Archive for the ‘Content Inspection’ Category

Increasing HTTP connection buffer for Anti Virus scanning

Thursday, August 26th, 2010

Just stumbled upon sk36090, which describes that Anti Virus scanning of HTTP traffic can significantly slow down browsing.
The resolution is easy: just increase the buffer assigned to each HTTP connection.

Go to Policy -> Global Properties -> SmartDashboard Customization. Click on Advanced Configuration.

http_buffers_size

Change the http_buffers_size from 4096 bytes to a higher value. Since the default number of concurrent connections is 1000 for HTTP, changing the parameter to the maximum of 65500 bytes would only allocate ~ 63 MB for all buffers together, so why not go with the max?

Tobias Lachmann

Application Control – the next big thing?

Wednesday, August 25th, 2010

Check Point announced their new Application Control software blade.

Now it is not only possible to use URL filtering to block or allow specific sites, but also to determine what exactly is allowed or denied.
For example: allow Facebook in general, but block Facebook games.

The AppWiki database lists several thousand web-based applications to choose from for use in your policy.

Like DLP, this blade comes with UserCheck technology. This resident (Windows) client allows the gateway to interact with the user. If, for example, access to YouTube is allowed only for business use and not for personal use, UserCheck can present a dialog to the user asking what the intended purpose of visiting the site is. If the user confirms that it’s for business, he is allowed to access the site.

At the moment I’m wondering if this is the next big thing... will customers buy this blade and enforce their very own policy? Will this be a considerable alternative to pure content inspection products like WebWasher? What are the implications for the company security policy? Who’s defining the allow/block lists?

To be honest, I’m not sure at the moment how customers will use the technology.

Maybe for them it’s enough to block one or two specific apps as a reason to buy this blade.

Maybe it’s getting as complex as a full-blown IPS solution, with a security engineer defining policies and checking logs all day... and how many companies can afford that?

I guess we have to wait some time to see where it’s going…

Tobias Lachmann

Determine current Antivirus version

Friday, August 20th, 2010

We’ve seen problems with updating the AntiVirus patterns in the past on UTM-1 appliances.
Somehow the reported version numbers seemed wrong.

But where do you check what the current version is?

Easy answer to that:
http://sigcheck.checkpoint.com/Siglist2.txt

Compare your version from SmartView Monitor or avsu_client to the version you see on the above page.

Tobias Lachmann

Determine version of Anti Virus

Tuesday, August 17th, 2010

All applications like SmartView Monitor get the information about the Anti Virus version running on the Security Gateway by reading the following file: $FWDIR/av/ca/update/incoming/Anti_Virus.entitlement.C

Tobias Lachmann

Proactive detection mode vs. Stream detection mode

Sunday, July 11th, 2010

As I wrote a while ago, we had great performance improvements with Antivirus Scanning and the R71 release. On the same UTM-1 hardware the throughput doubled. While this was true for my lab testing, real world testing didn’t show the same results. Upgraded systems had no better AV performance and showed only slightly better overall performance.

The reason for that is that an upgraded system keeps the old way of detecting viruses, the Proactive detection mode. In this mode, the traffic is trapped by the kernel and forwarded to the security server. The security server then forwards the traffic to the Antivirus engine, and the traffic is allowed or blocked depending on the response of the Antivirus engine. It is necessary to store the whole file first before scanning it.

The new Stream detection mode doesn’t need to store the file for scanning. Stream detection is able to scan uncompressed and compressed traffic while it is passing through the gateway’s kernel, doing decompression on the fly.

Stream detection mode works only signature-based, whereas Proactive detection mode works with Antivirus signatures and, in addition, with a sandbox where heuristic behaviour scans are done to detect malware even if no signature is available yet.

Stream detection is the default on fresh installations, which is why you can see the great performance improvement on R71.

The mode can be changed within SmartDashboard -> Antivirus & URL Filtering tab -> Antivirus -> Security Gateway and then choosing the desired protocol.

Configuration of Antivirus detection mode

HTTP and SMTP can work with Stream detection mode and Proactive detection mode; POP3 and FTP only work with Proactive detection mode.

While I appreciate the performance improvement which can be gained using Stream detection mode, I think we lower security a little bit by abstaining from Proactive detection mode.

This decision should be made with careful consideration of the specific setup and customer need. If you use solely Stream detection mode, make sure to have a good Antivirus solution from another vendor running on the end user’s desktop to double-check for malware.

What do you think about the two Antivirus modes? Mail your thoughts to blog@lachmann.org

Tobias Lachmann

Keep up 2 date? Why 8?

Tuesday, June 15th, 2010

I stumbled upon the process keepup2date8, which was running for quite a while on the machine after an R71 upgrade.
Took me some time to find out that it is nothing to worry about, but the Kaspersky process for updating the antivirus database.

Tobias Lachmann

Details on Data Loss Prevention (DLP) blade licensing

Monday, May 10th, 2010

It has taken a long time to get information from Check Point on how to license the DLP blade, but now I got an answer:

For the 500 and 1500 user DLP blade a 2-Core-Container is needed. For the unlimited user DLP blade you need an 8-Core-Container.
The size of the blade is determined by the number of users behind the gateway!

So that would mean you need an SG201 container (included: gateway for up to 500 users) for the CPSB-DLP-500 blade.

For the CPSB-DLP-1500 blade an SG203U pre-defined system is needed, to allow more than 500 users.

For the CPSB-DLP-U blade an SG801 container is needed.

So the solution for 500 users will cost $3000 for the blade and $6500 for the container, so $9500 in total.

The solution for 1500 users will cost $7000 for the blade, $14000 for the container, so $21000 in total.

The unlimited solution will cost $12000 for the blade and $18000 for the container, so $30000 in total.

This is the pure software side; you will also need hardware, for example an open server for an additional $4000.

If we look at the appliance solution DLP-1 2571 we’ll find that it is limited to 1500 users but costs only $14990.

In case your organization needs DLP protection for up to 500 users, a solution with software running on an open server is about $1500 cheaper. If you need up to 1500 users, you pay $10000 more with an open server solution than for the DLP-1 2571. Lots of money... but still worth thinking about because of the higher performance you will get from an open server.

It’s easier with the DLP-1 9571 that you need for unlimited users, as the appliance costs $49900. The software solution on an open server is only $34000, which is about $16000 cheaper.

What’s the baseline here? Well, carefully think about your setup before you buy. Think about performance limitations you may encounter with an appliance. Think about the cost for the 2nd and 3rd year... and then make your decision!

Tobias Lachmann

R71 performance on UTM-1 appliances

Tuesday, May 4th, 2010

As mentioned before, the UTM-1 appliance had performance trouble when doing content scanning, and I would not recommend doing this on these machines. Now R71 claims to give a big boost by new methods of scanning. I tested the performance improvement of the new R71 release with the following setup:

UTM-1 270 with GigabitEthernet uplink to the Internet and GigabitEthernet link to the internal network. 4 servers with GigabitEthernet as clients running HTTrack website copier in the internal network. I used HTTrack to download several websites at the same time, creating a mixture of HTML, graphic, archive and executable content.

The UTM-1 270 was installed out of the box using the wizard. I activated VPN, SmartView Monitor and Antivirus in addition to the modules already activated as standard.

The rulebase had two rules, one allowing access to the systems from a management client outside the network and one rule allowing access to the Internet for the servers. No NAT was used, no additional settings.

With NGX R65 with Messaging Security (HFA25) I had an average throughput of 1,026,474 Bytes / sec while running with 100% CPU load for a couple of minutes.

With NGX R65 with Messaging Security (HFA70) I had an average throughput of 1,094,563 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R70 I had an average throughput of 1,647,257 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R71 I had an average throughput of 1,999,611 Bytes / sec while running with 100% CPU load for a couple of minutes.

My test may not be as accurate as the ones that Check Point is doing, but I think the traffic blend reflects the behaviour of normal users really well.

And, having 2x the performance with Antivirus scanning on the same hardware is pretty impressive! The improvement really shows, how nice! I also recognized that R71 comes with a new AV engine which has the name KSS, maybe Kaspersky?

This is enough performance to use modern DSL lines or direct links completely, not only partially. So I would recommend this release to everyone who still uses content scanning on a UTM-1 appliance and has performance problems.

Tobias Lachmann

URL Filtering update error

Monday, May 3rd, 2010

When you receive continuous update errors within the URL Filtering module, maybe it’s a good idea to delete the whole database and rebuild it via the update database function in SmartDashboard. Was helpful for me several times...

  • First change to the directory $FWDIR/uf/sc/update/incoming.
  • Delete all the files beginning with “sfcontrol”. The file “sfcontrol” itself is the database; all the others are differentials and status infos.
  • Run cpstop and cpstart to restart the services that control URL Filtering.
  • Go to your SmartDashboard, change to the “Content Inspection” tab and click on “Update Databases Now”.

It will take a while to download the whole database, but you can watch the process by checking the files and sizes in the directory.
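The rebuild procedure above as a script, added here as an example and not Check Point’s own tooling. It differs from the post in one point: instead of deleting the sfcontrol* files it moves them into a backup directory next to the incoming directory, so the old database can be put back if the rebuild fails. The location $FWDIR/uf/sc/update/incoming and the cpstop/cpstart restart are taken from the post; the backup directory name and the --run switch are my own assumptions.

```shell
#!/bin/sh
# Added example (not Check Point's code): rebuild the URL Filtering database
# the way the post describes, but keep a copy of the old files instead of
# deleting them (my assumption about what a careful admin wants).

# Move every file starting with "sfcontrol" from $1 into the backup dir $2.
# Prints the number of files moved; returns 1 on any error.
stage_sfcontrol_files() {
    src=$1
    backup=$2
    mkdir -p "$backup" || return 1
    moved=0
    for f in "$src"/sfcontrol*; do
        [ -e "$f" ] || continue      # glob matched nothing: nothing to stage
        mv "$f" "$backup"/ || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Full procedure from the post; only meant to run on the gateway with --run.
rebuild_urlf_database() {
    incoming="${FWDIR:?FWDIR is not set; source the Check Point environment first}/uf/sc/update/incoming"
    # Backup lives in the parent directory so the sfcontrol* glob never picks it up.
    backup="$incoming/../sfcontrol-backup-$(date +%Y%m%d-%H%M%S)"
    n=$(stage_sfcontrol_files "$incoming" "$backup") || return 1
    echo "staged $n sfcontrol file(s) into $backup"
    cpstop && cpstart || return 1
    echo "services restarted; now click 'Update Databases Now' in SmartDashboard"
}

if [ "${1:-}" = "--run" ]; then
    rebuild_urlf_database
fi
```

Run it as `sh rebuild_urlf.sh --run` on the gateway after sourcing the Check Point environment; without `--run` it only defines the functions, so the staging step can be tried against any directory first.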

While debugging URL Filtering in general, you may stumble over sk35196, which describes several procedures with the avsu_client command and optional parameters. Please note that Check Point changed the URL Filtering provider, I think with HFA50, from SurfControl to SecureComputing. This engine change comes together with a change in the parameters when you call avsu_client. The application name “URL Filtering” does not provide valid output when you use the SecureComputing engine; you have to use “URL Filtering2” to get actual results from the installation.

avsu_client -app "URL Filtering" fetch
failed to fetch signature update
err_str=Failed. Message from module: "Server has no available updates".
info=
Local version is date

avsu_client -app "URL Filtering2" fetch
signature file up to date
err_str=Succeeded. Existing signature is up-to-date.
info=
Local version is date

Sadly, just calling avsu_client gives no explanation about the changed parameters; it only lists “URL Filtering”.
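A small check script for the situation above, added here as an example and not part of the post or of Check Point’s tools. It classifies avsu_client fetch output by its err_str= line and then asks the gateway under which application name the URL Filtering engine actually answers, trying “URL Filtering2” before “URL Filtering”. The two captured outputs from the post are embedded as sample input. The AVSU_CLIENT variable, which lets a stand-in command replace the real avsu_client for offline testing, and the --probe switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not Check Point's code: classify avsu_client "fetch" output
# and find the application name under which the URL Filtering engine answers.
# AVSU_CLIENT may point at a stand-in command for offline testing (assumption).
AVSU_CLIENT=${AVSU_CLIENT:-avsu_client}

# Outputs captured in the post, embedded here as sample input.
OUTPUT_OLD_NAME='failed to fetch signature update
err_str=Failed. Message from module: "Server has no available updates".
info=
Local version is date'

OUTPUT_NEW_NAME='signature file up to date
err_str=Succeeded. Existing signature is up-to-date.
info=
Local version is date'

# Read avsu_client output on stdin; print "<status> <local version>" where
# status is ok, failed or unknown, derived from the err_str= line.
avsu_result() {
    awk '
        /^err_str=Succeeded/ { s = "ok" }
        /^err_str=Failed/    { s = "failed" }
        /^Local version is / { v = substr($0, length("Local version is ") + 1) }
        END { if (s == "") s = "unknown"; if (v == "") v = "-"; print s, v }
    '
}

# Try the candidate application names in order and print the first one whose
# fetch reports success; print "none" and return 1 if neither does.
urlf_working_app() {
    for app in "URL Filtering2" "URL Filtering"; do
        status=$("$AVSU_CLIENT" -app "$app" fetch 2>/dev/null | avsu_result)
        case $status in
            ok*) printf '%s\n' "$app"; return 0 ;;
        esac
    done
    echo none
    return 1
}

# Show how the two captured outputs are classified, then probe the gateway.
if [ "${1:-}" = "--probe" ]; then
    printf 'URL Filtering : %s\n' "$(printf '%s\n' "$OUTPUT_OLD_NAME" | avsu_result)"
    printf 'URL Filtering2: %s\n' "$(printf '%s\n' "$OUTPUT_NEW_NAME" | avsu_result)"
    echo "working application name: $(urlf_working_app)"
fi
```

On a gateway, `sh urlf_check.sh --probe` prints the classification of both sample outputs and then the application name that really delivers a result, so the wrong name is noticed before anyone spends time debugging an update that only looks broken.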

Tobias Lachmann