This section describes how to configure your SunScreen HTTP or SMTP proxy to use the separately-licensed TrendMicro VirusWall content scanning option. Once you have installed and configured the VirusWall product on a server platform, you can direct your SunScreen HTTP or SunScreen SMTP proxy to use it for content examination. See "VirusWall Setup Issues" for information about installing, configuring, and using VirusWall.
Access to the VirusWall server from within the HTTP proxy is controlled by a service common object (viruswall-http) and a pair of variables (VirusWallServerHTTP and scan.0). The service object and variables are preconfigured as far as possible during installation, but the variables must be altered to activate the interface for scanning. In addition, you may need one or more access rules to allow your Screen to reach the VirusWall scanner server; see "To Add an Administrative Access Rule for Remote Administration" in the SunScreen 3.2 Administration Guide for more information.
The viruswall-http service common object is employed by the interface between SunScreen's HTTP proxy and VirusWall. The TCP service port defined for this object is set to that used by the default VirusWall installation.
The VirusWallServerHTTP variable configures the interface between your Screen and VirusWall:
(Optional) sys=Screen
prg=scan
name=VirusWallServerHTTP
values={ vwvalues }
(Optional) description="descriptive text"
enabled | disabled (the initial configuration is enabled)
Options for the vwvalues portion of the VirusWallServerHTTP variable are:
type=VirusWall
svc=viruswall-http
addr=vwserver (the default is the undefined address object, viruswall-server)
(Optional) holddown=downsecs (the default is 30*60 seconds)
(Optional) maxconns=#maxconns (maximum concurrent connections; the default is 3)
(Optional) minconns=#minconns (minimum spare connections; the default is 1)
Multiple addr items can be configured to allow the use of secondary scanning servers. Each addr item can designate address common objects by name or it can designate a naked (dotted-quad) IP address.
The second variable, scan.0, connects the first variable to the proxy and specifies it as the first scanning facility to be used by that proxy. Because VirusWall scanning is optional, scan.0 is predefined as DISABLED. To turn on scanning, you must set the scan.0 variable to ENABLED.
(Optional) sys=Screen
prg=httpp
name=scan.0
values={ scvalues }
(Optional) description="descriptive text"
enabled | disabled (the initial configuration is disabled)
For the variable scan.0, the scvalues portion is name=VirusWallServerHTTP. Note that the value of this variable is the name of the first variable.
Both variables--VirusWallServerHTTP and scan.0--are pre-defined. If you display their values from the command line configuration editor, you see:
admin% ssadm -r primary edit Initial
edit> vars print prg=scan name=VirusWallServerHTTP
PRG="scan" NAME="VirusWallServerHTTP" ENABLED VALUES={ type="VirusWall" svc="viruswall-http" addr="viruswall-server" } DESCRIPTION="TrendMicro HTTP scanning server(s)"
edit> vars print prg=httpp name=scan.0
PRG="httpp" NAME="scan.0" DISABLED VALUES={ name="VirusWallServerHTTP" } DESCRIPTION="HTTP proxy content scanner"
One or more access rules may be needed to allow your Screen access to the VirusWall scanner server (see "To Add a New Rule" in the SunScreen 3.2 Administration Guide).
Because VirusWall scanning is optional, and because the viruswall-server address object cannot be preconfigured during installation, the following example shows prototypical post-installation steps to enable VirusWall scanning of HTTP content:
admin% ssadm -r primary edit Initial
edit> add address viruswall-server 10.73.176.13
edit> add rule viruswall-http localhost viruswall-server ALLOW
edit> add rule www 'inside' web-scanner ALLOW PROXY_HTTP
edit> vars add prg=httpp name=scan.0 ENABLED VALUES={ name=VirusWallServerHTTP } DESCRIPTION="HTTP proxy content scanner"
This example:
Defines the address for viruswall-server
Adds a rule to allow communication between the Screen and the VirusWall scanner
Adds another rule to allow HTTP proxy traffic
Sets the ENABLED flag to turn on HTTP proxy content scanning
As with any other configuration edit, the new address, rules, and variable setting take effect only after the edited configuration is saved and activated.
If content scanning has been configured, then once the proxy's own content checks have been performed, the resulting content is passed to the scanner for inspection. The scanner may direct that the content be blocked, may alter it (for example, clean viruses from it), or may return it unaltered. The scanning result, including whether the content was blocked, is reflected in the SunScreen log entries for the HTTP request and its outcome.
Access to the VirusWall server from within the SMTP proxy is controlled by a service common object (viruswall-smtp) and a pair of variables (VirusWallServerSMTP and scan.0). The service object and variables are preconfigured as far as possible during installation, but the variables must be altered to activate the interface for scanning. In addition, you may need one or more rules to allow the SunScreen firewall access to a VirusWall scanner that is operating on a separate server platform.
The viruswall-smtp service common object is employed by the interface between SunScreen's SMTP proxy and VirusWall. The TCP service port defined for this object is set to that used by the default VirusWall installation.
The VirusWallServerSMTP variable configures the interface between your Screen and VirusWall:
(Optional) sys=Screen
prg=scan
name=VirusWallServerSMTP
values={ vwvalues }
(Optional) description="descriptive text"
enabled | disabled (the initial configuration is enabled)
Options for the vwvalues portion of the VirusWallServerSMTP variable are:
type=VirusWall
svc=viruswall-smtp
addr=vwserver (the default is the undefined address object, viruswall-server)
(Optional) holddown=downsecs (the default is 30*60 seconds)
(Optional) maxconns=#maxconns (maximum concurrent connections; the default is 3)
(Optional) minconns=#minconns (minimum spare connections; the default is 1)
Note that multiple addr items can be configured, allowing the use of secondary scanning servers. Each addr item can designate address common objects by name, or may give a naked (dotted-quad) IP address.
The second variable, scan.0, connects the first variable to the proxy and specifies it as the first scanning facility to be used by that proxy:
(Optional) sys=Screen
prg=smtpp
name=scan.0
values={ scvalues }
(Optional) description="descriptive text"
enabled | disabled (the initial configuration is disabled)
For the variable scan.0, the scvalues portion is name=VirusWallServerSMTP. Note that the value of this variable is the name of the first variable.
Both variables--VirusWallServerSMTP and scan.0--are pre-defined. If you display their values from the command line configuration editor, you would see:
admin% ssadm -r primary edit Initial
edit> vars print prg=scan name=VirusWallServerSMTP
PRG="scan" NAME="VirusWallServerSMTP" ENABLED VALUES={ type="VirusWall" svc="viruswall-smtp" addr="viruswall-server" } DESCRIPTION="TrendMicro SMTP scanning server(s)"
edit> vars print prg=smtpp name=scan.0
PRG="smtpp" NAME="scan.0" DISABLED VALUES={ name="VirusWallServerSMTP" } DESCRIPTION="SMTP proxy content scanner"
One or more access rules may be needed to allow your Screen access to the VirusWall scanner server.
Because VirusWall scanning is optional, and because the viruswall-server address object cannot be preconfigured during installation, the following example shows prototypical post-installation steps to enable VirusWall scanning of SMTP content:
admin% ssadm -r primary edit Initial
edit> add address viruswall-server 10.73.176.13
edit> add rule viruswall-smtp localhost viruswall-server ALLOW
edit> add rule smtp 'inside' mail-server ALLOW PROXY_SMTP
edit> vars add prg=smtpp name=scan.0 ENABLED VALUES={ name=VirusWallServerSMTP } DESCRIPTION="SMTP proxy content scanner"
If content scanning has been configured, then once the proxy's own content checks have been performed, the resulting content is passed to the scanner for inspection. The scanner may direct that the content be blocked, may alter it (for example, clean viruses from it), or may return it unaltered. The scanning result, including whether the content was blocked, is reflected in the SunScreen log entries for the SMTP transaction and its outcome.
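Because scan.0 ships DISABLED and the default addr points at an address object that does not exist until you add it, a proxy can look fully configured while passing nothing to VirusWall. The following script, an added example that is not part of SunScreen or VirusWall, parses the record lines that `vars print` emits in the format shown for both the HTTP and the SMTP proxy above, and walks the chain scan.0 -> VirusWallServerHTTP/VirusWallServerSMTP -> addr, reporting every link that would stop content from reaching the scanner. The listing it checks is constructed from the two `vars print` outputs in this chapter, and the secondary scanner address 10.73.176.14 is an assumed value.

```python
"""Sanity-check a SunScreen proxy's VirusWall scanning chain.

Added example, not part of SunScreen or VirusWall. It parses `vars print`
record lines, then confirms that scan.0 is ENABLED, that the scan variable it
names exists, is ENABLED and uses the right viruswall-* service, and that every
addr= entry is a literal dotted-quad or an address object that has been defined.
"""
import ipaddress
import re
from dataclasses import dataclass

# One record per line: PRG="..." NAME="..." ENABLED|DISABLED VALUES={ ... } DESCRIPTION="..."
VAR_RE = re.compile(
    r'PRG="(?P<prg>[^"]*)"\s+NAME="(?P<name>[^"]*)"\s+(?P<state>ENABLED|DISABLED)'
    r'\s+VALUES=\{(?P<values>[^}]*)\}'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The service object each proxy's scan variable must reference.
PROXY_SVC = {"httpp": "viruswall-http", "smtpp": "viruswall-smtp"}


@dataclass
class Var:
    prg: str
    name: str
    enabled: bool
    values: dict  # key -> list of values, because addr= may repeat


def parse_vars(text):
    """Turn a `vars print` listing into Var records; non-record lines are ignored."""
    records = []
    for m in VAR_RE.finditer(text):
        values = {}
        for key, val in KV_RE.findall(m.group("values")):
            values.setdefault(key, []).append(val)
        records.append(Var(m.group("prg"), m.group("name"),
                           m.group("state") == "ENABLED", values))
    return records


def _is_dotted_quad(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def scan_chain_problems(vars_text, proxy, defined_addresses):
    """List the reasons `proxy` (httpp or smtpp) would not hand content to VirusWall.

    An empty list means scan.0 -> VirusWallServer* -> addr is fully wired up.
    `defined_addresses` is the set of address common-object names you have added.
    """
    by_key = {(v.prg, v.name): v for v in parse_vars(vars_text)}
    problems = []
    hook = by_key.get((proxy, "scan.0"))
    if hook is None:
        return [f"{proxy}: no scan.0 variable"]
    if not hook.enabled:
        problems.append(f"{proxy}: scan.0 is DISABLED, so nothing is scanned")
    names = hook.values.get("name", [])
    if len(names) != 1:
        return problems + [f"{proxy}: scan.0 must name exactly one scan variable"]
    scanner = by_key.get(("scan", names[0]))
    if scanner is None:
        return problems + [f"{proxy}: scan.0 names {names[0]}, which is not defined under prg=scan"]
    if not scanner.enabled:
        problems.append(f"{names[0]} is DISABLED")
    if scanner.values.get("svc") != [PROXY_SVC[proxy]]:
        problems.append(f"{names[0]}: svc should be {PROXY_SVC[proxy]}")
    addrs = scanner.values.get("addr", [])
    if not addrs:
        problems.append(f"{names[0]}: no addr= entry")
    for a in addrs:
        if not _is_dotted_quad(a) and a not in defined_addresses:
            problems.append(f"{names[0]}: addr {a} is not a defined address object")
    return problems


# Constructed listing for both proxies as they come out of installation.
DEFAULT_LISTING = """\
PRG="scan" NAME="VirusWallServerHTTP" ENABLED VALUES={ type="VirusWall" svc="viruswall-http" addr="viruswall-server" } DESCRIPTION="TrendMicro HTTP scanning server(s)"
PRG="httpp" NAME="scan.0" DISABLED VALUES={ name="VirusWallServerHTTP" } DESCRIPTION="HTTP proxy content scanner"
PRG="scan" NAME="VirusWallServerSMTP" ENABLED VALUES={ type="VirusWall" svc="viruswall-smtp" addr="viruswall-server" } DESCRIPTION="TrendMicro SMTP scanning server(s)"
PRG="smtpp" NAME="scan.0" DISABLED VALUES={ name="VirusWallServerSMTP" } DESCRIPTION="SMTP proxy content scanner"
"""

# Same site after enabling scan.0 and adding a secondary scanner by literal
# address (10.73.176.14 is an assumed value).
ENABLED_LISTING = (DEFAULT_LISTING
                   .replace('NAME="scan.0" DISABLED', 'NAME="scan.0" ENABLED')
                   .replace('addr="viruswall-server" }',
                            'addr="viruswall-server" addr="10.73.176.14" }'))

if __name__ == "__main__":
    for label, listing, addrs in (("default", DEFAULT_LISTING, set()),
                                  ("enabled", ENABLED_LISTING, {"viruswall-server"})):
        for proxy in PROXY_SVC:
            print(label, proxy, scan_chain_problems(listing, proxy, addrs) or "OK")
```

Run against the post-installation defaults, the check reports both that scan.0 is DISABLED and that viruswall-server has not been defined; after the steps above it reports nothing. Feed it the output of `vars print` for prg=scan, prg=httpp and prg=smtpp, and the names from `list address`, to check a live Screen.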
This section discusses the general issues of using SunScreen in conjunction with the VirusWall content scanning option once you have set up and configured your SunScreen HTTP or SMTP proxy.
Currently, SunScreen interoperates specifically with VirusWall version 3.32 for the Lucent Managed Firewall. Only this version contains the interface protocol that allows SunScreen to use VirusWall's scanning facilities for HTTP or SMTP content. Running VirusWall on its own server platform, besides duplicating some hardware and software, creates additional security risks that you must minimize.
Windows environments tend to require the Internet Explorer (IE) Web browser, and can further require you to run ActiveX and enable other executable content within the browser. Because ActiveX and its kindred effectively run with full (root-equivalent) privileges on an Administration Station, the potential for security compromise is obvious. To minimize the potential for viral infection of the VirusWall platform, restrict that platform's access to network traffic as far as possible.
This restriction takes two forms:
Physical network isolation
VirusWall Internet access restriction
Place VirusWall on its own, separate SunScreen interface to physically isolate the VirusWall platform. Should that platform be compromised, this isolation:
Denies it unfettered access to other systems
Limits the potential to exploit the various security holes found in NT server installations
Prevents it from viewing traffic that would otherwise flow past it
To effect access restrictions, note that the VirusWall system needs to interact with other hosts only in the following ways:
Inbound access from the SunScreen firewall using it for content filtering
Outbound name service (for example, DNS) access to resolve hostnames
Outbound access to the TrendMicro server(s) from which it periodically downloads pattern files
(Optional) Inbound access from your browser clients to the VirusWall scanner's Web server to allow you to retrieve (infected) content being held by the scanner
(Optional) Outbound access to your SMTP server(s), through which the VirusWall server sends notification messages
(Optional) Outbound access to other TrendMicro servers to browse TrendMicro's online documentation
(Optional) Inbound access from a browser for remote administration of the VirusWall server
Only the first three access paths are required for the scanning operation of the product, and only the first five are required for its full operation.
It is recommended that you not use this system for any other purpose.
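The access paths above amount to a small allow-list for the VirusWall host, and the easiest mistake is a rule such as "viruswall-server to anywhere, ALLOW" that quietly hands a compromised scanner the unfettered access the isolation was meant to remove. The following script, an added example that is not SunScreen's or TrendMicro's code, encodes the seven paths as (source, destination, service) flows and audits a proposed rule set against them: it flags wildcard or unlisted ALLOW rules touching the VirusWall host, outbound rules that lack LOG_SESSION (as recommended later in this section), and required paths with no rule at all. The names viruswall-server, localhost, viruswall-http and viruswall-smtp come from this chapter; dns-server, trend-update, trend-docs, mail-server, admin-station, the dns/www/smtp service names, and the choice of www for pattern-file downloads are assumptions for illustration.

```python
"""Audit the rules that touch the VirusWall host against the seven access paths.

Added example, not from SunScreen or TrendMicro. Peer object names other than
viruswall-server/localhost and the service names other than viruswall-* are
assumed, as is the use of www for pattern-file downloads.
"""
from dataclasses import dataclass

VW = "viruswall-server"

# Access paths numbered as in the list above, each as a set of permitted flows.
PATHS = {
    1: {("localhost", VW, "viruswall-http"), ("localhost", VW, "viruswall-smtp")},
    2: {(VW, "dns-server", "dns")},
    3: {(VW, "trend-update", "www")},
    4: {("inside", VW, "www")},
    5: {(VW, "mail-server", "smtp")},
    6: {(VW, "trend-docs", "www")},
    7: {("admin-station", VW, "www")},
}
# Paths 1-3 suffice for scanning, 1-5 for full operation; 6 and 7 are always elective.
REQUIRED = {"scanning": (1, 2, 3), "full": (1, 2, 3, 4, 5)}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: str
    action: str = "ALLOW"
    options: tuple = ()      # e.g. ("LOG_SESSION",)


def permitted_flows(level, elected=()):
    """Flows the VirusWall host may use at `level`, plus any elected optional paths."""
    flows = set()
    for n in REQUIRED[level] + tuple(elected):
        flows |= PATHS[n]
    return flows


def audit(rules, level="scanning", elected=()):
    """Return (severity, message) findings; an empty list means the rule set is tight."""
    allowed = permitted_flows(level, elected)
    findings, covered = [], set()
    for r in rules:
        if r.action != "ALLOW" or VW not in (r.src, r.dst):
            continue
        flow = (r.src, r.dst, r.svc)
        if "*" in flow:
            findings.append(("violation", f"{flow}: wildcard gives the VirusWall host unfettered access"))
        elif flow not in allowed:
            findings.append(("violation", f"{flow}: not a permitted access path"))
        else:
            covered.add(flow)
            if r.src == VW and "LOG_SESSION" not in r.options:
                findings.append(("warning", f"{flow}: outbound from VirusWall but not LOG_SESSION"))
    for n in REQUIRED[level]:
        if not PATHS[n] & covered:
            findings.append(("missing", f"path {n}: no ALLOW rule for any of {sorted(PATHS[n])}"))
    return findings


# Constructed rule sets: the tempting shortcut, and one that follows the text.
WEAK_RULES = [
    Rule("localhost", VW, "viruswall-http"),
    Rule(VW, "*", "*"),                                          # "let the scanner reach anything"
]
HARDENED_RULES = [
    Rule("localhost", VW, "viruswall-http"),
    Rule(VW, "dns-server", "dns", options=("LOG_SESSION",)),
    Rule(VW, "trend-update", "www", options=("LOG_SESSION",)),
    Rule(VW, "mail-server", "smtp", options=("LOG_SESSION",)),   # elected path 5
]

if __name__ == "__main__":
    for label, rules, elected in (("weak", WEAK_RULES, ()), ("hardened", HARDENED_RULES, (5,))):
        print(label, audit(rules, elected=elected) or "OK")
```

The weak set yields one violation (the wildcard) and two missing required paths; the hardened set is clean only when path 5 is declared as elected, and auditing it at the "full" level reports path 4 as missing, which is the point: optional paths must be opened deliberately, one at a time.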
To put the above security environment in place, contact TrendMicro for a definitive list of the servers to which your VirusWall server needs access. You can also request written disclosures or privacy policies covering all interactions between the VirusWall server you are deploying and TrendMicro's servers.
Once VirusWall and its related software are fully loaded, consult your product documentation or TrendMicro technical support for any questions about VirusWall configuration settings or options.
To test the access paths from the HTTP or SMTP proxy, browse the Web or cause inbound email to flow through your VirusWall-enabled SunScreen proxy. The SunScreen logs record the added scanning activity.
Also, set LOG_SESSION on the rules that permit pattern-file downloads from TrendMicro, and on any other outbound connections you elect to allow for the optional paths, so that those sessions are logged. More detailed information about pattern downloads is available from the VirusWall configuration facilities (either the Windows application or the browser-based interface).