

North America

Radware Inc.

575 Corporate Dr. Suite 205 Mahwah, NJ 07430

Tel 888 234 5763

International

Radware Ltd.

22 Raoul Wallenberg St. Tel Aviv 69710, Israel Tel 972 3 766 8666

www.radware.com

Content Inspection Director

High Speed Content Inspection


Content Inspection Director – White paper

Date: September 18, 2002

Page 2

Introduction - The need for content inspection

The financial implications of a security breach on an organization's IT systems are costly. Viruses not only represent a serious threat to ongoing operations and employee productivity; they can also shake investor confidence and undermine the corporation's ability to protect its key assets.

The growing concern over the financial implications of such viruses, coupled with the fact that virus activity is expected to increase by 22% in 2002¹, contributes to the growing need for content security products.

While the concept of content security is being widely adopted, its mere installation does not guarantee immunity to viruses, as a Computer Crime and Security survey demonstrates. In the survey, 90% of the organizations reported having deployed anti-virus devices in their networks; however, 85% of these organizations were exposed to viruses. The reported financial loss due to these virus attacks in 2002 was $49,979,000, translating to an average loss of $283,000 per organization.

This document outlines how organizations can manage the ever-increasing security risk while obtaining maximum protection of the organization’s assets and preventing the losses associated with virus attacks.


The challenge – High quality content inspection for high throughput networks

Content security devices are processing-heavy devices and are therefore limited in their capacity (less than 5 Mbps throughput). When content security products are used in busy networks with high-speed Internet connections, bottlenecks occur because inspection for malicious or inappropriate content slows down traffic. The requirement is to provide an organization's network with full content inspection while sustaining high throughput.

There are three different aspects to this challenge:

1. Performance - Accelerating content inspection without compromising security
2. Scalability & high availability - Scaling up to accommodate high throughput environments while ensuring high availability
3. Optimization – Providing multi-vendor anti-virus gateways that can be used to provide best of breed content inspection for each traffic type.

The nature of Internet traffic

The three main types of Internet traffic include:

• HTTP
• SMTP
• FTP

Web Surfing

While most Internet traffic today consists of the three aforementioned protocols, HTTP is the most time sensitive. Web surfing is practically a real-time activity, and users expect their web pages to load as fast as possible. At the same time, web pages have become increasingly complex and can contain a variety of active content.

When content security products are used in busy networks with high-speed Internet connections, HTTP traffic bottlenecks occur because inspection for malicious or inappropriate content adds latency to traffic.

FTP and SMTP Traffic

In addition to heavy HTML pages, FTP and SMTP traffic can also be strenuous on high capacity Internet connections. Vast amounts of large archive files (such as ZIP) and many large email messages with multiple attachments can add to the already high stress of HTTP packet inspection. Most email messages today are HTML based and are being scanned along with the attached files. Keyword scanning adds even more overhead.


The Solution - Content Inspection Director

Meeting the performance challenge

Maximum security requires that the available capacity of content inspection devices match the traffic volumes on the organization's network. Limited or inadequate capacity, as was demonstrated in the Computer Crime and Security survey, may have severe financial implications.

Content Inspection Director addresses the performance challenge from two different perspectives:

• Increasing the content inspection capacity
• Accelerating the operation of content inspection & anti-virus devices

Increasing content inspection capacity

Aggregating several content inspection devices into a farm and load balancing between them provides the ability to manage greater capacity than a single device can handle. For example, deploying 10 anti-virus gateways increases the content inspection capacity by a factor of 10.

Accelerating content inspection speed

Deployment of CID with its pre-screening algorithm enhances content inspection speed by 500%. The pre-screening algorithm differentiates between trusted and non-trusted content. While non-trusted content is forwarded for inspection by content inspection devices such as anti-virus gateways, trusted content bypasses the inspection devices. Since 80% of Internet content is trusted content, offloading trusted content from anti-virus devices accelerates inspection speed by a factor of five.

Internet content security products inspect files arriving by HTTP traffic, most of which are regarded as absolutely safe (Trusted Content) and incapable of containing any malicious content. Most of the HTTP elements are files identifiable by their respective MIME types. Trusted content, such as images (GIF, JPG) and video/audio (MP3, MPEG, AVI), can thus easily be recognized.

The figure below shows the flow of trusted and non-trusted HTTP traffic.

Figure 1: Flow of trusted and non-trusted HTTP content (diagram; labels: Trusted Content, Non-Trusted Content, Content Inspection Director, Anti-virus, Mail, FTP, HTTP)


The optimization challenge – Best of breed content inspection

Creating farms of content inspection devices not only increases the content inspection capacity, but also allows for the redirection of traffic based on file type and/or application. In this manner, delay-sensitive content is redirected to a strong anti-virus device, while content of applications that are less delay-sensitive, e.g. SMTP, is forwarded to a different device. This method utilizes content inspection resources more efficiently and provides end users with faster response times. Another benefit of this method is that best of breed content inspection devices can be deployed to handle specific traffic types, e.g. SMTP, HTTP, FTP, zip files, gif images, etc.

It is important to note that Content Inspection Director is fully compatible with all types of content inspection and anti-virus devices, for example McAfee, Trend Micro, Aladdin, etc.

Speeding up HTML inspection

The HTML/XML page is the most important element of the HTTP traffic since all other elements on the page, such as images, are retrieved after the browser analyzes it. Fast inspection and delivery of the HTML pages ensures that the client browser will start downloading all other elements as fast as possible.

Redirecting HTML/XML content to a dedicated content inspection machine or farm of machines greatly improves overall performance.

Speeding up archived files inspection

Archived (usually compressed) files, which are typically large, can also be identified by their MIME type. Redirecting archived files to a dedicated content inspection machine can further reduce load.
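The pre-screening step described under "Accelerating content inspection speed" and the per-type farm redirection described in this section can be shown together as a small dispatcher. The following is an added example written for this page, not Radware's code: it classifies an HTTP response by its declared MIME type, lets trusted image/audio/video content bypass inspection, and sends HTML/XML and archive content to dedicated farms. The farm names, the trusted-type list, the magic-byte table and the sample responses are assumptions constructed for the example. One check is added that the paper does not spell out: the Content-Type header is only a label supplied by the server, so the declared trusted type is verified against the body's leading bytes before inspection is skipped, and a mismatch is treated as non-trusted.

```python
# Added example (not Radware's code): MIME-type pre-screening of HTTP responses
# and selection of a dedicated inspection farm by content type. Farm names, the
# trusted-type list and the magic-byte table are assumptions for this example.

# Content types the paper treats as trusted (images, video/audio).
TRUSTED_MIME = {
    "image/gif", "image/jpeg", "audio/mpeg", "video/mpeg", "video/x-msvideo",
}

# Leading bytes a body of each trusted type is expected to start with. The
# Content-Type header is only a label from the server, so the declared type is
# checked against the body before inspection is skipped.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "audio/mpeg": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "video/mpeg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
    "video/x-msvideo": (b"RIFF",),
}

# Non-trusted types with a dedicated farm (assumed names): HTML/XML pages are
# inspected on their own farm so the browser can start fetching page elements
# quickly; archives are large and slow to scan, so they get a separate farm.
FARM_BY_TYPE = {
    "text/html": "html-farm",
    "text/xml": "html-farm",
    "application/xml": "html-farm",
    "application/zip": "archive-farm",
    "application/x-zip-compressed": "archive-farm",
    "application/gzip": "archive-farm",
    "application/x-gzip": "archive-farm",
}
DEFAULT_FARM = "general-av-farm"


def media_type(headers):
    """Lowercase media type from the Content-Type header, without parameters."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return "application/octet-stream"   # no declared type: treat as unknown binary


def classify_response(headers, body):
    """Return ("bypass", None) for trusted content, else ("inspect", farm)."""
    ctype = media_type(headers)
    if ctype in TRUSTED_MIME:
        if any(body.startswith(sig) for sig in MAGIC[ctype]):
            return ("bypass", None)
        # Declared trusted type but the bytes disagree: do not skip inspection.
        return ("inspect", DEFAULT_FARM)
    return ("inspect", FARM_BY_TYPE.get(ctype, DEFAULT_FARM))


# Constructed sample responses: (name, header dict, first bytes of body).
SAMPLES = [
    ("logo.gif", {"Content-Type": "image/gif"}, b"GIF89a\x10\x00\x10\x00"),
    ("photo.jpg", {"content-type": "image/jpeg"}, b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("index.html", {"Content-Type": "text/html; charset=utf-8"}, b"<html><body>"),
    ("update.zip", {"Content-Type": "application/zip"}, b"PK\x03\x04"),
    ("setup.exe", {"Content-Type": "application/octet-stream"}, b"MZ\x90\x00"),
    ("odd.gif", {"Content-Type": "image/gif"}, b"MZ\x90\x00"),   # mislabelled body
    ("noheader", {}, b"\x00\x01\x02"),
]


def route_samples():
    """Map each sample name to its (verdict, farm) classification."""
    return {name: classify_response(h, b) for name, h, b in SAMPLES}


def offload_share(results):
    """Fraction of responses that bypassed inspection (the paper's ~80% figure)."""
    bypassed = sum(1 for verdict, _ in results.values() if verdict == "bypass")
    return bypassed / len(results)


if __name__ == "__main__":
    res = route_samples()
    for name, (verdict, farm) in res.items():
        print(f"{name:12} {verdict:8} {farm or '-'}")
    print(f"offloaded: {offload_share(res):.0%}")
```

Only the media type is used for the farm decision, as in the paper; the magic-byte check only decides whether a trusted label is believed. Any type without a dedicated farm, and anything with no Content-Type at all, falls through to the general anti-virus farm.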

Figure 2: Non-trusted SMTP traffic is sent to a dedicated SMTP anti-virus farm (diagram; labels: Content Inspection Director, E-mail message, Anti-virus, Mail, FTP, HTTP)


Scalability and high availability

Anti-virus gateways are placed in the path to the network. Therefore, a failure in the anti-virus gateway will lead to loss of Internet connectivity, translating to expensive downtime costs.

The advanced health monitoring mechanism of Radware’s Content Inspection Director guarantees that content is directed only to resources which are fully operational, thus ensuring high availability of all content inspection devices and preventing loss of Internet connectivity and expensive down time.

Creating farms of content inspection devices allows users to easily add more content inspection devices if the need for greater capacity arises. Content inspection devices are added transparently without service interruption or down time.
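The health monitoring and transparent capacity growth described in this section can be illustrated with a small farm model. The following is an added example written for this page, not Radware's code: a farm keeps a set of inspection devices, applies health-probe results with up/down thresholds, distributes traffic round-robin only among devices currently marked operational, and accepts new devices at run time. The device names, the probe thresholds and the scenario are assumptions constructed for the example; the probe itself is supplied by the caller, since how a device is actually probed is not described on the page.

```python
# Added example (not Radware's code): a farm of content inspection devices that
# receives traffic only on members whose health probes succeed. Device names,
# thresholds and the simulated scenario are assumptions for this example.

class InspectionFarm:
    """Round-robin over devices that are currently marked operational."""

    def __init__(self, down_after=3, up_after=2):
        self.down_after = down_after   # consecutive failed probes before marking down
        self.up_after = up_after       # consecutive good probes before marking up again
        self.devices = {}              # name -> {"up": bool, "fails": int, "oks": int}
        self.order = []                # insertion order used for round-robin
        self._next = 0

    def add_device(self, name, up=True):
        """Add a device to the farm without interrupting service."""
        if name in self.devices:
            return
        self.devices[name] = {"up": up, "fails": 0, "oks": 0}
        self.order.append(name)

    def record_probe(self, name, ok):
        """Apply one health-probe result; return whether the device is now up."""
        d = self.devices[name]
        if ok:
            d["oks"] += 1
            d["fails"] = 0
            if not d["up"] and d["oks"] >= self.up_after:
                d["up"] = True
        else:
            d["fails"] += 1
            d["oks"] = 0
            if d["up"] and d["fails"] >= self.down_after:
                d["up"] = False
        return d["up"]

    def operational(self):
        """Devices that may currently receive traffic, in round-robin order."""
        return [n for n in self.order if self.devices[n]["up"]]

    def select(self):
        """Pick the next operational device; fail closed if none is available."""
        live = self.operational()
        if not live:
            raise RuntimeError("no operational inspection device; traffic held")
        choice = live[self._next % len(live)]
        self._next += 1
        return choice


def simulate():
    """Constructed scenario: av-2 fails three probes, traffic moves to av-1/av-3,
    av-4 is added, and av-2 returns after two good probes."""
    farm = InspectionFarm()
    for name in ("av-1", "av-2", "av-3"):
        farm.add_device(name)
    log = []
    log.append([farm.select() for _ in range(3)])   # all three in rotation
    for _ in range(2):
        farm.record_probe("av-2", False)             # below threshold: still up
    log.append(farm.operational())
    farm.record_probe("av-2", False)                 # third failure: marked down
    log.append([farm.select() for _ in range(4)])   # only av-1 and av-3 now
    farm.add_device("av-4")                          # capacity added transparently
    log.append(farm.operational())
    farm.record_probe("av-2", True)
    farm.record_probe("av-2", True)                  # back after two good probes
    log.append(farm.operational())
    return log


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

The thresholds keep a single lost probe from flapping a device out of the farm, and the asymmetric up/down counts make a recovering device prove itself before it receives traffic again. When every device is down the farm raises rather than forwarding uninspected content; that fail-closed choice is this example's, and an operator who prefers to preserve connectivity would handle that case differently.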


Other features

Web filtering

Internet access is necessary for many employees, however abuse of this access can waste network bandwidth, decrease productivity and expose an organization to legal liability. Web filtering tools can be used to prevent employees from visiting objectionable sites, or from downloading unauthorized or illegal software.

Web filtering tools usually rely on an extensive database. These databases consist of millions of sites pre-screened by professionals to determine their content. Due to the nature of the Internet, updates to the database are done frequently.

When working with Content Inspection Director, a predefined list of authorized sites can be defined. When a request is made for a site that is not on the list, Content Inspection Director will forward this request to the Web filtering device to verify whether the request should be granted. All other requests will be directed either to the local cache servers or to the Internet.

Flow management

Flow management allows for the sequential load balancing of several server farms, each providing a different service. Different flow management policies can be set based on source and destination address, traffic type and physical port.

For example, consider the following diagram:

Figure 2: University example of professors flow management policy

In the above example there are three farm clusters and two groups of users: students and professors. For each of these groups a different flow policy has been defined.

Figure 2 outlines the flow of professors' traffic. The HTTP requests generated by professors are first directed to the cache farm for improved performance. If the content does not exist in the cache, it is retrieved from the Internet. On the return path, Content Inspection Director examines the content of the returned file and, based on the MIME type as explained earlier, decides whether this is trusted content that can be sent directly to the users, or whether it should be sent for inspection to the anti-virus gateway.

(Figure 2 diagram labels: Anti-virus, Students, Professors, Cache, URL Filtering)


Students’ requests, on the other hand, as seen in figure 3, are first sent for inspection by the Web filtering tool. If the requested site is a legitimate site, the request will be forwarded to the cache servers and then to the anti-virus gateway, in a similar manner to what has been described above.
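The two university flow management policies, together with the predefined authorized-site list from the "Web filtering" section, can be expressed as a routing function. The following is an added example written for this page, not Radware's code: each user group has an ordered list of farms its requests pass through, the URL filter is skipped for hosts on the authorized list, a cache hit ends the outbound path, and the return path sends trusted content straight to the user and everything else through the anti-virus farm. The group names, farm names, authorized and blocked hosts and the filter verdicts are constructed for the example; trusted-content detection is reduced to a MIME-type lookup here.

```python
# Added example (not Radware's code): the university flow management policies as
# a routing function. Groups, farm names, site lists and filter verdicts are
# constructed for this example.

TRUSTED_MIME = {"image/gif", "image/jpeg", "audio/mpeg", "video/mpeg", "video/x-msvideo"}

# Predefined list of authorized sites: requests for these skip the web filter.
AUTHORIZED_SITES = {"www.example.edu", "library.example.edu"}

# Stand-in for the web filtering device's database (constructed).
BLOCKED_SITES = {"games.example.net"}

# Ordered farms each group's HTTP requests pass through on the way out.
# Professors go straight to the cache; students are checked by the URL filter first.
REQUEST_POLICY = {
    "professors": ["cache"],
    "students": ["url-filter", "cache"],
}


def web_filter_allows(host):
    """Simulated answer from the web filtering device."""
    return host not in BLOCKED_SITES


def route_request(group, host, cache_hit=False):
    """Hops a request visits, ending at 'cache' (hit), 'internet' or 'blocked'."""
    hops = []
    for farm in REQUEST_POLICY[group]:
        if farm == "url-filter":
            if host in AUTHORIZED_SITES:
                continue                  # on the predefined list: no filter lookup
            hops.append(farm)
            if not web_filter_allows(host):
                hops.append("blocked")
                return hops
        elif farm == "cache":
            hops.append(farm)
            if cache_hit:
                return hops               # served locally, Internet not reached
    hops.append("internet")
    return hops


def route_response(content_type):
    """Return path: trusted content goes to the user, the rest via anti-virus."""
    if content_type.split(";", 1)[0].strip().lower() in TRUSTED_MIME:
        return ["user"]
    return ["anti-virus", "user"]


def route(group, host, content_type, cache_hit=False):
    """Full path of one request/response pair under the group's flow policy."""
    out = route_request(group, host, cache_hit)
    if out[-1] == "blocked":
        return out
    return out + route_response(content_type)


if __name__ == "__main__":
    for args in [("professors", "www.news.example", "text/html"),
                 ("students", "www.news.example", "text/html"),
                 ("students", "games.example.net", "text/html"),
                 ("students", "www.example.edu", "image/gif", True)]:
        print(args, "->", " > ".join(route(*args)))
```

Adding a third group or a fourth farm is a matter of extending the tables, which is the point of keeping the policy as data rather than as branching code. Note that the anti-virus stage is applied on the return path for cache hits as well, so locally cached non-trusted content is still inspected before it reaches the user.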

Figure 3: University example of students flow management policy

Summary

The Content Inspection Director is the first product that enables high-capacity Internet content security for enterprises as well as xSP.

The following are the main benefits:

• 500% increase in content inspection speed.
• Aggregation of content inspection devices into farms allows the capacity and volume of inspected traffic to be increased.
• Secure web access with no latency while maintaining the best content security possible. Web page content is analyzed in real-time to prevent any malicious content or scripts from entering the network. Areas that were traditionally bottlenecks are eliminated.
• Distribution of content based on protocol (e.g. HTTP, FTP and SMTP) and file type improves content inspection speed and ensures that no malicious traffic can slip into the network.
• Scalable architecture with Gigabit connectivity accommodates the needs of high capacity networks. As the need arises, more inspection machines can be transparently added to the farm.
• Health monitoring and traffic redirection provide high availability. If one of the Content Inspector machines fails, the Content Inspection Director will make sure the traffic is routed to another machine.
• Full compatibility with all types of content inspection devices and anti-virus gateways, including McAfee, Trend Micro, Aladdin.
• Flow management permits sequential load balancing of several server farms, each providing a different service. Different content inspection policies can be assigned based on source, destination and traffic type.

(Figure 3 diagram labels: Professors, Students, Anti-virus, Cache, URL Filtering)

Figures

Figure 1: Flow of trusted and non-trusted HTTP content
Figure 2: University example of professors flow management policy
Figure 3: University example of students flow management policy
