Integrate ICAP server with EMC Isilon

Overview

You can scan the files you store on an Isilon cluster for computer viruses, malware, and other security threats by integrating with ESET Server Security for Linux (ESSL) through the Internet Content Adaptation Protocol (ICAP).

Prerequisite

1. ESSL is installed and its Web interface is enabled.

2. Isilon OneFS is installed.

Enable ICAP server in ESSL

In this example, the ICAP server listens on IP address 10.1.168.28 and port 1344.

1. Click Setup > Detection Engine > Remote scanning, and turn on both Enable remote scanning using ICAP service and Dell EMC Isilon compatibility.

2. Click Edit next to Listen addresses and ports.

3. Click Add.

4. Type the applicable IP address and port. In our example, the IP address is 10.1.168.28, and the port is 1344.

5. Click Save.

Enabling ICAP server in OneFS

1. Log in to the OneFS administration panel, and click Data Protection > Antivirus > ICAP Servers > Add an ICAP Server.

2. Select Enable ICAP Server, and enter the URL of the ICAP server in the ICAP Server URL field using the following pattern: icap://<IP_ADDRESS>:<PORT>/scan
In our example: icap://10.1.168.28:1344/scan

3. Click Add Server.

4. Click Settings, and select Enable Antivirus Service.

5. In Path prefixes, type the path to scan. To scan all paths, type "/ifs" (without quotation marks).

6. Click Save changes.
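
To confirm that the ICAP listener answers at the URL entered above, independently of OneFS, you can send it an ICAP OPTIONS request (RFC 3507). The following is an added example, not ESET or Dell code; the function names and the SAMPLE reply are constructed for illustration, and the reply ESSL actually returns may carry different headers.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample reply in RFC 3507 format; not captured from ESSL.
SAMPLE = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\n"
          b"ISTag: \"constructed-tag-1\"\r\nEncapsulated: null-body=0\r\n\r\n")

def build_options(icap_url):
    """Return (host, port, request bytes) for an ICAP OPTIONS probe."""
    u = urlsplit(icap_url)
    if u.scheme != "icap" or not u.hostname:
        raise ValueError("expected icap://<IP_ADDRESS>:<PORT>/scan")
    port = u.port or 1344  # default ICAP port when the URL omits one
    req = (f"OPTIONS {icap_url} ICAP/1.0\r\n"
           f"Host: {u.hostname}:{port}\r\n"
           "Encapsulated: null-body=0\r\n\r\n")
    return u.hostname, port, req.encode("ascii")

def parse_response(raw):
    """Return (status code, lower-cased header dict) from a response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP reply: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def service_ok(status, headers):
    """RFC 3507 requires Methods and ISTag in a successful OPTIONS reply."""
    return status == 200 and "methods" in headers and "istag" in headers

def probe(icap_url, timeout=5.0):
    """Send the OPTIONS request over TCP and parse the reply (needs network)."""
    host, port, req = build_options(icap_url)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_response(raw)

if __name__ == "__main__":
    print(service_ok(*parse_response(SAMPLE)))  # offline check on the sample
```

Against a live server, call service_ok(*probe("icap://10.1.168.28:1344/scan")) from a host that can reach the listen address; a connection error or a non-200 status points to the ESSL listener or the network path rather than to OneFS.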

Scan-related settings on EMC Isilon

File size, file name or file extension restrictions

On-access scanning or on-demand scanning via policy

Threat response settings

How does it work?

When a file is written to (or accessed on) the EMC Isilon cluster, OneFS queues the file to be scanned and sends it to the ICAP server configured in both OneFS and ESSL. ESSL scans the file and provides feedback on the scanned file to EMC Isilon. OneFS decides how to deal with the scanned files based on threat response settings.

Test your setup

To test your setup, you need access from your computer to the OneFS cluster through one of the supported protocols. In our example, we will use the NFS protocol.

1. Configure NFS:

a. Log in to the OneFS administration panel, and click Protocols > UNIX Sharing (NFS) > Create Export.

b. Leave the default settings, verify the path is /ifs, and click Save.

2. Mount the NFS share on your Linux machine:

mkdir isilon

sudo mount -t nfs <IP address of OneFS cluster>:/ifs isilon

3. Complete a test scan:

a. Get the EICAR antivirus test file from www.eicar.org, copy it to the Isilon NFS share, and try to read its content.

wget www.eicar.org/download/eicar.com

cp eicar.com isilon

cat isilon/eicar.com

b. Based on your OneFS antivirus settings, the result will be either permission denied on that file (default), or the file will be truncated or deleted. For example:

cat: isilon/eicar.com: Permission denied

c. To check the detected threat, log in to the OneFS administration panel, and click Data Protection > Antivirus.