test

SunScreen 3.2 Administrator's Overview

VirusWall Content Scanning

This section describes how to configure your SunScreen HTTP or SMTP proxy to use the separately-licensed TrendMicro VirusWall content scanning option. Once you have installed and configured the VirusWall product on a server platform, you can direct your SunScreen HTTP or SunScreen SMTP proxy to use it for content examination. See "VirusWall Setup Issues" for information about installing, configuring, and using VirusWall.

HTTP Proxy Access to VirusWall

Access to the VirusWall server from within the HTTP proxy is controlled by a service common object (viruswall-http)and a pair of variables (VirusWallServerHTTP and scan.0). The service object and variables are preconfigured as much as possible during installation, but the variables must be altered to activate the interface for scanning. In addition, you may need one or more access rules to allow your Screen access to the VirusWall scanner server; see "To Add an Administrative Access Rule for Remote Administration" in SunScreen 3.2 Administration Guide for more information.

The viruswall-http service common object is employed by the interface between SunScreen's HTTP proxy and VirusWall. The TCP service port defined for this object is set to that used by the default VirusWall installation.

VirusWallServerHTTP Variable

The VirusWallServerHTTP variable configures the interface between your Screen and VirusWall:

Options for the vwvalues portion of the VirusWallServerHTTP variable are:

Note -

Multiple addr items can be configured to allow the use of secondary scanning servers. Each addr item can designate address common objects by name or it can designate a naked (dotted-quad) IP address.

scan.0 Variable

The second variable, scan.0, connects the first variable to the proxy and specifies it as the first scanning facility to be used by that proxy. Because VirusWall scanning is optional, scan.0 is predefined as DISABLED. To turn on scanning, you must set the scan.0 variable to ENABLED.

For the variable scan.0, the scvalues portion is name=VirusWallServerHTTP. Note that the value of this variable is the name of the first variable.

Both variables--VirusWallServerHTTP and scan.0--are pre-defined. If you display their values from the command line configuration editor, you see:


admin% ssadm -r primary edit Initial
edit> vars print prg=scan name=VirusWallServerHTTP
PRG="scan" NAME="VirusWallServerHTTP" ENABLED
VALUES={ type="VirusWall" svc="viruswall-http" addr="viruswall-server" }
DESCRIPTION="TrendMicro HTTP scanning server(s)" 
edit> vars print prg=httpp name=scan.0 
PRG="httpp" NAME="scan.0" DISABLED VALUES={ name="VirusWallServerHTTP" }
DESCRIPTION="HTTP proxy content scanner"

HTTP Access Rules

One or more access rules may be needed to allow your Screen access to the VirusWall scanner server (see "To Add a New Rule" in SunScreen 3.2 Administration Guide.

Because VirusWall scanning is optional, and because the viruswall-server address object cannot be preconfigured during installation, the following example shows prototypical post-installation steps to enable VirusWall scanning of HTTP content:


admin% ssadm --r primary edit Initial
edit> add address viruswall-server 10.73.176.13
edit> add rule viruswall-http localhost viruswall-server ALLOW
edit> add rule www 'inside' web-scanner ALLOW PROXY_HTTP 
edit> vars add prg=httpp name=scan.0 ENABLED 
VALUES={ name=VirusWallServerHTTP } DESCRIPTION="HTTP proxy content scanner"

This example:

If content scanning has been configured, and once proxy-based content checks have been performed, the resulting content is passed to the scanner for inspection. The scanner may instruct that the content be blocked, or may alter (for example, clean viruses from) the content, or may return it unaltered. You receive scanning results (as being blocked, if so determined) that are reflected in SunScreen log entries regarding the HTTP request and its results.

SMTP Proxy Access to VirusWall

Access to the VirusWall server from within the SMTP proxy is controlled by a service common object (viruswall-smtp)and a pair of variables (VirusWallServerSMTP and scan.0). The service object and variables are preconfigured as much as possible during installation, but the variables must be altered to activate the interface for scanning. In addition, you may need one or more rules to allow SunScreen firewall access to a VirusWall scanner that is operating on a separate server platform.

The viruswall-smtp service common object is employed by the interface between SunScreen's SMTP proxy and VirusWall. The TCP service port defined for this object is set to that used by the default VirusWall installation.

