HTTP Virus Protection in the Enterprise Environment




TREND MICRO INTERSCAN WEBPROTECT
Trend Micro, Inc., 10101 N. De Anza Blvd., Cupertino, CA 95014
T 800.228.5651 / 408.257.1500, F 408.257.2003, www.trendmicro.com

TABLE OF CONTENTS

Introduction
A Solution for a Seamless Caching-Security Relationship
Trend Micro's New Interscan WebProtect for ICAP
Conclusion
About Trend Micro

July 2002

Copyright 2002 by Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the prior written consent of Trend Micro Incorporated. Trend Micro, the t-ball logo, AppletTrap, Control Manager, eManager, GateLock, InterScan, HouseCall, InterScan VirusWall, MacroTrap, NeaTSuite, OfficeScan, PC-cillin, PortalProtect, ScanMail, ScriptClean, ScriptTrap, ServerProtect, SmartScan, TMCM, Trend Micro Content Scanning Protocol, Trend Micro Control Manager, Trend Micro CSP, Trend Micro Damage Cleanup Server, Trend Micro Damage Assessment and Cleanup Services, Trend Micro Outbreak Prevention Services, TrendLabs, Trend VCS, VirusWall, WebManager, WebProtect and WebTrap are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.

INTRODUCTION

Web-related security threats have made organizations understand the business consequences of an inadequate security infrastructure. Many of these organizations are rethinking their existing Internet connectivity and security services. These services evolved rapidly without the benefit of a coherent architecture, resulting in complex infrastructures that were difficult to scale and manage and in constant need of updates to plug overlooked security holes.

As technology evolves, so do computer viruses. Email and Web access, critical applications for today's connected businesses, provide a new entryway into corporate networks, the way infected floppy disks once did. Mixed threats, such as the recent Nimda and CodeRed worms, used both email and Web pages as transmission routes. Traditional viruses can also enter networks through the HTTP gateway when employees access personal Web email services. Virus scanning at the Internet access point plays a critical role in Web security by removing harmful content at the security perimeter, before it gets into the network.

Today, one of the common barriers to adequate virus protection for Web traffic is performance. Latency is a known factor when virus scanning is introduced into a network, especially under enterprise high-traffic conditions where thousands of users are concurrently hitting the server. In recent years, caching servers have gained popularity as a means of relieving traffic congestion. The "retrieve once, serve many" methodology employed by caching servers has now expanded to include third-party applications that add value to the caching content delivery model. This newly developed method of allowing other applications, such as virus scanning, to benefit from the improved performance and scalability model has lifted the barrier to ensuring Web traffic is protected from the onslaught of new threats.

A new, open protocol has recently been introduced to allow a seamless coupling of caching and virus protection.

A SOLUTION FOR A SEAMLESS CACHING-SECURITY RELATIONSHIP

The Internet Content Adaptation Protocol, or ICAP, provides a mechanism to address this need. The cohesive strategy of caching solutions utilizing ICAP together with Trend Micro's best-of-breed virus scanning software allows for full protection across the enterprise. Configuration by the end user is not required, as the virus scanning engine fits seamlessly into the existing infrastructure, thereby eliminating the costly exercise of modifying each desktop. This aspect is particularly useful in extremely large corporations, where thousands of users are affected.

ICAP HISTORY

The ICAP Forum consists of a group of caching companies with a common desire to enable communication between their caching devices and third-party applications. The Forum believes that by encouraging vendors to work together, it can accelerate the availability of enterprise solutions, understand the problems that need to be addressed, and assist the standards community in the development of open standards. The end result is the creation of a host of new value-added services that are delivered at the edge of the Internet with unprecedented speed and reliability. The Forum works to promote broad acceptance of ICAP products on a worldwide basis, across the enterprise, network service provider, and IT industries.

ICAP ARCHITECTURE

The ICAP 1.0 architecture is a very robust system that is intended to be useful for many applications. The caching device is the "ICAP client" while the third-party application is referred to as the "ICAP server". Requests can be modified as well as responses. Redundant, load-balanced farms of ICAP servers can be used for increased performance and scalability. ICAP also has a mechanism that allows IT administrators to configure the caching device to route requests and responses to different ICAP service farms. Much work has been done to make modified content cacheable when appropriate.

The protocol is focused on providing simple object-based content vectoring for HTTP services. A lightweight protocol for executing a "remote procedure call" on HTTP messages, it allows ICAP clients to pass HTTP messages to ICAP servers for various types of transformation or other processing ("adaptation"), such as virus scanning. The server executes its transformation service on the messages and sends responses back to the client, usually containing modified messages. The adapted messages may be either HTTP requests or HTTP responses. ICAP provides a simple procedure to vector content between caches and network-based application servers. It has already been adopted by a wide range of vendors, and it enables caching customers to implement third-party applications with minimal changes to their existing network architectures.

The principal advantages of ICAP include:

- Scalability: Multiple ICAP servers can be set up to service requests and responses from a single cache.
- Open standard: Third-party vendors can develop specific applications that provide additional value-added services at the caching gateway.
- Efficiency: It is more efficient than adding an additional Web proxy per service, because all Web traffic is piped through the caching server and any necessary requests/responses can be redirected to the appropriate ICAP server.

Figure 1: Trend Micro Interscan WebProtect for ICAP

Some key features of ICAP:

- Load balancing by ICAP clients across multiple instances of ICAP servers. Least-used and round-robin algorithms are provided for balancing across servers, for improved performance and failover protection.
- Chunked transfer encoding for the ICAP request and response between ICAP client and server. Encapsulated headers are not chunked.
- ICAP requests allow the ICAP server to return a 204 No Content response (that is, it sends only the 204 status headers, without the body content). The implementation of this feature may differ between ICAP client vendors.
- The Preview feature allows an ICAP server to see the beginning of a transaction and then decide, based on whatever action the administrator has set up, whether it wants to opt out of the transaction early instead of receiving the remainder of the request message.
- The ISTag ("ICAP Service Tag") response-header field provides a way for ICAP servers to send a service-specific "cookie" to ICAP clients that represents the service's current state. The cookie is an alphanumeric string of at most 32 bytes (not including the null character).
- The ICAP server can advertise the maximum number of ICAP connections, as configured by the administrator, through the OPTIONS response headers.

For more information on ICAP, please visit www.i-cap.org.

TREND MICRO'S NEW INTERSCAN WEBPROTECT FOR ICAP

Interscan WebProtect for ICAP provides best-of-breed antivirus technology for caching solutions that utilize the ICAP 1.0 protocol. This new product solves the issue of the performance impact of Web traffic virus scanning by taking advantage of ICAP's performance and scalability features. Users who have previously experienced latency introduced by more traditional antivirus scanning methods will enjoy the benefits of tightly integrated caching and virus protection.

- Helps protect Web traffic against viruses and other malicious code such as CodeRed and Nimda at the caching gateway
- Ensures protection against the increased threats exposed by use of Web-based email
- Improves performance and reduces network bandwidth usage
- Scalable for even the largest enterprises

ICAP SERVER

The ICAP server listens on the ICAP service port; the default is 1344. Child processes in the ICAP server handle the connections from ICAP clients. The minimum and maximum number of connections are configurable by the administrator. Once a child process obtains a connection, it handles the ICAP request/response pairs on it.

ICAP PROCESS FLOW

Figure 2: Process Flow of Trend Micro's Interscan WebProtect for ICAP (incoming ICAP request, ICAP Server, ICAP Parser, HTTP Parser, scan decision: Y to Scanning then ICAP Composer, N straight to ICAP Composer, outgoing ICAP response)

The ICAP server follows a request/response protocol similar in semantics and usage to HTTP/1.1. As in HTTP/1.1, a single transport connection is re-used for multiple request/response pairs. Requests are matched up with responses by allowing only one outstanding request on a transport connection at a time.

ICAP PARSER

The ICAP request comes in three sections: ICAP header, HTTP request, and HTTP response. The ICAP Parser separates and keeps the ICAP request message, then passes the HTTP portions on to the HTTP Parser.

HTTP PARSER

The HTTP Parser looks at the HTTP request header. Based on how the administrator has set up WebProtect, the message can either be passed on to the Scanning Class for virus scanning, or it can be sent directly to the ICAP Response Composer.

SCANNING CLASS

The Scanning Class utilizes Trend Micro's Virus Scanning API (VSAPI) to scan the HTTP body. Only the HTTP body is scanned.

ICAP RESPONSE COMPOSER

The ICAP Composer gathers information from the ICAP Parser, HTTP Parser, and the Scanning Class to create an ICAP response. If the data was not scanned, the response is generated from the HTTP response section of the ICAP request. If the data was scanned, the response is generated from the Options Response Class. ICAP responses can vary according to the configuration settings.
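The parser/scan/composer pipeline described above, together with the 204 No Content, chunked-body and ISTag behaviour from the ICAP feature list, as an added Python example that is not code from the original paper or from Trend Micro's product: it splits a constructed RESPMOD request into its sections using the Encapsulated header, dechunks the body, runs a stand-in scan (the harmless EICAR test string replaces VSAPI), and composes either a 204 No Content or a modified HTTP response. The 403 blocking page, the service tag value and the host names are assumptions, since the paper does not state what WebProtect returns when a virus is found.

```python
# Constructed values: a service tag (ICAP caps it at 32 bytes) and the harmless EICAR antivirus test string.
ISTAG = b'"WebProtect-demo-0001"'
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def dechunk(data: bytes) -> bytes:
    """Decode a chunked transfer-encoded body (ICAP bodies are always chunked)."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip data and its CRLF

def parse_icap_request(raw: bytes) -> dict:
    """ICAP Parser: split the ICAP header from the encapsulated HTTP request header, response header and body."""
    icap_hdr, _, encap = raw.partition(b"\r\n\r\n")
    lines = icap_hdr.decode().split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:])}
    # Byte offsets of each encapsulated section are carried in the Encapsulated header.
    offsets = [(n.strip(), int(o)) for n, o in
               (p.split("=") for p in headers["encapsulated"].split(","))]
    sections = {}
    for i, (name, start) in enumerate(offsets):
        stop = offsets[i + 1][1] if i + 1 < len(offsets) else len(encap)
        sections[name] = encap[start:stop]
    body = dechunk(sections["res-body"]) if "res-body" in sections else b""
    return {"method": lines[0].split()[0], "headers": headers, "body": body,
            "req_hdr": sections.get("req-hdr", b""), "res_hdr": sections.get("res-hdr", b"")}

def scan(body: bytes) -> str:
    """Stand-in for the Scanning Class (VSAPI): only the HTTP body is inspected; returns the detection name or ''."""
    return "EICAR-Test-File" if EICAR in body else ""

def compose_icap_response(req: dict) -> bytes:
    """ICAP Composer: 204 No Content when clean (cache forwards the original), else a modified blocking response."""
    verdict = scan(req["body"])
    if not verdict:
        return b"ICAP/1.0 204 No Content\r\nISTag: " + ISTAG + b"\r\n\r\n"
    page = b"Blocked by virus scanner: " + verdict.encode() + b"\r\n"
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               b"Content-Length: %d\r\n\r\n" % len(page))
    return (b"ICAP/1.0 200 OK\r\nISTag: " + ISTAG + b"\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n"
            % len(res_hdr) + res_hdr + b"%x\r\n%s\r\n0\r\n\r\n" % (len(page), page))

def build_respmod(body: bytes) -> bytes:
    """Constructed RESPMOD request as an ICAP client (the cache) would send it to port 1344."""
    req_hdr = b"GET http://origin.invalid/f.txt HTTP/1.1\r\nHost: origin.invalid\r\n\r\n"
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    icap = (b"RESPMOD icap://scanner.invalid:1344/avscan ICAP/1.0\r\nHost: scanner.invalid\r\n"
            b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
            % (len(req_hdr), len(req_hdr) + len(res_hdr)))
    return icap + req_hdr + res_hdr + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
```

Calling compose_icap_response(parse_icap_request(build_respmod(payload))) walks one object through the same stages the figure shows; a clean payload yields the 204 short-circuit, so the cache serves its stored copy untouched.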

CONCLUSION

The increase of Web traffic in the corporate environment introduces a new level of exposure to a variety of viruses, such as Code Red and Nimda. The popularity of personal Web-based email has driven users to access their accounts at work, thereby opening the door to threats arriving into the corporate network via HTTP or FTP-over-HTTP traffic. Trend Micro's Interscan WebProtect for ICAP provides best-of-breed antivirus technology within the caching environment, utilizing ICAP to alleviate the latency and bandwidth constraints typically introduced by scanning functionality.

ABOUT TREND MICRO

Trend Micro provides centrally controlled server-based virus protection and content filtering products and services. By protecting information that flows through Internet gateways, email servers, and file servers, Trend Micro allows companies and service providers worldwide to stop viruses and other malicious code from a central point before they ever reach the desktop. Trend Micro's corporate headquarters is located in Tokyo, Japan, with business units in North and South America, Europe, Asia, and Australia. Trend Micro's North American headquarters is located in Cupertino, CA. Trend Micro's products are sold directly and through a network of corporate, value-added resellers and service providers. Evaluation copies of all of Trend Micro's products may be downloaded from its award-winning Web site, http://www.trendmicro.com/.