.

Thanks again for the help.
Anti-SPAM....Brightmail is the best solutions I've ever used.  If your network is small you can get away with loading it directly on the Exchange server.  But the better approach (and the only good approach in larger networks) is to set up Brightmail on a seperate system (btw, this applies to GFI also).  Currently I am using a Barracuda appliance, which also works well.  Takes a bit more maintenance than Brightmail, and I cannot get it "locked down" as much as Brightmail without getting false positives.  I have never used GFI, but it does get good reviews (from my understanding it is utilizing the same technology Barracuda uses).  Brightmail and Barracuda offer anti-virus, as does GFI if I remember correctly from last time I read a product brief for GFI.

Anti-virus probably gets more into the esoteric discussions.  Symantec anti-virus is obviously a leader in market-share, and I've had no complaints on their anti-virus (thought I strongly recommend against their Internet Security Suite product).  McAfee is getting good reviews, but I have had problems in the past with them.  I am using AVG right now with good success (you will find that AVG does not get top-spot on reviews though).  I've also used Fprot on servers many years ago, but their ratings have slipped since I used it last.

My current opinion on Anti-virus is that basically any of the "top 5" products are about the same, and any of the "top 10" will give you about equally good protection.  This, of course, can be the topic of very vigorous debate!

For servers, you do want to be sure that you are using a product specifically designed to run on servers, and from a company that has been around for awhile.  I have used Symantec, Fprot, McAfee, AVG, and a handful of others on servers.  Fprot is the only one that caused problems...I had to tweak it because "out of the box" killed performance on one of our apps.  I also once had a customer blow up a server once when they uninstalled Symantec, and I had to go in and manually clean up the registry for them.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.