Antivirus Protection for Web Applications

by dnahas on 08-27-2014 09:17 AM - edited on 05-29-2015 05:27 PM by PaulWallace

With more services being delivered through a browser, it is safe to say web applications are here to stay. The rapid growth of web-enabled applications and the increasing number of client devices mean that organizations handle more document transfer paths than ever before. Providing easy access to these applications (web mail, intranet portals, document storage, etc.) also exposes those paths as entry points into the network.

When it comes to security, application owners typically cover the common threats and vulnerabilities. What is often overlooked is one of the first things we learned about the internet: virus protection. Some application owners consider the answer "we have virus scanners running on the servers" sufficient. The same owners implement security plans that push protection as far out as possible, yet still allow a virus to travel several layers into the architecture before anything inspects it.

SteelApp can extend that protection to your applications with software flexibility and scale. Use existing investments by installing SteelApp on your own infrastructure (Linux, Solaris, VMware, Hyper-V, etc.) and integrating it with the antivirus scanners you already run. Or deploy SteelApp with a hosting provider (Amazon, Azure, CoSentry, Datapipe, Firehost, GoGrid, Joyent, Layered Tech, Liquidweb, Logicworks, Rackspace, Sungard, Xerox, and many others) and proxy your applications externally, so that threats are removed before they reach your infrastructure. When SteelApp serves as a forward proxy for clients, the same integration can scan outbound content and so limit virus propagation.

The SteelApp Web Application Firewall ICAP Client Handler lets you integrate with an ICAP server. ICAP (Internet Content Adaptation Protocol, RFC 3507) provides simple object-based content vectoring for HTTP services: a client hands an HTTP request or response to an ICAP server, which returns it unchanged, modified, or replaced. The Web Application Firewall acts as an ICAP client and passes requests to a specified ICAP server, which lets you integrate with any third-party product that speaks ICAP. In particular, you can use the ICAP Client Handler as a virus scanner interface for scanning uploads to your web application.

Example Deployment

This deployment uses version 9.7 of the SteelApp Traffic Manager with the open source applications ClamAV and c-icap installed locally on the same appliance. If you run a cluster of Traffic Managers, perform this deployment on every node of the cluster, since each node's Application Firewall talks to its own local c-icap. Traffic Manager could also be used as an ADC in front of several external ICAP application servers to extend their availability and performance. I would also like to credit Thomas Masso, Jim Young, and Brian Gautreau. Thank you for your assistance!

"ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats." - http://www.clamav.net/

"c-icap is an implementation of an ICAP server. It can be used with HTTP proxies that support the ICAP protocol to implement content adaptation and filtering services." - The c-icap project

Installation of ClamAV, c-icap, and libc-icap-mod-clamav

For this example, the public Ubuntu repositories are used to install the packages on a version 9.7 Traffic Manager virtual appliance with the default configuration. The appliance is not a general-purpose Ubuntu host, so the steps temporarily add the repositories, install the three packages, and then restore the original sources.list. To install by another method or on a different operating system, consult the ClamAV and c-icap documentation.

  • Run the following command to back up the sources.list file:

cp /etc/apt/sources.list /etc/apt/sources.list.rvbdbackup

  • Run the following commands to append the Ubuntu package repositories to the sources.list file. *Tested with Traffic Manager virtual appliance version 9.7, which is built on Ubuntu 12.04 'precise'. For other Ubuntu releases replace 'precise' with the codename of the release installed; run "lsb_release -sc" to find out your release. (Ubuntu 12.04 has since reached end of life, and its packages are now served from old-releases.ubuntu.com rather than the mirrors below.)

cat <<EOF >> /etc/apt/sources.list
deb http://ch.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://ch.archive.ubuntu.com/ubuntu/ precise main restricted
deb http://us.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise universe
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
EOF

  • Run the following command to retrieve the updated package lists:

apt-get update

  • Run the following command to install ClamAV, c-icap, and libc-icap-mod-clamav:

apt-get install clamav c-icap libc-icap-mod-clamav

  • Run the following command to restore your sources.list, so that later appliance updates are not affected by the added repositories:

cp /etc/apt/sources.list.rvbdbackup /etc/apt/sources.list

Configure the c-icap ClamAV service

  • Run the following commands to append the ClamAV service definition to /etc/c-icap/c-icap.conf:

cat <<EOF >> /etc/c-icap/c-icap.conf
Service clamav srv_clamav.so
ServiceAlias  avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
srv_clamav.ScanFileTypes DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
srv_clamav.MaxObjectSize  100M
EOF

The alias name "avscan" is the ICAP resource the Web Application Firewall is pointed at later, so the two must match. allow204=on lets the service answer clean content with an ICAP 204 (unmodified) instead of echoing the whole object back, and mode=simple makes it replace infected content with a block page rather than pass it on; the remaining alias parameters are described in the comments of the c-icap.conf shipped with the package.

*Consult the ClamAV and c-icap documentation and customize the configuration and settings for ClamAV and c-icap (signature updates, ScanFileTypes, restricting access to c-icap, etc.) for your deployment. In this deployment c-icap is only ever contacted from 127.0.0.1, so restrict it accordingly (c-icap's acl and icap_access directives in c-icap.conf control which clients may use it); an ICAP service reachable from other hosts is an extra unauthenticated service on the appliance.

  • Run the following command to update the ClamAV signature database manually. The freshclam daemon normally keeps it current, but running it now confirms that updates work and gives the scanner a current database before testing:

/usr/bin/freshclam

Configure the ICAP Server to Start

This can be done in several ways; in this example the Event Alerting functionality of Traffic Manager is used to start the c-icap server whenever the Application Firewall is started, so the scanner is running whenever the firewall that depends on it is.

  • Save the following bash script (for this example start_icap.sh) on your computer. c-icap puts itself into the background by default, so the script returns as soon as the daemon is up; the pgrep guard keeps the action from launching a second instance if one is already running.

#!/bin/bash
# Run by the Traffic Manager "Start ICAP" action; c-icap daemonizes itself.
pgrep -x c-icap >/dev/null || /usr/bin/c-icap
#END

  • Upload the script via the Traffic Manager UI under Catalogs > Extra Files > Action Programs. (See Figure 1)

Figure 1: Upload Action Program

  • Create a new event type (for this example named "Firewall Started") under System > Alerting > Manage Event Types. Select "appfirewallcontrolstarted: Application firewall started" and click Update to save. (See Figure 2)

Figure 2: Firewall Started Event

  • Create a new action (for this example named "Start ICAP") under System > Alerting > Manage Actions. Select the "Program" radio button and click "Add Action" to save. (See Figure 3)

Figure 3: Create New Action

  • Configure the "Start ICAP" Action Program to use the "start_icap.sh" script, and for this example adjust the timeout setting to 300. Click Update to save. (See Figure 4)

Figure 4: Configure Action Program to run and timeout

  • Configure the Alert Mapping under System > Alerting to use the Event type and Action previously created. Click Update to save your changes. (See Figure 5)

Figure 5: Final Configure Alert Mapping

  • Restart the Application Firewall, or reboot, to start the c-icap server automatically. Alternatively, run the /usr/bin/c-icap command from the console, or select "Update and Test" on the "Start ICAP" action configuration page of the UI, to start c-icap manually.

Configure the Web Application Firewall

  • Within the Web Application Firewall UI, add and configure the ICAPClientHandler using the following attributes and values. The resource must match the ServiceAlias defined in c-icap.conf (avscan), and the location is the loopback address because c-icap runs on the same appliance.
    • icap_server_location - 127.0.0.1
    • icap_server_resource - /avscan

Handler config

Testing Notes

  • Check the WAF application logs. Use Full logging for the Application configuration and enable_logging for the ICAPClientHandler. As with any system, use full logging with caution: the logs can fill the disk quickly.
  • Check the c-icap logs (cat /var/log/c-icap/access.log and /var/log/c-icap/server.log). Note: changing the "DebugLevel" value in /etc/c-icap/c-icap.conf to 9 is useful for testing; it records detailed diagnostics in /var/log/c-icap/server.log. *Change it back to 1 when you are done testing.
  • The Action Settings page in the Traffic Manager UI (for this example Alerting > Actions > Start ICAP) also provides an "Update and Test" button that triggers the action and starts the c-icap server.
  • Enable verbose logging for the "Start ICAP" action in the Traffic Manager for more information from the event mechanism. *Disable it again when you are done testing.
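To confirm end to end that an upload reaching the avscan alias is actually scanned, the following added example (not code from the original article, from SteelApp, or from the c-icap project) sends the EICAR test string to c-icap the way the ICAP Client Handler would, as an ICAP REQMOD request wrapping an HTTP POST, and reports the verdict. It assumes c-icap listens on 127.0.0.1:1344 (c-icap's default port; check the Port directive in c-icap.conf) and that the avscan alias above is loaded. The two sample ICAP replies embedded in the script are constructed to look like c-icap's so that the parsing can be checked offline, and the X-Infection-Found / X-Violations-Found header names are the ones the c-icap ClamAV module adds on a match; verify them against your version's server.log.

```python
"""Smoke test for the c-icap + ClamAV scanner behind the /avscan alias.

Added example, not code from the original article, from SteelApp, or from the
c-icap project. Assumes c-icap listens on 127.0.0.1:1344 (its default port;
see the Port directive in c-icap.conf) and that the "avscan" alias is loaded.
"""
import socket

ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "127.0.0.1", 1344, "avscan"

# EICAR test string, assembled from two halves so this source file does not
# itself match an antivirus signature when written to disk.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_reqmod(host, service, upload, path="/upload", origin="app.example.com"):
    """ICAP REQMOD request wrapping an HTTP POST whose body is `upload`, the
    shape a WAF uses when it hands an upload to the scanner. Encapsulated
    offsets are byte positions counted from the start of req-hdr."""
    req_hdr = ("POST %s HTTP/1.1\r\nHost: %s\r\n"
               "Content-Type: application/octet-stream\r\n"
               "Content-Length: %d\r\n\r\n" % (path, origin, len(upload))).encode("ascii")
    # Encapsulated bodies are always chunked (RFC 3507); a single chunk will do.
    req_body = ("%x\r\n" % len(upload)).encode("ascii") + upload + b"\r\n0\r\n\r\n"
    icap_hdr = ("REQMOD icap://%s/%s ICAP/1.0\r\nHost: %s\r\n"
                "Allow: 204\r\n"          # server may answer "unchanged" with no body
                "Connection: close\r\n"   # so the reply can simply be read to EOF
                "Encapsulated: req-hdr=0, req-body=%d\r\n\r\n"
                % (host, service, host, len(req_hdr))).encode("ascii")
    return icap_hdr + req_hdr + req_body


def parse_icap_response(raw):
    """Split a raw ICAP reply into (status code, lower-cased header dict).
    The encapsulated HTTP part (c-icap's block page in mode=simple) is ignored."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    version, code = head[0].split(" ", 2)[:2]
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP response: %r" % head[0])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def verdict(status, headers):
    """Reduce an ICAP reply to 'clean', 'infected', 'unknown' or 'error'.
    c-icap's ClamAV service answers 204 when nothing matched and 200 plus
    X-Infection-Found / X-Violations-Found headers when a signature matched.
    A 200 without those headers is 'unknown', not 'clean': fail closed."""
    if status == 204:
        return "clean"
    if status == 200:
        if "x-infection-found" in headers or "x-violations-found" in headers:
            return "infected"
        return "unknown"
    return "error"


def scan(upload, host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=30):
    """Send `upload` to the live scanner and return its verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_reqmod(host, service, upload))
        raw = b""
        while True:
            data = sock.recv(65536)
            if not data:
                break
            raw += data
    return verdict(*parse_icap_response(raw))


# Constructed replies in the shape c-icap produces, for checking without a server.
SAMPLE_CLEAN = (b"ICAP/1.0 204 No Content\r\nServer: C-ICAP/0.1.6\r\n"
                b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_INFECTED = (b"ICAP/1.0 200 OK\r\nServer: C-ICAP/0.1.6\r\n"
                   b"X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Test-Signature;\r\n"
                   b"X-Violations-Found: 1\r\n"
                   b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
                   b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                   b"3\r\n...\r\n0\r\n\r\n")


def selftest():
    """Offline check of the request builder and the reply parser."""
    req = build_reqmod("127.0.0.1", "avscan", b"abc")
    return (req.startswith(b"REQMOD icap://127.0.0.1/avscan ICAP/1.0\r\n")
            and req.endswith(b"\r\n3\r\nabc\r\n0\r\n\r\n")
            and verdict(*parse_icap_response(SAMPLE_CLEAN)) == "clean"
            and verdict(*parse_icap_response(SAMPLE_INFECTED)) == "infected")


if __name__ == "__main__":
    assert selftest()
    for label, payload in (("clean text", b"hello world\n"), ("EICAR", EICAR.encode())):
        try:
            print("%s: %s" % (label, scan(payload)))
        except OSError as exc:  # refused or timed out: c-icap not up, or not on this port
            print("%s: could not reach c-icap (%s)" % (label, exc))
```

Run it on the appliance with python3 once c-icap is up. A clean payload should print clean (an ICAP 204) and the EICAR payload infected; a 200 without the infection headers prints unknown, which usually means the resource name does not match the ServiceAlias or the ClamAV module is not loaded, and deserves a look at server.log before trusting the WAF's ICAP handler. Keeping "unknown" separate from "clean" is deliberate: a scanner that silently returns content unmodified looks exactly like a scanner that found nothing unless the headers are checked.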
