User manual NOD32 ESET GATEWAY SECURITY FOR LINUX/BSD/SOLARIS

[. . . ] ESET Gateway Security Installation Manual and User Guide Linux, BSD and Solaris Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. 1 Main functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. 2 Key features of the system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. [. . . ] This is because some parts of the already transferred data can contain executable, dangerous code. For this reason, ESET developed a modified version of the deferred sca n technique, known as the ‘partial scan’ technique. Partial scan technique The pa rtia l sca n technique has been developed as an additional safeguard to the deferred sca n method. The principle of the pa rtia l sca n technique is based on the idea that the scanning time of a large object is negligible compared to the overall processing time of the object. This concept is especially evident with large object HTTP transfers, as significantly more time is needed to transfer the object than to scan it for infiltrations. This assumption allows us to perform more than one scan during a large object transfer. To enable this technique, the parameter ‘lo_pa rtsca n_ena bled’ is entered in the [http] section of the ESETS configuration file. This will cause large objects to be scanned for infiltrations during transfer in predefined intervals, while the data which has already been scanned is sent to an awaiting end-point such as a client or server. This method ensures that no infiltrations are passed to the computer whose user agent has requested the large infected object, because each portion of the sent data is already verified to be safe. It has been proven that in common circumstances where the speed of the gateway’s local network connection is higher than the speed of the gateway connection to the Internet, the total processing time of a large object transfer using the pa rtia l sca n technique is approximately the same as when the standard deferred sca n method is used. 12 5. 5 ESETS plug-in filter for SafeSquid Proxy Cache In previous sections we described the integration of ESET Gateway Security with HTTP and FTP services using esets_http and esets_ftp. The methods described are applicable for the most common user agents, including the well known content filtering internet proxy SafeSquid. http://www. safesquid. com However, ESET Gateway Security also offers an alternative method of protecting Gateway services, using the esets_ssfi. so module. 5. 5. 1 Operation principle The esets_ssfi. so module is a plug-in to access all objects processed by the SafeSquid proxy cache. Once the plug-in accesses the object, it is scanned for infiltrations using the ESETS daemon. If the object is infected, SafeSquid blocks the appropriate resource and sends the predefined template page instead. The esets_ssfi. so module is supported by SafeSquid Advanced version 4. 0. 4. 2 and later. Please refer to the esets_ssfi. so(1 ) man pages for more information. 5. 5. 2 Installation and configuration To integrate the module, you must create links from the SafeSquid modules directory to the appropriate installation locations of the ESET Gateway Security package. In the following examples, it is assumed that SafeSquid is installed on a Linux OS in the ‘/ opt/safesquid’ directory. If SafeSquid 4. 2 or later is installed, enter the following commands: mkdir /opt/safesquid/modules ln -s @LIBDIR@/ssfi/esets_ssfi. so /opt/safesquid/modules/esets_ssfi. so ln -s @LIBDIR@/ssfi/esets_ssfi. xml /opt/safesquid/modules/esets_ssfi. xml If an earlier version is installed, enter the following commands: mkdir /opt/safesquid/modules ln -s @LIBDIR@/ssfi/esets_ssfi. so /opt/safesquid/modules/esets_ssfi. gcc295. so ln -s @LIBDIR@/ssfi/esets_ssfi. xml /opt/safesquid/modules/esets_ssfi. xml /etc/init. d/safesquid restart To complete the SafeSquid plug-in installation, first logon to the SafeSquid Web Administration Interface. Select the Config menu from the main interface page and browse Select a Section to Config ure until you find ESET Gateway Security. Click Submit and create the a ntivirus profile for the ESET Ga tew a y Security section by clicking the Add button at the bottom. Define the below parameters within the list that appears and click Submit. Remember to save the Safesquid configuration by clicking the Sa ve setting s button. Comment: ESET Gateway Security Profiles: antivirus The SafeSquid plug-in is operational immediately after installation, but additional fine tuning should be performed. [. . . ] In the [http] section of the ESETS configuration file, set the following parameters: agent_enabled = yes listen_addr = "192. 168. 1. 10" listen_port = 8080 In the example above, ‘listen_a ddr’ is the address of the local network interface named ‘if0’. The next step is to redirect all HTTP requests to esets_http. If IP-filtering is being performed by the ipchains administration tool, an appropriate rule would be: ipchains -A INPUT -p tcp -i if0 --dport 80 -j REDIRECT 8080 If IP-filtering is being performed by the iptables administration tool, the rule is: iptables -t nat -A PREROUTING -p tcp -i if0 --dport 80 -j REDIRECT --to-ports 8080 On FreeBSD, the rule is: ipfw add fwd 192. 168. 1. 10, 8080 tcp from any to any 80 via if0 in On NetBSD and Solaris, the rule is: echo 'rdr if0 0. 0. 0. 0/0 port 80 -> 192. 168. 1. 10 port 8080 tcp' | ipnat -f - 9. 2 Setting ESETS for scanning of FTP communication - transparent mode FTP scanning is performed using the esets_ftp daemon. In the [ftp] section of the ESETS configuration file, set the following parameters: agent_enabled = yes listen_addr = "192. 168. 1. 10" listen_port = 2121 In the example above, ‘listen_a ddr’ is the address of the local network interface named ‘if0’. [. . . ]