In the age of digital economy, applications have become the lifeblood of corporations, and protecting them is paramount for productivity and profitability. Most applications render services via the Web, and privacy and data protection concerns have fueled growth in encryption use. While encryption provides protection for data in transit, it also presents an opportunity for nefarious actors to encrypt their own payloads to bypass detection by anti-malware engines and conceal device infections, hide data exfiltration, and obfuscate (Steganography) botnet communications with command and control servers. Moreover, most Anti-Virus vendors don't intercept HTTPS traffic and allow for potential attackers to compromise files. Once inside the SSL/TLS chain of trust, malware can use a variety of tools like TOR to evade security controls and transform encryption tunnels into infection chains. Layered security approaches like daisy-chaining devices and continuous monitoring of activities not only cannot scale but also add to complexity, latency and loss of productivity.

But, there's hope...Internet Content Adaptation Protocol (ICAP) services give us a way to solve these issues. ICAP services use the RFC3507 ICAP protocol to refer HTTP traffic to one or more content adaptation devices to inspect or modify the data. You can add an ICAP service to any TCP service chain, but only HTTP traffic is sent to the chain. Additionally, you can configure up to ten ICAP services using the configuration utility to load-balance across them.

To address these challenges, F5 has teamed up with OPSWAT to allow for comprehensive content analysis without compromises. All F5 products that expose ICAP interfaces (like BIG-IP ASM and SSL Orchestrator) can take full advantage of OPSWAT’s MetaDefender capabilities.  These capabilities include thorough malware scanning using over 30 leading antivirus engines, as well as Content Disarm and Reconstruction (CDR) services for content sanitization and file vulnerability assessment.

OPSWAT Deployment In F5 Ecosystem

 

MetaDefender Integration With F5 BIG-IP

 

OPSWAT’s independently deployable MetaDefender is built on proven technology that offers the in-depth customizable logic of OPSWAT Multiscanning for granular content inspection capability, greater capacity for file type analysis, archive extraction, and the power to remove all traces of malware from files without impacting usability or performance. MetaDefender CDR detects and disables malicious Active Content like embedded Macros. Furthermore, MetaDefender has an application-centric perspective whereby it detects unresolved vulnerabilities in files pertaining to over 20,000 software applications. MetaDefender integrates seamlessly with both reverse and forward proxies for total protection in file uploads and file downloads.

 

Abstraction Of MetaDefender Platform

 

ICAP performs content manipulation as a service for the appropriate client HTTP request or HTTP response. This service is also referred to as "content adaptation." Readymade iApp templates in MetaDefender provide configuration ease so that profile setting for application services is automated through a wizard. Once the iApp script runs, a profile is defined and ICAP virtual servers and pools are established.

ICAP clients (clients on F5 side) communicate in reverse or forward proxy modes with the BIG-IP ASM or SSLO which sends HTTP messages to ICAP servers (MetaDefender) to support business-critical use cases such as file upload/downloads. The ICAP server executes its transformation service on messages and sends back responses to the F5 proxy with results on TCP port 1334. MetaDefender performs malware detection and data sanitization through CDR and either returns the payload untouched, modifies the data (removes the sensitive information and/or malware payload), or simply indicates that the examined file(s) are free of malicious content. Typically, the adapted messages are either HTTP requests or HTTP responses.

 

 

Content Disarm and Reconstruction (CDR) In Action

 

One of the greatest benefits of using the Metadefender ICAP Server is the "one-step configuration" in the beginning of the integration.  All future updates and enhancements may be rolled in without additional integration efforts. Moreover, automation of traffic steering by offloading file inspection to MetaDefender reduces administrative costs and enables DevSecOps to gain more value from investments already made in security services.

 

F5 SSL Orchestrator and OPSWAT MetaDefender File Upload/Download Security

SSL Orchestrator (SSLO) eases the creation and maintenance of such custody chains by determining whether traffic should bypass or be decrypted and sent to one service or another. MetaDefender inspects files using content metanalysis for integrity monitoring and verification of malware-free payload.  Through Dynamic Service Chaining -- decrypt once, inspect often, re-encrypt once -- operational efficiency is attainable. F5 SSLO provides high-performance decryption of inbound and outbound SSL/TLS traffic, enabling security inspection to expose threats and stop attacks using contextual classification engines. Provisioning and deployment is straightforward and requires configuring MetaDefender.  The below screenshots show the ICAP Server and SSL Orchestrator Management Console interface which accomplishes this configuration. 

 

 

To test the setup, simply use a test file such as eicar over HTTPS.  Last, you can check ICAP History on OPSWAT MetaDefender ICAP Server side to view the archives of file analysis (screenshot below).

 

Viewing File Upload/Download History In MetaDefender User Interface

 

Since ICAP can perform a variety of services including Data Loss Prevention (DLP), deploying OPSWAT MetaDefender services through ICAP provides for seamless service additions without operational disturbance and the need to reconfigure web apps.  This can apply to both request (client-to-server) and response (server-to-client) payloads.