VirusWallServerSMTP Variable

The VirusWallServerSMTP variable configures the interface between your Screen and VirusWall:

Options for the vwvalues portion of the VirusWallServerSMTP variable are:

Note that multiple addr items can be configured, allowing the use of secondary scanning servers. Each addr item can designate address common objects by name, or may give a naked (dotted-quad) IP address.

scan.0 Variable

The second variable, scan.0, connects the first variable to the proxy and specifies it as the first scanning facility to be used by that proxy:

For the variable scan.0, the scvalues portion is name=VirusWallServerSMTP. Note that the value of this variable is the name of the first variable.

Both variables--VirusWallServerSMTP and scan.0--are pre-defined. If you display their values from the command line configuration editor, you would see:


admin% ssadm -r primary edit Initial
edit> vars print prg=scan name=VirusWallServerSMTP
PRG="scan" NAME="VirusWallServerSMTP" ENABLED
VALUES={ type="VirusWall" svc="viruswall-smtp" addr="viruswall-server" }
DESCRIPTION="TrendMicro SMTP scanning server(s)" 
edit> vars print prg=smtpp name=scan.0 
PRG="smtpp" NAME="scan.0" DISABLED VALUES={ name="VirusWallServerSMTP" }
DESCRIPTION="SMTP proxy content scanner"

SMTP Access Rules

One or more access rules may be needed to allow your Screen access to the VirusWall scanner server.

Because VirusWall scanning is optional, and because the viruswall-server address object cannot be preconfigured during installation, the following example shows prototypical post-installation steps to enable VirusWall scanning of SMTP content:


admin% ssadm --r primary edit Initial
edit> add address viruswall-server 10.73.176.13
edit> add rule viruswall-smtp localhost viruswall-server ALLOW
edit> add rule smtp 'inside' mail-server ALLOW PROXY_SMTP 
edit> vars add prg=smtpp name=scan.0 ENABLED 
VALUES={ name=VirusWallServerSMTP } 
DESCRIPTION="SMTP proxy content scanner"

If content scanning has been configured, and once the aforementioned proxy-based content checks have been performed, the resulting content is passed to the scanner for inspection. The scanner may instruct that the content be blocked, or may alter (for example, clean viruses from) the content, or may return it unaltered. You receive scanning results (as being blocked, if so determined) that are reflected in SunScreen log entries regarding the SMTP request and its results.

VirusWall Setup Issues

This section discusses the general issues of using SunScreen in conjunction with the VirusWall content scanning option once you have set up and configured your SunScreen HTTP or SMTP proxy.

Currently, SunScreen interoperates with VirusWall, version 3.32, for the Lucent Managed Firewall specifically. Only this version contains the necessary interface protocol that allows SunScreen to use the scanning facilities of VirusWall for HTTP or SMTP content. Aside from representing some hardware and software duplication issues, it also creates some additional security risks that you must minimize.

Windows environments are apt to imbed the need to run the Internet Explorer (IE) Web browser and can further require you to run Active-X as well as enable other executable content within the browser. Because Active-X and its kindred effectively run as root on an Administration Station, the potential for security compromise is immediately obvious. To minimize the potential for viral infection of the VirusWall platform, restrict the access that platform has to net traffic to the extent possible.

This restriction takes two forms:

Place VirusWall on its own, separate SunScreen interface to effect physical isolation of the VirusWall platform. Should your system be compromised, this isolation defeats the possibilities that VirusWall:

To effect access restrictions, your system only needs to interact with other hosts in the following ways:

Only the first three access paths are mandatory for the scanning operation of the product, and only the first five access paths are mandatory for full operation of the product.

Note -

It is recommended that you not use this system for any other purpose.

For you to effect the above security environment, contact TrendMicro for a definitive list of servers to which your VirusWall server needs access. Also, you can request written disclosures or privacy policies regarding all interactions between the VirusWall server you are deploying and TrendMicro's servers.

Once the Viruswall and related software is fully loaded, consult your product documentation or TrendMicro technical support for any questions regarding VirusWall configuration settings or options.

To test the access paths from the HTTP or SMTP proxy, browse the Web or cause inbound email to flow through your VirusWall-enabled SunScreen proxy. The SunScreen logs contain annotation of the added scanning activities.

Also, set LOG_SESSION on the rules to enable the downloading of pattern files from TrendMicro, and any other outbound connections you elect to allow for optional paths. More detailed information about pattern downloads can be obtained from the VirusWall configuration facilities (either Windows application or browser based).