
Define the Content Not to Be

In document FIREWALL/VPN REFERENCE GUIDE (Page 152-158)

For some content delivered through the HTTP or HTTPS protocol, anti-virus scanning may not be practical. For example, you may want to exclude videoconferences from virus scanning to avoid adding latency. Exceptions to scanning are made by matching the traffic with an Inspection rule that disables anti-virus in its options.

Using Virus Scanning

Integrated Scanning vs. Content Inspection Server

In branch-office-type environments where there may be no skilled administrators, a centrally managed virus scanning solution on the same hardware with the firewall makes maintenance easier than having separate equipment. Virus scanning is needed when there is direct Internet connectivity at the site (instead of only VPN connectivity to a central site where the traffic can be scanned centrally).

However, virus scanning directly on the firewall is not practical in high-traffic environments. The amount of data held for virus scanning is large, because each file must be inspected as a whole: if the scanner released data before seeing the complete file, part of an infected file could pass through before the infection is detected. Storing and scanning files significantly increases the demand for resources as the volume of traffic grows. In high-traffic environments, a separate content inspection server (CIS) integrated with the firewall is a more economical and flexible solution than a UTM device. For additional information, see External Content Inspection (page 155).
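The reason files must be buffered whole, shown as an added example (not code from the Firewall/VPN Reference Guide or the StoneGate product): a scanner that inspects each transmission chunk in isolation cannot see a signature that straddles a chunk boundary. The signature used is the EICAR anti-virus test string; the filler bytes around it are constructed for this example.

```python
"""Why a file must be scanned as a whole (added illustration, not StoneGate code).

A signature that straddles the boundary between two transmission chunks is
invisible to a scanner that checks each chunk in isolation. The scanner must
either buffer the complete object, which is what the guide describes, or carry
an overlap of len(signature) - 1 bytes across chunks. The signature used here
is the EICAR anti-virus test string, a harmless industry-standard test pattern;
the sample payload around it is constructed for this example.
"""
from typing import Iterator

# The 68-byte EICAR test string, which every mainstream scanner flags.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def chunks(data: bytes, size: int) -> Iterator[bytes]:
    """Split data into fixed-size chunks, as a proxy might hand it on."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def scan_per_chunk(data: bytes, size: int, signature: bytes = EICAR) -> bool:
    """Naive streaming scan: every chunk is inspected independently.

    Misses any signature that is split across a chunk boundary.
    """
    return any(signature in chunk for chunk in chunks(data, size))


def scan_with_overlap(data: bytes, size: int, signature: bytes = EICAR) -> bool:
    """Streaming scan that keeps the last len(signature) - 1 bytes of the
    previous chunk, so a boundary-straddling signature is still seen."""
    keep = len(signature) - 1
    carry = b""
    for chunk in chunks(data, size):
        window = carry + chunk
        if signature in window:
            return True
        carry = window[-keep:] if keep > 0 else b""
    return False


def scan_whole(data: bytes, signature: bytes = EICAR) -> bool:
    """Buffer the whole object first, then scan it: cannot miss a signature."""
    return signature in data


# Constructed sample: 100 bytes of filler, the test string, 50 bytes of filler.
# With 128-byte chunks the signature (bytes 100..167) is cut at byte 128.
SAMPLE = b"A" * 100 + EICAR + b"B" * 50


if __name__ == "__main__":
    print("per-chunk, 128-byte chunks:", scan_per_chunk(SAMPLE, 128))        # False
    print("with overlap, 128-byte chunks:", scan_with_overlap(SAMPLE, 128))  # True
    print("whole file:", scan_whole(SAMPLE))                                 # True
```

The overlap variant shows why the buffering cost is unavoidable only in part: a plain pattern scanner can get by with a small carry-over window, but anything that must decompress, decode or parse an archive before matching needs the complete object, which is the case the guide has in mind.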

Limitations of Virus Scanning on Clusters

Firewall/VPN clusters that are correctly licensed can be used for virus scanning. However, there are some restrictions that apply. Since the data being inspected is not synchronized between the nodes, connections that are undergoing virus scanning at the time of a fail-over are dropped when the fail-over occurs and must be reopened by the applications.

CHAPTER 17

EXTERNAL CONTENT INSPECTION

Content inspection means analyzing traffic for malicious content. You can integrate an external content inspection server with the firewall.

The following sections are included:

Overview to Content Inspection (page 156)

Configuration of Content Inspection (page 157)

Using Content Inspection (page 159)

Example of Content Inspection (page 160)

Overview to Content Inspection

Content inspection allows you to inspect the FTP, SMTP, and HTTP protocols in IPv4 traffic for malicious content. Content inspection covers a wide range of checks, many of which are simpler to deploy by integrating an external content inspection server with your firewall. The integration consists of setting up the firewall to redirect selected traffic to the external content inspection server. The main benefit of having the firewall redirect the traffic is that the redirection is transparent: the communicating hosts need no proxy configuration when the redirection is done for them at the firewall.

Content inspection servers are most typically used for virus scanning and content filtering, but the available applications are not limited to those. Using an external content inspection server allows you to expand the capabilities of the firewall with virtually any type of content screening to perform tasks, for example, stripping certain types of attachments out of e-mail messages without blocking the message itself. This type of anti-virus checking is available directly on the firewall as well (as part of the StoneGate UTM solution), but an external content inspection server is a better option in medium to high throughput environments (see Integrated Scanning vs. Content Inspection Server (page 153) for some guidelines).

Illustration 17.1 Content Inspection Server Redirection

The illustration above shows how a client's connection to a server is redirected by the firewall to the content inspection server. Connections arriving at the firewall are checked against the firewall's policy. Access rules determine which connections are redirected to the defined content inspection server for inspection. The content inspection server then handles the traffic according to its own policies. Finally, the content inspection server opens a connection through the firewall onwards to the original destination. Because that connection originates from the content inspection server's IP address, the destination's replies are addressed to the content inspection server and are therefore screened as well.

The content inspection server is used as a transparent proxy, so the client and server are not aware of the redirection and they require no additional configuration. The firewall uses NAT (network address translation) to forward the connections to the external content inspection server.

[Illustration 17.1 labels: Client, Firewall, Content Inspection Server, Server]

Configuration of Content Inspection

FTP, SMTP, and HTTP traffic can be redirected to content inspection servers for inspection. This is done with the help of Protocol Agents.

Illustration 17.2 Elements for Content Inspection Server Redirection

The illustration above shows how content inspection server redirection is configured. A custom Service element and a content inspection server (CIS) element are needed. A Service redirects connections for content inspection when one of the existing default Protocol elements of the type Protocol Agent is attached to it. The Service element contains a parameter that defines which content inspection server inspects the connection. The Service can be inserted into any number of Access rules in the Firewall Policy to select the traffic to be redirected to the content inspection server. If you have several content inspection servers, create a separate Service for each of them.

The Protocol Agent redirection allows using the content inspection server as a transparent proxy, thus requiring no additional configuration on the client machines. The redirection is fully transparent to both the client and the server. The Protocol Agent translates the destination address automatically to the content inspection server’s address to redirect the traffic. The content inspection server then functions as a proxy by establishing the forward connection to the actual destination address.

In addition to translating the real destination address to the content inspection server's address, the firewall also translates the source address so that it can handle the redirected connection and its replies. The translated source address can be any address that the content inspection server routes back to the firewall (so that replies are returned to the firewall and correctly handled).

Further address translation can be applied to the connection from the content inspection server to the communications destination.
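The redirection and reply handling described under Illustration 17.1 and in the configuration paragraphs above, modelled as an added example that is not code from the Firewall/VPN Reference Guide or the StoneGate product. The product's real NAT engine is not shown; all addresses (RFC 5737 documentation ranges), ports, rule and element names are constructed, and ports are assumed to be left unchanged by the destination translation.

```python
"""Connection-table model of Protocol Agent redirection to a content
inspection server (CIS), as the chapter describes it.

Added illustration, not StoneGate code: addresses, ports, rule and element
names are constructed. The firewall
  1. matches a new connection against the Access rules;
  2. if the matching rule's Service carries a Protocol Agent and a CIS element,
     rewrites the destination to the CIS (DNAT) and the source to an address
     the CIS routes back to the firewall (SNAT), recording the mapping;
  3. lets the CIS's own onward connection to the real destination through,
     optionally applying the further address translation the guide mentions;
  4. un-translates replies from the recorded mappings, so the client sees the
     original server address and never learns about the CIS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection (ports are kept unchanged by DNAT here)."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Service:
    name: str
    dport: int
    protocol_agent: Optional[str] = None   # "HTTP", "FTP" or "SMTP" when redirecting
    cis: Optional[str] = None              # address of the CIS element, if any


@dataclass(frozen=True)
class AccessRule:
    name: str
    src_prefix: str                        # simplified source matcher, e.g. "10.1.0."
    service: Service
    action: str = "allow"


class Firewall:
    REDIRECT_SRC = "10.99.0.1"   # translated source; the CIS must route this back to us

    def __init__(self, rules: List[AccessRule], cis_hide_addr: Optional[str] = None):
        self.rules = rules
        self.cis_hide_addr = cis_hide_addr            # optional NAT for CIS -> destination
        self.cis_addrs = {r.service.cis for r in rules if r.service.cis}
        self.conntrack: Dict[Flow, Flow] = {}         # expected reply -> reply as delivered
        self._next_port = 40000

    def _alloc_port(self) -> int:
        self._next_port += 1
        return self._next_port

    def _match(self, flow: Flow) -> Optional[AccessRule]:
        for rule in self.rules:                       # first match wins, implicit deny
            if flow.src.startswith(rule.src_prefix) and flow.dport == rule.service.dport:
                return rule
        return None

    def new_connection(self, flow: Flow) -> Optional[Flow]:
        """Client opens a connection. Returns the flow as forwarded, None if dropped."""
        rule = self._match(flow)
        if rule is None or rule.action != "allow":
            return None
        svc = rule.service
        if svc.cis is None or svc.protocol_agent is None:
            self.conntrack[flow.reverse()] = flow.reverse()   # plain allow, no NAT
            return flow
        # Protocol Agent redirection: DNAT to the CIS, SNAT to REDIRECT_SRC.
        redirected = Flow(self.REDIRECT_SRC, self._alloc_port(), svc.cis, flow.dport)
        self.conntrack[redirected.reverse()] = flow.reverse()
        return redirected

    def cis_forward(self, flow: Flow) -> Optional[Flow]:
        """The CIS opens its own connection onwards to the original destination."""
        if flow.src not in self.cis_addrs:
            return None
        if self.cis_hide_addr is None:
            self.conntrack[flow.reverse()] = flow.reverse()
            return flow
        hidden = Flow(self.cis_hide_addr, self._alloc_port(), flow.dst, flow.dport)
        self.conntrack[hidden.reverse()] = flow.reverse()
        return hidden

    def reply(self, flow: Flow) -> Optional[Flow]:
        """A packet in the reply direction: undo the translation, or drop if unknown."""
        return self.conntrack.get(flow)


# Constructed policy: HTTP from 10.1.0.0/24 goes through the CIS, SSH passes directly.
HTTP_VIA_CIS = Service("HTTP_to_CIS", 80, protocol_agent="HTTP", cis="10.2.0.10")
SSH = Service("SSH", 22)
RULES = [
    AccessRule("web-via-cis", "10.1.0.", HTTP_VIA_CIS),
    AccessRule("ssh-direct", "10.1.0.", SSH),
]


def scenario():
    """Walk one client HTTP connection through redirection and back."""
    fw = Firewall(RULES, cis_hide_addr="203.0.113.1")
    client = Flow("10.1.0.5", 51000, "198.51.100.7", 80)
    to_cis = fw.new_connection(client)                    # DNAT+SNAT towards the CIS
    onward = fw.cis_forward(Flow("10.2.0.10", 33000, "198.51.100.7", 80))
    server_reply = fw.reply(onward.reverse())             # real server -> CIS
    cis_reply = fw.reply(to_cis.reverse())                # CIS -> client, un-translated
    return to_cis, onward, server_reply, cis_reply
```

In `scenario()` the client's reply arrives from 198.51.100.7:80 even though the bytes came from the CIS, which is the transparency the guide describes. The `conntrack` dictionary lives on a single node; that is why the guide notes that on clusters a redirected connection in progress is lost at fail-over and must be reopened.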

Default Elements

A Protocol of the type Protocol Agent is needed for content inspection server redirection. All Protocol Agents are default elements. There are three Protocol Agents that can redirect connections to a content inspection server:

• FTP for file transfer protocol file transfers.

• HTTP for hypertext transfer protocol connections used in Web browsing.

• SMTP for simple mail transfer protocol e-mail delivery.

[Illustration 17.2 labels: Firewall, Firewall Policy, Service, Protocol Agent, CIS Server]

Configuration Workflow

The following sections provide an overview to the configuration tasks. Detailed step-by-step instructions can be found in the Online Help or the Administrator’s Guide PDF.
