An ICAP Primer


The Internet Content Adaptation Protocol (ICAP) was first proposed in 1999; however, it is perhaps one of the lesser-known protocols on the Internet.

ICAP is defined in RFC 3507. Its basic premise is to provide sideband content filtering and modification of HTTP requests. It would normally be used in conjunction with a web proxy or cache, and its most common use is perhaps virus scanning of web content before it is passed on to the user.

ICAP defines two main modes of operation. In the first, the ICAP server processes requests from a client (in this case, squid would be considered the client); it can then return an HTTP error code or redirect the client to another location.

In the second, it processes responses passed on by the client. For example, a user requests a web page, and the response is passed to the ICAP server, which can examine the contents and act appropriately. This is where virus scanning would take place.

At Securolytics we utilize c-icap (an open source implementation of ICAP in C, with a modular plugin architecture) integrated with our layer-7 web proxy to enforce web filtering and security policies.

We currently make use of both the request and response modes of operation. The two main operations we currently perform are:

  • Firstly, we have developed our own c-icap service (module) to perform URL and URL category checking. Users are able to provide both whitelists and blacklists for URLs that they want to allow or block respectively. They can also do the same with lists of URL categories. This happens in the REQMOD mode of operation in c-icap, before the request makes it to the remote server.
  • Secondly, we make use of the squidclamav c-icap module for virus scanning. This happens in the RESPMOD mode of operation, once we have retrieved the requested content from the server.
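
The REQMOD URL check from the first bullet can be shown at the protocol level. This is an added example in Python, not c-icap code or the Securolytics module; the host names, ISTag value, service URI and function names are constructed for illustration.

```python
# Added example: allow/block decision on the HTTP request encapsulated in a REQMOD message.
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"blocked.example"}      # constructed blacklist entry
ISTAG = b'ISTag: "demo-policy-1"\r\n'    # RFC 3507: ISTag goes in every ICAP response

def icap_reply(status: bytes, encapsulated: bytes = b"null-body=0", payload: bytes = b"") -> bytes:
    return b"ICAP/1.0 " + status + b"\r\n" + ISTAG + b"Encapsulated: " + encapsulated + b"\r\n\r\n" + payload

def blocked(host: str) -> bool:
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def handle_reqmod(message: bytes) -> bytes:
    """Return the ICAP response for one complete REQMOD message."""
    try:
        head, _, payload = message.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, _uri, version = lines[0].split(" ")
        if method != "REQMOD" or version != "ICAP/1.0":
            return icap_reply(b"405 Method Not Allowed")
        hdrs = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
        # Encapsulated gives byte offsets into the payload, e.g. "req-hdr=0, null-body=57"
        parts = [p.strip().split("=") for p in hdrs["encapsulated"].split(",")]
        (name, start), (_nxt, end) = parts[0], parts[1]
        if name != "req-hdr":
            raise ValueError(name)
        http_lines = payload[int(start):int(end)].decode("latin-1").split("\r\n")
        target = http_lines[0].split(" ")[1]
    except (ValueError, KeyError, IndexError):
        return icap_reply(b"400 Bad Request")
    host = urlsplit(target).hostname          # absolute-form target, as a proxy sends it
    if host is None:                          # origin-form: fall back to the Host header
        value = next((l.split(":", 1)[1] for l in http_lines[1:] if l.lower().startswith("host:")), "")
        host = urlsplit("//" + value.strip()).hostname or ""
    if blocked(host):
        body = b"Blocked by URL policy\n"
        res_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(body)
        chunk = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)   # encapsulated bodies are chunked
        return icap_reply(b"200 OK", b"res-hdr=0, res-body=%d" % len(res_hdr), res_hdr + chunk)
    if "204" in hdrs.get("allow", ""):
        return icap_reply(b"204 No Content")  # unmodified; the client keeps its own copy
    return icap_reply(b"200 OK", hdrs["encapsulated"].encode(), payload)  # echo the request back

def sample_reqmod(http_head: bytes, allow_204: bool = True) -> bytes:
    """Constructed REQMOD message with no request body (sample input, not captured traffic)."""
    allow = b"Allow: 204\r\n" if allow_204 else b""
    return (b"REQMOD icap://icap.example/urlcheck ICAP/1.0\r\nHost: icap.example\r\n" + allow
            + b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(http_head) + http_head)
```

A blocked request gets an ICAP 200 carrying an encapsulated HTTP 403 for the proxy to return to the user, while an allowed one gets 204 only if the client advertised `Allow: 204`.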

For the immediate future, we are working on blocking based on page content. Users will be able to provide a list of keywords that can be used to block page access. However, this may be the subject of a future blog post.

Andrew Clayton | Software Engineer | Securolytics
