- Websense Knowledge Bases
Transcription
- Websense Knowledge Bases
Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Websense Support Webinar – January 2010 web security | data security | email security © 2009 Websense, Inc. All rights reserved. Webinar Presenter Juan R. Sanchez Title: Tech Support Specialist – Over 3 years supporting Websense products – 7 Years IT industry experience – Websense Certified Software Engineer (WCSE) – MCSA – CCNA (In Progress) – B.S. in Computer Sciences (National University) Juan Sanchez 2 Goals and Objectives Overview of Websense Web Security Requirements Transparent Authentication (NTLM Demo) Order of Precedence Locking down Category and Protocol Filters Bandwidth Optimization Real Time Scanning / Categorization Working with HTTPS (Certificates) Leveraging Reporting to Observe Trends Alerts to Monitor Behavior 3 Setup Overview Websense Content Gateway is a high-performance web proxy with caching. Integrates tightly with Websense Web Security components to provide maximum security, performance, and productivity management. 4 Websense Overview Installation & Setup Overview The integration mode must be Websense Content Gateway. A Port Mirror/SPAN must be configured at the top level switch. Directory Services Integration (Active Directory or eDirectory) to leverage user and/or group filtering. NTLM Authentication or Transparent ID Agent (DC Agent, eDirectory Agent, Logon Agent, or Radius Agent) must be configured to associate users to IPs for Filtering. Websense Content Gateway / V10000 Specific Webinars: Installing and Configuring Websense Content Gateway http://kb.websense.com/article.aspx?article=4783&p=12 Common Configuration Methods for the Websense Content Gateway http://kb.websense.com/article.aspx?article=4868&p=12 Configuration & Best Practices for Websense V10000 http://kb.websense.com/article.aspx?article=4892&p=12 5 Ports Ports used for Websense Content Gateway – – – – – – – – – – – – – – 21 TCP (Transparent FTP proxy) 22 TCP (SSH) 53 or 5353 UDP (DNS requests) 80 TCP (Transparent HTTP proxy) 443 TCP (Transparent HTTPS proxy) 2048 UDP (WCCP) 2121 TCP (Explicit FTP proxy) 8070 TCP (Explicit HTTPS proxy) 8071 and 8081 TCP (Proxy management interface) 8080 TCP (Explicit HTTP proxy) 8082 – 8090, 3031 TCP (Required only if clustering proxies) 40000, 55806, 55880, 55905 TCP (Local Websense Policy Server) 55807, 15868 TCP (Local Websense Filtering Service) 65535 TCP (Remote Websense Policy Server or Filtering Service) 6 WCCP Sample Network Diagram Web traffic passes actively through Websense Content Gateway Other protocols are sniffed passively by Network Agent. 7 Transparent Identification with WCG Three basic ways to identify users Transparent ID agent such as DC Agent or Logon Agent detects users as they log onto the network. Manual Authentication prompts for credentials when the user makes their first request to the internet. NTLM challenge-based authentication. This can only be done with a proxy server that is in the data path and designed to integrate with Active Directory. Note: NTLM is transparent to user when on Domain and properly configured. Related Webinars: User Identification Technologies within Websense Web Security v7.x http://kb.websense.com/article.aspx?article=4719&p=12 8 NTLM Authentication Advantages Transparently identifies user at time of request (As opposed to being identified at logon) If transparent ID fails, manual prompt is built-in. This is commonly encountered if the user is not currently logged into the domain. Disadvantages Can be sensitive to browser settings in regards to transparent authentication. Occasionally may cause extra pop-up warnings requiring additional browser configuration. 9 NTLM Authentication A Common Solution to getting rid of the additional NTLM Authentication prompt is to set the proxy’s IP address to “Local Intranet” zone, and confirm zone setting allows Automatic Logon. Step #1: From the Internet Options Security Tab Click on “Custom Level” Button 10 NTLM Authentication Step #2: Ensure the “Logon” Option is set on: “Automatic logon only in Intranet zone” 11 NTLM Authentication Step #3: From the Internet Options Security Tab Click on “Sites” Button 12 NTLM Authentication Step #4: From the Local Intranet Window Click on the “Advanced” Button Step #5: Add the WCG Proxy IP Address to the “Websites” List Box NTLM Demo 13 Order of Precedence You can assign a policy to a user, a single workstation IP, a IP range, or a group. Searching in this order, Websense software determines which policy applies to the current request. Websense proceeds through the list until a match is made. Once a match has been determined, the corresponding policy is applied and Websense looks no further. 14 Order of Precedence Only Policies assigned to Groups can be combined to create unique combinations of permissions based on Group Memberships. Effective Policy = Basic + Expanded Effective Policy = Basic 15 Order of Precedence Allows both General and IT Categories and Protocols Allows both General and HR Categories and Protocols 16 Locking down Category and Protocol Filters Recommended Categories to Block/Restrict Web Reputation Potentially Damaging Content, Elevated Exposure and Emerging Exploits * The Extended Protection categories are only available with Websense Web Security Suite v6.3.1 and above. Bandwidth Categories (also known as Bandwidth PG) Internet Radio and TV, Internet Telephony, Peer-to-Peer File Sharing, Personal Network Storage and Backup and Streaming Media Information Technology Proxy Avoidance, URL Translation Sites, Web Hosting, Private IP Addresses, and Uncategorized Society and Lifestyles (Very Diverse and Dynamic Content) Social Networking and Personal Sites 17 Locking down Category and Protocol Filters Recommended Protocols to Block/Restrict Protocols File Transfer Malicious Traffic*, Bot Networks, Email-Borne Worms , Other Malicious , P2P File Sharing , Proxy Avoidance ,Remote Access , Streaming Media ThreatSeeker Example Brittany Murphy's Death SEO Poisoning Date:12.21.2009 Threat Type: Malicious Web Site / Malicious Code Websense Security Labs™ ThreatSeeker™ Network has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe, and at the moment it seems they haven't attracted much attention from AV companies. 