I was talking to one of our field folks the other day, and an old chestnut came up in our discussions. It seemed that the customer had asked about having the NetScaler provide AntiVirus scanning services for an application which accepted uploads. In this case it was a Business to Consumer (B2C) application in the financial sector that was in question. The user was uploading supporting data for a loan application, and the customer wanted to ensure that the upload was clean of viruses.
I’ve had this requested for partner portals as well. Nobody wanted to have the site that redistributed infected product information – that’s bad for business.
The solution can be implemented in a few ways, I’m sure. But rather than use an HTTP Callout, we chose to use the NetScaler Content Switch function in conjunction with a server based AntiVirus (AV) Scanner appliance.
It’s All About Screening
For this scheme to work, we had to ensure that all uploaded data was passed to the virtual appliance for scanning. The Content Switch policies simply screen the request and act appropriately.
* If it’s an upload from a user, send it to the scanner.
* If it’s an upload coming from the scanner, send it to the web site.
I’m glad we have that covered. Oh, you want the details? Read on…
Just the Uploads, Ma’am
To paraphrase Joe Friday “Just the uploads, ma’am”. We did not want to scan everything. In the interests of performance, we just wanted to scan the uploads.
To do this, we configured the NetScaler with a content switch policy. Simply stated, if the request received was form data, and if the request came from a source location other than the AV Scanner it had to be sent to the AV Scanner appliance. The policy that selects the user (non-AV Scanner initiated) form data requests is shown in the graphic below.
Note that, in this configuration, two AV Scanners were deployed and load balanced, of course. Their back-end IP addresses were 172.17.3.241 and 172.17.3.242, hence the IP address selection criteria in the policy above.
The second set of criteria ensured that the request being examined did, in fact, contain form data.
If all conditions were true, then the request would be sent to the AV Scanner appliance through the binding we set in the externally-addressable Content Switching VServer.
In this configuration, the “Target” entities were defined as internally accessible (IP address 0.0.0.0) LBVServer objects. Naturally, the AV Scanner servers were assigned to the lbvs_AV_Server VServer, and the application servers were assigned to the lbvs_upload VServer.
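Since the policy graphic is not reproduced here, the following is an added NetScaler CLI rendering of the content switching configuration described above. It is not configuration from the original post; the vserver names lbvs_AV_Server and lbvs_upload and the scanner addresses 172.17.3.241/.242 come from the text, while the Content Switching VServer name, its VIP (203.0.113.10, a constructed example address), the policy/action names, and the choice of POST with a multipart/form-data Content-Type as the definition of "form data" are assumptions.

```nscli
# Non-addressable LB vservers (IP 0.0.0.0) reachable only through the content switch.
# Assumed services: the two scanner appliances and the application servers.
add lb vserver lbvs_AV_Server HTTP 0.0.0.0 0
add lb vserver lbvs_upload HTTP 0.0.0.0 0

# Externally addressable Content Switching VServer (VIP is a constructed example value).
add cs vserver csvs_upload HTTP 203.0.113.10 80

# Action that hands the request to the scanner pool.
add cs action act_send_to_av -targetLBVserver lbvs_AV_Server

# Policy: form upload AND source is not one of the scanners -> go to the scanner.
# Assumption: "form data" means a POST whose Content-Type starts with multipart/form-data.
add cs policy pol_user_upload -rule "HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.HEADER(\"Content-Type\").STARTSWITH(\"multipart/form-data\") && !(CLIENT.IP.SRC.EQ(172.17.3.241) || CLIENT.IP.SRC.EQ(172.17.3.242))" -action act_send_to_av

# Bind the policy; anything it does not match (GETs, and uploads re-entering
# from the scanners) falls through to the default target, the application.
bind cs vserver csvs_upload -policyName pol_user_upload -priority 100
bind cs vserver csvs_upload -lbvserver lbvs_upload
```

The whole scheme hinges on the source-address test: a clean upload is only sent to the application because the scanner's outbound connection to the VIP arrives from 172.17.3.241 or .242. If the scanners are ever re-addressed, or NAT is placed between them and the VIP, the policy would match again and the upload would loop back into the scanner pool, so that address list is the first thing to verify when troubleshooting.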
Just the Check!
When a request arrived at the AV Scanner, it performed the scan. If the content was virus free, or could be fixed, that request should be passed to the application. If infected, and not repairable, the user was to be notified.
Because the AV Scanner is a full proxy, this is straightforward to achieve.
If the data sent was infected or irreparable, the user had to be notified. We configured the AV Scanner to send an “infected” notification page only. This was simply a normal response to the NetScaler MIP (or SNIP) which the NetScaler passed on to the original user.
If the scan was successful (the data was repaired or good) we did not want to return the request to the user, which was the normal response behavior. Instead, we configured the AV Scanner to issue a DNS lookup of the server specified in the HTTP Host header, and had the AV Scanner forward the request to that IP address.
Our DNS, naturally, resolves the address as being the VIP of the Content Switch LBVServer. And since the source IP address was the AV Scanner (remember the policy, above?), the NetScaler then sends the clean request to the application servers.
For the eye-chart fans, this is a schematic of the data flow…
In this configuration the appropriate requests are sent to the AntiVirus appliance for scanning with only a simple NetScaler configuration adjustment. The downside is that valid form data reaches the application via the AV Scanner, and the subsequent application response goes back to the user through that same intervening hop.
But that’s a small price to pay to protect the application from uploaded virus-infected data.