While modern cloud computing trends have challenged pre-existing definitions of enterprise “network perimeters” (i.e., distributed cloud computing has increased the attack surface of most networks), certain longstanding network edge concepts still remain intact. Namely, it remains true that internet traffic visiting or originating from any given web application server may still be constrained into passing through a network proxy chokepoint before reaching an internal or external server resource.
As such, effective enterprise web application security still depends on the implementation of stringent threat detection policies in proxy servers ahead of web application servers at the network perimeter. Applying security policies strategically at network chokepoints around a web application server significantly increases the likelihood of detecting and mitigating many modern cybersecurity threats, including insecure file uploads and downloads.
File Upload Attack Vector
Among the many different types of threats plaguing modern enterprise networks – including SQLI (SQL injection) attacks, botnet DDoS (distributed denial of service) attacks, MitM (man in the middle) attacks, and others – insecure file upload (and download) is becoming increasingly significant.
Malicious files can reach internal web application servers from direct client-side uploads (e.g., HTML form uploads), and they can exit the internal network in messages originating from the web application server (e.g., B2B document exchange via web-based CRM or ERP). In both scenarios, the enterprise network is responsible for threat detection and mitigation.
Web Application Security Solutions at the Network Perimeter
Proxy servers are commonly deployed as the enterprise network perimeter security solution for web application servers. Reverse and forward proxies are designed to intercept inbound and outbound internet traffic respectively, preventing direct communication between external and internal server resources.
A reverse proxy is typically used for anything from load balancing and SSL termination to the enforcement of access controls and other web traffic filters, while forward proxies are typically used for outbound request caching, anonymity, and blocking access to certain websites (i.e., blacklisting).
Because proxy servers are already designed to intercept internet messages (e.g., HTTP/HTTPS) headed to or from a web application server, they present an ideal location for the deployment of security policies against a variety of content threats, including insecure file upload and download traffic. File bytes encoded within internet messages can be intercepted by a reverse or forward proxy, checked for threats (e.g., malware), and subsequently prevented from entering or exiting a network.
The Internet Content Adaptation Protocol (ICAP) is also used to extend the capabilities of proxy servers. Sitting adjacent to proxy servers, ICAP servers provide select value-add services that lighten the burden placed on proxy servers in an enterprise network. Antivirus scanning and content filtering are two common services offloaded to ICAP servers in high-traffic networks; a proxy server can send file bytes and other content from internet messages to a threat scanning ICAP server and receive a threat detection response in return.
How Proxy Servers and ICAP Servers are Configured for Antivirus Scanning
Traditionally, antivirus scanning architecture in a proxy or ICAP server has involved the deployment of antivirus software directly within the value-add server itself. When antivirus software is deployed directly in a proxy or ICAP server, that server can, under ideal circumstances, accommodate fast processing times and low latency traffic to and from the web application server it’s deployed ahead of.
We might consider an ideal circumstance to be a steady, reliable flow of files falling within a relatively consistent size range. Under such conditions, maintaining a direct path between the message originator and message recipient is advantageous.
Using APIs for Proxy Server and ICAP Server Virus Scanning
Deploying antivirus software directly within proxy or ICAP servers can introduce scalability concerns for modern enterprise networks. Extremely high volumes of traffic – especially file byte traffic involving excessively large file sizes – may overburden existing servers and necessitate the deployment of additional proxy or ICAP servers (which also means multiple iterations of the antivirus software) behind a load balancer.
This can prove costly and inefficient, even when proxies and ICAP servers are deployed as virtual appliances/cloud-based services (as opposed to physical hardware, which is notably more inefficient for several reasons). Deploying multiple proxies or ICAP servers behind a load balancer decentralizes the flow of network traffic, which increases the complexity of managing those independent antivirus software iterations. Each iteration requires independent updates and maintenance, for instance.
By deploying an antivirus API within a single proxy or ICAP server, the value-add server can offload file traffic to a dynamically scaled external endpoint resource. When that endpoint is deployed in a region local to the proxy or ICAP server, the drop-off in latency (i.e., compared with a solution deployed directly in a proxy or ICAP server) may be negligible, and it may be offset by the enhanced performance of multiple distributed cores. Eliminating the need for proxies and ICAP servers to directly process internet messages also frees up their bandwidth considerably, allowing them to perform other crucial value-add operations as file traffic enters or leaves a network.
Using dynamically scaled API endpoint resources ultimately centralizes proxy and ICAP antivirus services for the enterprise network. It reduces the need to perform updates and maintenance across multiple iterations of a service, allowing enterprises to abstract those responsibilities away to the API provider.
Cloudmersive Proxy and ICAP Virus Scanning
Cloudmersive specializes in deploying its best-in-class Advanced Virus Scan API in web application proxies and ICAP servers. These deployment options make API calls against hyper-scalable API endpoints, and they excel in accommodating large-scale enterprise traffic scenarios.
To learn more about Cloudmersive proxy and ICAP server deployments, please feel free to reach out a member of our team.