Content Inspection Director
High Speed Content Inspection

North America: Radware Inc., 575 Corporate Dr. Suite 205, Mahwah, NJ
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel
Introduction - The need for content inspection

The financial implications of a security breach of an organization's IT systems are costly. Viruses not only represent a serious threat to ongoing operations and employee productivity, but they can shake investor confidence and undermine the corporation's ability to protect its key assets. The growing concern over the financial implications of such viruses, coupled with the fact that virus activity is expected to increase by 22%, contributes to the growing need for content security products.

While the concept of content security is being widely adopted, merely installing it does not guarantee immunity to viruses, as the Computer Crime and Security Survey [1] demonstrates. In the survey, 90% of the organizations reported having deployed anti-virus devices in their networks. However, 85% of these organizations were exposed to viruses. The reported financial loss due to these virus attacks in 2002 was $49,979,000, translating to an average loss of $283,000 per organization.

This document outlines how organizations can manage the ever-increasing security risk while obtaining maximum protection of the organization's assets and preventing the losses associated with virus attacks.

[1] CSI/FBI Computer Crime and Security Survey, Richard Power, Spring 2002
The challenge - High quality content inspection for high throughput networks

Content security devices are process-heavy and therefore limited in their capacity (less than 5 Mbps throughput). When content security products are used in busy networks with high-speed Internet connections, bottlenecks occur because inspection for malicious or inappropriate content slows down traffic. The requirement is to provide an organization's network with full content inspection while sustaining high throughput. There are three different aspects to this challenge:

1. Performance - Accelerating content inspection without compromising security
2. Scalability & high availability - Scaling up to accommodate high throughput environments while ensuring high availability
3. Optimization - Providing multi-vendor anti-virus gateways that can be used to provide best of breed content inspection for each traffic type

The nature of Internet traffic

The three main types of Internet traffic are HTTP, SMTP and FTP.

Web surfing

While most Internet traffic today consists of the three aforementioned protocols, HTTP is the most time-sensitive. Web surfing is practically a real-time activity, and users expect their web pages to load as fast as possible. At the same time, web pages have become increasingly complex and can contain a variety of active content. When content security products are used in busy networks with high-speed Internet connections, HTTP traffic bottlenecks occur because inspection for malicious or inappropriate content adds latency to traffic.

FTP and SMTP traffic

In addition to heavy HTML pages, FTP and SMTP traffic can also be strenuous on high capacity Internet connections. Vast amounts of large archive files (such as ZIP) and many large messages with multiple attachments add to the already high stress of HTTP packet inspection. Most messages today are HTML based and are scanned along with the attached files. Keyword scanning adds even more overhead.
The Solution - Content Inspection Director

Meeting the performance challenge

Maximum security requires that the available capacity of content inspection devices match the traffic volumes on the organization's network. Limited or inadequate capacity, as demonstrated in the Computer Crime and Security Survey, may have severe financial implications. Content Inspection Director addresses the performance challenge from two different perspectives:

- Increasing the content inspection capacity
- Accelerating the operation of content inspection and anti-virus devices

Increasing content inspection capacity

Aggregating several content inspection devices into a farm and load balancing between them provides the ability to handle greater capacity than a single device can. For example, deploying 10 anti-virus gateways increases the content inspection capacity by a factor of 10.

Accelerating content inspection speed

Deploying CID with its pre-screening algorithm enhances content inspection speed by 500%. The pre-screening algorithm differentiates between trusted and non-trusted content. While non-trusted content is forwarded for inspection by content inspection devices such as anti-virus gateways, trusted content bypasses the inspection devices. Since 80% of Internet content is trusted content, offloading trusted content from anti-virus devices accelerates inspection speed by a factor of five.

Internet content security products inspect files arriving by HTTP, most of which are regarded as absolutely safe (trusted content) and incapable of containing any malicious content. Most HTTP elements are files identifiable by their respective MIME types. Trusted content, such as images (GIF, JPG) and video/audio (MP3, MPEG, AVI), can thus easily be recognized. The figure below shows the flow of trusted and non-trusted HTTP traffic.

Figure 1: Flow of trusted and non-trusted HTTP content (diagram labels: HTTP, FTP, Mail, Content Inspection Director, Non-Trusted Content to Anti-virus, Trusted Content)
The optimization challenge - Best of breed content inspection

Creating farms of content inspection devices not only increases the content inspection capacity, but also allows for the redirection of traffic based on file type and/or application. In this manner, delay-sensitive content is redirected to a strong anti-virus device, while content of applications that are less delay-sensitive, e.g. SMTP, is forwarded to a different device. This method utilizes content inspection resources more efficiently and provides end users with faster response times. Another benefit of this method is that best of breed content inspection devices can be deployed to handle specific traffic types, e.g. SMTP, HTTP, FTP, ZIP files, GIF images, etc. It is important to note that Content Inspection Director is fully compatible with all types of content inspection and anti-virus devices, for example McAfee, Trend Micro and Aladdin.

Speeding up HTML inspection

The HTML/XML page is the most important element of HTTP traffic, since all other elements on the page, such as images, are retrieved after the browser analyzes it. Fast inspection and delivery of the HTML pages ensures that the client browser starts downloading all other elements as fast as possible. Redirecting HTML/XML content to a dedicated content inspection machine, or farm of machines, greatly improves overall performance.

Speeding up archived file inspection

Archived (usually compressed) files, which are typically large, can also be identified by their MIME type. Redirecting archived files to a dedicated content inspection machine can further reduce load.

Figure 2: Non-trusted SMTP traffic is sent to a dedicated SMTP anti-virus farm (diagram labels: HTTP, FTP, Mail message, Content Inspection Director, Anti-virus)
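As an added example (not Radware's code or the product's own algorithm), the pre-screening and redirection decision described in the two sections above as a small Python classifier: it maps an HTTP response's MIME type to the trusted bypass path, the dedicated HTML/XML farm, the dedicated archive farm, or the general anti-virus farm. It goes one step beyond the page by also comparing the file's leading bytes with the claimed MIME type, so a file that is merely labelled as an image is not waved through; the farm names, the signature table and the sample responses are this example's assumptions.

```python
# Added example: MIME-type pre-screening plus a file-signature check.
# Farm names, the signature table and the sample bodies are assumptions
# of this example, not the product's configuration.

# Trusted types the page names (images, audio/video), with the leading
# bytes a genuine file of that type starts with.
TRUSTED_SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "audio/mpeg": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "video/mpeg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
    "video/x-msvideo": (b"RIFF",),   # also needs "AVI " at offset 8
}
# Non-trusted types that get a dedicated farm of their own.
HTML_TYPES = {"text/html", "application/xhtml+xml", "text/xml", "application/xml"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/gzip", "application/x-gzip"}

def media_type(content_type):
    """Bare, lower-cased media type without parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower()

def matches_signature(mt, body):
    """True when the first bytes of body agree with the claimed trusted type."""
    if mt == "video/x-msvideo":
        return body[:4] == b"RIFF" and body[8:12] == b"AVI "
    return body.startswith(TRUSTED_SIGNATURES[mt])

def choose_path(content_type, body):
    """Where the director sends an HTTP response: 'bypass' (trusted, straight
    to the user), 'html-farm', 'archive-farm', or 'av-farm' for the rest."""
    mt = media_type(content_type)
    if mt in TRUSTED_SIGNATURES:
        # The header claims a trusted type; bypass only when the bytes agree,
        # otherwise treat the mislabelled file as non-trusted and inspect it.
        return "bypass" if matches_signature(mt, body) else "av-farm"
    if mt in HTML_TYPES:
        return "html-farm"
    if mt in ARCHIVE_TYPES:
        return "archive-farm"
    return "av-farm"

if __name__ == "__main__":
    # Constructed sample responses: (Content-Type header, first body bytes).
    for ct, body in [("image/gif", b"GIF89a\x01\x00"),
                     ("image/gif", b"MZ\x90\x00"),      # executable labelled GIF
                     ("text/html; charset=utf-8", b"<html>"),
                     ("application/zip", b"PK\x03\x04")]:
        print(f"{ct:26} -> {choose_path(ct, body)}")
```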
Scalability and high availability

Anti-virus gateways are placed in the path to the network. Therefore, a failure in the anti-virus gateway leads to loss of Internet connectivity, translating to expensive downtime. The advanced health monitoring mechanism of Radware's Content Inspection Director guarantees that content is directed only to resources which are fully operational, thus ensuring high availability of all content inspection devices and preventing loss of Internet connectivity and expensive downtime.

Creating farms of content inspection devices allows users to easily add more content inspection devices if the need for greater capacity arises. Content inspection devices are added transparently, without service interruption or downtime.
Other features

Web filtering

Internet access is necessary for many employees; however, abuse of this access can waste network bandwidth, decrease productivity and expose an organization to legal liability. Web filtering tools can be used to prevent employees from visiting objectionable sites, or from downloading unauthorized or illegal software. Web filtering tools usually rely on an extensive database. These databases consist of millions of sites pre-screened by professionals to determine their content. Due to the nature of the Internet, the database is updated frequently.

When working with Content Inspection Director, a predefined list of authorized sites can be defined. When a request is made for a site that is not on the list, Content Inspection Director forwards the request to the web filtering device to verify whether the request should be granted. All other requests are directed either to the local cache servers or to the Internet.

Flow management

Flow management allows for the sequential load balancing of several server farms, each providing a different service. Different flow management policies can be set based on source and destination address, traffic type and physical port. For example, consider the following diagram:

Figure 2: University example of professors' flow management policy (diagram labels: Students, Professors, Content Inspection Director, Anti-virus, Cache, URL Filtering)

In the above example there are three farm clusters and two groups of users: students and professors. For each of these groups a different flow policy has been defined. Figure 2 outlines the flow of professors' traffic. The HTTP requests generated by professors are first directed to the cache farm, for improved performance. If the content does not exist in the cache, it is retrieved from the Internet. On the return path, Content Inspection Director examines the content of the returned file and, based on the MIME type as explained earlier, decides whether this is trusted content that can be sent directly to the users, or whether it should be sent for inspection to the anti-virus gateway.

Students' requests, on the other hand, as seen in Figure 3, are first sent for inspection by the web filtering tool. If the requested site is a legitimate site, the request is forwarded to the cache servers and then to the anti-virus gateway, in a similar manner to what has been described above.

Figure 3: University example of students' flow management policy (diagram labels: Students, Professors, Content Inspection Director, Anti-virus, Cache, URL Filtering)

Summary

The Content Inspection Director is the first product that enables high-capacity Internet content security for enterprises as well as xSPs. The main benefits are:

- 500% increase in content inspection speed.
- Aggregation of content inspection devices into farms increases the capacity and volume of inspected traffic.
- Secure web access with no latency while maintaining the best content security possible. Web page content is analyzed in real time to prevent any malicious content or scripts from entering the network. Areas that were traditionally bottlenecks are eliminated.
- Distribution of content based on protocol (e.g. HTTP, FTP and SMTP) and file type improves content inspection speed and ensures that no malicious traffic can slip into the network.
- Scalable architecture with Gigabit connectivity accommodates the needs of high capacity networks. As the need arises, more inspection machines can be transparently added to the farm.
- Health monitoring and traffic redirection provide high availability. If one of the content inspector machines fails, the Content Inspection Director makes sure the traffic is routed to another machine.
- Full compatibility with all types of content inspection devices and anti-virus gateways, including McAfee, Trend Micro and Aladdin.
- Flow management permits sequential load balancing of several server farms, each providing a different service. Different content inspection policies can be assigned based on source, destination and traffic type.
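As an added example (not the product's code), the flow management, web filtering and health monitoring behaviour described above as a small Python model: each farm hands requests round-robin to its healthy members only, each user group has an ordered list of farms its requests cross on the way to the Internet, and hosts on the administrator's authorized list skip the web-filtering farm. Farm and device names, the two policies and the authorized-site list are this example's assumptions; the return-path MIME decision is left out.

```python
# Added example: per-group flow policy over farms with health monitoring.
# Farm names, device names, policies and the authorized-site list are
# assumptions of this example, not the product's configuration.

class Farm:
    """A farm of interchangeable devices; only healthy members get traffic."""
    def __init__(self, name, devices):
        self.name = name
        self.devices = list(devices)
        self.healthy = set(devices)   # updated by the health monitor
        self._next = 0
    def set_health(self, device, up):
        """Health-monitor callback: mark a member operational or failed."""
        (self.healthy.add if up else self.healthy.discard)(device)
    def pick(self):
        """Round-robin over healthy members; None when the whole farm is down."""
        live = [d for d in self.devices if d in self.healthy]
        if not live:
            return None
        device = live[self._next % len(live)]
        self._next += 1
        return device

# Request-path policies from the page's university example: the ordered
# farms a group's HTTP request crosses before reaching the Internet.
POLICIES = {
    "professors": ["cache"],
    "students": ["url-filter", "cache"],
}
# Sites pre-authorized by the administrator skip the web-filtering farm.
AUTHORIZED_SITES = {"www.example.edu", "library.example.edu"}

def route_request(farms, group, host):
    """Return the (farm, device) hops for one request, ending at the
    Internet; raise if a farm the policy requires has no healthy device."""
    hops = []
    for farm_name in POLICIES[group]:
        if farm_name == "url-filter" and host in AUTHORIZED_SITES:
            continue                       # on the authorized list
        device = farms[farm_name].pick()
        if device is None:
            raise RuntimeError(f"farm {farm_name!r} has no operational device")
        hops.append((farm_name, device))
    hops.append(("internet", host))
    return hops

if __name__ == "__main__":
    farms = {"url-filter": Farm("url-filter", ["uf1"]),
             "cache": Farm("cache", ["cache1", "cache2"])}
    print(route_request(farms, "students", "www.example.com"))
```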