VirusWall Setup Issues

This section discusses the general issues of using SunScreen in conjunction with the VirusWall content scanning option once you have set up and configured your SunScreen HTTP or SMTP proxy.

Currently, SunScreen interoperates with VirusWall, version 3.32, for the Lucent Managed Firewall specifically. Only this version contains the necessary interface protocol that allows SunScreen to use the scanning facilities of VirusWall for HTTP or SMTP content. Aside from representing some hardware and software duplication issues, it also creates some additional security risks that you must minimize.

Windows environments are apt to imbed the need to run the Internet Explorer (IE) Web browser and can further require you to run Active-X as well as enable other executable content within the browser. Because Active-X and its kindred effectively run as root on an Administration Station, the potential for security compromise is immediately obvious. To minimize the potential for viral infection of the VirusWall platform, restrict the access that platform has to net traffic to the extent possible.

This restriction takes two forms:

• Physical network isolation

• VirusWall Internet access restriction

Place VirusWall on its own, separate SunScreen interface to effect physical isolation of the VirusWall platform. Should your system be compromised, this isolation defeats the possibilities that VirusWall:

• Denies the system a position of unfettered access to other systems

• Limits the potential to exploit various security holes found in NT server installations

• Could view traffic that might otherwise flow past it

To effect access restrictions, your system only needs to interact with other hosts in the following ways:

• Inbound access from the SunScreen firewall using it for content filtering

• Outbound name service (for example, DNS) access to resolve hostnames

• Outbound access to the TrendMicro server(s) from which it periodically downloads pattern files

• (Optional) Inbound access from your browser clients to the VirusWall scanner's Web server to allow you to retrieve (infected) content being held by the scanner

• (Optional) Outbound access to your SMTP server(s) through which the TrendMicro server(s) sends notification messages

• (Optional) Outbound access to other TrendMicro servers to browse TrendMicro's online documentation

• (Optional) Inbound access from a browser for remote administration of the VirusWall server

Only the first three access paths are mandatory for the scanning operation of the product, and only the first five access paths are mandatory for full operation of the product.

It is recommended that you not use this system for any other purpose.

For you to effect the above security environment, contact TrendMicro for a definitive list of servers to which your VirusWall server needs access. Also, you can request written disclosures or privacy policies regarding all interactions between the VirusWall server you are deploying and TrendMicro's servers.

Once the Viruswall and related software is fully loaded, consult your product documentation or TrendMicro technical support for any questions regarding VirusWall configuration settings or options.

To test the access paths from the HTTP or SMTP proxy, browse the Web or cause inbound email to flow through your VirusWall-enabled SunScreen proxy. The SunScreen logs contain annotation of the added scanning activities.

Also, set LOG_SESSION on the rules to enable the downloading of pattern files from TrendMicro, and any other outbound connections you elect to allow for optional paths. More detailed information about pattern downloads can be obtained from the VirusWall configuration facilities (either Windows application or browser based).