The WebShield e500 Appliance
Walk-through Guide




Introduction

There are two models of WebShield e500 appliance currently available, the ‘e500
ASaP’ and the ‘e500 self-managed’. This document refers exclusively to the
WebShield e500 self-managed product, referred to in this document simply as
the ‘e500’.

First off, this guide is not a technical manual. The e500 comes with several detailed manuals of
its own running to hundreds of pages. The intention of this guide is to give its audience a short
introduction to the e500 self-managed appliance. It is hoped that this introduction will provide
readers with enough information to illustrate how and where the e500 can be of benefit within
their own network.

The guide is divided into several sections, to allow any reader to either dive in to the relevant
section, or read through in order of increased detail. The guide aims to answer 3 simple
questions, with one section dedicated to each question:

What is the e500?

The first section looks at the e500 functionality – why would you want an e500? - what can it do
for you and your network traffic?

Where would I install the e500?

Following this, the next section looks at a number of typical network scenarios – both before and
after the e500 is included in the network – and discusses traffic flow and the changes required to
make the e500 work in each situation.

How can I get the most out of it?

The final section is a walk through of the user interface, illustrating how the major functionality
can be put to use, and includes considerations of why you would or would not select a particular
function.




I hope this guide will be of use. If you have any feedback or questions relating to the contents,
you can contact the author at jason_brown@nai.com



1 - What is an e500?

The e500 is the first of a new generation of integrated hardware and software based anti-virus
gateway scanners. It is designed to intercept Internet mail and web traffic and scan it for
malicious code, including Viruses, Trojans, Worms, JavaScript and ActiveX applets. It provides
additional features such as customizable content scanning of messages for particular phrases,
web site blocking, automatic updating and anti-spam and anti-relay protection. It also allows
disclaimers to be appended to inbound and outbound email.

Hardware and software

The e500 is offered as an appliance: an integrated hardware and software package. The hardware
is based on a Supermicro 6010H SuperServer - with dual Pentium III 1GHz processors, 256MB
RAM and 2 17.5 GB hard drives configured with an Adaptec I2O RAID controller providing mirrored
hot-swappable drives. Full hardware details are available at http://www.supermicro.com.

The software is a Bastille-hardened Red Hat Linux 7.0 with a 2.2.16-22 kernel, loaded with
WebShield anti-virus software. Further information regarding Bastille can be obtained from
http://www.bastille-linux.org. Network Associates CyberCop Scanner has also been used to check
for common vulnerabilities. A security overview is available as a separate document which shows
“the steps taken to protect the WebShield e500 appliances from attack, and how the operating
system has been modified to increase performance, whilst protecting against change, or
subversion”.

Configuration
The e500 is configured through a browser using secure http - Internet Explorer 4.0 or later
(Windows) or Netscape Navigator 4.7 (Windows or Linux). No local access is permitted to the
appliance itself. The PC used to initially configure the e500 (by supplying it basic network
information) is connected (usually by a crossover cable) to the data port (the first network
adapter) on the e500. Once basic information has been entered, the e500 can be accessed from
any PC with the necessary information (URL, username and password) through either network
adapter, and any further configuration can then be completed.

Maintenance
The e500 is shipped fully installed and operational, but should it be necessary a bootable CDROM
is supplied to allow you to re-image the box. You can image either the complete disk or leave
your data (deferred and quarantined mail, configuration and log files) intact whilst replacing the
Operating System and WebShield software.

The e500 also has a provision to backup and restore configuration information. So should the
worst happen and you need to restore the entire system (and apply your network settings and
other configuration), this can be achieved in less than 20 minutes. Alternatively, you may wish to
simply reset a lost password to the default.




Log files and reports can be accessed and downloaded for inclusion in other documents. Should
any service packs need to be applied to the appliance, these can be done either through a web
browser, or from a CDROM.

What does an e500 do?

The following list summarizes the functionality of the e500 appliance

Email Scanning
With over 80% of viruses introduced to the network via email, SMTP scanning is almost certainly
going to be the main reason that the e500 is deployed. SMTP scanning is entirely independent of
the mail system, so it is compatible with all SMTP mail servers, regardless of whether they are
running MS Exchange, Lotus Notes or Domino, or ACME mail.

In a typical scenario the e500 will receive inbound mail before the mail server, ensuring that
everything delivered to your mail system is clean. Conversely, all outbound mail can be scanned
by the e500 before it is sent out to the Internet.

Mail sent using the SMTP (inbound and outbound) and POP3 (inbound only) protocols can be
scanned. Internal mail (or mail sent with any protocol other than SMTP or POP3) will not be
scanned by the e500.

When SMTP mail is scanned for viruses it can also be scanned for content to ensure that any
banned words or phrases are not sent out of your network, or delivered in to it – and
quarantined if necessary. Disclaimers can be added to messages travelling in or out of your
organization, and attachments can be removed if they are too large or numerous. You can use
the anti-spam feature to block a given list of undesirables from sending mail to your recipients, or
hook in to a 3rd party real-time spammers list. The e500 can also prevent anybody you do not
specify from using your mail system as a relay.

Web Traffic Scanning

The e500 will scan http and ftp traffic downloads and uploads, according to your configuration.
In addition to preventing access to viruses, it will also filter web sites, to prevent user access to
sites you choose to block.

Virus Scanning

The e500’s primary job is to scan files which can be email attachments, conventional and mobile
code executables and scripts found on web sites, or files downloaded via ftp, for viruses and
other hostile code.

To maintain an efficient level of protection you can configure the level of scanning, (at risk files,
all files, compressed files) and configure the updating schedule (for example by specifying at
what time and on which days to update) and the type of update (signature and / or engine).
Once configured this information is retained and updating occurs as a background task requiring
no user intervention.

Log files and charts of virus activity can be viewed and saved for inclusion in reports.




2 - How does the e500 work?

So, once you’ve decided that you are interested in the functionality that the e500 can provide,
the next thing you need to decide is where it is going to go. This section presents a number of
alternative (but typical) scenarios, and looks at the options available for e500 placement, and
how this will impact on traffic flow and client, proxy and Firewall configuration. Before doing so,
it is worth understanding how the e500 processes traffic.

The e500 operates as a proxy rather than a router. This fact is likely to impact where and how
the e500 is used in your network in relation to web traffic.

The main advantage of using a proxy is that the proxy only receives traffic that it needs to scan.
Other traffic is routed around the box, so that it does not load the appliance with traffic that it
does not need to process (receive, examine, route, send). This greatly improves performance.
Because the e500 does not route, it was not necessary to support complex routing functions,
which would have impacted on code complexity. During testing the single network card was more
than capable of sending and receiving all traffic that the processor was capable of scanning. The
single network interface is unlikely to limit traffic throughput.

SMTP email scanning

Scenario A – Your mail server relays mail to a firewall

Email traffic flows from users’ mail clients to the mail server. The mail server (1) relays all
mail to a fixed IP address of either a Firewall or a router (2). This device (2) takes care of mail
delivery.

[Figure - Before: Mail Server (1) → Firewall (2) → Internet]

Email traffic flows from users’ mail clients to the mail server. The mail server (1) now relays all
mail to the e500 (2), which relays to a fixed IP address of either a Firewall or a router (3). This
device (3) takes care of mail delivery.

[Figure - After: Mail Server (1) → e500 (2) → Firewall (3) → Internet]

Scenario B - Mail server delivers mail via DNS

Email traffic flows from users’ mail clients to the mail server. The mail server (1) performs a
DNS lookup and delivers mail to the appropriate mail server, by routing through a Firewall or
router (2).

[Figure - Before: Mail Server (1) → Firewall (2) → Internet]

Email traffic flows from users’ mail clients to the mail server. The mail server (1) relays traffic
to the e500 (2). The e500 performs a DNS lookup and delivers mail to the appropriate mail
server, by routing through a Firewall or router (3).

[Figure - After: Mail Server (1) → e500 (2) → Firewall (3) → Internet]

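The difference between the two scenarios is where the next-hop decision is made: in Scenario A
every message goes to one fixed address (a smart host), while in Scenario B the delivering host
consults DNS. The following is an added example, not code from this guide or from the appliance.
It makes that decision the way a relaying MTA does: smart host if one is configured, otherwise the
MX records in preference order, falling back to the domain’s own address record when it publishes
no MX (the implicit MX rule of RFC 5321), and refusing delivery to a domain that publishes a null
MX (RFC 7505). The DNS records are constructed and injected so that it runs offline; the function
and data names are this example’s own.

```python
from typing import Callable, List, Optional, Tuple

MXRecords = List[Tuple[int, str]]   # (preference, exchange host)


def next_hops(recipient_domain: str,
              smart_host: Optional[str],
              lookup_mx: Callable[[str], MXRecords],
              lookup_a: Callable[[str], List[str]]) -> List[str]:
    """Return the hosts to try, in order, for mail to recipient_domain.

    Scenario A: smart_host is set, so everything goes to that one fixed address.
    Scenario B: smart_host is None, so follow DNS as a delivering MTA would.
    """
    if smart_host:
        return [smart_host]

    records = lookup_mx(recipient_domain)
    if not records:
        # Implicit MX (RFC 5321 section 5.1): no MX means deliver to the domain
        # itself, provided it actually has an address record.
        if lookup_a(recipient_domain):
            return [recipient_domain]
        raise LookupError(f"{recipient_domain}: no MX and no address record")

    ordered = sorted(records, key=lambda rec: rec[0])   # lowest preference first
    if ordered[0] == (0, "."):
        # Null MX (RFC 7505): the domain states that it accepts no mail at all.
        raise LookupError(f"{recipient_domain}: null MX, domain accepts no mail")

    hosts: List[str] = []
    for _, host in ordered:
        host = host.rstrip(".")
        if host not in hosts:          # a host may be listed at several preferences
            hosts.append(host)
    return hosts


# Constructed DNS data standing in for real lookups (nothing is resolved online).
CONSTRUCTED_MX = {
    "example.net": [(20, "mx2.example.net."), (10, "mx1.example.net."), (20, "mx2.example.net.")],
    "nomx.example": [],
    "nomail.example": [(0, ".")],
}
CONSTRUCTED_A = {
    "nomx.example": ["198.51.100.9"],
}


def demo_lookup_mx(domain: str) -> MXRecords:
    return CONSTRUCTED_MX.get(domain, [])


def demo_lookup_a(domain: str) -> List[str]:
    return CONSTRUCTED_A.get(domain, [])


if __name__ == "__main__":
    # Scenario A: the e500 hands everything to the firewall's fixed address (constructed).
    print(next_hops("example.net", "192.0.2.1", demo_lookup_mx, demo_lookup_a))
    # Scenario B: the e500 resolves the MX records itself.
    print(next_hops("example.net", None, demo_lookup_mx, demo_lookup_a))
    print(next_hops("nomx.example", None, demo_lookup_mx, demo_lookup_a))
```

Run stand-alone, the first call prints only the smart host, the second prints the two exchanges
with mx1 ahead of mx2 despite their order in the zone, and the third falls back to the bare domain.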
HTTP web scanning

In order to scan http downloads (and uploads) you need to introduce the e500 into the browsing
process. Before adding an e500 to your environment users will either browse transparently or via
a proxy or series of proxies (which may be before and / or at the firewall). Somewhere in this
process you must introduce the e500 so that all http traffic passes through it before it reaches
users’ browsers. The next section will look at some of the typical scenarios and the changes that
need to be made to accommodate the e500.

Scenario A - Users browse transparently

The user (1) enters a URL which is resolved to an IP address. This is routed through a Firewall
or Router (2) to the web site on the Internet.

[Figure - Before: User (1) → Firewall (2) → Internet]

Option 1 – clients use the e500 as a proxy server. The user (1) enters a URL, which is resolved to
an IP address. This request is passed to the e500 (2), which connects through a Firewall or
Router (3) to the web site on the Internet.

[Figure - After: User (1) → e500 (2) → Firewall (3) → Internet]




Changes required

The users’ web browser must be set to use the e500 as an http proxy. This is the simplest option
to enable, but may not be suitable where a large number of clients exist and no means of
automatically modifying workstations is available.

[Figure: Setting a proxy server in Internet Explorer]




Option 2 – Firewall Handoff. The user (1) enters a URL, which is resolved to an IP address. This
request is passed to the Firewall as part of a routed network connection (2). The Firewall
redirects this request to the e500 (3). The e500 connects to the web site through the Firewall.

[Figure - After: User (1) → Firewall (2) → e500 (3) → Firewall → Internet]



Changes required

The firewall must be configured to hand off the http request from clients to the e500 and to
transparently route the http request from the e500 to the Internet. This can usually be done
through the use of policies at the firewall (one policy for the clients’ IP address range and one
policy for the e500). This should work without any further complications where the clients have
the Firewall set as their default gateway. Where this is not the case, this may need to be altered.
Other changes may be required depending on the options available at the Firewall.




Scenario B - Users browse via a proxy server

The user (1) enters a URL, which is resolved to an IP address. The client (1) connects to your
proxy (2) because the users’ web browser is set to use your proxy as the http proxy. Your proxy
(2) connects to the requested IP address by making a routed network connection via a firewall or
router (3).

[Figure - Before: User (1) → Proxy Server (2) → Firewall (3) → Internet]




Option 1 – The e500 behind your proxy server. The user (1) enters a URL, which is resolved to an
IP address. The client (1) connects to your proxy (2) because the users’ web browser is set to use
your proxy as the http proxy. Your proxy (2) hands off to the e500 (3). The e500 connects to the
requested IP address by making a routed network connection via a firewall or router (4).

[Figure - After: User (1) → Proxy Server (2) → e500 (3) → Firewall (4) → Internet]

Changes required

Your proxy is configured to use the e500 as a handoff host.




Option 2 – The e500 in front of your proxy server. The user (1) enters a URL, which is resolved to
an IP address. The client (1) connects to the e500 (2) because the users’ web browser is set to
use it as the http proxy. The e500 (2) hands off to your proxy server (3). Your proxy server
connects to the requested IP address by making a routed network connection via a firewall or
router (4).

[Figure - After: User (1) → e500 (2) → Proxy Server (3) → Firewall (4) → Internet]

There are several good reasons not to use this design – (i) the proxy server is not protected by
the e500, (ii) the e500 scans requests every time they are retrieved from the proxy server and
(iii) if you are logging user access, all requests will appear to come from the e500.


Changes required
• The users web browser must be set to use the e500 as an http proxy
• The e500 is configured to use your proxy as a handoff host



Option 3 – Firewall Handoff. The user (1) enters a URL, which is resolved to an IP address. The
client (1) connects to your proxy (2) because the users’ web browser is set to use your proxy as
the http proxy. This request is passed to the Firewall as part of a routed network connection (3).
The Firewall redirects this request to the e500 (4). The e500 connects to the web site through the
Firewall.

[Figure - After: User (1) → Proxy Server (2) → Firewall (3) → e500 (4) → Firewall → Internet]

Changes required
The firewall must be configured to hand off the http request from your proxy to the e500 and to
transparently route the http request from the e500 to the Internet. This can usually be done
through the use of policies at the firewall (one policy for your proxy server’s IP address and one
policy for the e500). This should work without any further complications where the proxy server
has the Firewall set as its default gateway. Where this is not the case, this may need to be
altered. Other changes may be required depending on the options available at the Firewall and
proxy server.
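Both Firewall Handoff options rest on two firewall policies: one that redirects port-80 requests
from the chosen sources (the clients’ address range in Scenario A, the proxy server’s address in
Scenario B) to the e500, and one that lets the e500’s own requests out unchanged. The following
added example is not code from this guide, from any firewall or from the appliance. It models a
first-match policy table to show the ordering point a practitioner has to get right: because the
e500 normally sits inside the very range whose traffic is redirected, its own policy must be
evaluated first, or its outbound requests would be redirected back to itself. First-match
evaluation, the client range and the proxy address are assumptions of this example; the e500
address is the one shown on the console screen later in this guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    sources: Tuple[str, ...]   # CIDR ranges this policy applies to
    dst_port: int
    action: str                # "redirect" (hand off to the e500) or "route" (straight out)

    def matches(self, src_ip: str, dst_port: int) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return dst_port == self.dst_port and any(
            addr in ipaddress.ip_network(net, strict=False) for net in self.sources)


def firewall_action(policies: List[Policy], src_ip: str, dst_port: int) -> Tuple[str, str]:
    """First matching policy wins (assumed semantics). Unmatched traffic is simply
    routed, which is also what happens to every protocol the e500 is not scanning."""
    for policy in policies:
        if policy.matches(src_ip, dst_port):
            return policy.action, policy.name
    return "route", "default"


def build_policies(e500_ip: str, redirect_sources: Iterable[str]) -> List[Policy]:
    """The two policies the guide calls for, in the order they must be evaluated."""
    return [
        Policy("e500-to-internet", (f"{e500_ip}/32",), 80, "route"),
        Policy("handoff-to-e500", tuple(redirect_sources), 80, "redirect"),
    ]


def redirect_loop(policies: List[Policy], e500_ip: str) -> bool:
    """True if the table would send the e500's own web requests back to the e500."""
    action, _ = firewall_action(policies, e500_ip, 80)
    return action == "redirect"


E500_IP = "192.168.100.1"           # address given to the e500 in the console screen in this guide
CLIENT_RANGE = "192.168.100.0/24"   # constructed: the e500 shares this range with the clients
PROXY_IP = "192.168.100.50/32"      # constructed: the proxy server of Scenario B

if __name__ == "__main__":
    good = build_policies(E500_IP, [CLIENT_RANGE])
    bad = list(reversed(good))   # client range evaluated first: the e500 is caught by it
    print(firewall_action(good, "192.168.100.37", 80))   # ('redirect', 'handoff-to-e500')
    print(firewall_action(good, E500_IP, 80))            # ('route', 'e500-to-internet')
    print(firewall_action(good, "192.168.100.37", 443))  # ('route', 'default'): not handed off
    print(redirect_loop(good, E500_IP), redirect_loop(bad, E500_IP))  # False True
```

For Scenario B, pass the proxy server’s address instead of the client range to `build_policies`;
client machines are then routed without a hand-off, since only the proxy talks to the firewall.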




3 - Configuring the e500 step-by-step

Getting started

Physically installing the e500

Plug in the power cord and switch on the e500. You can connect a monitor to the video output to
confirm the appliance has booted. You should see a screen similar to this.



    Red Hat Linux Release 7.0 (Guinness)
    Kernel 2.2.16-22smp on a 2-processor i686
    Local Configuration Update not allowed !
    To configure this E500, connect a Web Browser to the following address

    https://10.1.1.108 on the First Network Interface using a class C subnet
    webshielde500 login:




Configuring the e500

The e500 is configured via a web browser (either Internet Explorer 4.0 or above running on
Windows, or Netscape Navigator 4.7 running on Windows or Linux).

Connect a crossover cable between your machine and the e500. Connect the cable to the 1st
network card (the data port; the 2nd card is the management port, see the note below).

Temporarily configure your machine to have an address on the 10.1.1.0 network (e.g. 10.1.1.100).

[Figure: rear panel showing LAN 1 and LAN 2]

The e500 is accessed via secure http - the IP address is initially set to 10.1.1.108. (Once the
initial configuration has been entered, the e500 will be given an IP address on your network, and
will be accessible from machines on your LAN.)

Depending on your browser’s security settings, browsing to the above URL may cause a Security
Alert to be issued – select Yes to proceed.



Note that the 2nd network card, the management port, is usually reserved for use when there may
be a problem accessing the 1st card. Under normal circumstances you would not need to use the
2nd network card.




This will then either present you with a log on screen or request that you install the Java 2
runtime environment (version 1.3.1).

The JRE is required to access the e500 graphical user interface, so run the setup.exe, and
reboot if required.




Once the JRE is installed you will be prompted to allow the Java applet to run.

If you select Grant this Session you will need to do this each time you log on to the appliance.
Selecting Grant always will prevent this dialog from being displayed in future.


Once you have a log on screen enter the username and password.

The default username is e500

The default password is e500changeme

If you lose the password, the recovery disk shipped with the appliance has an option to reset the
password to the factory default of e500changeme.

This will take you to the System Configuration page, where you can set up the basic networking
parameters.




Basic network configuration

Once you have logged on to the e500 you should carry out initial configuration, which will allow
you to carry out further configuration from your standard network address. You now need to supply
basic networking information to the e500 so that it can participate on your network.

Once the following section of information has been entered the e500 will be accessible from your
LAN, and be able to receive traffic. You will need to configure it further to scan and deliver that
traffic.

You need to supply the e500 hostname and DNS domain name (for example for myE500.myorg.com
you would use myE500 as the hostname and myorg.com as the domain name), along with a DNS
server IP address and Default gateway address.


Data Port

The e500 has 2 network interface cards. The first is used to receive, process (scan) and forward
on mail and web traffic, and the second as an optional management port. Set the first interface to
an IP address to which you will send, and from which you will receive, web and mail traffic. This
interface has a default IP address of 10.1.1.108 (in addition to any IP address you set). You can
disable this default address if required. (This may be necessary if you already use an IP address
of 10.1.1.108 or a 10.1.1.0 network address anywhere on your LAN).



Note that you cannot configure the e500 as a router; all scanned traffic is received from and
directed back through the data port.

Management Port

After initial configuration, and once the e500 is participating in your LAN, you would not normally
use the management port. Any further configuration can be performed through the data port. You
can either disable this port, or configure it to allow for access independent of your LAN.



The e500 processes traffic on only one port. Since data could originate from either the internal or
external network, these must be defined so that the e500 understands in which direction traffic is
travelling (and so which rule-set to apply).

Add the network addresses of all internal networks to the list. Internal networks are all networks
where client PCs or mail servers (that will use the e500) are based. By default outside networks
are defined as all networks not specified as Inside networks (using *).

You can choose to specify a DNS domain name here, but be aware that this needs to be
resolvable in most cases by an internal DNS server. If any machines within this domain are on
another network (e.g. a mail server for the domain may reside in a DMZ), then you must specify
these exceptions in the outside networks list.

Once you have configured the internal network details, you may need to add external networks
or nodes. In a typical situation you would add the IP address of your firewall (since any traffic
originating from this machine is entering your network) - anything not listed as internal is
assumed to be external, indicated by an asterisk (*).

Suppose you are hosting multiple domains with common names (e.g. sales.acme.com,
prod.acme.com, mktg.acme.com). You could represent all these domains as *.acme.com.

However, if you have a remote branch office in Dallas you might want to add this domain to the
list of external networks – any traffic originating from ACME in Dallas would now be treated as
external.
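To make the inside/outside semantics concrete, here is an added example that is not code from
this guide or from the appliance. It models the classification described above: an inside list,
explicit outside exceptions such as the firewall address or a mail server in a DMZ, a wildcard
default of outside, and domain wildcards such as *.acme.com with a Dallas branch treated as
external. It also shows how the same classification feeds the anti-relay decision from section 1:
mail from an outside source is accepted only when it is addressed to one of your own domains.
All addresses and domain names are constructed, and the class and function names are this
example’s own.

```python
import ipaddress
from fnmatch import fnmatchcase


class DirectionClassifier:
    """Decide whether a source is 'inside' or 'outside' the way this guide describes:
    explicit outside exceptions win, then the inside list, and anything else is
    outside (the '*' default). Hostnames are matched against domain wildcards."""

    def __init__(self, inside_nets, outside_exceptions=(), inside_domains=(), outside_domains=()):
        self.inside_nets = [ipaddress.ip_network(n, strict=False) for n in inside_nets]
        self.outside_nets = [ipaddress.ip_network(n, strict=False) for n in outside_exceptions]
        self.inside_domains = [d.lower() for d in inside_domains]
        self.outside_domains = [d.lower() for d in outside_domains]

    def classify(self, source):
        """source is an IP address string or a hostname; returns 'inside' or 'outside'."""
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return self._classify_host(source)
        # A DMZ host or the firewall sits in an exception list that overrides inside ranges.
        if any(addr in net for net in self.outside_nets):
            return "outside"
        if any(addr in net for net in self.inside_nets):
            return "inside"
        return "outside"  # the '*' default

    def _classify_host(self, host):
        host = host.lower().rstrip(".")
        if any(fnmatchcase(host, pat) for pat in self.outside_domains):
            return "outside"
        if any(fnmatchcase(host, pat) for pat in self.inside_domains):
            return "inside"
        return "outside"

    def rule_set(self, source):
        """Inside sources get the outbound rule-set, outside sources the inbound one."""
        return "outbound" if self.classify(source) == "inside" else "inbound"


def relay_allowed(classifier, client_ip, recipient, local_domains):
    """Anti-relay check: accept mail from inside (outbound) or mail addressed to one of
    our own domains (inbound). Outside source plus non-local recipient is third-party
    relaying and is refused."""
    rcpt_domain = recipient.rpartition("@")[2].lower().rstrip(".")
    if classifier.classify(client_ip) == "inside":
        return True
    return any(fnmatchcase(rcpt_domain, d.lower()) for d in local_domains)


# Constructed sample configuration for an imaginary ACME network.
ACME = DirectionClassifier(
    inside_nets=["192.168.100.0/24", "10.20.0.0/16"],
    outside_exceptions=["192.168.100.254/32",   # the firewall's inside address
                        "172.16.5.0/24"],       # DMZ holding a mail relay
    inside_domains=["acme.com", "*.acme.com"],
    outside_domains=["dallas.acme.com", "*.dallas.acme.com"],  # remote branch office
)
LOCAL_MAIL_DOMAINS = ["acme.com", "*.acme.com"]

if __name__ == "__main__":
    for src in ["192.168.100.10", "192.168.100.254", "172.16.5.25",
                "203.0.113.7", "sales.acme.com", "mail.dallas.acme.com"]:
        print(f"{src:24} {ACME.classify(src):8} rule-set: {ACME.rule_set(src)}")
    print(relay_allowed(ACME, "203.0.113.7", "bob@acme.com", LOCAL_MAIL_DOMAINS))     # True
    print(relay_allowed(ACME, "203.0.113.7", "bob@example.net", LOCAL_MAIL_DOMAINS))  # False
```

The order of the checks is the point: the firewall address lies inside 192.168.100.0/24, so it is
only classified as outside because exceptions are consulted before the inside list, which is why
the guide has you add it explicitly.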
By default the e500 is configured to accept traffic from all 4 scanned protocols: Internet Email
(SMTP), POP3 mail, and HTTP and FTP web traffic. Deselect the protocols you do not wish to scan
here. If you deselect a protocol, the proxies associated with that protocol will be stopped.
Therefore, if you are scanning HTTP and SMTP, and decide to turn off HTTP scanning, no HTTP
traffic will flow through the e500, and you will need to redirect requests.




If you wish to stop AntiVirus scanning for any protocol, turn off both inbound and outbound
scanning for that protocol.


Next set the time zone in which the e500 will reside, along with the current time and date in that
time zone.

Finally,


Wait for a couple of minutes, and check the e500 – the display should have changed to reflect
the IP address set above.

    Red Hat Linux Release 7.0 (Guinness)
    Kernel 2.2.16-22smp on a 2-processor i686
    Local Configuration Update not allowed !
    To configure this E500, connect a Web Browser to the following addresses
    https://192.168.100.1 on the First Network Interface
    https://10.1.1.108 on the First Network Interface using a class C subnet
    https://10.1.2.108 on the Second Network Interface using a class C subnet
    mye500 login:




You should now be able to remove the crossover cable and connect the e500 to your live
network. Connect the first network card to your network (the data port). You can connect the
second network card to your network, but it is not required. You can ping the e500 to check it is
responding correctly.

Network logon

Once you have connected the e500 on to your live network, you can log in to it via a browser.
You now have a choice of both IP address and network port. Assuming you have not disabled
any of the default IP addresses you can connect to the e500 by…

https:// <the fully qualified hostname specified above>         (1st network interface)

https:// <the IP address you specified above>                   (1st network interface)

https://10.1.1.108                                              (1st network interface)

https://10.1.2.108                                              (2nd network interface)

…assuming both network interfaces are connected, and that the host name is resolvable to an IP
address.

It is recommended that you use the data port (1st interface) for all configuration, and leave the
2nd interface unconnected.




Once you have a log on screen enter the username (e500) and password (e500changeme unless
you have already changed it).

Page Selection - you will now see a different screen, with a number of links down the left side.
By default the System Status screen is displayed. From here you can navigate to any section, and
the configuration pane will change to reflect this.

On all subsequent pages, the graphic to the right of the main heading will refer to
the relevant e500 configuration page and the link you need to follow to access this
page.




[Figure: e500 interface layout - Page Selection links on the left, Configuration pane in the
centre, Help icons in the top right corner]

Configuration Pane – as you select different pages from the links on the left, the main pane
will change to reflect the new options available.

Help - In the top right corner you have three icons. The first will discard changes made on this
page only; the second displays the e500 Adobe Acrobat format manual; the third brings up the
online help system.
There is a comprehensive help system available online, which contains sections on the product’s
main features, and a useful ‘How to…’ section. The three links in the top right corner will open
and close the Contents window shown below, and move back and forward in the help system.




At the bottom of the screen there are three buttons that affect the current browser session.




Log off will log off the current browser session – you will not be prompted to save settings.

Apply All Changes will send all changes to the appliance. Note that if you have made changes on
other pages (but not applied them yet) then these will be applied in addition to the changes
made on the current page.

Cancel all changes will remove all changes from the current browser window, and all other
windows where changes have been made, without applying the changes.


Changing the password

Enter and confirm the change – this is changed immediately and does not require you to use the
Apply All Changes button.


Updating to the latest Anti-Virus signature files

Next, update the signature and engine file (if required) to the latest version. Click on the
Anti-Virus Automatic Updating link as shown. Once the e500 is on your live network, with Internet
connectivity, you should be able to connect to the Network Associates ftp site and update both the
DATs and engine file to the latest versions.




Check version number

Check on the System Status page for the current version and then select ‘Update Now’ from the
Automatic Updating page.




Check the FTP download site is showing the correct information to allow an update to take place.
If you have a proxy server between the e500 and the Internet, enter the server and username
details required to pass through the proxy, and select the FTP update schedule. Select the
Update .DAT and Update engine check boxes and click Update now.

The e500 will now connect to the ftp site, download a control file, which it then uses to
determine what needs to be updated. Once this has been determined, it will then download all
the required files and complete the update. This process may take a few minutes (depending on
connection speed). Assuming both a DAT and Engine update, this should involve about 5 MB of
traffic.


At the System Status page confirm the version has been updated. Either the DAT or both DAT and
Engine version numbers should change, confirming that the e500 has Internet connectivity. New
DATs are available at least weekly (and more frequently during outbreaks), whilst engines are
produced as required. However, for the initial update both DAT and Engine should be updated.



Setting update schedule

You can now configure the scheduler to automatically check for updates. It is recommended that
the appliance is updated daily, so set the schedule to update at midnight each day. You have 2
options here:

–   Updating DATs only will ensure that the e500 has the correct signatures to detect all known
    viruses. If you choose not to update the engine then viruses that are found may not be able
    to be removed. It is also possible that very new viruses may not be detectable (since they
    may require the new engine to enable detection).

–   Update Engine and DATs will ensure you have the very latest protection available. You may
    decide to upgrade the engine as soon as it is made available, or may wait to allow in-house
    testing before updating this executable.

Local update

You can choose to perform a local update of DAT, Engine or Extra DAT if required.

Installing other software

You can also easily install Service Packs and Hotfixes as required (from either a URL or a local
file on your workstation), or install or remove the ePolicy Orchestrator agent. These will be
issued by McAfee on an as-required basis.




Setting Scanner Options

Which files to scan?




The primary argument for scanning inbound files is to prevent machines on your network from
becoming infected. The primary argument for scanning outbound files is to prevent users on your
network from infecting others networks.

Whilst the safest option is to select High, this will impact on the performance of the e500, since it
will be doing more work than at either of the 2 lower levels. The table below lists files that will be
scanned with each option.

       Scanner settings                      File Type                      Compressed Files
            High                              All files                          Yes
           Medium                        Standard file types                     Yes
            Low                          Standard file types                      No

Standard file types (current at March 2001) are 001, 002, 286, 386, ??_, <BLANK>, 3GR,
ACM, ADD, ADE, ADN, Test, ADP, ADT, APC, APP, ARC, ARJ, ASD, ASP, ASX, AVB, AVC, AX?,
BAS, BAT, BIN, BO?, BTM, CAB, CBT, CC?, CDR, CHM, CLA, CMD, CNV, COM, CPL, CPT, CRT,
CSC, CSY, D?B, DAT, DEB, DEV, DIF, DL?, DOC, DOT, DRV, DW?, EML, EXE, FMT, FO?, GMS,
GZ?, HDI, HLP, HT?, ICE, IM?, INF, INI, INS, ISP, JS?, JSE, JSE, LIB, LNK, LZH, MB?, MD?, MDB,
MDE, MHT, MOD, MPD, MPP, MPT, MRC, MS?, MSC, MSG, MSI, MSO, MSP, MST, NWS, OBD, OBJ,
OBT, OBT, OBZ, OCM, OCX, OFN, OFN, OFT, OLB, OLE, OPA, OPO, OV?, PCD, PCI, PDB, PDR,
PHP, PIF, PLG, POT, PP?, PPS, PPT, PRC, PRG, PRO, PWZ, QLB, QPW, QTC, RAR, REG, ROM,
RTF, SCF, SCP, SCR, SCT, SHB, SHS, SHT, SIS, SMM, SYS, TAR, TAR, TD0, TD0, TGZ, TLB, TSK,
TSP, URL, VBE, VBS, VBX, VIR, VOM, VS?, VSD, VSS, VWP, VXD, VXE, WBK, WIZ, WK1, WK4,
WKS, WLL, WMD, WMS, WMZ, WP?, WPC, WPD, WPT, WRI, WS?, WSC, WSF, WSH, WSI, X32,
XL?, XLA, XLB, XLL, XLM, XLS, XLT, XLW, XML, XSL, XTP, XX?, ZIP, ZL?.

Compressed files (4150 engine) include the following compression formats: ARC, Arj, CAB, Crypt,
COM, BZIP, DIET, GZIP, ICE, LHA, LH6, LH7, LZEXE, LZH, MS, PKLITE, RAR, TAR, Tele, DISK, WINZIP,
ZIP.
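As an added illustration (not code from the e500 or its manuals), the following Python models which files each of the three scanner settings in the table above would examine, using a small labelled subset of the standard file-type list; the mapping of the compression format names to file extensions and the SCAN_LEVELS table are assumptions of this example.

```python
import fnmatch
import os
from typing import Tuple

# Constructed subset of the 'standard file types' list above; '?' stands for any
# one character and '<BLANK>' for a file with no extension, as in that list.
STANDARD_TYPES = ["001", "??_", "<BLANK>", "AX?", "BAT", "COM", "DL?", "DOC", "EXE",
                  "JS?", "LZH", "RAR", "TAR", "TGZ", "VBS", "XL?", "ZIP"]

# Assumed extensions for the compressed formats listed above (the list names
# formats, not extensions, so this mapping is an assumption of the example).
COMPRESSED_TYPES = {"ARC", "ARJ", "CAB", "GZ", "TGZ", "LZH", "RAR", "TAR", "ZIP"}

# Scanner setting -> (only standard file types?, look inside compressed files?)
SCAN_LEVELS = {
    "High": (False, True),
    "Medium": (True, True),
    "Low": (True, False),
}


def extension_of(filename: str) -> str:
    """Upper-case extension of a file name, or '<BLANK>' when it has none."""
    ext = os.path.splitext(filename)[1].lstrip(".").upper()
    return ext or "<BLANK>"


def is_standard_type(filename: str) -> bool:
    """True when the extension matches one of the standard-type patterns."""
    ext = extension_of(filename)
    # fnmatchcase treats '?' as exactly one character, matching the list's convention.
    return any(fnmatch.fnmatchcase(ext, pattern) for pattern in STANDARD_TYPES)


def scan_decision(filename: str, level: str) -> Tuple[bool, bool]:
    """Return (scan_this_file, open_it_as_an_archive) for a scanner setting.

    Low scans standard types but never opens archives; Medium also opens them;
    High scans everything and opens archives.
    """
    standard_only, open_compressed = SCAN_LEVELS[level]
    scan = (not standard_only) or is_standard_type(filename)
    open_archive = scan and open_compressed and extension_of(filename) in COMPRESSED_TYPES
    return scan, open_archive


if __name__ == "__main__":
    # Constructed file names to show how each setting treats them.
    for name in ("report.doc", "photo.jpg", "update.zip", "setup.ex_", "README"):
        print(name, {lvl: scan_decision(name, lvl) for lvl in SCAN_LEVELS})
```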

Enable heuristic scanning?




Viruses can be detected either through matching their file signature or their behavior. The
advantage of matching file signature is that an exact match can be made, and very few false
alarms occur. Signature scanning is always used. The advantage of additionally matching
behavior is that previously unknown viruses (where no signature exists) can be detected, but at
the risk of possible false alarms. ViruLogic positive and negative heuristics within the Engine help
eliminate false alarms, but they can still occur. You should also be aware that heuristic scanning
will increase scanning times. If you are scanning compressed files you should only use heuristics
with care.

On detecting a virus?
The three options here are separately configurable for inbound and outbound traffic:




–       Attempt to clean (and if this fails discard the infected file)
–       Attempt to clean (and if this fails quarantine the infected file)
–       Discard the infected file

Protocols to scan?

The performance of the e500 will depend to an extent on the protocols you choose to send to
the e500 to scan. Typically you will scan SMTP traffic via the e500. You may also choose POP3
and web traffic, but you must consider the effect of scanning these additional protocols. A white
paper detailing SMTP and HTTP performance data obtained from an e500 will be available as the
product is released. This document, or benchmarking performed within your own environment,
should be used before determining if you can use the e500 to scan all the desired protocols.
When initially configuring the e500, you may want to configure it to scan only what you consider
the most important protocol (typically SMTP mail) and, once you are satisfied with the
performance, add additional protocols and monitor the effect of this on the appliance.



If you determine that the volume of traffic within your network precludes scanning through a
single e500, you may wish to consider some alternatives to a single box.

Examples of alternatives include:

-    one box for inbound, and one for outbound
-    one for SMTP and one for other protocols
-    use of a dedicated load-balancing device as a front end to multiple appliances.




Use the Profile link to configure the division of resources between the 4 protocols.




Once an option is selected on this page, it will impact the resource settings found on each
configuration page.




Listeners – this is the number of instances of the protocol proxy listening for traffic. Increasing
the value increases the amount of transfers that the appliance can handle in parallel, but may
degrade the performance of other proxies.

Connections – this limits the number of connections per proxy listener.

Amount of memory - the appliance can allocate an area of memory for virus scanning. When
this size is exceeded, messages are written to disk, which is slower than memory access.

When initially configuring the e500 choose the option that most suits your environment. You can
then modify the settings once you have a baseline to work from.

Saving configuration and logging information
Before you go any further with configuration, it is worth creating a backup copy of the
configuration information you have entered so far. In the event that you need to restore
software to the appliance, you can easily recover configuration settings by using a recent
backup. Make configuration backups regularly, after any significant change to the e500 settings.
You can also save recent log files here.

Configuring email Scanning – SMTP

This section discusses how you can configure the appliance to receive and deliver email, and
looks at the additional functionality that is available. There are numerous configuration options
available, so the options covered will be limited to the most common used.




Configuring in which direction to scan and which port to listen on (configuration)




To disable email scanning but allow email through your system, deselect both boxes above.


Receiving and delivering mail
The e500 may scan mail sent from your network to the Internet, mail sent from the Internet to
your network, or both.

Inbound mail. You must redirect the mail to the e500. This can usually be achieved by
changing the address to which the Firewall, Router or ISP is delivering mail (from the mail
server’s IP address to that of the e500). If mail is usually relayed from a Firewall or router to the
mail server, change this so that mail is relayed to the e500.

Before implementing the e500 it is likely that email is either

(i)     forwarded from a Firewall, router or ISP directly to your mail server or

(ii)    delivered via a DNS lookup to your mail server

After implementation –

If mail is forwarded (as i above), then modify the forwarding device (Firewall etc.) to forward to
the e500. Then configure local domains to forward mail destined for your domain(s) directly to the
appropriate mail server(s).

If mail is delivered (as ii above), then modify the DNS MX record to point to your e500. Then
configure either local domains to forward mail destined for your domain(s) directly to the
appropriate mail server(s), or allow delivery by DNS. This second option should only be
considered when your DNS server is an internal DNS server with the correct mail domains
configured. If you use an external DNS server this will cause a mail loop and mail will be sent
back to the e500. Using DNS rather than local domains will slow mail delivery and increase
network traffic since a DNS lookup will be performed, so should only be considered when a large
number of internal mail domains are being hosted.

In the example opposite sales.acme.com receives the majority of email, so their mail domain and
server is specified first.

Acme.com has 2 servers that can handle incoming email – both of these are specified. The second
server will only receive mail if the first server is unavailable.

Finally RandD.acme.com hardly ever receives email, so is placed at the bottom of the list.




Outbound mail. You must redirect outbound mail to the e500. This can usually be achieved by
setting the mail server to relay all outbound mail to the e500 IP address.

Before implementing the e500 it is likely that email is either

(i)     relayed to a Firewall, router or ISP for delivery, or

(ii)    delivered by your mail server performing a DNS lookup and delivering it directly.

After implementation -

If mail is relayed (as i above), then modify the mail server to relay to the e500, and the e500 to
relay to wherever the mail server was previously sending mail (fallback relay).

If mail is delivered (as ii above), then modify the mail server to relay to the e500, and the e500
to deliver using DNS.

You can use any combination of delivery methods for inbound or outbound mail, but delivery is
tried in order: local domains, DNS and fallback relays.


Quarantined Mail

Quarantined messages may have been quarantined for 2 possible reasons –

(i)     they are infected with a virus and you have chosen to clean them but this has failed and
        secondary action is to quarantine
(ii)    the message has been blocked due to the message triggering a rule set under content
        scanning




For each quarantine section you have the option to view the message, forward the message,
discard it, or discard all messages.

Note that quarantine applies only to email. Other traffic that has infected content will be
discarded or in the case of mobile code, blocked from executing.




Content Scanning

Content scanning gives you the facility to search within an email for text that you would like to
prevent leaving or entering your email system. There is a wide range of filtering options, with the
most common mentioned here.




You can set up content scanning independently for neither, either or both inbound and outbound
email traffic. By default content scanning scans attachments formatted as text – you can attempt
to scan all attachments (including formatted text and binary files) – select the ‘Extend text
attachment scanning to all attachments’ option to do this. Be aware that this will have a
significant impact on scanning speed because of the additional processor overhead.

You can add multiple rules – the picture above shows 3 rules that have been enabled for
Outbound Traffic – you may have similar rules for inbound and outbound, but this is not
required.

To set up a rule click Add. Once you have added a title you can specify to which message sections
the rule applies, and the resultant action if a message rule is triggered.




Once the rule is created you can check to see to which sections the rule applies, and what action
will occur, by selecting the rule in the Rule drop-down box. You can then add the words and
phrases that messages will be scanned for.

Phrases to be scanned for can be specified in a number of ways. In the example given, the
following rules have been configured. A rule triggers on any of the following words or phrases:

–   spanner

–   screwdriver if flat head, cross blade or electric are also present

–   drill if hammer, electric and power are all present within 50 characters of each other

–   chisel if cold and wood are both present

–   job if plumber or electrician are not present

In addition, rules can be defined as case-sensitive or case-insensitive; wildcards are supported
(where ‘?’ represents a single character and ‘*’ zero or more characters); and scanning can
include searching for characters that begin or end a word.
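As an added example (not code from the e500), here is a small Python evaluator for content-scanning rules of the kinds just listed, configured with the five example rules; the Rule fields, the translation of ‘?’ and ‘*’ into a regular expression, and measuring ‘within 50 characters’ between the starts of the matches are assumptions of this example.

```python
import itertools
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    trigger: str                   # word or phrase that starts the evaluation
    any_of: Tuple[str, ...] = ()   # at least one of these must also be present
    all_of: Tuple[str, ...] = ()   # every one of these must also be present
    none_of: Tuple[str, ...] = ()  # none of these may be present
    within: Optional[int] = None   # all_of terms must start within this many characters
    case_sensitive: bool = False
    whole_words: bool = False      # only match where the term begins and ends a word


def term_pattern(term: str, rule: Rule):
    """Translate a term with '?' (one character) and '*' (zero or more) wildcards."""
    body = re.escape(term).replace(r"\?", ".").replace(r"\*", ".*")
    if rule.whole_words:
        body = r"\b" + body + r"\b"
    return re.compile(body, 0 if rule.case_sensitive else re.IGNORECASE)


def positions(term: str, text: str, rule: Rule) -> List[int]:
    """Start offsets of every match of term in text."""
    return [m.start() for m in term_pattern(term, rule).finditer(text)]


def all_present(rule: Rule, text: str) -> bool:
    """Check the all_of terms, honouring the optional proximity window."""
    found = [positions(t, text, rule) for t in rule.all_of]
    if any(not p for p in found):
        return False
    if rule.within is None:
        return True
    # Some combination of one occurrence per term must fit inside the window.
    return any(max(c) - min(c) <= rule.within for c in itertools.product(*found))


def rule_triggers(rule: Rule, text: str) -> bool:
    """True when the trigger is present and every extra condition holds."""
    if not positions(rule.trigger, text, rule):
        return False
    if rule.any_of and not any(positions(t, text, rule) for t in rule.any_of):
        return False
    if rule.none_of and any(positions(t, text, rule) for t in rule.none_of):
        return False
    if rule.all_of and not all_present(rule, text):
        return False
    return True


def triggered_rules(rules: List[Rule], text: str) -> List[str]:
    """Names of the rules a message body triggers, in configuration order."""
    return [r.name for r in rules if rule_triggers(r, text)]


# The five rules from the example above.
EXAMPLE_RULES = [
    Rule("spanner", "spanner"),
    Rule("screwdriver", "screwdriver", any_of=("flat head", "cross blade", "electric")),
    Rule("drill", "drill", all_of=("hammer", "electric", "power"), within=50),
    Rule("chisel", "chisel", all_of=("cold", "wood")),
    Rule("job", "job", none_of=("plumber", "electrician")),
]

if __name__ == "__main__":
    # Constructed message body for demonstration.
    print(triggered_rules(EXAMPLE_RULES, "Bring the spanner and a flat head screwdriver."))
```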



Attachment Filtering

In addition to looking for words and phrases within a message, you can look at the size of the
message, the size of all attachments and the number of attachments it contains. Once again,
these settings can be applied to inbound and outbound messages separately.




The default is to allow all attachments, but you can choose to remove all attachments or
remove attachments over a certain size, or with more than a specified number of attachments.
You can also block messages over a certain size. Filtering can be applied to inbound and
outbound emails independently. Note that if you set any value to 0 it is ignored.

Mails with infected attachments

If an attachment cannot be cleaned the whole message is either discarded or quarantined
according to the global cleaning options you have selected.


Once an email message has been detected that matches the selected criteria (i.e. contained
attachments that were not cleaned) you can decide what to do with the remainder of the
message.




Once the uncleaned attachment is either discarded or quarantined, the original email can then be
–   delivered to the recipient without the attachment
–   delivered to the recipient replacing the original attachment with a file (ALERT.TXT)
    customized as required. An example is shown below




–   sent back from the postmaster to the original sender without the attachment
–   sent back from a blank email address to the original sender without the attachment
–   sent back from the postmaster to the original sender replacing the original attachment with a
    file (ALERT.TXT) customized as required
–   sent back from a blank email address to the original sender replacing the original attachment
    with a file (ALERT.TXT) customized as required

In addition, you can customize the subject line of the email, by adding a prefix to the existing
subject line.

Rules for mails with infected attachments can be applied to inbound and outbound emails
independently.

You may want to notify the recipient of an inbound email that they have been sent an infected
file from somebody outside your organization. You probably would not want to send the same
information to somebody outside of your organization.


Adding Disclaimers to emails
Disclaimers can be separately added for both inbound and outbound traffic.




Other SMTP options

Undelivered mail
You can list all messages that cannot be delivered for whatever reason – these are stored as
deferred emails. From here you can retry delivery of the email (or of all deferred mails), forward
the email to another address, view the mail, or discard the email (or all deferred emails). If a
large number of mails are deferred then the e500 will issue a warning message (as the disk
approaches 75% full), and again at 90% of capacity.


Anti-Relay protection
The appliance can prevent unauthorized senders from using it as a mail relay to deliver
unsolicited e-mail messages. You must specify your local mail domain(s) and any other
domain(s) that are allowed to use the e500 as a relay. (When the appliance receives an e-mail
message with an address that matches a local domain name, it simply forwards the message).

This feature can be configured to allow total flexibility within your environment. As an example
of this you can:

–   enable relay for your mail domains (local domains – acme.com),
–   block sub-domains of your local mail domains (deny domains – sales.acme.com),
–   allow other external mail domains (permit domains – acme-partners.com) to use the e500
    to relay mail,
–   allow sub-domains of your blocked domains (permit domains – central.sales.acme.com).

You can also allow or deny specific routing characters, and determine what happens to email that
is unauthorized:

–   Refuse – the appliance sends a rejection code (SMTP 550 Fail). Normally, the sender is
    informed that the message was not relayed. We recommend this selection.
–   Discard – the appliance discards the message but uses an acceptance code (SMTP 250 OK).
    This suggests to the sender that the message was received as intended. This is not
    recommended.




Anti-Spam protection
The appliance can permit or block unwanted e-mail messages (spam) from specified sources.

Normally the appliance accepts email from all users at all mail domains unless they are explicitly
denied. If you have denied a complete mail domain, you may wish to enable particular users from
that domain to send email.

In the example here, a complete mail domain has been blocked – any mail from spammers.com
will either be refused or discarded (see below).

However, you wish to allow a single user just.john in the spammers.com domain to send mail in
to your organization. Note that Permit sender overrides Deny sender.



Organizations such as MAPS (http://mail-abuse.org/rbl/) produce real-time blackhole lists (RBLs),
which contain the names of message senders that are known spam sources. You can specify the
URLs of blackhole list providers.

Use RBLs with care – you may inadvertently block mail from legitimate senders!

Once mail has been denied, you can determine what blocking action is taken:

–   Refuse – the appliance sends a rejection code (SMTP 550 Fail). Normally, the sender is
    informed that the message was not relayed. We recommend this selection.
–   Discard – the appliance discards the message but uses an acceptance code (SMTP 250 OK).
    This suggests to the sender that the message was received as intended. This is not
    recommended.
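As an added example (not the appliance’s own code), the following Python models both the anti-relay decision and the anti-spam sender check described in the last two sections, using the acme.com and spammers.com entries from the text; longest-match precedence between local, permit and deny domains, and the reply text after the 550 and 250 codes, are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

REFUSE = "refuse"    # reply 550; the sender learns the message was not relayed
DISCARD = "discard"  # reply 250 OK but silently drop the message


@dataclass
class RelayPolicy:
    local_domains: Set[str]                                   # e.g. acme.com
    permit_domains: Set[str] = field(default_factory=set)     # may relay through the e500
    deny_domains: Set[str] = field(default_factory=set)       # blocked sub-domains
    action: str = REFUSE                                      # what happens to unauthorized mail


@dataclass
class SenderPolicy:
    deny_senders: Set[str] = field(default_factory=set)       # addresses or whole domains
    permit_senders: Set[str] = field(default_factory=set)     # exceptions that win over deny
    action: str = REFUSE


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def domain_matches(domain: str, entry: str) -> bool:
    """True when entry names the domain itself or any parent of it."""
    entry = entry.lower()
    return domain == entry or domain.endswith("." + entry)


def most_specific(domain: str, *groups: Tuple[str, Set[str]]) -> Optional[str]:
    """Label of the group holding the longest (most specific) matching entry, so
    central.sales.acme.com wins over sales.acme.com, which wins over acme.com."""
    best_label, best_len = None, -1
    for label, entries in groups:
        for entry in entries:
            if domain_matches(domain, entry) and len(entry) > best_len:
                best_label, best_len = label, len(entry)
    return best_label


def unauthorized_reply(action: str) -> Tuple[str, str]:
    if action == REFUSE:
        return REFUSE, "550 Relaying denied"   # wording after the code is constructed
    return DISCARD, "250 OK"


def relay_decision(recipient: str, policy: RelayPolicy) -> Tuple[str, str]:
    """Decide whether the appliance accepts mail addressed to this recipient."""
    match = most_specific(domain_of(recipient),
                          ("local", policy.local_domains),
                          ("permit", policy.permit_domains),
                          ("deny", policy.deny_domains))
    if match in ("local", "permit"):
        return "accept", "250 OK"
    return unauthorized_reply(policy.action)


def sender_decision(sender: str, policy: SenderPolicy) -> Tuple[str, str]:
    """Anti-spam check on the sender address; permit entries override deny entries."""
    addr, domain = sender.lower(), domain_of(sender)

    def listed(entries: Set[str]) -> bool:
        return any(addr == e.lower() or domain_matches(domain, e) for e in entries)

    if listed(policy.permit_senders):
        return "accept", "250 OK"
    if listed(policy.deny_senders):
        return unauthorized_reply(policy.action)
    return "accept", "250 OK"


# The configuration used as the example in the text.
ACME_RELAY = RelayPolicy(local_domains={"acme.com"},
                         permit_domains={"acme-partners.com", "central.sales.acme.com"},
                         deny_domains={"sales.acme.com"})
ACME_SPAM = SenderPolicy(deny_senders={"spammers.com"},
                         permit_senders={"just.john@spammers.com"})

if __name__ == "__main__":
    for rcpt in ("bob@acme.com", "bob@sales.acme.com", "bob@central.sales.acme.com",
                 "bob@acme-partners.com", "bob@elsewhere.example"):
        print(rcpt, relay_decision(rcpt, ACME_RELAY))
```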


Sender notification
When a sender is notified that an email cannot be delivered (for example if it contains an
attachment that cannot be cleaned), this notification can be sent from the postmaster email
address, which may be a distribution list.




Configuring email scanning – POP3

This section discusses how you can configure the appliance to receive POP3 mail.

To disable POP3 email scanning but allow POP3 email through your system, deselect the Scan
POP3 traffic check box.

Typically, without the e500 in place, you would configure your POP3 client (e.g. Outlook Express)
to connect to the appropriate mail server to retrieve mail.

To scan this mail, the e500 must become part of this process. The easiest way to do this is to
direct each POP3 client to collect mail from the e500, and allow the e500 to connect to the
appropriate POP3 server to perform the actual download. The e500 downloads and scans, then
passes the mail to the POP3 client.

Depending on whether users will use a single POP3 server, or multiple servers, you have the
option of configuring a generic or dedicated connection.

•   If users typically access only one mail server you can set up a Dedicated Connection

•   If your users are likely to access a number of POP3 servers on the same port, (usually
    110), then each should be configured as an extended username using a Generic
    Connection

•   If your users are likely to access a number of POP3 servers where each server is on a
    different port (not typically the case), you could set up a Dedicated Connection for
    each server.




Generic Connections

Using a generic connection, the mail client is configured to collect mail from the e500 using an
extended user name. An extended user name includes the standard user name and additional
information to allow the e500 to redirect the request to the actual POP3 server.

For example, if the user name was jsmith and the POP3 server was pop3.yahoo.com running
on port 110, the extended user name would be

jsmith#pop3.yahoo.com:110                       (user name # POP3 server : port number)

and the client’s POP3 server name would be e500.

The port number can be omitted if it is the same as that specified under generic connections.
Note that in this example the default value of 110 has been changed to allow a dedicated
connection of 110 to be specified (see below).

The delimiter characters used (# and :) can be changed on the POP3 configuration page if you
wish to specify the extended username (e.g. jsmith#pop3.yahoo.com:110) using another format,
e.g. jsmith$pop3.yahoo.com&110.


Dedicated Connections
You can specify one dedicated connection for each POP3 port. If you use either a single POP3
server on the standard port, (or any other port), or use multiple POP3 servers each on a different
port you can set a dedicated connection for these servers. This avoids the need to use an
extended user name.

For example, if the POP3 server is pop3-server2 running on port 110, then add a dedicated
connection for this server.

At each client, the user name would be unchanged, but the
server would be set to the e500. The e500 would automatically proxy any POP3 requests
received on port 110 to pop3-server2, download and scan them, then pass them to the
requesting client.

Note that you cannot set a dedicated connection to use the same port as the generic port – if
you want to set a dedicated connection on port 110, you need to change the generic port to an
unused port.
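As an added example (not the appliance’s own code), the following Python shows how the generic and dedicated connections just described resolve a client login to a target POP3 server; Pop3Config, route_pop3, the generic port of 1110 in the sample configuration and the rule that an omitted port defaults to the generic connection’s port are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Pop3Config:
    generic_port: int = 110          # port the generic proxy listens on
    user_delim: str = "#"            # separates the user name from the server
    port_delim: str = ":"            # separates the server from the port number
    dedicated: Dict[int, str] = field(default_factory=dict)  # listen port -> POP3 server

    def __post_init__(self) -> None:
        # A dedicated connection may not share the generic port (see the note above).
        if self.generic_port in self.dedicated:
            raise ValueError(f"port {self.generic_port} is already the generic port")


def parse_extended_username(extended: str, cfg: Pop3Config) -> Tuple[str, str, int]:
    """'jsmith#pop3.yahoo.com:110' -> ('jsmith', 'pop3.yahoo.com', 110)."""
    user, delim, target = extended.rpartition(cfg.user_delim)
    if not delim or not user or not target:
        raise ValueError(f"not an extended user name: {extended!r}")
    server, delim, port = target.partition(cfg.port_delim)
    if not server:
        raise ValueError(f"missing POP3 server in {extended!r}")
    # An omitted port means 'same as the generic connection' (assumed reading).
    port_number = int(port) if delim else cfg.generic_port
    if not 0 < port_number < 65536:
        raise ValueError(f"invalid port in {extended!r}")
    return user, server, port_number


def route_pop3(listen_port: int, username: str, cfg: Pop3Config) -> Tuple[str, str, int]:
    """Which (user, server, port) the appliance connects to for a client login."""
    if listen_port in cfg.dedicated:
        # Dedicated: the user name passes through unchanged; the server comes from config.
        return username, cfg.dedicated[listen_port], listen_port
    if listen_port == cfg.generic_port:
        return parse_extended_username(username, cfg)
    raise ValueError(f"no POP3 proxy listening on port {listen_port}")


# Constructed sample: the generic port moved off 110 so a dedicated connection can use 110.
EXAMPLE_CFG = Pop3Config(generic_port=1110, dedicated={110: "pop3-server2"})

if __name__ == "__main__":
    print(route_pop3(110, "jsmith", EXAMPLE_CFG))
    print(route_pop3(1110, "jsmith#pop3.yahoo.com:110", EXAMPLE_CFG))
```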

If a virus is found and removed from a downloaded message, the file will be replaced by the text
specified in the ‘Replacement Text’ box.




Configuring web scanning – HTTP

Configure in which direction to scan and which port to listen on.




(To disable HTTP scanning but allow HTTP through your system, deselect the 2 check boxes
above.)

If clients were not previously using a Proxy or Firewall to proxy their HTTP requests this is all the
configuration that is necessary.

If a user attempts to open or download an infected file, the appliance will display a warning and
prevent this happening.

If clients were previously handing off any HTTP requests, then configure the handoff host to hand
off to the next device (likely to be an upstream proxy in a multiple proxy environment, or else a
Firewall).

Streaming Media - with streaming, the user can view or listen to the data before the entire file
has been transmitted. These are usually video or audio clips using Windows Media Technologies,
QuickTime, or RealNetworks software. To scan a download for viruses it is necessary to
download the entire file. So these two options are mutually exclusive – if you decide to allow
streaming media, it cannot be scanned. You can enable either or both inbound and outbound
pass-through.




HTTP Traffic content filtering

You can filter in and outbound HTTP traffic by location (web site) and content (Java applets,
ActiveX executables and scripting languages such as JavaScript or Visual Basic scripting).



To stop internal users from accessing banned sites, you must specify that the users’ machines are
on the internal network. If machines are not specified as being internal (System Configuration
link), content filtering will not be applied to these machines!

For example, you can block a series of URLs and prevent Java applets from being passed to
clients. Care should be taken when blocking web page content as many web sites rely on this
technology to display pages correctly.




When a page has been blocked, the user receives an image in place of the blocked web page.




Bear in mind that if you block part of a URL (e.g. the word ‘sex’), then this will stop users
accessing legitimate sites that contain this word as part of the URL.




Note that you cannot filter in and outbound separately – filters apply to traffic in both directions!

Web Mail
Hotmail, Yahoo and many other web sites allow users to access email over the web. Email is
viewed and downloaded as HTTP traffic, and so will not be scanned by conventional email scanners.
This can result in your users accessing infected files and downloading them to your network.
They can also send out infected files, which your SMTP email scanner will not detect.

The HTTP scanner included with the e500 will scan web mail in the same way as it scans other
HTTP traffic. If it finds an infected file it will block it before it is downloaded in to your
organization (or before it is uploaded to be sent out of your organization). Access to an infected
attachment within Yahoo Mail, for example, will be blocked.




Configuring web scanning – FTP

In order to scan FTP downloads (and uploads) you need to introduce the e500 in to the process.
Before adding an e500 to your environment, users will either browse transparently or via a
proxy or proxies (which may be before and / or at the firewall). Somewhere in this process you
must introduce the e500 so that all FTP traffic passes through it before it reaches users’
browsers. The next section will look at some of the typical scenarios and the changes that need
to be made to accommodate the e500.

FTP file transfer via a web browser
In this scenario, a file is downloaded using ftp over http, and is a typical example of the method
used by most users to download files from ftp sites. Web browsers such as Internet Explorer,
that incorporate an FTP client, require special configuration to function in this situation. (An FTP
connection using a browser is sent as HTTP calls over FTP. The appliance does not allow HTTP
traffic through the FTP proxy, so blocks it).

To use this type of client, configure your browsers’ FTP proxies to be the same port that the
appliance uses for the HTTP proxy (port 80 by default).

Be aware that the FTP over HTTP feature of the HTTP proxy does not allow local users to
transfer files to external hosts; the appliance discards such requests.

FTP file transfer via an FTP client
If you’re using an FTP client, set the client to use the e500 as a proxy server, and set the
connection to use the format user@site.

For example, to enable CuteFTP to use the appliance: in the Firewall configuration page,
- set the Host to be the e500,
- set the type to be User @ Site, and
- check the Enable Firewall access tick box.




FTP file transfer via a command prompt
File transfer from a command prompt requires that users explicitly connect to the appliance (in
the example ftp mye500). They will then receive any welcome message you have set up. To
connect to the required ftp site users can be redirected using the handoff host (if access to only
one ftp site is required) or have users enter an extended username – in the example below
anonymous@ftp.site.com. They can then proceed in the usual way.

In the example below a user connects to ftp.site.com via the e500 in the following way:

(i)       opens an explicit connection with the e500           (ftp mye500)
(ii)      logs on using an extended username           (anonymous@ftp.site.com)
(iii)     is redirected to the required site.
(iv)      The user then attempts to download a file, which is blocked, (and a message to this
          effect displayed).
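The two ways of reaching a destination described above (an extended user@site login, or a plain login forwarded to a configured handoff host) can be modelled on the proxy side. The following is added example code, not the e500's own implementation; the function name, the hostname check and the exact split rule are assumptions made for illustration.

```python
"""Illustrative model of how an FTP proxy resolves a login name to a destination.

Added example; assumes the proxy accepts either 'user@site' (destination taken
from the login name) or a plain 'user' (destination taken from a handoff host).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hostname labels: letters, digits and interior hyphens, dot-separated (RFC 1123 shape).
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


@dataclass(frozen=True)
class FtpTarget:
    """Where the proxy should open the outbound FTP session, and as whom."""
    user: str
    host: str


def resolve_ftp_target(login_name: str, handoff_host: Optional[str] = None) -> FtpTarget:
    """Split a login name into the real user and the destination host.

    'anonymous@ftp.site.com'          -> user 'anonymous', host 'ftp.site.com'
    'anonymous' with a handoff host   -> user 'anonymous', host = the handoff host
    'anonymous' without a handoff host-> ValueError (the proxy has no destination)
    Anything with an empty user part or a malformed host is rejected rather than
    forwarded, so a bad login cannot steer the proxy to an arbitrary string.
    """
    if "@" not in login_name:
        if not handoff_host:
            raise ValueError("no destination: use user@site or configure a handoff host")
        return FtpTarget(login_name, handoff_host)

    # Split on the LAST '@' so a user part that itself contains '@' survives (assumption).
    user, _, host = login_name.rpartition("@")
    if not user:
        raise ValueError("empty user part in extended username")
    if len(host) > 253 or not _HOST_RE.match(host):
        raise ValueError(f"malformed destination host: {host!r}")
    return FtpTarget(user, host)


if __name__ == "__main__":
    # Constructed sample logins mirroring the walk-through's example.
    print(resolve_ftp_target("anonymous@ftp.site.com"))
    print(resolve_ftp_target("anonymous", handoff_host="ftp.site.com"))
```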






Alerting options

Event Types
Events are classed as one of 5 types (Information, Detection, Warning, Critical and Attention).
You can configure some or all of these event types to log or alert as required (and further
configure specific events to always or never be reported, using the Override button).

Logging
You can log all or some event types (Information, Detection, Warning, Critical and Attention).

Alerting
You can alert to the McAfee ePolicy Orchestrator Anti-Virus management tool, send alerts via
email to a list of users, and send alerts via SNMP, specifying an SNMP management server and
trap community.


e500 reporting

You can create reports specifying a number of parameters:
– event types (virus, blocked URLs, emails filtered by Spam or Content Scanning rules, and
   Management Events)
– period (day, week, month, or a custom date range)
– format (as a log, a chart, or a Top Ten pie chart on screen, or as a Report (CSV), a
   Comma Separated Value file, which is downloaded and can then be imported into Excel, for
   instance).




The top ten chart will show the most common viruses detected, either over a day or over a date
range (last seven days, a selected month, or a user-defined range).

The log can be generated over the same date range as the top ten chart, and includes date and
time, virus name, action taken and the protocol being scanned when the virus was detected.

Other information is protocol dependent. If a virus was detected during an FTP or HTTP
download, the filename is shown as the full URL to the infected file, and the sender is listed as
the user’s IP address, if available. If a virus was detected in an email, the sender’s email address
and the attachment name are displayed.




If you require more detailed information the report option includes many other fields, including
the DAT and Engine version that detected the virus.

ePolicy Orchestrator reporting
The ePolicy Orchestrator (ePO) Agent, once installed, will send events back to the ePO server.
ePO can then be used to generate reports which can be viewed and saved for incorporation into
your own documents. ePO in conjunction with ‘Seagate Info’
(http://www.crystaldecisions.com/products/seagateinfo/) can be configured to provide real-time
reports on your intranet.

Virus Events. The report opposite shows the most prevalent viruses detected in a 7-day period.
Further information can then be obtained for each virus by clicking on the appropriate pie
segment. This will yield similar information to the log file: date, time, sender, action taken,
protocol being scanned, etc.


Email Content Scanning. This report shows the email content scanning rules that have been
triggered to prevent banned text and phrases from leaving and entering the corporate mail
system.


I hope this guide has been of use. Further information is available at
http://www.mcafeeb2b.com/products/webshield-eapp500/default.asp.




  If you have any feedback or questions relating to the contents, you can contact the author at
                                    jason_brown@nai.com


