To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

ORSP Client in Server Security 9.2

Rick586
Rick586 Posts: 52 Security Scout
in Business Suite

Is there a way that the ORSP lookups can be controlled?  If you've a hundred servers with say a 1000 clients, all using the ORSP service, you'll be seeing high volumes of traffic going to F-Secure servers through your firewall - that's what we're seeing currently!

 

We've been seeing exactly this and want to control it!

 

Isn't it possible to proxy it via the PM or have the information downloaded from the F-S cloud to the PM so that you don't get these hubdreds of hits every minute?

Comments

  • suntattood
    suntattood MyAccount Posts: 14 Security Scout

    Is it possible to have it split in groups and then reorganize everything? I am thinking about this way, but not sure if it is doable. image

  • Siltanen
    Siltanen Posts: 47 Digital Defender

    Hi Rick586,

     

    Currently it's possible to only turn the network lookups on/off.

  • Rick586
    Rick586 Posts: 52 Security Scout

    Hello Siltanen.

     

    As we've so many hosts, what would you suggest we do currently?

     

    Can these lookups be proxied?

     

    Many thanks.

  • Siltanen
    Siltanen Posts: 47 Digital Defender

    Hi Rick586,

     

    I would assume it would be possible to proxy the traffic through a regular HTTP proxy. (It uses the same proxy as configured in AUA settings, so all the update traffic would also go through the said proxy.)

     

    However the amount of requests towards our ORSP backend would still be in the same level. There's currently no "special" ORSP proxy solution from us. Nor is there any caching solution available.

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    What are the figures on the network traffic that you face? (in % of  overall-traffic?)

    How much traffic per Host?

     

    A customer of ours did traffic analysis:

    caching does not make sense, as 98% of the requests generated by 1 Host are unique, i.e. the same request will not be generated by a second host.

    Even more impressive: less than 0,05% are common from all hosts (word.exe) and as the results are cached locally they only appear once per host!

     

    BR

     

  • Rick586
    Rick586 Posts: 52 Security Scout

    MJ-perComp, some very good points there and good reasons for not caching but what I was trying to say is that it's more to do with the fact that the ORSP client genereates hundreds of lookups in short spaces of time and if you've several hundred clients (we've nearly 1000), you see this traffic hitting the firewall in the form of thousands of small packets!  It's this kind of thing that eats the CPU up on Firewalls as it has to analyse each new packet as we've got UTM enabled on our Firewalls.

     

    To be honest, while this technology is suiable for SOHO users, on larger corporate networks it wasn't F-Secure's best idea and we resorted to disabling the ORSP service a while back, well before the option came around of being able to disable the lookups in the GUI.

     

    My solution would be that the information that the ORSP client seeks, is downloaded hourly or something to the PM server and as all clients are configured already to communicate with it, the ORSP client does its lookup there, which keeps the traffic internal.

     

    It's the same principle as the signature updates.  You don't allow all your clients to pull their downloads from F-Secure's servers on the internet, you have a local copy for internal clients to access!

This discussion has been closed.

Categories