User manual ESET GATEWAY SECURITY

[. . . ] ESET Gateway Security Installation Manual and User Guide Table of contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Terminology and abbreviations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [. . . ] The remaining lines are used to configure error message reporting in the event that the parent proxy is down or becomes unreachable. To configure Squid to attempt direct connections when the parent proxy is unreachable, add the following parameters to the Squid configuration file: 18 ESET Gateway Security cache_peer 192. 168. 1. 10 parent 8080 0 no-query prefer_direct off To reread the newly created configuration, reload the ESETS daemon. 5. 3. Internet Content Adaptation configuration The Internet Content Adaptation is a well known method aimed at providing object-based content vectoring for HTTP services. It is based on the Internet Content Adaptation Protocol (ICAP) described in the RFC-3507 memo. Configuration for integrating the ICAP services is shown in Figure 5-3: Figure 5-3. Scheme of ESET Gateway Security as a ICAP server. INTERNET Proxy Cache ICAP client ESET Gateway Security Gateway User Agent Client Local Network User Agent Client User Agent Client The Proxy Cache receives the HTTP request from the User Agent and/or the response from the HTTP server and then encapsulates the message into the ICAP request. The Proxy Cache must also work in this case as the ICAP client and pass the ICAP request for the message adaptation to ESET Gateway Security, namely to a generic ESETS ICAP server - esets_icap. The module provides scanning of the encapsulated message body for infiltration. Based on the scanning result, it then provides an appropriate ICAP response which is sent back to the ICAP client, or to the Proxy Cache, for further delivery. To configure ESET Gateway Security to scan HTTP messages which are encapsulated in ICAP requests, enter the command: /usr/sbin/esets_setup Follow the instructions provided by the script. When the 'Available installations/uninstallations' offer appears, choose the 'ICAP' option to display the`install/uninstall' options. Choose `install' to automatically configure the module to listen on a predefined port and reload the ESETS daemon service. In default mode, the installer shows all steps which will be performed and also creates a backup of the configuration, which can be restored later at any time. The detailed installer utility steps for all possible scenarios are also described in appendix A of this documentation. chapter 5 Integration with Internet Gateway services 19 The second step of the ICAP configuration method is activating the ICAP client functionality within the Proxy Cache. The ICAP client must be configured in order to properly request the esets_icap for the infiltration scanning service. The initial request line of the ICAP request must be entered as follows: METHOD icap://server/av_scan ICAP/1. 0 In the above example, METHOD is the ICAP method used, 'server' is the server name (or IP address), and/av_scanistheesets_icap infiltrations scanning service identifier. 5. 4. Large HTTP Objects Handling Under normal conditions, objects are first transferred from the HTTP server (or client) to esets_http, scanned for infiltrations and then transferred to the HTTP client (or server). For large files (the large objects whose transfer time is larger than the timeout defined by the parameterlo_timeout)thisisnotanoptimalscenario­theuseragent'stimeoutsettingorthe user's impatience can cause interrupts or even canceling of the object transfer. Therefore, other methods of processing large objects must be implemented. These are described in the following two sections. Method of deferred scan With esets_http, a technique known as the `deferred scan' method of handling large files can be employed. This means that if the object transferred becomes too large, esets_http will begin to send the object transparently to an awaiting HTTP end-point, such as a client or server. [. . . ] If IPfiltering is being performed by the ipchains administration tool, an appropriate rule would be: ipchains -A INPUT -p tcp -i if0 --dport 80 \ -j REDIRECT 8080 If IP-filtering is being performed by the iptables administration tool, the rule is: iptables -t nat -A PREROUTING -p tcp -i if0 \ --dport 80 -j REDIRECT --to-ports 8080 On FreeBSD, the rule is: ipfw add fwd 192. 168. 1. 10, 8080 tcp \ from any to any 80 via if0 in On NetBSD and Solaris, the rule is: echo 'rdr if0 0. 0. 0. 0/0 port 80 -> 192. 168. 1. 10 \ port 8080 tcp' | ipnat -f - A. 2. Setting ESETS for scanning of FTP communication - transparent mode FTP scanning is performed using the esets_ftp daemon. In the [ftp] section of the ESETS configuration file, set the following parameters: agent_enabled = yes listen_addr = "192. 168. 1. 10" listen_port = 2121 Intheaboveexample, `listen_addr'istheaddressofthelocalnetworkinterfacenamedif0. Then, redirect all FTP requests to esets_ftp. [. . . ]