ORSP Client in Server Security 9.2

Is there a way that the ORSP lookups can be controlled? If you've a hundred servers with say a 1000 clients, all using the ORSP service, you'll be seeing high volumes of traffic going to F-Secure servers through your firewall - that's what we're seeing currently!

We've been seeing exactly this and want to control it!

Isn't it possible to proxy it via the PM or have the information downloaded from the F-S cloud to the PM so that you don't get these hubdreds of hits every minute?

Find more posts tagged with

Comments

Rick586

MJ-perComp, some very good points there and good reasons for not caching but what I was trying to say is that it's more to do with the fact that the ORSP client genereates hundreds of lookups in short spaces of time and if you've several hundred clients (we've nearly 1000), you see this traffic hitting the firewall in the form of thousands of small packets! It's this kind of thing that eats the CPU up on Firewalls as it has to analyse each new packet as we've got UTM enabled on our Firewalls.

To be honest, while this technology is suiable for SOHO users, on larger corporate networks it wasn't F-Secure's best idea and we resorted to disabling the ORSP service a while back, well before the option came around of being able to disable the lookups in the GUI.

My solution would be that the information that the ORSP client seeks, is downloaded hourly or something to the PM server and as all clients are configured already to communicate with it, the ORSP client does its lookup there, which keeps the traffic internal.

It's the same principle as the signature updates. You don't allow all your clients to pull their downloads from F-Secure's servers on the internet, you have a local copy for internal clients to access!

MJ-perComp

What are the figures on the network traffic that you face? (in % of overall-traffic?)

How much traffic per Host?

A customer of ours did traffic analysis:

caching does not make sense, as 98% of the requests generated by 1 Host are unique, i.e. the same request will not be generated by a second host.

Even more impressive: less than 0,05% are common from all hosts (word.exe) and as the results are cached locally they only appear once per host!

Siltanen

Hi Rick586,

I would assume it would be possible to proxy the traffic through a regular HTTP proxy. (It uses the same proxy as configured in AUA settings, so all the update traffic would also go through the said proxy.)

However the amount of requests towards our ORSP backend would still be in the same level. There's currently no "special" ORSP proxy solution from us. Nor is there any caching solution available.

Rick586

Hello Siltanen.

As we've so many hosts, what would you suggest we do currently?

Can these lookups be proxied?

Many thanks.

Siltanen

Hi Rick586,

Currently it's possible to only turn the network lookups on/off.

suntattood

Is it possible to have it split in groups and then reorganize everything? I am thinking about this way, but not sure if it is doable.