Chapter 30. Managing Content Scanning

Your security policy allows users to transfer files from other systems to their systems on the network. They can exchange mail with colleagues, view Web sites, and transfer files from other sites on the Internet. These activities are essential to your business. You want to make sure that the files that come into your network are not infected with viruses. The Gauntlet Firewall includes content scanning as a configurable option for transferring files (via FTP), viewing Web sites (via HTTP), and exchanging e-mail (via SMTP).

This chapter discusses the concepts behind content scanning and explains how it works, how to configure the proxies for content scanning, and how to configure your content scanning engine. The chapter consists of the following sections:

Understanding Content Scanning

Several of the Gauntlet proxies provide content scanning. The content scanning option runs as part of the proxies. You can configure content scanning on the following protocols:

  • FTP

  • HTTP

  • SMTP

Because content scanning is a configurable option in several different proxies, you can configure the firewall to scan transferred files for some hosts and not for others. For example, you could enable content scanning for e-mail only, if you were concerned about the types of files people are sending to your employees.

FTP

File transfers via FTP can carry malicious content. You can use the content scanning capability to identify and block these transfers. Scanning can be configured independently for file retrieval (GET) and transmission (PUT). When you enable content scanning, the firewall inspects the file before it delivers the file.

SMTP Mail

It is important to note that the firewall scans only mail that enters the firewall via SMTP. The firewall does not scan mail that passes through the firewall using the POP3 protocol. Because the POP3 proxy is intended for use from outside to inside only, this is generally not a problem. In this recommended configuration, all of your company's e-mail arrives via SMTP protocol and is scanned at the firewall.

If you configure the POP3 proxy to allow employees on the inside network to connect to POP3 servers on the outside network, you cannot use content scanning on their e-mail.

HTTP

Web pages can contain malicious content and applications. When you enable content scanning, the firewall scans Web pages before it displays them. It scans files transferred via the HTTP proxy, whether they were retrieved via HTTP or FTP URLs.


Note: Even though the Gopher proxy is an implementation of the HTTP proxy, the firewall does not scan Gopher traffic.


Content Scanning Engine

The firewall makes decisions on the data based on information from a content scanning engine running on another system. The types of content for which the firewall scans depend completely on the content scanning engine you are using. Common types of files that these engines can scan include the following:

  • e-mail messages

  • attachments to e-mail messages (for example, PostScript documents)

  • executable files

  • compressed or encoded files (for example, ZIP, UUENCODE, MIME)

  • Java applets

Consult the documentation included with your content scanning engine to see what types of files the engine can scan.

How Content Scanning Works

Content scanning is another check that the firewall performs before passing packets from one side of the firewall to the other. When the firewall receives an SMTP, HTTP, or FTP packet, the appropriate proxy service performs the standard source and destination checks. If the proxy is configured to allow requests from the source to the destination, the proxy scans the files.

The proxies use the Content Vectoring Protocol (CVP) to communicate with the content-scanning engine. As it scans the file, the proxy uses the criteria you have set on the content-scanning engine to determine if the file is infected. If the file is not infected, the proxy passes the packet to the destination host just as it would have if content scanning were disabled. If the file is infected, the proxy checks its configuration settings and either discards the infected file or asks the scanning engine to attempt to repair the infected file.

When the proxy discards the infected file, it logs the error and drops the packet. The firewall does provide notification when it blocks a file. When blocking FTP traffic, the firewall provides status messages to the requesting client that notify the user that the firewall blocked the transfer. When blocking SMTP traffic, the firewall logs the attempt and sends e-mail to the recipient configured on the firewall to receive bad e-mail (by default, root). When blocking HTTP traffic, the firewall provides information to the browser to display a page indicating that the firewall blocked the requested page.

If the proxy is configured to repair infected files, the firewall asks the content scanning engine for a repaired copy of the file. If the engine repairs the file successfully, it returns the repaired file, and the firewall passes that file to the destination host. If the file is not infected and the proxy is not configured to repair infected files, the firewall passes the file to the destination host unchanged.

With the exception of status messages that the firewall displays when it blocks content, content scanning is transparent to the user. Users do not need to change their file transfer, mail, or browsing habits. However, users may see some small delays in both FTP and HTTP traffic, as the content scanning engine must also look at each packet.
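The following is an added example, not part of the Gauntlet documentation or code, that models the decision flow just described: the proxy scans the file after the standard source and destination checks, passes clean files unchanged, and either discards an infected file (logging it and notifying the FTP client, the bad-mail recipient, or the browser, as appropriate) or asks the engine for a repair. The CVP engine is replaced by a constructed stub that recognises a marker string; the assumption that a failed repair falls back to blocking the file is the example's own, since the chapter does not state what happens in that case.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Handling(Enum):
    DISCARD = "discard"   # the "Discard Infected Files" setting
    REPAIR = "repair"     # ask the engine to attempt a repair


# Constructed stand-in for the CVP scanning engine. A real engine runs on a
# separate host reached over CVP; this stub only recognises a marker string.
INFECTED_MARKER = b"[CONSTRUCTED-INFECTED-MARKER]"


class StubEngine:
    def scan(self, data: bytes) -> bool:
        """Return True when the constructed infection marker is present."""
        return INFECTED_MARKER in data

    def repair(self, data: bytes) -> Optional[bytes]:
        """Repair by stripping the marker; give up if the sample says so."""
        if b"UNREPAIRABLE" in data:
            return None
        return data.replace(INFECTED_MARKER, b"")


@dataclass
class Outcome:
    action: str             # "pass", "repaired" or "block"
    data: Optional[bytes]   # what reaches the destination (None when blocked)
    notice: str             # what the user or administrator sees
    log: List[str]          # what the firewall records


def _block_notice(protocol: str, bad_mail_recipient: str = "root") -> str:
    """Per-protocol notification when a file is blocked (recipient defaults to root)."""
    if protocol == "ftp":
        return "FTP status: transfer blocked by firewall content scanning"
    if protocol == "smtp":
        return f"mail sent to {bad_mail_recipient}: infected message blocked"
    if protocol == "http":
        return "HTTP page: the firewall blocked the requested page"
    raise ValueError(f"unsupported protocol: {protocol}")


def proxy_deliver(protocol: str, data: bytes, engine: StubEngine,
                  scanning_enabled: bool = True,
                  handling: Handling = Handling.DISCARD) -> Outcome:
    """Decision flow of a proxy with content scanning enabled.

    Assumes the standard source/destination checks have already allowed the
    request; content scanning is the additional check performed after them.
    """
    log: List[str] = []
    if not scanning_enabled or not engine.scan(data):
        log.append(f"{protocol}: file passed")
        return Outcome("pass", data, "", log)

    if handling is Handling.REPAIR:
        repaired = engine.repair(data)
        if repaired is not None:
            log.append(f"{protocol}: infected file repaired and delivered")
            return Outcome("repaired", repaired, "", log)
        # Assumption (not stated in the chapter): an engine that cannot repair
        # the file leads to the file being blocked, never delivered infected.
        log.append(f"{protocol}: repair failed")

    log.append(f"{protocol}: infected file discarded")
    return Outcome("block", None, _block_notice(protocol), log)


if __name__ == "__main__":
    engine = StubEngine()
    sample = b"hello " + INFECTED_MARKER + b" world"   # constructed input
    for proto in ("ftp", "smtp", "http"):
        print(proto, proxy_deliver(proto, sample, engine).notice)
    print(proxy_deliver("ftp", sample, engine, handling=Handling.REPAIR).data)
```

Note that disabling scanning or a clean verdict both take the same path, which is why a scanning engine that is unreachable or misconfigured must be treated as a failure rather than as "clean".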

Accessing Content Scanning Configuration

You can access content scanning configuration from each of the proxy services that support content scanning.

To access content scanning configuration for mail:

  1. From within the Gauntlet Firewall Manager, select Environment.

  2. Click the Mail tab.

    The Mail window displays.

    Figure 30-1. Mail Window


To access content scanning configuration for the FTP proxy service:

  1. From within the Gauntlet Firewall Manager, select Services.

  2. Click the FTP tab.

  3. Select the configuration set for which you want to enable content scanning.

  4. Click Modify.

To access content scanning configuration for the HTTP proxy service:

  1. From within the Gauntlet Firewall Manager, select Services.

  2. Click the HTTP tab.

  3. Select the configuration set for which you want to enable content scanning.

  4. Click Modify.

Configuring the Firewall to Use Content Scanning

Configuring the firewall consists of planning, configuring, and enabling content scanning.

Planning the Firewall Configuration for Content Scanning

When planning configuration for content scanning:

  1. Determine whether you wish to configure content scanning for FTP, HTTP, or e-mail.

  2. If you plan to hold infected e-mail files in a quarantine area, make sure you have sufficient disk space.

Configuring and Enabling Content Scanning

To configure and enable content scanning:

  1. On the content scanning configuration page for the service, click Enable Content Scanning.

  2. Provide information about content scanning.

    CVP Hostname

    IP address or hostname of the system on which the content scanning engine is running.

    CVP Port

    Port number on which the content scanning engine is running.

    Infected File Handling

    Specifies what the firewall should do with files that the content scanner reports to be infected.

    If you are using Norton AntiVirus for Firewalls, click Discard Infected Files. When Norton AntiVirus finds a virus type it cannot repair, it replaces the contents of the file with a warning message and marks the file as clean. The firewall believes that the file was repaired and delivers it to the user, and the logs on the firewall state that the transfer was repaired. In reality, the content scanning engine did not repair the file; it replaced the file.

    Quarantine Area

    Directory where the firewall should place mail messages that the content scanner reports to be infected.


  3. Enable the proxy service normally. Do not forget to add the service to a service group or create service group rules.

  4. Before exiting the Gauntlet Firewall Manager, save and apply your changes.

    The firewall enables content scanning the next time you reboot your firewall.
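The following is an added example, not part of the Gauntlet documentation, that checks a content scanning configuration against the planning and configuration steps above before it is applied: the CVP hostname and port are present and valid, an engine that replaces unrepairable files rather than repairing them (Norton AntiVirus for Firewalls, as described in step 2) is only used with Discard Infected Files, and the mail quarantine area exists and has the free disk space you planned for. The `ScanConfig` record and the free-space threshold are the example's own constructs; Gauntlet stores these settings through the Firewall Manager, not in this form.

```python
import shutil
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Engines that, per the chapter, substitute a warning message for an
# unrepairable file and report it as clean. For these, "discard" is the only
# handling that does not deliver a rewritten file labelled as repaired.
REPLACES_INSTEAD_OF_REPAIRING = {"norton antivirus for firewalls"}


@dataclass
class ScanConfig:
    """Constructed representation of the fields on the configuration page."""
    cvp_hostname: str
    cvp_port: int
    infected_file_handling: str              # "discard" or "repair"
    engine: str                              # name of the scanning engine
    quarantine_area: Optional[str] = None    # mail only
    min_quarantine_free_bytes: int = 0       # planned quarantine headroom


def check_scan_config(cfg: ScanConfig) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []

    if not cfg.cvp_hostname.strip():
        problems.append("CVP Hostname is empty")
    if not 1 <= cfg.cvp_port <= 65535:
        problems.append(f"CVP Port {cfg.cvp_port} is not a valid TCP port")

    if cfg.infected_file_handling not in ("discard", "repair"):
        problems.append(
            f"Infected File Handling {cfg.infected_file_handling!r} is unknown")
    elif (cfg.infected_file_handling == "repair"
          and cfg.engine.strip().lower() in REPLACES_INSTEAD_OF_REPAIRING):
        problems.append(
            f"{cfg.engine} replaces unrepairable files and marks them clean; "
            "use Discard Infected Files")

    if cfg.quarantine_area is not None:
        quarantine = Path(cfg.quarantine_area)
        if not quarantine.is_dir():
            problems.append(f"Quarantine Area {cfg.quarantine_area} is not a directory")
        else:
            free = shutil.disk_usage(quarantine).free
            if free < cfg.min_quarantine_free_bytes:
                problems.append(
                    f"Quarantine Area has {free} bytes free, "
                    f"below the planned {cfg.min_quarantine_free_bytes}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration with a placeholder scanner host.
    cfg = ScanConfig("cvp-scanner.example.invalid", 18181, "repair",
                     "Norton AntiVirus for Firewalls", quarantine_area=".")
    for problem in check_scan_config(cfg):
        print("problem:", problem)
```

Run the check before saving and applying changes in the Firewall Manager; the firewall only picks up the new settings after the reboot described in step 4, so an error found then costs a second reboot.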

Configuring the Content Scanner

The Gauntlet Firewall uses the Content Vectoring Protocol (CVP) to communicate with content scanning engines. Currently, Symantec Norton AntiVirus for Firewalls is supported.

To configure your firewall:

  1. If at all possible, install the content scanning engine on a system that is on the same network segment as the firewall, either the trusted or service net. Do not place the scanning engine on the outside network.

  2. When configuring information about the host that will provide content to be scanned (that is, the firewall), enter the IP address of the interface that is closest to the content scanning engine. For example, if the content scanner is on the inside network, enter the IP address of the inside interface of the firewall.

  3. For each of the protocols that you are scanning, set the scan policy to:

    • scan all items

    • accept all items

    This ensures that the content-scanning engine looks at all traffic it receives.