How to safely connect a Windows machine that CAN'T have anti-virus (due to real time demands) to the internet via a Windows machine that is protected?

2

1

I have a Windows-based machine that cannot have anti-virus installed due to the performance impact that would have on the machine's role as the controller in a live radio studio mixing console. This setup is a commercially available system, not one I am building myself.

I believe the question has value beyond the application in broadcast radio, for other domains that need deterministic real-time performance - or as close to that as possible.

I have found anti-virus software can use a significant amount of CPU cycles/processing power, particularly when updating virus definitions and then installing them. In fact I've observed machines lock up/freeze for several seconds while the definitions are updated following their download.

The expected slow-down/freezing during anti-virus updates is unacceptable in a radio studio environment as it would result in unresponsiveness of the console, resulting in "dead air" - silence on air and a bewildered presenter. Anti-virus updates occur as soon as they are made available and it's preferable to install them as soon as possible, but this is unpredictable.

The machine needs to be connected to the internet so that:

  • Remoting: it can be controlled remotely using VNC for station management or some presenters working from home
  • Streaming: it can stream the broadcast to an off-site internet radio streaming server for internet-based listeners
  • FTP: it can accept files, e.g. pre-recorded radio shows, reports, music for automated playout or use in a live show. Also for logging presenter output, for download by station management for review
  • Local Networking with other on-site studio machines and office machines that are connected to the internet

Presenters will not use a web browser or email on this machine; they use another machine. So the need for internet is for essential management reasons.

So I propose to connect it to the internet, without anti-virus installed and with Windows Updates scheduled manually at off-peak times, via another machine that filters traffic and scans it for viruses. How could this be done?

therobyouknow

Posted 2010-01-10T15:30:55.480

Reputation: 3 596

I honestly can't see this getting infected even if you just stick it online without doing anything else. – Phoshi – 2010-01-10T15:34:07.923

Thanks everyone for the useful answers - I've read through most. When I have some more time I'll finish reading through and investigate your suggestions further and follow up back here with an accepted answer. For the time being - thank you! – therobyouknow – 2010-01-12T13:01:01.203

Answers

5

I would use a hardware firewall to protect the machine from both the Internet access and intranet access. A hardware firewall will give you reliability and speed.

I would start with the machine having all the traffic blocked and then only allow those IP addresses, ports, protocols and directions that are needed for it to work. For example, if there will be no web surfing, then I wouldn't add a rule to open port 80 out. If you have a remote administrator, I would allow the ports for VNC in from their IP address. The same for FTP. This way if you aren't talking from the right IP address you are blocked. Also, if someone tries to go out on the machine and check their email they are blocked.

I would also set these rules up for the rest of the intranet. I would only create rules to allow communication to those computers/ports/protocols needed. This way if a machine on the intranet gets compromised, it will have a harder time to spread to the unprotected machine.

Basically, this machine would be in a DMZ configuration.

I would also run Spybot Search & Destroy and SpywareBlaster and immunize the machine. There is no real time cost to this because it isn't a scan, but just a configuration setting. All this does is basically blacklist ActiveX controls and bad sites in the Hosts file. This can prevent a machine from being infected by preventing some bad things from being executed. Of course, you would have to allow via the hardware firewall the ability for the machine to update. You can do this manually or white list those sites.

The firewall you choose should be able to alert you of problems. I would flag some rules to see if anyone is attempting to do anything they shouldn't (i.e. checking email, surfing the web, someone attempting access to the FTP port (especially if left on the default ports)). I use a Zywall which has all the above features, but there are many companies. One thing you should consider is that hardware firewalls have specifications on throughput. You want to get a firewall that can process the information fast enough.

The remote users could also VPN in to some firewalls, that way you don't have to publicly expose some things like VNC or FTP.

Also, some VNC software will allow you to use certificates to authenticate. This could help because it allows better security: there is no username/password to guess, and the end user could run the software and it would just work (less for the end user to remember). If not, I recommend using KeePass and having it generate a high-entropy password that would be difficult for machines to break.

I hope these tips help.

(Also, because this is a business critical machine, I would image the system so if something did happen, you could get back to a known good state.)

Scott McClenning

Posted 2010-01-10T15:30:55.480

Reputation: 3 519

I would add a bit stronger warning to the above answer, absolutely no blanket allow rules. Deny all, and allow traffic one IP+port+protocol combination at a time. No taking shortcuts with wildcards. – Stephanie – 2014-08-22T21:01:14.070

+1 I think this may be the accepted answer. Though I forgot to say I have limited budget and probably couldn't afford a router-based solution. I'll read all of the answers and do some further research and then follow up. – therobyouknow – 2010-01-12T12:54:14.870

If budget is tight, with an old PC you may be able to use something like SmoothWall http://www.smoothwall.org/, but I suggested hardware because of speed and reliability. That said, we all must live in our budget and perhaps a software firewall will work. If you can get some time to test before production that always helps, but sometimes we aren't given that either. Good luck. – Scott McClenning – 2010-01-12T16:54:45.613

I've accepted this answer because it is most comprehensive, includes budget considerations and makes a good point about imaging the hard drive. Also, other posters here have given answers that are not mentioned here so I have credited them with upping their scores. Thanks everyone. – therobyouknow – 2010-01-13T16:53:14.037

4

A computer that's isolated enough from the network can't be infected.

As long as you don't share its hard disks, you uninstall any Microsoft or third-party software that listens on TCP/UDP ports (such as IIS), and there's only one safe working application, then there's no way that it can be infected.

Conclusion: Antivirus is not required.

However, I see Windows Updates as being a far greater danger to such a vital machine, as there's always the chance that it will break your Windows installation. I would set Windows Updates to "check but let me choose when", and make sure to take a backup of the system before. It would help in this case for the system disk to contain only system and applications, with data being stored on another disk/partition. This way, you can take an image backup of the system disk before applying the Windows Updates once a month and be sure, in case of a problem, of being able to restore a working system.

harrymc

Posted 2010-01-10T15:30:55.480

Reputation: 306 093

I completely agree with the comment about Windows Updates being potentially dangerous. The times I have seen company servers knocked out of action because of "simple" updates. Gotta love Patch Tuesday... gulp. – Kez – 2010-01-10T16:47:14.407

ezwi: Contrast that with the large number of Windows machines that are part of a botnet due to not being sufficiently patched (it's almost never 0-days). :-) – Joey – 2010-01-11T12:25:53.957

@Johannes Rössel: Windows Updates should be done regularly, but with precaution and having an escape route. A backup in the form of a system-disk image is maybe enough of a precaution to allow automatic updates. If a problem arrives, the image can be restored and updated manually. The procedure given in my answer is for others maybe an overkill. – harrymc – 2010-01-11T12:36:24.237

Agree with both comments! The lesser of two evils really, isn't it :) – Kez – 2010-01-11T23:07:28.330

+1 Thanks. I'd certainly like to agree with this. By isolation I think we mean closing any unused ports and not allowing an executable to be transmitted to the machine and actually run. Also turning off the ability to run anything remotely or unauthorised ftp/telnet usage to place things on the machine. – therobyouknow – 2010-01-12T12:56:40.457

Closing unused ports is not absolutely necessary if nobody is listening on them ... – harrymc – 2010-01-12T15:34:21.423

3

I wouldn't bother. Antivirus doesn't help too much so long as you're not opening dodgy email attachments or downloading a lot of executable files. For example, Steve Gibson of Security Now doesn't run any antivirus.

Having a router between the computer and the internet is far more important.

Iain

Posted 2010-01-10T15:30:55.480

Reputation: 4 399

Agreed. I have gone long periods of time without using anti-virus. As long as you are careful what sites you go on and don't open attachments from emails trying to sell you viagra you should stay virus free. Now though, I use Microsoft Security Essentials just because it's free and not naggy like most anti-virus programs. – Connor W – 2010-01-10T15:51:38.263

I haven't used an antivirus for over 2 years - never got a virus (at least, I assume I haven't. I keep check of what's running and loading, and occasionally scan with a non-realtime scanner like A² or ClamWin). – Phoshi – 2010-01-10T16:31:41.037

Thanks. I'll look this up and get back with my findings. – therobyouknow – 2010-01-12T12:57:18.927

3

If you want to be safe, I would recommend you take a look at Microsoft Security Essentials. It is a very fast and small anti-virus program and it works very well.

I used to use no antivirus and was safe for many years, but the fact is, MSE and some others (if you do a bit of research) take up next to no hard drive space, under 50MB of memory, and very few CPU cycles; if you want to be safe, there really isn't a reason not to use it.

Quite frankly, any machine that would slow down due to (any) anti-virus program, I would say, in this day and age, should not be relied upon for a serious production environment anyway.

After this, you may want to look at simply using the Windows Firewall and block everything other than required ports.

Lastly, for your radio program, you may want to go to Task Manager and increase its priority so it gets a higher share of CPU time.

William Hilsum

Posted 2010-01-10T15:30:55.480

Reputation: 111 572

Nice tip with the process priority there. – Nathaniel – 2010-01-11T00:21:01.750

I agree. Nice tip +1 – therobyouknow – 2010-01-12T12:59:10.160

2

Run your web-related applications virtualized (e.g. in a sandbox).

As a more drastic approach, you may deep-freeze the system partition; this way the system cannot be damaged (accidentally or otherwise) and will be in its pristine state after a restart.

However, I wouldn't go entirely without anti-virus software since the machine is connecting to FTP servers. Not that a virus could possibly affect a deep-frozen system; just for sanitary reasons I suggest regular (scheduled or manual) scans with the A-squared command line scanner, at least covering the download folder. A-squared is extremely fast and accurate and doesn't have a noticeable impact on the system performance during a scan. No on-access or real-time protection will bog down the system.

Molly7244

Posted 2010-01-10T15:30:55.480

Reputation:

+1 by the way for this answer. Thanks for the tip on Deep Freeze and on the A-squared scanner. The scanner could be useful, even though light on resources, to run off-peak as part of another solution. – therobyouknow – 2010-01-13T16:55:33.517

2

If it is not possible to install any antivirus software, even something as lightweight as Panda Cloud Antivirus which does not have definition updating, you would be best investing in a dedicated hardware firewall with a content filtering subscription. This will ensure that all packets are scanned for nasties before they enter your internal network, regardless of the method by which they are being transmitted.

An example list of such hardware firewalls with rough costs can be found here. There is also a handy product selector on SonicWALL's website to give you an idea of what products may be suitable.

Kez

Posted 2010-01-10T15:30:55.480

Reputation: 15 359

I'm puzzled as to how effective an anti-virus can be without definition updates as this is the nature of the beast: Anti-virus protection needs to be up-to-date. But I'll read about it and get back to you. – therobyouknow – 2010-01-12T12:58:23.433

1

Antivirus is generally the last line of defense. A good firewall is more important in stopping infections that could occur without any user intervention. If a hardware firewall is not an option, Windows Firewall is better than nothing, and would of course have to be configured to allow access to the desired network apps.

Graham Powell

Posted 2010-01-10T15:30:55.480

Reputation: 136
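A concrete version of the deny-all, allow-one-combination-at-a-time policy from Scott McClenning's answer and Stephanie's comment, applied to the built-in Windows Firewall that William Hilsum's and Graham Powell's answers suggest as the budget alternative to a hardware unit. This is an added example, not code from the thread or from any product mentioned in it; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later), and every address, subnet, port range and the streaming port below are placeholders.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# All values below are assumed placeholders; replace them with the studio's real ones.
$AdminIP     = '203.0.113.10'     # assumed: remote administrator's static IP
$HomeStudios = '198.51.100.0/28'  # assumed: range the remote presenters connect from
$OfficeLAN   = '10.0.5.0/24'      # assumed: on-site studio/office subnet
$StreamHost  = '192.0.2.25'       # assumed: off-site streaming server
$StreamPort  = 8000               # assumed: port the streaming server listens on
$FtpPassive  = '50000-50100'      # assumed: passive data range configured on the FTP server
$LocalDns    = '10.0.5.1'         # assumed: on-site DNS resolver

# 1. Start closed on every profile and log what is dropped, so attempts to browse,
#    check mail or probe the FTP port from the wrong address show up in the log.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. One allow rule per IP+port+protocol+direction combination; no "any" rules.
$rules = @(
    @{ Name = 'VNC in from admin';         Dir = 'Inbound';  Port = 5900;        Remote = $AdminIP },
    @{ Name = 'VNC in from presenters';    Dir = 'Inbound';  Port = 5900;        Remote = $HomeStudios },
    @{ Name = 'FTP control in from LAN';   Dir = 'Inbound';  Port = 21;          Remote = $OfficeLAN },
    @{ Name = 'FTP passive data from LAN'; Dir = 'Inbound';  Port = $FtpPassive; Remote = $OfficeLAN },
    @{ Name = 'Stream out to relay';       Dir = 'Outbound'; Port = $StreamPort; Remote = $StreamHost }
)
foreach ($r in $rules) {
    # Inbound rules match on the local port, outbound rules on the remote port.
    $portParam = if ($r.Dir -eq 'Inbound') { @{ LocalPort = $r.Port } } else { @{ RemotePort = $r.Port } }
    New-NetFirewallRule -DisplayName $r.Name -Direction $r.Dir -Protocol TCP `
        -RemoteAddress $r.Remote -Action Allow @portParam
}
# Name resolution only to the on-site resolver (needed if the streaming server is a hostname).
New-NetFirewallRule -DisplayName 'DNS out to local resolver' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $LocalDns -Action Allow

# 3. Windows Update needs broad HTTPS out, so create that rule disabled and switch it on
#    only for the manually scheduled off-peak window, then off again.
New-NetFirewallRule -DisplayName 'Maintenance: HTTPS out for Windows Update' `
    -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow -Enabled False
# During the window:  Enable-NetFirewallRule  -DisplayName 'Maintenance: HTTPS out for Windows Update'
# Afterwards:         Disable-NetFirewallRule -DisplayName 'Maintenance: HTTPS out for Windows Update'
```

The blocked-connection log named in step 1 is the Windows equivalent of the "flag some rules" alerting in the accepted answer; review it after the first day to confirm only the expected peers appear.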