Sample ESI Topology

In the example shown in this section, ESI (External Services Interface) provides the interface to an antivirus firewall server device that performs virus inspection. An antivirus firewall server device is one of many types of external service that ESI supports.

Figure 1   ESI-Fortinet Topology


In the ESI–Fortinet topology, the clients connect to access points (both wireless and wired). The access points tunnel all client traffic back to the managed device over the existing network.

The managed device receives the tunneled traffic and redirects the relevant part of it (including, but not limited to, HTTP and HTTPS, and email protocols such as SMTP and POP3) to the antivirus firewall server device, which provides services such as anti-virus scanning, email scanning and web content inspection. Traffic from the clients is redirected on the “untrusted” interface between the managed device and the antivirus firewall server device. The managed device also redirects traffic destined for the clients, whether it comes from the Internet or from the internal network; that traffic is redirected on the “trusted” interface between the managed device and the antivirus firewall server device. All other traffic, for which the antivirus firewall server performs no required operation such as AV scanning, is forwarded by the managed device without redirection. Database traffic running from a client to an internal server is an example of such traffic.

The managed device can also be configured to redirect only traffic from clients in a particular role, such as “guest” or “non-remediated client”, to the antivirus firewall server device. This reduces the load on the antivirus firewall server device when a different mechanism, such as the Aruba-Sygate integrated solution, enforces client policies on the clients under the control of the IT department. Such policies can ensure that an anti-virus agent runs on each client and that the client is granted network access only if the agent reports a “healthy” status for that client. Refer to the paper on Sygate integrated solutions (available from Sygate) for more details.

The managed device can also load balance between multiple external server appliances, which provides both scalability and redundancy. It can further be configured with multiple groups of external server devices, so that different kinds of traffic are redirected to different groups, with load balancing occurring within each group (see Figure 2 for an example).
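The following Python model is added here to make the redirection rules of the preceding three paragraphs concrete; it is not code from Aruba, Fortinet or this page, and it does not describe how the managed device implements them. It takes a flow, applies the protocol filter, the optional per-role filter and the per-service group mapping, picks a member of the group, and reports whether the flow is redirected on the "untrusted" interface (client to remote) or the "trusted" interface (remote to client). The server names, IP addresses, the hash-based member selection and the fail-closed default when a group has no healthy member are all assumptions of this example; the page specifies none of them.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Services the managed device hands to the AV firewall (constructed list
# mirroring the protocols named in the text).
SERVICE_BY_PORT: Dict[int, str] = {80: "http", 443: "https", 25: "smtp", 110: "pop3"}


@dataclass
class EsiServer:
    name: str
    trusted_ip: str        # address on the "trusted" interface (traffic heading to clients)
    untrusted_ip: str      # address on the "untrusted" interface (traffic from clients)
    healthy: bool = True   # outcome of a reachability check (assumed; not modelled here)


@dataclass
class EsiGroup:
    name: str
    servers: List[EsiServer]

    def pick(self, flow_key: str) -> Optional[EsiServer]:
        """Hash-based load balancing over the healthy members (assumed scheme).

        Hashing a direction-independent key sends both halves of a session to
        the same appliance, which a stateful scanner needs.
        """
        live = [s for s in self.servers if s.healthy]
        if not live:
            return None
        digest = hashlib.sha256(flow_key.encode()).digest()
        return live[int.from_bytes(digest[:8], "big") % len(live)]


@dataclass(frozen=True)
class Flow:
    client_ip: str
    remote_ip: str      # Internet or internal host the client talks to
    service_port: int   # port on the remote host (80, 443, 25, ...)
    role: str           # user role of the client, e.g. "employee" or "guest"
    to_client: bool     # False: client -> remote, True: remote -> client


class RedirectPolicy:
    def __init__(self, group_for_service: Dict[str, EsiGroup],
                 redirected_roles: Optional[set] = None, fail_open: bool = False):
        self.group_for_service = group_for_service
        self.redirected_roles = redirected_roles  # None means every role is redirected
        self.fail_open = fail_open                # behaviour when a group has no healthy member

    def decide(self, flow: Flow) -> dict:
        service = SERVICE_BY_PORT.get(flow.service_port)
        if service is None or service not in self.group_for_service:
            return {"action": "forward"}          # e.g. database traffic: nothing to scan
        if self.redirected_roles is not None and flow.role not in self.redirected_roles:
            return {"action": "forward"}          # role is policed by another mechanism
        group = self.group_for_service[service]
        key = f"{flow.client_ip}|{flow.remote_ip}|{flow.service_port}"
        server = group.pick(key)
        if server is None:
            # Fail closed by default: unscanned traffic is not silently let through.
            return {"action": "forward" if self.fail_open else "drop", "group": group.name}
        iface = "trusted" if flow.to_client else "untrusted"
        next_hop = server.trusted_ip if flow.to_client else server.untrusted_ip
        return {"action": "redirect", "group": group.name, "server": server.name,
                "interface": iface, "next_hop": next_hop}


def build_demo_policy(redirected_roles: Optional[set] = None,
                      fail_open: bool = False) -> RedirectPolicy:
    """Two groups in the spirit of Figure 2: web traffic to one pair of appliances,
    mail traffic to another. Names and addresses are constructed."""
    web = EsiGroup("web-av", [EsiServer("fg-web-1", "10.1.1.11", "10.1.2.11"),
                              EsiServer("fg-web-2", "10.1.1.12", "10.1.2.12")])
    mail = EsiGroup("mail-av", [EsiServer("fg-mail-1", "10.1.1.21", "10.1.2.21")])
    return RedirectPolicy({"http": web, "https": web, "smtp": mail, "pop3": mail},
                          redirected_roles, fail_open)


if __name__ == "__main__":
    policy = build_demo_policy()
    out = Flow("192.168.5.10", "203.0.113.7", 80, "employee", to_client=False)
    back = Flow("192.168.5.10", "203.0.113.7", 80, "employee", to_client=True)
    print(policy.decide(out))    # redirect on the untrusted interface
    print(policy.decide(back))   # redirect on the trusted interface, same server
    print(policy.decide(Flow("192.168.5.10", "10.20.0.5", 1433, "employee", False)))  # forward
```

Passing `redirected_roles={"guest"}` reproduces the role-based variant, where employee traffic is forwarded unscanned because another mechanism is trusted to police it. The fail-closed default is a design choice of this example, not a documented product behaviour: when every member of a group is down, dropping the flow is the safer outcome for traffic the policy says must be scanned.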

Figure 2  Load Balancing Groups