18 Bandwidth Optimization Keeping your Bandwidth Under Control The more bytes of unnecessary data are transferred from/to your users' machines, the greater the impact on bandwidth available for other business critical tasks performed by your network. When you create a category or protocol filter, you can easily elect to limit access to a category or protocol based on bandwidth usage. ♦ Block access to categories or protocols based on total network bandwidth usage. ♦ Block access to categories based on total bandwidth usage by HTTP traffic. ♦ Block access to a specific protocol based on bandwidth usage by that protocol. Bandwidth Optimization Demo 19 Real Time Scanning Four different types of real-time scanning: Content Categorization (On or Off) - Leave turned on. Turn off briefly for troubleshooting only. Security Scanning (Dynamic sites, All, or Off) - Recommended is for only dynamic sites as researched by Websense. If you are running significantly below maximum capacity of the V10000 or have a very powerful Content Gateway server, switching to “All” can provide some additional peace of mind. Advanced File Scanning (Dynamic sites, All, or Off) Traditional Anti-Virus (Dynamic sites, All, or Off) - Recommended to leave these also at default – Dynamic sites only. 20 Real Time Scanning 21 Real Time Scanning 22 Real Time Scanning Fine Tune Scanning 23 Working with HTTPS WCG HTTP vs HTTPS 24 Working with HTTPS Content Gateway is fully capable of terminating and doing deep inspection on HTTPS headers and data. This allows you to treat HTTPS traffic just like HTTP. Full real-time scanning available for encrypted connections. Full URLs, not just IP addresses are available in reports. Without HTTPS proxy, URL data is contained inside the encryption layer, and cannot be read. No need to recategorize sites by IP address. Websense Content Gateway can read the URL and categorize appropriately. 25 Working with HTTPS Much better reporting on HTTPS requests. Compare the data returned on what sites were visited in the following two reports. 26 Working with HTTPS Recategorize HTTPS sites by name without having to worry about which IP address(es) they resolve to. Saves you the trouble of having to run nslookup against the hostname, plus there is no concern about the DNS records of the recategorized site changing. Set it and leave it. 27 Working with HTTPS 28 Working with HTTPS 29 Working with HTTPS Tunneling Remote access programs that are designed to be 100% secure between the end user and server. HTTPS connections that contain highly sensitive data exchanged between users and trusted servers (such as financial sites). 30 Working with HTTPS 31 Working with HTTPS Certificates HTTPS inspection at the Content Gateway User’s browser literally exchanges keys with the Content Gateway – not the web site on the internet. Browser trusts the Content Gateway to determine if the site’s certificate is valid. Websense Content Gateway uses a certificate validation engine with updated revocation lists to provide this functionality. 32 Working with HTTPS For initial deployment phase, it is recommended to leave the Certificate Validation Engine disabled. Managing incidents takes time and generally is not technically problematic. Phase two deployment should include validation, with the option for users to bypass the certificate failure warnings. For maximum security, the validation should be required. 33 Certificate Validation Engine settings 34 Certificate Warning – Internet Explorer This is direct to Internet. 35 Certificate Warning – Firefox This is direct to Internet. 36 Certificate not valid – Content Gateway This is the equivalent of IE and Firefox warnings, but will be returned by Content Gateway. 37 Manage Incidents 38 Leveraging Reporting and Alerts to Observe Trends Alerts, Investigative and Presentation Reports are invaluable tools to monitor: Productivity Bandwidth Usage Risk Useful Webinar Resources: ♦ Leveraging Websense Explorer to Optimize Internet Use and Minimize Security Threats http://kb.websense.com/article.aspx?article=3357&p=12 ♦ Maximizing Your Return Using Investigative & Presentation Reports v7 http://kb.websense.com/article.aspx?article=4037&p=12 39 Leveraging Reporting and Alerts to Observe Trends Alerts and Reporting Demo How to Track Productivity Loss, Legal Liability, Security Risk and Bandwidth Loss How to identify the main potential risks defined as Risk Classes Forensic Reporting Optimizing Policies based on Report Output Setting Up Alerts 40 Support Online Resources Knowledge Base – Search or browse the knowledge base for documentation, downloads, top knowledge base articles, and solutions specific to your product. Support Forums – Share questions, offer solutions and suggestions with experienced Websense Customers regarding product Best Practices, Deployment, Installation, Configuration, and other product topics. Tech Alerts – Subscribe to receive product specific alerts that automatically notify you anytime Websense issues new releases, critical hot-fixes, or other technical information. • ask.websense.com – Create and manage support service requests using our online portal. Customer Training Options To find Websense classes offered by Authorized Training Partners in your area, visit: http://www.websense.com/findaclass Websense Training Partners also offer classes online and onsite at your location. For more information, please send email to: readiness@websense.com Webinar Announcement Title: Websense Content Gateway HTTPS Configuration Date: February 17, 2010 Webinar Update Time: 8:30 AM PST (GMT -8) How to register: http://www.websense.com/content/ SupportWebinars.aspx 43 Questions? 44
Similar documents
Websense Public Template 2012 4x3
a Web site does not load as expected • Web sites that have difficulty transiting Content Gateway • How to run a packet capture on Websense Content Gateway • SSL Manager Certificate Verification Eng...
More information