Back to Home

Filtration of content on the stream by the eSafe hardware-software complex

content filtering · eSafe · streaming antivirus

Filtration of content on the stream by the eSafe hardware-software complex

I would like to share my experience in providing content filtering using the eSafe hardware and software system.

eSafe is a proactive protection tool installed on the Internet gateway and prevents known and unknown malicious programs, spam from entering the protected network, as well as restricting access to data and applications that do not comply with corporate policies or ethical standards.

eSafe is a development company Aladdin is now SafeNet. eSafe has 4 modes of operation eSafe Mail, eSafe Web, eSafe Web & Mail and eSafe Web SSL. eSafe can work in bridge mode and it is invisible to users, except when there is a lock and the user sees the lock page. The blocking page can be modified by correcting its code in the management console, or disabled.

Advantages of the complex:
  • filtration on the fly
  • blocking applications (Skype, ICQ, XMPP, etc.) and anonymizers
  • removal of viruses and blocking communications of trojans
  • clustering capability
  • the main network card has ByPass (only if the appliance was purchased), in the event of an emergency stop of the complex, the network continues to work


Minuses:
  • Before version 8.5, the application filter is not able to work with LDAP groups
  • Prior to version 8.5, when configuring bridge mode, you must enter ip addresses on the main network interfaces
  • sophisticated quarantine mail release system
  • RedHat 9 carrier platform - additional protection of the complex itself is required


At us, eSafe is used to filter the Internet traffic of users. At the beginning, eSafe was also responsible for anti-spam protection, but due to problems with extracting messages from quarantine, it was decided to transfer email filtering to McAfee EWS. The quarantine spam extraction system is designed for Microsoft Outlook, for other clients it is necessary to have an additional server with IIS on board, but this bundle does not always work correctly. For example, at McAfee EWS everything is on board, but can be transferred to a single quarantine server.
eSafe has an antivirus on board (versions up to 8.x - eSafe antivirus, versions 8.x - Kaspersky antivirus), URL filters, application filters, content filters, in version 8.x there is DLP.

Anti-Virus scans traffic “on the fly”, any file is downloaded up to 80% transparently for the user, then the download is paused for the user, and eSafe downloads the file and checks if the file is clean the user receives the remaining 20%, if not, the download for the user is interrupted. Visually, eSafe version 7.x seems faster than version 8.x, but I did not measure it.

URL filtering - sites are categorized, there are initially predefined permission templates. Able to work with LDAP groups, that is, there is no need to create users on eSafe itself to provide privileged access. The list of sites in a particular category cannot be viewed. A site can be in several categories at once, and a second-level domain will appear everywhere, for example, if a user is forbidden to use web mail but allowed to read blogs, then he will not be able to access mail.ru. URL filter does not work if you open the site via HTTPS, to control HTTPS you need a separate device with eSafe Web SSL mode. It looks like the URL filter is used from IBM Proventia.

Application filter - for its operation, privileged access is required either by ip addresses or by running eslogin authorization utility on clients, which transfers the username and ip address of the computer to eSafe. Prior to version 8.5, you must specify users / ip addresses directly through the management console; in version 8.5, you can use LDAP groups. The application filter perfectly blocks: skype, IM, twitter, facebook, tunneling (TOR, ultrasurf, etc.), P2P, malware communication with the world wide web, and much more.

Content filters can block selected file types, dangerous script functions, multi-volume archives and password-protected archives.

The use of this complex allowed to reduce the infection of computers through the Internet, to reduce the consumption of traffic for personal purposes.

One physical device quietly pulls out the simultaneous surfing of 1,500 users.
eSafe is not alone in this segment, closest competitors IBM Proventia and McAfee EWS

Read Next