F5's ICAP Deployment: A Real-World Example

One of our customers faced a pressing need to block email attachments containing sensitive or confidential content on their external webmail, ensuring that such information didn't leak beyond their network borders. Let's delve into this real-world scenario from our experience. 

The Concept 

The messaging team configured the Internet Content Adaptation Protocol (ICAP) servers. That's where the actual content analysis will happen, with their own rules. For the F5 specialist, the question is simple: how can we integrate a pool of ICAP servers into the traffic flow? In other terms, how can the F5 load balancer forward the relevant content to the ICAP servers, and then forward a potentially modified response back to the client? This is possible by configuring the BIG-IP® content adaptation feature, and F5 published how to implement it in the manual chapter "Configuring Content Adaptation for HTTP Requests and Responses". The following diagram illustrates the traffic flow when configuring content adaptation for both HTTP requests and responses.

Initial Configuration: Covering All Bases 

Initially, we configured content adaptation on the F5 LTM for both HTTP requests and responses as shown in the diagram above. This approach seemed logical at first glance, as it promised a comprehensive assessment of all content entering and exiting the network. 

While the F5 LTMs running on the new F5 VELOS platforms had no performance issue with this traffic flow, the ICAP servers received far more traffic than the messaging team was expecting. Technically, we had a working solution, but we needed to optimize it. 

Optimizing for Performance 

The first thought was to filter by URL, directly on the F5. With an iRule, we can easily disable the content adaptation profiles for the URLs that the messaging team does not wish to inspect. We identified the URLs for file attachments and previews and added this iRule to the webmail Virtual Server.

A Surprising Discovery 

When I work with a protocol I haven’t seen before, I always like to look at its packet structure. I leveraged my trusted tool, Wireshark, to scrutinize the ICAP traffic. What I found was intriguing: when configuring content adaptation for HTTP requests, the ICAP protocol encapsulates the HTTP requests (as expected), but when configuring content adaptation for HTTP responses, not only were the responses (email attachments and previews) encapsulated, but the corresponding HTTP requests were included as well. This was a valuable discovery and evidence that our implementation could be optimized further. 

The screenshot below shows the ICAP message crafted by the F5 when configuring content adaptation for HTTP responses only (not requests). Two HTTP elements are encapsulated in this ICAP message: one is the request, the other is the response. 

Expanding the first HTTP element shows the request inside the ICAP message: 

Expanding the second HTTP element shows the response inside the ICAP message: 

The customer's primary objective was to scrutinize email attachments in the outgoing responses, not to analyze and block incoming requests before they even get to the web servers. Recognizing the implications, we adjusted the configuration, removed the content adaptation configuration for HTTP requests, and only kept it for HTTP responses. 
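The two optimizations above (the URL filter from the iRule step, and keeping only the response adaptation profile) can be combined in a single iRule. The following is an added example, not the customer's actual iRule: the `ADAPT::enable` command with its `request|response enable|disable` syntax is the one F5 documents for content adaptation, while the `/webmail/attachment/` and `/webmail/preview/` path prefixes are placeholders for the URLs the messaging team identified.

```tcl
# Added example, not the customer's iRule. Assumes only a Response Adapt
# profile remains on the webmail Virtual Server, and that attachment downloads
# and previews live under the placeholder path prefixes below.
when HTTP_REQUEST {
    # The decision is taken on the request, before the response exists,
    # because ADAPT::enable must be set ahead of the response being received.
    switch -glob -- [string tolower [HTTP::path]] {
        "/webmail/attachment/*" -
        "/webmail/preview/*" {
            # Attachment download or preview: keep response adaptation on.
            # As observed in Wireshark, the ICAP message will carry both the
            # encapsulated HTTP request and the HTTP response, so the ICAP
            # server still sees the request context it needs.
            ADAPT::enable response enable
        }
        default {
            # Mailbox views, static assets, API calls: bypass the ICAP pool
            # entirely, sparing it traffic it would never act on.
            ADAPT::enable response disable
        }
    }
}
```

Because the ICAP pool now only receives traffic for the matched paths, an unexpected rise in ICAP request volume after a webmail upgrade is a useful signal that the attachment or preview URLs have changed and the prefixes need updating.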

A Lesson in Precision 

This practical example underscores the importance of precision in ICAP configuration and deployment. It's not just about what you want to analyze, but precisely when and where you want to perform the analysis. In this case, it was a shift from a broad approach to a more focused one, optimizing network performance without compromising the core security objective. 

Conclusion  

Deploying the F5 BIG-IP® content adaptation feature with a pool of ICAP servers requires careful consideration. It's not simply a choice of when and how to analyze network traffic, it's about identifying the optimal moment to analyze, adapt, and secure your network traffic. Our journey with this deployment illustrates that by making strategic decisions based on your specific requirements, you can achieve the perfect balance of security and performance.

Author: Gregory Thiell
