Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, September 20, 2010

On Box or Off Box Anti-virus?

We've discussed the importance of anti-virus (anti-malware) scanning in other posts on this blog, so I won't go over that ground again. Suffice it to say you don't have enough protection if you aren't doing anti-malware scanning on your Secure Web Gateway. Today I'm going to tackle a slightly different question: where the anti-virus scanner should go. There are two schools of thought on this one. Some vendors recommend running the anti-malware engine directly on the Secure Web Gateway, while other vendors recommend running a separate anti-malware box, using a protocol called ICAP (Internet Content Adaptation Protocol) to transfer data between the Secure Web Gateway and the anti-malware device.

Which one of these is right for your environment? It really comes down to size. For smaller organizations with limited bandwidth to the internet and smaller numbers of users, having anti-malware on your Secure Web Gateway probably doesn't affect the performance of the box significantly, so running the anti-malware directly on box is probably the right answer in terms of performance, lower costs, and less use of rack space.

For larger organizations, with larger bandwidth requirements and large numbers of users that are taxing the Secure Web Gateway, you really want to keep the anti-malware separate. It has the added benefit of making sure your Secure Web Gateway is delivering web pages as quickly as possible to time-sensitive end-users. It may seem like there's an added cost due to having to purchase additional anti-malware systems, but in actuality you're probably buying the same number of boxes, or fewer, than you would with the anti-malware on box. The performance drop from having the anti-malware on box would easily double your box requirements, or more.

So if you're a larger organization, and response time for web pages is key due to the mission-critical nature of your web applications, then remember: keeping the anti-malware off box is probably the right answer. If you're a smaller organization and aren't taxing your Secure Web Gateway, then you can probably run your anti-malware on box.
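
In the off-box design described above, the gateway wraps each HTTP response in an ICAP RESPMOD request and acts on the scanner's reply. The sketch below is an added example, not code from this post or from any vendor; it follows RFC 3507 framing, and the host name, service path and `SAMPLE_*` messages are constructed for illustration.

```python
# Added example: ICAP (RFC 3507) RESPMOD framing as seen from the gateway.
# Host, service path and all SAMPLE_* messages are constructed for illustration.

def build_respmod(host, service, req_hdr, res_hdr, body):
    """Wrap an origin server's HTTP response for the off-box scanner."""
    # Encapsulated offsets are byte positions inside the ICAP message body.
    body_tag = "res-body" if body else "null-body"
    encapsulated = "req-hdr=0, res-hdr=%d, %s=%d" % (
        len(req_hdr), body_tag, len(req_hdr) + len(res_hdr))
    icap_hdr = (
        "RESPMOD icap://%s/%s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "Allow: 204\r\n"  # lets the scanner reply 204 instead of echoing clean content
        "Encapsulated: %s\r\n\r\n" % (host, service, host, encapsulated)
    ).encode("ascii")
    # Only the HTTP body is chunk-encoded; encapsulated headers are sent verbatim.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b""
    return icap_hdr + req_hdr + res_hdr + chunked

def parse_verdict(icap_response):
    """Decide what the gateway delivers, based on the scanner's reply."""
    head, _, rest = icap_response.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    version, code, _reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP response")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    if code == "204":
        return ("unmodified", None)  # deliver the original response as-is
    if code == "200":
        # The scanner substituted its own HTTP response, e.g. a block page.
        offsets = dict(p.strip().split("=") for p in headers["Encapsulated"].split(","))
        start = int(offsets["res-hdr"])
        return ("replaced", rest[start:].split(b"\r\n", 1)[0].decode("ascii"))
    return ("error", code)  # failing open or closed is a gateway policy choice

SAMPLE_REQ_HDR = b"GET /file.bin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\n"
SAMPLE_BODY = b"hello world"
SAMPLE_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed-1"\r\nEncapsulated: null-body=0\r\n\r\n'
SAMPLE_BLOCKED = (b'ICAP/1.0 200 OK\r\nISTag: "constructed-1"\r\n'
                  b"Encapsulated: res-hdr=0, res-body=45\r\n\r\n"
                  b"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n"
                  b"7\r\nblocked\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_respmod("icap.example.internal", "respmod",
                        SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY).decode("ascii"))
    print(parse_verdict(SAMPLE_CLEAN), parse_verdict(SAMPLE_BLOCKED))
```

Every response the gateway sends off box pays for this extra framing and a network round trip, which is the cost being traded against the scanning load removed from the gateway itself.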
