So I got hold of a BCM Security document from our Nortel rep today after I was talking to him about this topic. I also got the "hardened the kernel" thing from him. It appears that is the way that Nortel puts it in the document. BUT, there is never a definitive answer about whether it is bullet-proof, just less likely to get a virus. There is also some description on how to scan your BCM for viruses if desired. I wish I could attach the doc for you to read, but here are parts of it:
The BCM is a communications platform and a closed system that is tuned to the specific performance requirements of a converged communications server. Since no additional software is installed onto a BCM by an end user, it is protected from many common types of malware (viruses and Trojan horses) that embed themselves in the software that gets installed on other open systems. The software that is shipped with the BCM has been pre-scanned for malware.
***Note the "many" bit, not all.***
4.8 Virus Scanning Software
Virus scanning software is used on the BCM software loads before they are distributed to customers. The BCM does not embed any virus-scanning software on the platform because of the performance impact these types of applications may have on the BCM’s real-time operation and the ensuing requirement for network access for frequent virus data file updates. A hardened server is well protected from viruses since the hardening measures provide a good barrier to virus infections. Proper system configuration and user practices are an effective virus defense. In order for anti-virus software to intercept and prevent a virus infection, the virus specific data files must be available and installed prior to exposure, which may not be achievable. However, if desired, it is possible to run the virus-scanning software remotely when the BCM hard drives are mounted. Refer to section 7 for further details.
***Interesting that the biggest reason for not putting virus scanning software on the box is because of performance, not because it isn't needed.***
7 Virus Scanning on BCM
7.1 Introduction
During the design and engineering phase of the BCM, two virus checking software packages are used to verify that the product is built in a secure environment. Since the BCM is a closed system, the BCM is significantly less susceptible to on-site virus infections than an average file or applications server. Nevertheless, a virus scan can be performed on the mounted drives of the BCM if a virus has been detected within the corporate network and there is a need to verify all equipment as per business practices.
7.2 Requirements
Since the BCM is a closed, embedded system with precisely tuned performance, there are particular requirements that need to be adhered to during a virus scan. Do not install anti-virus software directly onto the BCM since doing this can adversely disrupt the integration of BCM applications and services, or cause some components to fail. Virus scans on the BCM must be performed through remotely mapped drives. Select virus scanning software capable of scanning remotely mapped drives. The common anti-virus applications from Sophos, Norton and McAfee all have this capability. In addition, a Windows NT 4.0, Windows 2000 Professional or XP client PC is required to run the software. Virus scans should be performed during off-hours; this will minimize system resource impact.
7.3 Virus Detection
If a virus is detected during a remote scan of the BCM’s hard drives, please do not attempt to remove any files yourself since this may adversely affect the operation of the BCM. Please contact your next level of support (distributor or Nortel Networks Technical Support) for assistance in dealing with the infected files.
***I like section 7.3!!! There are other parts of the doc that are pretty good too. If you want it, drop me a line at simonthetallguy at yahoo.ca***
Simon