Global Information Assurance Certification Paper

Copyright SANS Institute
Author Retains Full Rights

This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

Exhibit 1020 Page 1

SYMANTEC

Content Vectoring Protocol with Checkpoint and Interscan Viruswall
Jeff A. McConnell
March 4, 2002

Introduction

The global marketplace drives advancements in technology that lead to expanding markets and service areas that may not have been possible prior to the internet generation, which is currently in its infancy. As with almost any situation, a business (or an individual, for that matter) must be prepared to take the good along with the bad. Conducting business with a heavy reliance on computers and Internet connectivity presents many challenges to all levels of the organization. A central focus in this environment has become ensuring continuity of the business processes that rely on employees' workstation applications, email, e-commerce web sites and the numerous other data processing technologies in use today. These processes have come under fire in increasing numbers from a vast array of threats, from viruses up to international cyber crime. Several of the more costly situations that American industry has faced in the past three years have been the presence of viruses inside corporate networks with the ability to spread quickly through the network infrastructure. Wouldn't it be nice to have something that monitors all the traffic that enters and exits a network in real time, every second of the day?

Fortunately this situation can be made manageable with due diligence and common sense. TruSecure analyst Roger Thompson stated it best in a January 2002 article for ComputerWorld: "The bottom line of malware prevention remains the same: Filter, patch strategically and update your antivirus software. Use common sense to protect your network's vulnerabilities." Given the current nature of business, these tasks are often broad and overwhelming. There are several different ways that malware (malicious code or software, often classified as a virus or worm) can enter a network. Managing the content of inbound and outbound Internet traffic at the perimeter, beyond traditional firewall capabilities, is becoming a more vital defense in this daily battle. Checkpoint Software originally developed the specifications for the Content Vectoring Protocol to be integrated with its firewall product and to function simultaneously with separate vendors' anti-virus servers. Version 3 of Checkpoint's firewall was the first introduction of CVP into the marketplace, and as security needs have expanded, so have the capabilities of the specification. The CVP API (Application Program Interface) was published in November 1998 as an open specification and was well accepted by security industry leaders such as Symantec and Trend Micro. I would like to make clear in this document that there are many steps to defending against malicious attacks, worms or viruses, but one of the more prevalent targets recently, and one that allows harmful attacks to spread so rapidly, is the internet gateway. A CVP implementation can considerably reduce the risk of malicious content entering or leaving a network through an Internet connection. This technology, although relatively new, looks to have enormous benefit potential in several different applications and environments. I will cover the primary uses for CVP today in this discussion and hopefully spark new thinking in how to defend the barriers protecting your network and business.

Policy

Due to the severity of recent hybrid worms, companies are taking notice of how damaging these threats are and taking steps to guard against future disruptive instances. A primary focus might be to increase the awareness of users in your organization of the dangers that exist even while performing only routine activities. A typical user ordering office supplies online isn't going to be able to determine whether a Java applet is sending the contents of their clipboard to an undisclosed email address. Corporate policy can specify what is acceptable and unacceptable internet/computer use by employees; however, to tip the scales in favor of content security systems, malicious programs, viruses, etc. might enter a network even when industry best practices are in use. A portion of corporate policy that may not be covered in general would be the practices of the IT professionals and how the systems are to be handled. For example, who in an organization is responsible for reviewing logs and checking all pertinent security sites and publications on a daily basis for new threats and software updates? This is an all-inclusive plan where all dangers must be considered and followed up. The roles that users and administrators play in network defense are key to continuity, and the simplest of threats must be addressed. Removable media like floppies or CDs, laptops with unmonitored dial-up connections or home broadband connections, and internet access that may or may not be utilized according to corporate guidelines can still be harmful if a user isn't careful. IT professionals must also be sure to patch and update systems to eliminate new vulnerabilities.

Even faced with these circumstances, we must not discount the importance of protecting all internet and malware entry points that a corporation might have, since a large number of corporate networks are comprised of numerous locations, LANs, WANs, internet connections and mobile users. Any unprotected internet entry point can be a stepping stone to the next segment for a virus or worm: antivirus software with signatures unable to detect a new virus will pass infected attachments along as if they were legitimate, and they can travel through a corporate network or email system quite rapidly.

© SANS Institute 2000 - 2005. Author retains full rights.

Policy will be mentioned a few more times with regard to CVP implementation, mainly due to the dynamic environment in corporate America. Policies will assist a great deal in establishing rules and event handling for a Firewall/CVP implementation, and employees' awareness of these guidelines can also improve network and business stability.

Defending the Gate

Besides external media brought into your infrastructure, the entry point that is most often unchecked is the Internet connection. The need for a firewall when conducting business on the internet in its current state will not be covered here; it is assumed that your company has implemented at a minimum a packet filtering device or will be obtaining one in the near future.

Since the firewall is the traffic cop that blocks information flow or lets it through with some directional assistance based on rule sets, the OPSEC Content Vectoring Protocol is an effective way to increase the capabilities and value of the firewall itself. Traffic that arrives at a firewall is typically compared to a rule set that either allows the traffic along predefined routes, rejects it, or just drops the packet entirely. This can be effective when everything is clear-cut in terms of the access privileges given to your internal staff or to the public outside your network. Where a large number of incidents occur is where these definitive rules of acceptable use for Internet activity expose vulnerabilities and weaknesses in defenses.

OPSEC CVP

OPSEC, or Open Platform for Security, gives you the ability to manage a complete network through an open structure that allows third party applications written for security purposes to fit into the infrastructure through available APIs (application programming interfaces) or scripting languages. Having all components integrated into the OPSEC structure allows management and configuration of all aspects to be done from a central policy editor. OPSEC allows different components to be installed on different machines to eliminate compatibility issues among vendors as well as provide distributed processing, but it requires each piece to be aware of the others. A modular approach to securing a network is preferable because you can choose what platform or software best fits your environment, plus it adds the flexibility of upgrading single components without affecting others.

The newest generation of CVP incorporates a CVP Manager application packaged with VPN-1 and FireWall-1. CVP Manager can be set up to link several content validation servers to scan the same file multiple times. The ability to use separate servers provides simple load sharing of traffic across multiple validation servers, allowing scalability as well as failover among inspection servers. This can also come into play when a specific CVP server vendor has features another does not. For example, if you prefer to use a Symantec product for antivirus scanning and a Trend Micro product for real time HTTP or FTP traffic monitoring, you could utilize both products.

A great benefit for most of us on the defensive side of this ongoing battle is that the content vectoring protocol was developed with the intention of allowing a number of firewalls or packet routing devices to use a common validation server. This ability will become more meaningful as the Internet matures and the threats being faced each day continue their dramatic increase. For the 3rd year in a row the number of reported security incidents as well as reported vulnerabilities has doubled. This pace is quite alarming, and most IT professionals have already begun seeing the need to focus more on security issues with their computer and network systems, to the point where it has become a scrutinized, budgeted cost of doing business.

CVP Client Server Relationship

The OPSEC environment employs a standard client and server relationship where the client locates the server as well as initiates the connection to the server. The CVP client makes connections to the CVP server based on rules defined in the security policy. The client can connect and send traffic in a data stream in one of the following three methods:

• Authenticated Connection using Secure Sockets Layer - does not encrypt data
• Checkpoint Proprietary Authentication - uses Checkpoint authentication algorithm
• Clear Text - authentication and data pass in clear text

**The API does not currently support encrypted connections

The CVP client collects traffic from a data stream in a buffer so that it can "look ahead" and be manipulating the traffic prior to receiving the entire stream. The client will then send a portion of the data to the CVP server for inspection along with an event handler specifying the number of bytes sent. The CVP server will analyze the data stream according to the type and role of the server: an antivirus server will inspect entire files against a known list of viruses, or a certificate validation server will check the validity of certificates in HTTP traffic. At this point the CVP server has control over what the original destination will receive, and it delegates this responsibility to the client to carry out one of three tasks:

• Send data from the buffer to the CVP server for inspection
• Send data from the buffer to the destination - this will occur when content inspection deems the traffic acceptable
• Send data from the CVP server to the destination - events causing the data to be changed could be virus or HTTP control removal

The data stream itself, however, is not the only information being transmitted between client and server.

CVP Clients communicate:

• Connection information - source IP and destination port
• Data information - file type or protocol ID
• Expected Server Actions - replace or modify harmful file content

CVP Servers communicate:

• Impression of the original data stream's safety (safe, unsafe, unreadable)
• Impression of the validated data stream's safety (safe or unsafe)
• Actions, if any, taken to secure data (data rejected, removed, modified to cure a virus)

The Content Vector Server's conclusion about a data stream has a different application for each role the CVP server can fill. An antivirus server will react differently than an authentication server would.

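The buffer, hand-off and verdict exchange described in this section, as an added example that is not code from the paper, Check Point or Trend Micro. The class and field names, the chunk size, the scan marker and the message layout are constructed for illustration; the real OPSEC CVP API wire format is not reproduced.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed marker that the toy antivirus server treats as "virus code".
# It is not a real signature; it only stands in for the pattern database.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
CHUNK = 16  # bytes handed to the server per send (the client's look-ahead window)


@dataclass
class Verdict:
    """What the CVP server reports back to the client."""
    original_safety: str             # "safe", "unsafe" or "unreadable"
    validated_safety: Optional[str]  # safety after the server acted, if it did
    action: str                      # "none", "modified" or "rejected"
    cured: bytes = b""               # replacement stream when action == "modified"


class AntivirusServer:
    """Toy CVP server in the antivirus role: inspects the whole file and,
    when the client allowed Read/Write, removes the matched pattern."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self._mode = "ReadOnly"

    def open(self, src_ip: str, dst_port: int, file_type: str, mode: str) -> None:
        # Connection and data information sent by the client; mode is the
        # expected server action (None / ReadOnly / Read/Write).
        self._buf.clear()
        self._mode = mode

    def receive(self, chunk: bytes, nbytes: int) -> None:
        # The event handler carries the byte count; refuse inconsistent sends.
        if len(chunk) != nbytes:
            raise ValueError("byte count does not match chunk length")
        self._buf += chunk

    def finish(self) -> Verdict:
        data = bytes(self._buf)
        if not data:
            # Nothing inspectable: stand-in for content a server cannot parse
            # (a password-protected archive, for instance).
            return Verdict("unreadable", None, "none")
        if SIGNATURE not in data:
            return Verdict("safe", None, "none")
        if self._mode != "Read/Write":
            return Verdict("unsafe", None, "rejected")  # may report, not cure
        return Verdict("unsafe", "safe", "modified", data.replace(SIGNATURE, b""))


class CvpClient:
    """Firewall side: buffers the stream, hands it to the server in chunks,
    then performs one of the three tasks the server delegates back."""

    def __init__(self, server: AntivirusServer, mode: str = "Read/Write") -> None:
        self.server = server
        self.mode = mode

    def process(self, stream: bytes, src_ip: str, dst_port: int,
                file_type: str) -> Tuple[str, bytes]:
        """Return (task carried out, bytes delivered to the original destination)."""
        self.server.open(src_ip, dst_port, file_type, self.mode)
        buf = bytearray()
        for i in range(0, len(stream), CHUNK):
            chunk = stream[i:i + CHUNK]
            buf += chunk                        # look-ahead buffer
            self.server.receive(chunk, len(chunk))
        verdict = self.server.finish()
        if verdict.original_safety == "safe":
            return "buffer-to-destination", bytes(buf)
        if verdict.action == "modified" and verdict.validated_safety == "safe":
            return "server-to-destination", verdict.cured
        # unsafe and uncleanable, or unreadable: fail closed and deliver nothing
        return "rejected", b""


if __name__ == "__main__":
    client = CvpClient(AntivirusServer())
    print(client.process(b"abc" + SIGNATURE + b"def", "203.0.113.5", 25, "text/plain"))
```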
CVP Configuration

Getting CVP set up can be complex depending on your organizational needs; however, for a single internet entry point, the evolution of the OPSEC environment as a whole has streamlined this process among different vendors. Without going into much detail about what and where to purchase your software, let's assume we will be using a Checkpoint Firewall-1 server with a Trend Micro Viruswall CVP server.

Client Setup

The CVP client in this case will be the Checkpoint Firewall, which has this software feature built into the base product. The firewall will have a Security Policy made up of representative objects and rule sets that are applied in a top to bottom, per packet analysis.

First let's define what our CVP host will be through an object in the rule base, which will simply be a descriptive name, an IP address, and any special routing instructions if necessary. If your setup will have more than one content validation server then those host objects will need to be created as well. In order to utilize the abilities of the OPSEC CVP implementation we must specify which CVP server will be associated with each CVP service. In the simplest case all CVP services (FTP, HTTP, SMTP) will be associated with a single CVP server, but the option to define more is available to the client if you need HTTP scanning done on a different platform, for example. The Checkpoint object that represents a particular CVP Server type is depicted below:

[Screenshot: two CVP Server Properties dialogs, General tab. Left: Comment "HTTP AntiVirus Server", Host "AntiVirus", Service "FTP_AV". Right: Comment "SMTP AntiVirus Server", Host "AntiVirus", Service "FW1_cvp". Each has a Color field and OK, Cancel and Help buttons.]

The properties of the CVP servers can be changed to send HTTP to a different validation host than SMTP traffic, as well as to define a separate service. The service parameters referenced above are predefined services in the firewall (CVP client) that allow the client to manipulate traffic in the rule base at a more granular level. For example, the CVP and FTP antivirus services are defined as TCP services, represented by objects in the Firewall-1 GUI that have some basic definable parameters:

[Screenshot: two TCP Service Properties dialogs, General tab. Left: Name (illegible), Comment "FTP Anti-Virus". Right: Name (illegible), Comment "Check Point OPSEC Content Vectoring Proto...". Both show Color, Source port range (from/to), Protocol Type "None" and a Fast Mode checkbox, with OK, Cancel and Help buttons.]

This tells us how the client will communicate with the CVP server. When the CVP client must utilize the server for data stream inspection it will pass along the necessary information so that the CVP server can take the proper course of action.

[Screenshot: two SMTP Definition dialogs with General, Match, Action1 and Action2 tabs. Left (Match tab): Sender "*", Recipient "*@abc123.co...". Right (Action2 tab): Strip MIME of type; Don't Accept Mail Larger Than (value garbled in capture); CVP Server "SMTP-Scan..." with None / Read Only / Read/Write (Read/Write selected); Allowed Chars: 8-bit (selected) / 7-bit (no CTRL chars). OK, Cancel and Help buttons.]

Above are some property variables that apply to the CVP client's communication with the CVP server on how to handle the data it sends for inspection. In the left hand capture, we are specifying the characteristics a data stream has to possess or match before redirection to the CVP server will take place. In this example, any Sender (*) trying to send SMTP mail to any (*) recipient at the ABC123.COM domain will be sent to the CVP server for content validation. The right hand capture adds action parameters such that only files under 20 megabytes will be allowed and that the CVP server is expected to modify (Read/Write) files. The ability to Read and Write would be necessary for the server to be able to clean viruses from email attachments. Now that we know what the client is expecting the CVP server to do, the traffic must have a method for getting to the CVP server carrying those instructions.

A standard method for routing IP traffic to the proper destination is used when the CVP client needs to have data validated. Typical rule sets or access lists usually involve 4 items: a source, a destination, a service/protocol, and the action taken if encountered.

Source              | Destination               | Service              | Action
Internet SMTP Hosts | Internal SMTP Mail Server | Scanned SMTP Service | Accept

This rule simply states that any Internet SMTP relay host can send traffic to your internal email server through port 25 and it will be accepted. However, the role of the CVP client is important to note because it is acting as an integral part of the Scanned SMTP Service in this case. Any SMTP traffic destined for your internal email server is to be buffered by the CVP client and delivered to the CVP server for inspection before the final destination receives it.

Source                    | Destination         | Service              | Action
Internal SMTP Mail Server | Internet SMTP Hosts | Scanned SMTP Service | Accept

A similar rule should be applied to outgoing mail as well, since you certainly don't want to risk sending viruses to clients.

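A first-match evaluation of the two rules above, applying the SMTP Definition's Match and Action settings whenever the Scanned SMTP Service is hit. This is an added example and not FireWall-1 code: the address ranges, the mail server address, the outbound resource's sender/recipient patterns, the 20000 KB size limit and the assumption that unmatched traffic is dropped are all constructed.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed network objects: the internal network and the mail server in it.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = ipaddress.ip_address("10.0.1.25")

Matcher = Callable[[ipaddress.IPv4Address], bool]


def internet_smtp_hosts(ip) -> bool:   # the "Internet SMTP Hosts" object
    return ip not in INTERNAL_NET


def internal_mail_server(ip) -> bool:  # the "Internal SMTP Mail Server" object
    return ip == MAIL_SERVER


@dataclass
class SmtpResource:
    """The SMTP Definition: Match tab (sender/recipient wildcards) and
    Action tab (size limit, CVP server and access mode)."""
    sender: str
    recipient: str
    max_size_kb: int
    cvp_server: str
    mode: str  # "None", "ReadOnly" or "Read/Write"

    def matches(self, mail: Dict) -> bool:
        return (fnmatch.fnmatchcase(mail["from"].lower(), self.sender.lower())
                and fnmatch.fnmatchcase(mail["rcpt"].lower(), self.recipient.lower()))


@dataclass
class Rule:
    source: Matcher
    destination: Matcher
    port: int
    action: str
    resource: Optional[SmtpResource] = None  # set for "Scanned SMTP Service"


@dataclass
class Decision:
    rule_no: int          # 0 means no rule matched
    action: str           # "accept", "reject" or "drop"
    cvp_server: str = ""  # where the client buffers the stream to, if anywhere
    mode: str = ""


def evaluate(rules: List[Rule], src: str, dst: str, port: int,
             mail: Optional[Dict] = None) -> Decision:
    """Top to bottom, first match wins, as the firewall applies its rule base."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, rule in enumerate(rules, start=1):
        if not (rule.source(src_ip) and rule.destination(dst_ip) and rule.port == port):
            continue
        if rule.resource is None:
            return Decision(n, rule.action)
        # A resource rule only matches mail that the resource's Match tab
        # accepts; anything else falls through to the next rule.
        if mail is None or not rule.resource.matches(mail):
            continue
        if mail["size_kb"] > rule.resource.max_size_kb:
            return Decision(n, "reject")  # Action tab size limit
        return Decision(n, rule.action, rule.resource.cvp_server, rule.resource.mode)
    return Decision(0, "drop")  # assumption: unmatched traffic is dropped


# The inbound and outbound Scanned SMTP rules from the text (20 MB as 20000 KB).
INBOUND = SmtpResource("*", "*@abc123.com", 20000, "SMTP-Scan", "Read/Write")
OUTBOUND = SmtpResource("*@abc123.com", "*", 20000, "SMTP-Scan", "Read/Write")
RULES = [
    Rule(internet_smtp_hosts, internal_mail_server, 25, "accept", INBOUND),
    Rule(internal_mail_server, internet_smtp_hosts, 25, "accept", OUTBOUND),
]
```

Mail that matches neither resource's recipient pattern (a relay attempt through the internal server, for example) matches no rule and is dropped rather than forwarded to the CVP server.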
Scanning web or HTTP traffic also has parameters to take into consideration. Captures of the CVP client resources for the Hypertext Transfer Protocol show some parameters that the client will communicate to the CVP server. In the case of HTTP, the CVP client will ensure content validation based on what is defined in the URI, or Uniform Resource Identifier.

[Screenshot: two URI Definition dialogs. Left (General tab): Name, Comment "Scanned HTTP Res...", Color; Connection Methods: Transparent, Proxy, Tunneling; Exception Track: None / Log / Alert; URI Match Specification Type: Wild Cards / File / UFP. Right (Action tab): Replacement URI; HTML Weeding: Strip Script Tags, Strip Applet Tags, Strip ActiveX Tags; Response Scanning: Block JAVA Code; CVP Server "HTTP-Scan..." with None / Read Only / Read/Write (Read/Write selected). OK, Cancel and Help buttons.]

[Screenshot: URI Definition dialog, Match tab. Schemes: http, ftp, gopher, mailto, news, wais, Other; Methods: GET, POST, HEAD, PUT, Other; Host, Path and Query fields; OK, Cancel and Help buttons.]

URI resources can define schemes or protocols such as HTTP, FTP, GOPHER etc., methods or commands (GET, POST), individual hosts (for example, "*.com", "*.net"), paths and queries. The settings for the HTTP traffic to be inspected are all schemes, methods and hosts, with the ability to modify (Read/Write) traffic, logging only unsafe exceptions. When scanning HTTP, a few more configurable parameters are available to security administrators, such as not allowing JAVA applets even on resources that are otherwise allowed. JAVA applets, JAVA scripts and ActiveX can be removed from HTML altogether through the client configuration.

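The HTML weeding that a Read/Write HTTP resource asks for (strip script, applet and ActiveX tags), as an added example that is not Check Point or Trend Micro code. It goes slightly beyond the page: inline on* event handler attributes are stripped as well, since removing the tags alone leaves script behind in them. The sample page, the tag sets and the function names are constructed.

```python
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple

# Elements removed together with their content, one set per "Strip ... Tags"
# option; object/embed are treated as the carriers of ActiveX controls.
SCRIPT_TAGS = {"script"}
APPLET_TAGS = {"applet"}
ACTIVEX_TAGS = {"object", "embed"}


class HtmlWeeder(HTMLParser):
    """Re-emits the document while skipping weeded elements and their content."""

    def __init__(self, strip: Set[str]) -> None:
        super().__init__(convert_charrefs=False)
        self.strip = strip
        self.out: List[str] = []
        self.skip_depth = 0   # greater than zero while inside a weeded element
        self.removed = 0      # weeded elements and handlers, for the log entry

    def _emit_start(self, tag: str, attrs, selfclosing: bool) -> None:
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):   # inline event handler
                self.removed += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"' if value is not None
                        else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}{' /' if selfclosing else ''}>")

    def handle_starttag(self, tag, attrs):
        if tag in self.strip:
            self.skip_depth += 1
            self.removed += 1
        elif not self.skip_depth:
            self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag in self.strip:
            self.removed += 1
        elif not self.skip_depth:
            self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in self.strip:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skip_depth:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def weed(html: str, strip: Optional[Set[str]] = None) -> Tuple[str, int]:
    """Return the cleaned HTML and the number of items removed."""
    weeder = HtmlWeeder(SCRIPT_TAGS | APPLET_TAGS | ACTIVEX_TAGS if strip is None else strip)
    weeder.feed(html)
    weeder.close()
    return "".join(weeder.out), weeder.removed


# Constructed sample page: a harmless paragraph beside the things weeding removes.
SAMPLE = ('<html><body><p>Quote: 5 &amp; 6</p>'
          '<script>document.title = "x";</script>'
          '<applet code="Demo.class"></applet>'
          '<object classid="clsid:0000"><param name="a" value="b"></object>'
          '<a href="/x" onclick="go()">link</a></body></html>')
```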
URL Filtering is another mainstream function for a CVP client that integrates well with Firewall-1 and the CVP specification. URL filtering gives companies the capability to monitor, manage and report traffic traveling from their internal network to the Internet. The client would send the traffic to the CVP server, where it would be compared against a list of predefined URLs that are classified as either accessible or not, for example. This technology and these features can be found in other products; however, they are not present in the product being discussed from Trend Micro.

CVP Servers

Hopefully a clear definition of what role a CVP client plays in the inspection process has been given at this point. Since the client's responsibilities include getting the traffic over to the inspection server with the proper parameters and necessary information, determining how the CVP server will manipulate the traffic would be the next setup requirement. This discussion will be referencing Trend Micro's Virus Wall server, which was one of the earlier products that integrated seamlessly with Checkpoint's Firewall-1. Viruswall is able to scan files that travel to and from the Internet in real time or pass-through mode, so that the process is transparent to users and not a disruptive feature. The product detects viruses by pattern matching key areas of suspect files against strings of virus code, compared against a database of known virus patterns. The software also has the ability to recognize over twenty types of compression formats. Files that are compressed are opened and examined for viruses; even if a compressed file contains more compressed files inside it, Viruswall will decompress the embedded files recursively up to twenty times until all files have been scanned.

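The recursive decompression just described, as an added example that is not Trend Micro code: a scanner that opens nested ZIP archives up to twenty levels deep, reports anything deeper, encrypted or corrupt as unreadable, and caps member size as a guard against decompression bombs. The marker pattern, the 8 MiB member cap and the function names are constructed assumptions.

```python
import io
import zipfile
from typing import List, Tuple

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed marker, not a real signature
MAX_DEPTH = 20                  # decompress embedded archives at most twenty times
MAX_MEMBER = 8 * 1024 * 1024    # assumption: refuse members larger than 8 MiB

Finding = Tuple[str, str]       # (path inside the stream, verdict)


def scan_stream(data: bytes, name: str = "<stream>", depth: int = 0) -> List[Finding]:
    """Scan one file; if it is an archive, scan each member recursively.
    Verdicts are the three the CVP server reports: safe, unsafe, unreadable."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, "unsafe" if SIGNATURE in data else "safe")]
    if depth >= MAX_DEPTH:
        return [(name, "unreadable")]  # opening it would be decompression 21
    findings: List[Finding] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = f"{name}/{info.filename}"
                # Read one byte past the cap so an oversized (or lying) member
                # is caught without inflating it fully into memory.
                with zf.open(info) as member:
                    content = member.read(MAX_MEMBER + 1)
                if len(content) > MAX_MEMBER:
                    findings.append((path, "unreadable"))
                    continue
                findings.extend(scan_stream(content, path, depth + 1))
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # corrupt archive, encrypted member, or unsupported compression method
        findings.append((name, "unreadable"))
    return findings


def overall(findings: List[Finding]) -> str:
    """Collapse per-member verdicts into the stream verdict sent to the client."""
    verdicts = {verdict for _, verdict in findings}
    if "unsafe" in verdicts:
        return "unsafe"
    return "unreadable" if "unreadable" in verdicts else "safe"


def nest(payload: bytes, levels: int, inner: str = "payload.bin") -> bytes:
    """Test helper: wrap payload in `levels` nested ZIP archives."""
    data, member = payload, inner
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, data)
        data, member = buf.getvalue(), f"level{level}.zip"
    return data
```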
A CVP server would normally be placed in a strategic section of a network so that it doesn't have any interaction with many other hosts or portions of the network you're protecting. Logically speaking, it's a good idea to isolate a server whose intended purpose is to accept and process often malicious traffic. Most implementations locate the CVP server in a DMZ, or Demilitarized Zone. A DMZ will usually be located between the Internet and the private network that is being protected, most often by a firewall. The firewall or packet filtering device will direct specific traffic to the host in the DMZ for processing. More common implementations housed in a DMZ would be web, ftp, or mail servers that have to be publicly accessible but at the same time somewhat protected. In this case, the CVP server won't be publicly accessible, but for purposes of protecting the internal network it should be located in a DMZ controlled by the firewall. The firewall would need to be set up to allow traffic from the Internet or internal network to be redirected to the CVP server for inspection prior to entry or exit. We will assume this has been configured properly.

[Network diagram: the Internet connected to the firewall, which acts as the CVP Client.]

Trend Micro's VirusWall is a CVP aware application that integrates with Firewall-1 through Checkpoint's CVP API. Once the CVP client setup has been completed, Viruswall can be operational fairly quickly. After software installation, the necessary configuration modifications and setup parameters need to be defined so that client and server can exchange data streams for analysis.

SMTP configuration parameters are represented below. Some options listed here should mirror the CVP client setup; for example, port number 18181, which the server listens on, must be the same port that the client communicates on.

[Screenshot: InterScan VirusWall SMTP Configuration tab (other tabs: HTTP Configuration, FTP Configuration, Advanced Options, Virus Encyclopedia, Active Update, Log File). Inbound Mail: Enable Virus Scanning (checked); Outbound Mail button. FireWall-1 CVP Configuration: Service Port 18181; Enable Authenticated OPSEC Connections (unchecked; requires FireWall-1 to be configured for authentication). Scan: All attached files (selected) / Files with the following extensions. Notification: Warning to user(s) "InterScan has detected virus(es) in users' e-mail attachment."; Warning to sender "Sender, InterScan has detected virus(es) in your e-mail attach..."; Warning to recipient "Receiver, InterScan has detected virus(es) in the e-mail attach..."; Safestamp; Virus message. Action on Viruses: Pass / Move / Auto Clean (selected) / Delete, with an Option button. Save and Reset buttons.]

Other options not defined by the client are essential for proper operation. The option to enable virus scanning for inbound mail must be checked, plus a definition of what to scan needs to be configured. In most cases scanning all files is recommended, but depending on what policies are in place for the organization, these settings can be modified to suit your needs. Outbound mail scanning might be an essential part of your defensive strategy as well; enabling this option is configurable also.

[Screenshot: Outbound SMTP Mail Processing dialog. Setup: Enable outbound mail processing (checked); a field for the IP address(es) of any mail server that will be sending outgoing mail to the InterScan machine (comma delimited; if this includes the InterScan machine itself, use 127.0.0.1 along with the IP address of the local host). Virus Scanning: Enable outbound mail virus scanning (checked); Stop delivery of infected outbound messages (checked; messages will be placed in the quarantine directory); Send notification messages to: Sender (checked), Administrator (checked). Additional Message Text: Add customized text to every outbound mail message at the top / the bottom of each message; Edit Customized Text button.]

This configuration menu is accessible from the SMTP folder tab under the Outbound Mail Option button. Scanning outbound mail from an internal mail server can be set up by specifying its IP address; make sure the firewall is set up to pass SMTP (port 25) to the host in the DMZ where the CVP server is located. Delivery of infected messages can be stopped and/or quarantined, and a notification can be added to each outbound message stating something along the lines that it has been scanned for viruses prior to delivery.

One of the actions we defined on the CVP client is that when it sends data streams over to the CVP server, it expects the CVP server to clean viruses if possible. This screen allows us to tell the server to follow the instructions of the client: clean the files if possible, delete virus files that cannot be cleaned, and notify sender and recipient of the action that was taken.

[Screenshot: Auto Clean Option dialog. Send Cleanable File(s) to: first option (label illegible, checked) / Recipient (send cleaned file in a separate msg). Action on Uncleanable File(s): Notify sender (checked); Notify recipient (unchecked) and do the following to the file: Delete (selected) / Move / Pass.]

Even though you may have antivirus software on every link in the delivery chain within your network, an administrator can ensure that no new viruses are getting in regardless of how often the individual workstations are being updated. Updating all workstations and servers as often as necessary can become too challenging.

VirusWall software is also capable of detecting viruses not only in email but in file downloads as well. HTTP and FTP are two industry standard methods of delivering files to users or clients over the Internet.

[Screenshot: InterScan VirusWall FTP Configuration tab. On/Off: Enable Virus Scanning (checked). FireWall-1 CVP Configuration: Service Port 19001; Enable Authenticated OPSEC Connections (unchecked; requires FireWall-1 to be configured for authentication). Options: Send 1024 bytes of data to client for every 512 kilobytes received. Scan: All files (selected) / Files with the following extensions. Notification: SMTP server, SMTP port 25, Warning to user(s) "InterScan has detected virus(es) in user's FTP traffic.", Virus message. Action on Viruses: Move / Delete / Auto Clean (selected) / Pass, with an Option button. Save and Reset buttons.]

FTP virus scanning configuration is a straightforward setup where we enable virus scanning and specify port 19001, on which the server will listen for communication from the client. We would want to scan all files again and specify who will be notified, and where, if a virus is found. The Auto Clean Option again will let us specify what to do when a file beyond repair is encountered.

[Screenshot: FTP Auto Clean Option dialog. Action on Uncleanable File(s): Move / Delete (selected) / Pass.]

HTTP scanning options are almost identical, except for some optional settings for data unique to HTTP. The standard Enable check box, listening port specification of 19000, scanning of all downloaded files, and event notification options are common between HTTP and FTP. Some additional options for configuring actions for Java and MIME encoding are present on this page. If expected actions are configured on the CVP client for Java or ActiveX removal, for example, the options should be reflected in the server setup as well.

[Screenshot: InterScan VirusWall HTTP Configuration tab. On/Off: Enable Virus Scanning (checked). FireWall-1 CVP Configuration section. Options: Enable Java ... Security (label partly garbled, unchecked); MIME; Log HTTP requests (checked); Send 1024 bytes of data to client for every (value illegible) kilobytes received. Scan: All files (selected) / Files with the following extensions. Notification: SMTP server, SMTP port 25, Warning to user(s) "InterScan has detected virus(es) in user's HTTP traffic.", Virus message. Action on Viruses: Pass (allow users to download virus files) / Move / Delete / Auto Clean (selected), with an Option button. Save and Reset buttons.]

Auto Clean Options remain similar across the two protocols as well:

[Screenshot: HTTP Auto Clean Option dialog. Action on Uncleanable File(s): Delete (selected) / Move / Pass.]

Duplication of configuration options may seem unnecessary for FTP and HTTP, but having the ability to specify settings at a more granular level is important in this scenario.

Advanced options are available on a separate folder tab where added features can be modified. The From: or sender address for notification messages is defined here, as is the method for sending these notifications. One option your environment may require is to block Microsoft Office attachments that contain macros; otherwise the defaults are usually appropriate.

[Screenshot: InterScan VirusWall Advanced Options tab. Common: "From:" address used in notifications (save and then restart the InterScan services if you change it); Plug-In Manager. E-Mail VirusWall: Send InterScan notification/generated messages to SMTP Server "default" ("default" = use DNS) at port 25; the capture is cut off at "When DNS delivery is u".]
