ESET GATEWAY SECURITY Installation Manual and User Guide (intended for product version 4.
Contents

1. Introduction
1.1 Main functionality
1.2 Key features of the system
2. Terminology and abbreviations
3. System
1. Introduction

Thank you for using ESET Gateway Security - the premier security system for Linux, BSD and Solaris. ESET's state-of-the-art scanning engine has unsurpassed scanning speed and detection rates combined with a very small footprint that makes it the ideal choice for any server on Linux, BSD and Solaris.

1.1 Main functionality

Hypertext Transfer Protocol filter (HTTP)
The HTTP filter module is an HTTP 1.
Web interface
Configuration, administration and license management are offered through an intuitive and user-friendly web interface.

Remote administration
The system supports ESET Remote Administrator for management in large computer networks.

No external libraries
The ESET Gateway Security installation does not require external libraries or programs except for LIBC.
2. Terminology and abbreviations

In this section, we will review the terms and abbreviations used in this document. Note that boldface font is reserved for product component names and also for newly defined terms and abbreviations. Terms and abbreviations defined in this chapter are expanded on later in this document.

ESETS
ESET Security is a standard acronym for all security products developed by ESET, spol. s r. o. for Linux, BSD and Solaris operating systems.
3. System requirements

The following requirements must be met before the installation process in order to run ESET Gateway Security properly:

250MB of hard-disk space
256MB of RAM
glibc 2.3.6 or higher
2.6.x Linux OS kernel versions

ESET Gateway Security should work on most recent and frequently used open-source Linux distributions if the above criteria are met.
4. Installation

After purchasing ESET Gateway Security, you will receive your authorization data (Username, Password and license key). These credentials identify you as an ESET customer, and are required to download updates for ESET Gateway Security. The Username/Password data is also required for downloading the initial installation package from our web site. ESET Gateway Security is distributed as a binary file: esets.arch.ext.
Enter your Username and Password information into the global section of the ESET configuration file using a text editor:

vi @ETCDIR@/esets.cfg

Edit the ESETS Update options section of the ESETS configuration file:

av_update_username = "EAV-12345678"
av_update_password = "yourpassword"

Start the main daemon service:

Linux OS: /etc/init.d/esets start
BSD OS: /usr/local/etc/rc.d/esets.
5. Architecture Overview

Once ESET Gateway Security is successfully installed, you should become familiar with its architecture.

Figure 4-1. Structure of ESET Gateway Security.

The structure of ESET Gateway Security is shown in Figure 4-1. The system is comprised of the following parts:

CORE
The core of ESET Gateway Security is the ESETS daemon (esets_daemon). The daemon uses ESETS API library libesets.so and ESETS loading modules em00X_xx.
@ETCDIR@/license
This directory is used to store the product(s) license key(s) you have acquired from your vendor. Note that the ESETS daemon will check only this directory for a valid license key.

@ETCDIR@/scripts/license_warning_script
If enabled by the Scheduler task named Threat notification, this script will be executed 30 days (once per day) before product license expiration, sending an email notification about the expiration status to the system administrator.
6. Integration with Internet Gateway services

ESET Gateway Security protects the organization’s HTTP and FTP services against viruses, worms, trojans, spyware, phishing and other internet threats. The term Gateway Server refers to layer 3, or the ‘router’ level of the ISO/OSI model. In this chapter, we review the process of integrating ESET Gateway Security with various services.

6.
6.2 Manual HTTP/FTP proxy configuration

The manual proxy configuration (see Figure 5-2) is characterized by explicitly configuring the proxied user agent to listen on a specific port and address of the parent proxy.

Figure 5-2. Scheme of ESET Gateway Security as a manual proxy

With this configuration, the proxy server usually modifies transferred requests and/or responses, i.e., non-transparent mode. The manual proxying functionality of esets_http has been tested with a wide range of common user agents (i.
In the following example, esets_http is configured to listen on port 8080 of the gateway server, with a local network IP address of 192.168.1.10, by specifying the following parameters in the [http] section of the ESETS configuration file:

agent_enabled = yes
listen_addr = "192.168.1.
predefined port and reload the ESETS daemon service. In default mode, the installer shows all steps which will be performed and also creates a backup of the configuration, which can be restored later at any time. The detailed installer utility steps for all possible scenarios are also described in appendix A of this documentation. The second step of the ICAP configuration method is activating the ICAP client functionality within the Proxy Cache.
6.5.1 Operation principle

The esets_ssfi.so module is a plug-in to access all objects processed by the SafeSquid proxy cache. Once the plug-in accesses the object, it is scanned for infiltrations using the ESETS daemon. If the object is infected, SafeSquid blocks the appropriate resource and sends the predefined template page instead. The esets_ssfi.so module is supported by SafeSquid Advanced version 4.0.4.2 and later. Please refer to the esets_ssfi.so(1) man pages for more information.

6.5.
7. Important ESET Gateway Security mechanisms

7.1 Handle Object Policy

The Handle Object Policy (see figure 6-1) mechanism provides filtering for scanned objects based on their status. This functionality is based on the following configuration options:

action_av
action_av_infected
action_av_notscanned
action_av_deleted

For detailed information on these options, please refer to the esets.cfg(5) man page.

Figure 6-1. Scheme of Handle Object Policy mechanism.
[http]
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8080
action_av = "scan"
user_config = "esets_http_spec.cfg"

Once the special configuration file is referenced from within the [http] section, create the ‘esets_http_spec.cfg’ file in the ESETS configuration directory and add the appropriate individual settings. The next example shows the individual setting for the parameter ‘action_av’ for the client computer with IP address 192.168.1.40:

[|192.168.1.
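The two mechanisms described above, the Handle Object Policy options of section 7.1 and the per-client special configuration file referenced by user_config, are easier to reason about with a small resolver. The following is an added example written for this guide, not ESET's own code: it parses the key = "value" form of esets.cfg, runs the sanity checks an administrator would want on the listener, merges a client's special section over the [http] defaults, and returns the action that applies to an object with a given scan status. The sample configuration is constructed; the complete "[|<client IP>]" section header (the page only shows it cut off as "[|192.168.1."), the override order (client section wins) and the decision rule in decide() are assumptions of this example, so confirm them against the esets.cfg(5) man page.

```python
"""Added example (not ESET's code): parse ESETS-style configuration files and
resolve the Handle Object Policy that applies to one proxied client."""
import ipaddress
import re

# Constructed sample of the [http] section, in the key = "value" form the
# manual shows for esets.cfg.
ESETS_CFG = """
[http]
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8080
action_av = "scan"
action_av_infected = "reject"
action_av_notscanned = "accept"
user_config = "esets_http_spec.cfg"
"""

# Constructed sample of the per-client special configuration. The manual
# shows the section header only as "[|192.168.1." (cut off); the complete
# "[|<client IP>]" form used here is an ASSUMPTION of this example.
ESETS_HTTP_SPEC_CFG = """
[|192.168.1.40]
action_av = "reject"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
OPTION_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
# Object statuses named by the action_av_* options in section 7.1.
OBJECT_STATUSES = ("infected", "notscanned", "deleted")


def parse_cfg(text):
    """Return {section: {option: value}}; '#' lines are comments and
    double quotes around a value are removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = OPTION_RE.match(line)
        if m is None or current is None:
            raise ValueError("unexpected line: %r" % raw)
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[name] = value
    return sections


def check_listener(http):
    """Sanity checks on the [http] listener before the agent is enabled."""
    problems = []
    if http.get("agent_enabled") != "yes":
        problems.append("agent_enabled is not yes")
    try:
        ipaddress.ip_address(http.get("listen_addr", ""))
    except ValueError:
        problems.append("listen_addr is not a valid IP address")
    try:
        if not 1 <= int(http.get("listen_port", "")) <= 65535:
            raise ValueError
    except ValueError:
        problems.append("listen_port is not a valid TCP port")
    if not http.get("action_av"):
        problems.append("action_av is not set")
    return problems


def effective_policy(http, spec, client_ip):
    """Per-client options override the [http] defaults (assumed merge order)."""
    policy = dict(http)
    policy.update(spec.get("|" + client_ip, {}))
    return policy


def decide(policy, status):
    """Reading of the Handle Object Policy used by this example (assumption):
    an action_av other than "scan" applies to every object from that client;
    with "scan", the action_av_<status> option for the scan result decides.
    Returns None when that option is not configured."""
    if status not in OBJECT_STATUSES:
        raise ValueError("unknown object status: %r" % status)
    if policy.get("action_av") != "scan":
        return policy.get("action_av")
    return policy.get("action_av_" + status)


if __name__ == "__main__":
    cfg = parse_cfg(ESETS_CFG)
    spec = parse_cfg(ESETS_HTTP_SPEC_CFG)
    print("listener problems:", check_listener(cfg["http"]))
    for client in ("192.168.1.20", "192.168.1.40"):
        policy = effective_policy(cfg["http"], spec, client)
        print(client, policy["action_av"], decide(policy, "infected"))
```

With the constructed files, client 192.168.1.20 keeps action_av = "scan" and an infected object is rejected via action_av_infected, while client 192.168.1.40 is rejected outright because its special section replaces action_av. Running the checks on a listen_addr that was typed incompletely (for example "192.168.1.") reports the problem before the daemon is reloaded.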
In order to enable sampling, the samples submission system cache must be initialized. This can be achieved by selecting ‘samples_enabled’ in the [global] section of the ESETS configuration file. For more information on the Samples Submission System and its options, please refer to the esets_daemon(8) man page.

7.
Figure 6-1. ESET Security for Linux - Home screen.

The web interface window of ESET Gateway Security is divided into two main sections: the primary window, which displays the contents of the selected menu option, and the main menu.
Figure 6-2. ESET Licenses.

You can enable the license notification option in the Scheduler section options. If enabled, this functionality will notify you 30 days prior to your license expiration.

7.6.2 Agent HTTP configuration example

ESETS can be configured in two ways. In this example, we will demonstrate how to use both when configuring the HTTP module, leaving you with the choice of your preferred configuration method:

Using the ESETS configuration file:

[http]
agent_enabled = yes
listen_addr = "0.
7.6.2.1 HTTP Agent testing with Mozilla Firefox

To test the ESETS HTTP Agent on your local machine, you need to set the local proxy server to ‘localhost:8080’. See the figure below for an example of such a configuration in the Mozilla Firefox browser:

Figure 6-5. Mozilla Firefox - Network Settings.

Note: You do not need to configure the local machines connected to the ESETS server in the same manner. However, you will still need to set a transparent http proxy via netfilter (see section A.1 for details).
7.6.3 Scheduler

You can manage the scheduler tasks either via the ESET configuration file (see chapter Scheduler) or using the web interface.

Figure 6-5. ESETS - Global > Scheduler.

Click the checkbox to enable/disable a scheduled task. By default, the following scheduled tasks are displayed:

Log maintenance – The program automatically deletes older logs in order to save hard disk space. The Scheduler will start defragmenting logs. All empty log entries will be removed during this process.
7.6.4 Statistics

You can view statistics for all active ESETS agents here. The Statistics summary refreshes every 10 seconds.

Figure 6-6. ESETS - Control > Statistics.

7.7 Remote Administration

ESETS supports ESET Remote Administration for gateway security management in large computer networks.
7.7.1 Remote Administration usage example

Before commencing any remote administration process, ensure your system fulfills the three following prerequisites:

Running ERA Server
Running ERA Console
Enable RA Client in the ESETS daemon.

Ensure that firewall settings do not block traffic to ERA Server or vice versa. To set up the basics, specify the address of your ERA Server in the ‘racl_server_addr’ parameter first.
Figure 6-8. ERA Configuration Editor.

The New Task context menu contains On-demand scanning options (enabled/disabled cleaning). You can select the desired product that you wish to set the task for in the On-Demand Scan pop-up window in the Configuration Section drop-down menu. Make sure that you select the On-demand Scan task for Unix ESET Security Product option (i.e. the product that is installed on your target workstation).

Figure 6-9. ERA On-demand scan.
7.8 Logging

ESETS provides system daemon logging via syslog. Syslog is a standard for logging program messages and can be used to log system events such as network and security events. Messages refer to a facility:

auth, authpriv, daemon, cron, ftp, lpr, kern, mail, ..., local0, ..., local7

Messages are assigned a priority/level by the sender of the message:

Error, Warning, Summall, Summ, Partall, Part, Info, Debug

This section describes how to configure and read the logging output of syslog.
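Reading syslog output starts with the PRI field, the number in angle brackets that a sender puts in front of every message: it packs the facility and the severity into one value (facility * 8 + severity), so a log reader can route daemon messages by facility and drop anything below a chosen level. The following is an added example written for this guide, not ESET's code: it encodes and decodes PRI using the standard facility and severity numbering, parses lines in the common BSD syslog layout, and filters them. The sample lines are constructed and are not real product output; the page does not give a numeric mapping between the ESETS level names listed above (Error, Warning, Summall, ...) and syslog severities, so none is assumed here.

```python
"""Added example (not ESET's code): decode the PRI field of syslog lines so
daemon messages can be routed by facility and filtered by severity."""
import re

# Facility codes 0-23 in syslog protocol order; names for 12-15 follow RFC 5424.
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
# Severity codes 0 (most urgent) to 7.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

LINE_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample lines (not real product output): a daemon-facility
# error, a daemon-facility info message and a local0 debug message.
SAMPLE_LINES = [
    "<27>Mar  3 10:15:02 gateway sample_daemon[1234]: constructed error message",
    "<30>Mar  3 10:15:03 gateway sample_daemon[1234]: constructed info message",
    "<135>Mar  3 10:15:04 gateway sample_app[77]: constructed debug message",
]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, as the sending program computes it."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line):
    """Return the facility, severity and remaining text of one syslog line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("no PRI field: %r" % line)
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "message": m.group(2)}


def select(lines, facility, max_severity):
    """Keep messages of one facility whose severity is at least max_severity
    (lower code = more urgent, so 'err' passes a 'warning' threshold)."""
    limit = SEVERITIES.index(max_severity)
    return [rec for rec in map(parse_line, lines)
            if rec["facility"] == facility and SEVERITIES.index(rec["severity"]) <= limit]


if __name__ == "__main__":
    for rec in select(SAMPLE_LINES, "daemon", "warning"):
        print(rec["severity"], rec["message"])
```

Lines whose PRI is missing or outside 0-191 are rejected rather than silently classified, which is the behaviour you want when feeding a log pipeline from a forwarder that may truncate messages.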
8. ESET Security system update

8.1 ESETS update utility

To maintain the effectiveness of ESET Gateway Security, the virus signature database must be kept up to date. The esets_update utility has been developed specifically for this purpose. See the esets_update(8) man page for details. To launch an update, the configuration options ‘av_update_username’ and ‘av_update_password’ must be defined in the [global] section of the ESETS configuration file.
9. Let us know

We hope this guide has provided you with a thorough understanding of the requirements for ESET Gateway Security installation, configuration and maintenance. It is our goal to continually improve the quality and effectiveness of our documentation. For additional assistance with your ESET product, please visit our online Knowledgebase at the following URL: http://kb.eset.
10. Appendix A. ESETS setup and configuration

10.1 Setting ESETS for scanning of HTTP communication - transparent mode

HTTP scanning is performed using the esets_http daemon. In the [http] section of the ESETS configuration file, set the following parameters:

agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8080

In the example above, ‘listen_addr’ is the address of the local network interface named ‘if0’. Restart the ESETS daemon. The next step is to redirect all HTTP requests to esets_http.
11. Appendix B. PHP License

The PHP License, version 3.01
Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2.