HTTP Virus Protection in the Enterprise Environment

TABLE OF CONTENTS

Introduction
A Solution for a Seamless Caching-Security Relationship
Trend Micro's new Interscan WebProtect for ICAP
Conclusion
About Trend Micro

July 2002 Trend Micro, Inc.

©2002 by Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the prior written consent of Trend Micro Incorporated. Trend Micro, the t-ball logo, AppletTrap, Control Manager, eManager, GateLock, InterScan, HouseCall, InterScan VirusWall, MacroTrap, NeaTSuite, OfficeScan, PC-cillin, PortalProtect, ScanMail, ScriptClean, ScriptTrap, ServerProtect, SmartScan, TMCM, Trend Micro Content Scanning Protocol, Trend Micro Control Manager, Trend Micro CSP, Trend Micro Damage Cleanup Server, Trend Micro Damage Assessment and Cleanup Services, Trend Micro Outbreak Prevention Services, TrendLabs, Trend VCS, VirusWall, WebManager, WebProtect and WebTrap are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.


INTRODUCTION

Web related security threats have made organizations understand the business consequences of an inadequate security infrastructure. Many of these organizations are rethinking existing Internet connectivity and security services. These services have evolved rapidly without the benefit of coherent architecture, resulting in complex infrastructures that were difficult to scale and manage, and in constant need of updates to plug overlooked security holes.

As technology evolves, so do computer viruses. Email and Web access, critical applications for today's connected businesses, provide a new entryway into corporate networks, just as infected floppy disks once did. Mixed threats, such as the recent Nimda and CodeRed worms, used both email and Web pages as transmission routes. Traditional viruses can also enter networks through the HTTP gateway when employees access personal Web email services. Virus scanning at the Internet access point plays a critical role in Web security by removing harmful content at the security perimeter - before it gets into the network. Today, one of the common barriers to adequate virus protection for Web traffic is performance. Latency is a known factor when virus scanning is introduced in a network, especially in enterprise high-traffic conditions where thousands of users are concurrently hitting the server. In recent years, caching servers have gained popularity as a means of solving the traffic congestion pain. The "retrieve once, serve many" methodology employed by caching servers has now expanded to include third party applications that add value to the caching content delivery model.

This newly developed method of allowing other applications, such as virus scanning, to benefit from the improved performance and scalability model has lifted the barrier of ensuring Web traffic is protected from the onslaught of new threats. A new, open protocol has recently been introduced to allow a seamless coupling of caching and virus protection.

A SOLUTION FOR A SEAMLESS CACHING-SECURITY RELATIONSHIP

Internet Content Adaptation Protocol, or ICAP, provides a mechanism to address this need. The cohesive strategy of caching solutions utilizing ICAP together with Trend Micro's best-of-breed virus scanning software allows for full protection across the enterprise. Configuration by the end user is not required, as the virus scanning engine fits seamlessly into the existing infrastructure, thereby eliminating the costly exercise of requiring modification at the desktop. This aspect is particularly useful in extremely large corporations, where thousands of users are affected.

ICAP HISTORY

The ICAP Forum consists of a group of caching companies with a common desire to enable communication between their caching devices and third party applications. This Forum believes that by encouraging vendors to work together, it can accelerate the availability of enterprise solutions, understand the problems that need to be addressed, and assist the standards community in the development of open standards. The end result is the creation of a host of new value-added services that are delivered at the edge of the Internet with unprecedented speed and reliability. The Forum works to promote broad acceptance of ICAP products on a worldwide basis, across enterprise, network service providers, and IT industries.

ICAP ARCHITECTURE

The ICAP 1.0 architecture is a very robust system that is intended to be useful for many applications. The caching device is the "ICAP client" while the third party application is referred to as the "ICAP server". Requests can be modified as well as responses. Redundant, load-balanced farms of ICAP servers can be used for increased performance and scalability. It also has a mechanism that can allow IT administrators to configure the caching device to route requests and responses to different ICAP service farms. Much work has been done to make modified content cacheable when appropriate.

The protocol is focused on providing simple object-based content vectoring for HTTP services. A lightweight protocol for executing a "remote procedure call" on HTTP messages, it allows ICAP clients to pass HTTP messages to ICAP servers for various types of transformation or other processing ("adaptation"), like virus scanning. The server executes its transformation service on messages and sends back responses to the client, usually with modified messages. The adapted messages may be either HTTP requests or HTTP responses.

ICAP provides a simple procedure to vector content between caches and network-based applications servers. It has already been adopted by a wide range of vendors, and it enables caching customers to implement third party applications with minimal changes to their existing network architectures.

The principal advantages of ICAP include:

· Scalability: Multiple ICAP servers can be set up to service requests and responses from a single cache.

· Open standard: Third party vendors can develop specific applications which can provide additional value-added services at the caching gateway.

· Efficiency: It is more efficient than adding an additional Web proxy per service, because all Web traffic is piped through the caching server and any necessary requests/responses can be redirected to the appropriate ICAP server.

Some key features of ICAP:

· Load balancing by ICAP clients across multiple instances of ICAP servers. Least-used and round-robin algorithms are provided for balancing across servers, for improved performance and failover protection.

· Chunked transfer encoding for ICAP requests and responses between ICAP client and server. Encapsulated headers are not chunked.

· ICAP requests allow the ICAP server to return a 204 No Content response (that is, it sends the 204 status headers without sending the body content). The implementation of this feature may differ between vendors of ICAP clients.

· The Preview feature allows an ICAP server to see the beginning of a transaction and then decide, based on whatever action the administrator set up, whether to opt out of the transaction early instead of receiving the remainder of the request message.

· The ISTag ("ICAP Service Tag") response-header field provides a way for ICAP servers to send a service-specific "cookie" to ICAP clients that represents the service's current state. The cookie is composed of an alphanumeric string of at most 32 bytes (not including the null character).

· The ICAP server has the ability to decide, after configuration by the administrator, the maximum number of ICAP connections, announced through OPTIONS response headers.

For more information on ICAP, please visit www.i-cap.org.

Figure 1: Trend Micro Interscan WebProtect for ICAP

TREND MICRO'S NEW INTERSCAN WEBPROTECT FOR ICAP

Interscan WebProtect for ICAP provides best-of-breed antivirus technology for caching solutions that utilize the ICAP 1.0 protocol. This new product solves the issue of the performance impact of Web traffic virus scanning by taking advantage of ICAP's performance and scalability features. Users who have previously experienced the latency introduced by more traditional antivirus scanning methods will enjoy the benefits of tightly integrated caching and virus protection.

· Helps protect Web traffic from viruses and other malicious code such as CodeRed and Nimda at the caching gateway

· Ensures protection against the increased threats exposed by use of Web-based email

· Improves performance and reduces network bandwidth usage

· Scalable for even the largest enterprises

ICAP SERVER

The ICAP server listens on the ICAP service port; the default is 1344. Child processes in the ICAP server are able to handle the connections from ICAP clients. The minimum and maximum number of connections are configurable by the administrator. Once the child process obtains the connection it will handle the ICAP request/response in pairs.

The ICAP server follows a request/response protocol similar in semantics and usage to HTTP 1.1.

As in HTTP 1.1, a single transport connection will be re-used for multiple request/response pairs. Requests are matched up with responses by allowing only one outstanding request on a transport connection at a time.

Figure 2: Process Flow of Trend Micro's Interscan WebProtect for ICAP (diagram: Incoming ICAP Request -> ICAP Parser -> HTTP Parser -> scan decision (Y: Scanning; N: bypass) -> ICAP Composer -> Outgoing ICAP Response, all inside the ICAP Server)

ICAP PARSER

The ICAP request comes in three sections: ICAP header, HTTP request, and HTTP response. The ICAP Parser separates and keeps the ICAP request message, then passes the HTTP portions on to the HTTP Parser.

HTTP PARSER

The HTTP Parser looks at the HTTP request header. Based on how the administrator has set up WebProtect, the message can either be passed on to the Scanning Class for virus scanning, or it can be sent directly to the ICAP Response Composer.

SCANNING CLASS

The Scanning Class utilizes Trend Micro's Virus Scanning API (VSAPI) to scan the HTTP body. Only the HTTP body is scanned.

ICAP RESPONSE COMPOSER

The ICAP Composer gathers information from the ICAP Parser, HTTP Parser, and the Scanning Class in creating an ICAP response. If data was not scanned, the response would be generated from the HTTP response section of the ICAP request. If data was scanned, the response would be generated from the Options Response Class. ICAP responses can vary according to the configuration settings.
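To make the flow described in the key-features list and in the ICAP Parser, Scanning Class and Composer sections concrete, here is an added Python sketch (not code from this paper or from Trend Micro's product) of one RESPMOD round trip: the cache wraps an HTTP response into an ICAP request, the parser slices it by the Encapsulated offsets and de-chunks the body, and the composer answers either 204 No Content or a 200 carrying a replacement response with an ISTag. The signature list, host name, ISTag value and sample traffic are constructed assumptions; the product calls VSAPI where scan() is called here.

```python
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]  # stand-in for VSAPI; constructed, not a real pattern
# Constructed sample traffic: the forwarded HTTP request and the origin server's response.
SAMPLE_REQ = b"GET /file.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RES = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"

def scan(body):
    return any(sig in body for sig in SIGNATURES)

def chunk(data):
    """Chunked transfer encoding for the encapsulated body (headers stay unchunked)."""
    return f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"

def dechunk(data):
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]  # skip the CRLF that ends each chunk

def build_respmod(http_req, http_res, body, host="icap.example.com"):
    """ICAP client (the cache): wrap an HTTP response in a RESPMOD request."""
    enc = f"req-hdr=0, res-hdr={len(http_req)}, res-body={len(http_req) + len(http_res)}"
    icap = (f"RESPMOD icap://{host}/respmod ICAP/1.0\r\nHost: {host}\r\n"
            f"Encapsulated: {enc}\r\n\r\n").encode()
    return icap + http_req + http_res + chunk(body)

def parse_icap(msg):
    """ICAP Parser: split off the ICAP header, then slice the HTTP request header,
    HTTP response header and chunked body by the Encapsulated offsets."""
    head, _, rest = msg.partition(b"\r\n\r\n")
    enc = next(ln for ln in head.split(b"\r\n") if ln.startswith(b"Encapsulated:"))[13:]
    off = {k.strip(): int(v) for k, v in (p.split(b"=") for p in enc.split(b","))}
    req_hdr = rest[off[b"req-hdr"]:off[b"res-hdr"]]
    res_hdr = rest[off[b"res-hdr"]:off[b"res-body"]]
    return head, req_hdr, res_hdr, dechunk(rest[off[b"res-body"]:])

def compose_response(body, istag="WP-pattern-001"):
    """ICAP Composer: 204 when clean (the cache serves the copy it already holds),
    otherwise 200 carrying a replacement HTTP response instead of the original."""
    if not scan(body):
        return (f'ICAP/1.0 204 No Content\r\nISTag: "{istag}"\r\n'
                f"Encapsulated: null-body=0\r\n\r\n").encode()
    blocked = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    note = b"Download blocked: virus detected at the caching gateway\n"
    return (f'ICAP/1.0 200 OK\r\nISTag: "{istag}"\r\nEncapsulated: res-hdr=0, '
            f"res-body={len(blocked)}\r\n\r\n").encode() + blocked + chunk(note)
```

Because the 204 path sends no body back, the cache keeps serving its already-held copy, which is where the bandwidth saving described above comes from.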


CONCLUSION

The increase of Web traffic in the corporate environment introduces a new level of exposure to a variety of viruses, such as Code Red and Nimda. The popularity of personal Web-based email has driven users to access their accounts at work, thereby opening the door to threats arriving into the corporate network via HTTP or FTP-over-HTTP traffic.

Trend Micro's Interscan WebProtect for ICAP provides best of breed antivirus technology within the caching environment, utilizing ICAP to alleviate latency and bandwidth constraints typically introduced by scanning functionality.

ABOUT TREND MICRO

Trend Micro provides centrally controlled server-based virus protection and content filtering products and services. By protecting information that flows through Internet gateways, email servers, and file servers, Trend Micro allows companies and service providers worldwide to stop viruses and other malicious code from a central point before they ever reach the desktop. Trend Micro's corporate headquarters is located in Tokyo, Japan, with business units in North and South America, Europe, Asia, and Australia. Trend Micro's North American headquarters is located in Cupertino, CA. Trend Micro's products are sold directly and through a network of corporate, value-added resellers and service providers. Evaluation copies of all of Trend Micro's products may be downloaded from its award-winning Web site, http://www.trendmicro.com/.
