I'd like to get this working properly and allow real-time lookups, but I'm concerned about the number of lookups there'll be from hosts on a network which contains almost 1000 computers!
I've read that if you use a web proxy, then you can configure this to work via your proxy by using the proxy settings under the connection section.
But how about the volume of lookups? Can't the PM cache this information so that each client doesn't have to poll the Internet?
In current versions, Real-time Protection Network does not utilize PM for any ORSP query caching.
Real-time Protection Network uses the AUA proxy by default, or it can use a special proxy configured in F-Secure Real-time Protection Network Client -> Settings -> HTTP proxy in Policy Manager Console.
How about the volume of lookups by clients? We have around 800 hosts. This isn't the most efficient way of doing lookups to my mind.
Websense does a similar thing, but you can cache to a local database, and when the information isn't there, it'll go and retrieve the information on behalf of the client and add that data to the local DB!
This works really well.
I think F-Secure should develop something similar.
So, would I be correct in thinking that as long as the PM's AUA has access to the Internet, then this should work fine? I ask as I can't find any information on the technicalities.
The Real-time Protection Network client queries are done directly by the client running our end-point protection software (e.g. Client Security). Policy Manager Server has no role in this scenario. This means the AUA on the client needs to be able to access the Internet. The RTPN client by default uses the AUA http-proxy setting configured for the client, but you can also configure a separate setting.
We've considered implementing a proxy for caching RTPN queries, but this is not yet available. As for the traffic generated by hosts, this is approx. 20 Kb / host / day.
There are a couple of problems with this. As I operate in a secure environment, all outbound ports are blocked by default. We only allow certain protocols outbound, especially from user PCs.
Therefore, user PCs can only access http and https - that's it!
Also, only specified servers have access to the Internet and that access is restricted to specific IP addresses on specific ports only.
All Windows updates and F-Secure updates come from our internal servers.
If companies like RSA operated like that by default, then the threat vectors which exploit firewalls configured with little or no outbound access policy wouldn't happen. RSA is a really good example, as the lack of a stringent configuration on their firewall allowed hackers to set up an FTP service on an internal server and upload a complete customer database with security token information - a cardinal sin, some would say!
Then there's also the issue of the frequency of the requests multiplied by several hundred hosts - it causes unnecessary traffic to go via the firewall. I wasn't so concerned about the bandwidth as I gathered it'd be small amounts of data.
Therefore Peter, how would you suggest we proceed with this considering the current operational configuration restrictions of the software?
To clarify, for file/URL reputation to work, the F-Secure client needs to be able to access the Internet either directly or via an http-proxy, and the protocol used for the reputation lookups is HTTP. The F-Secure IP ranges used for the reputation lookups are documented here, which gives you the ability to control the granularity of the HTTP access granted to these specific servers.
And if you do experience issues/problems etc. when enabling lookups, let us know and we'll look into it.
Thanks for this article. My only concern is the number of different IPs that need to be configured within the firewall.
Is it therefore not possible to use an FQDN, which would naturally resolve to the most relevant host?
Even though I've previously said that, regarding server outbound access, we like to restrict to specific IP addresses, I'm not that keen on using IP-only rules for lookup services, due to the fact that if they change, then the lookup service will fail.
As far as the clients go, they pretty much have unrestricted http outbound access so that's an easy one to configure for me.
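The two operational worries raised in this thread, that a published IP list is long and that IP-only firewall rules silently break when the lookup service's addresses change, can both be checked mechanically. The script below is an added example written for this page, not code or configuration from F-Secure or from anyone in the thread; the hostnames (`lookup1.example.net` etc.) and address ranges are constructed placeholders drawn from the RFC 5737 documentation blocks, not the vendor's real lookup servers. It compares what DNS resolves for a set of hostnames against the CIDR allow-list actually loaded on the firewall, and collapses a long list of addresses into the fewest CIDR rules that give the same coverage.

```python
"""Audit a firewall IP allow-list against the hosts a client resolves.

Added example (not F-Secure's code or configuration). Hostnames and
address ranges below are constructed placeholders (RFC 5737 documentation
ranges), not the vendor's real reputation-lookup servers.
"""
import ipaddress
import socket

# Constructed allow-list, as it might appear in an egress firewall policy.
ALLOWED_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed stand-in for what DNS returned for hypothetical lookup hosts.
RESOLVED_SAMPLE = {
    "lookup1.example.net": ["192.0.2.10", "192.0.2.11"],
    "lookup2.example.net": ["198.51.100.200"],   # outside the /25 in the list
    "lookup3.example.net": ["203.0.113.5"],      # not allow-listed at all
}


def audit_allowlist(allowed_cidrs, resolved):
    """Return {hostname: [ip, ...]} for addresses no allowed network covers.

    An empty dict means every resolved address is still reachable through the
    IP-based rules; anything else is drift that would make lookups fail.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    uncovered = {}
    for host, ips in resolved.items():
        missing = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if missing:
            uncovered[host] = missing
    return uncovered


def summarize_ranges(entries):
    """Collapse individual addresses and networks into the fewest CIDR blocks.

    Adjacent ranges merge and duplicates drop, so a long published list turns
    into fewer firewall rules with identical coverage. Entries must all be
    the same IP version (ipaddress.collapse_addresses refuses mixed input).
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def resolve_hosts(hostnames):
    """Live IPv4 DNS resolution, for running the audit outside this offline
    example against whatever FQDNs the vendor documents."""
    resolved = {}
    for host in hostnames:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
        resolved[host] = sorted({info[4][0] for info in infos})
    return resolved


if __name__ == "__main__":
    drift = audit_allowlist(ALLOWED_CIDRS, RESOLVED_SAMPLE)
    for host, ips in drift.items():
        print(f"{host}: {', '.join(ips)} not covered by the allow-list")
    print("Collapsed rules:",
          summarize_ranges(ALLOWED_CIDRS + ["198.51.100.128/25"]))
```

Run periodically (for example from the proxy or a management host that is already allowed to resolve external names), a non-empty result from `audit_allowlist` is the early warning that the IP-only rules have gone stale, which is exactly the failure mode an FQDN-based rule would have avoided.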