web security | data security | email security © 2009 Websense, Inc. All rights reserved.
Controlling Risk, Conserving Bandwidth, and
Monitoring Productivity with Websense Web Security
and Websense Content Gateway
Websense Support Webinar – January 2010
Webinar Presenter
Juan R. Sanchez
Title: Tech Support Specialist
– Over 3 years supporting Websense products
– 7 Years IT industry experience
– Websense Certified Software Engineer (WCSE)
– MCSA
– CCNA (In Progress)
– B.S. in Computer Sciences (National University)
Goals and Objectives
Overview of Websense Web Security Requirements
Transparent Authentication (NTLM Demo)
Order of Precedence
Locking down Category and Protocol Filters
Bandwidth Optimization
Real Time Scanning / Categorization
Working with HTTPS (Certificates)
Leveraging Reporting to Observe Trends
Alerts to Monitor Behavior
Setup Overview
Websense Content Gateway is a high-performance web proxy with caching.
Integrates tightly with Websense Web Security components to provide maximum security, performance, and productivity management.
Websense Overview
Installation & Setup Overview
The integration mode must be Websense Content Gateway.
A Port Mirror/SPAN must be configured at the top level switch.
Directory Services Integration (Active Directory or eDirectory) to leverage user and/or group filtering.
NTLM Authentication or Transparent ID Agent (DC Agent, eDirectory Agent, Logon Agent, or Radius Agent) must be configured to associate users to IPs for Filtering.
Websense Content Gateway / V10000 Specific Webinars:
Installing and Configuring Websense Content Gateway
http://kb.websense.com/article.aspx?article=4783&p=12
Common Configuration Methods for the Websense Content Gateway
http://kb.websense.com/article.aspx?article=4868&p=12
Configuration & Best Practices for Websense V10000
http://kb.websense.com/article.aspx?article=4892&p=12
Ports
Ports used for Websense Content Gateway
– 21 TCP (Transparent FTP proxy)
– 22 TCP (SSH)
– 53 or 5353 UDP (DNS requests)
– 80 TCP (Transparent HTTP proxy)
– 443 TCP (Transparent HTTPS proxy)
– 2048 UDP (WCCP)
– 2121 TCP (Explicit FTP proxy)
– 8070 TCP (Explicit HTTPS proxy)
– 8071 and 8081 TCP (Proxy management interface)
– 8080 TCP (Explicit HTTP proxy)
– 8082 – 8090, 3031 TCP (Required only if clustering proxies)
– 40000, 55806, 55880, 55905 TCP (Local Websense Policy Server)
– 55807, 15868 TCP (Local Websense Filtering Service)
– 65535 TCP (Remote Websense Policy Server or Filtering Service)
WCCP Sample Network Diagram
Web traffic passes actively through Websense Content Gateway
Other protocols are sniffed passively by Network Agent.
Transparent Identification with WCG
Three basic ways to identify users
Transparent ID agent such as DC Agent or Logon Agent detects users as they log onto the network.
Manual Authentication prompts for credentials when the user makes their first request to the internet.
NTLM challenge-based authentication. This can only be done with a proxy server that is in the data path and designed to integrate with Active Directory.
Note: NTLM is transparent to user when on Domain and properly configured.
Related Webinars:
User Identification Technologies within Websense Web Security v7.x
http://kb.websense.com/article.aspx?article=4719&p=12
NTLM Authentication
Advantages
Transparently identifies user at time of request (As opposed to being identified at logon)
If transparent ID fails, manual prompt is built-in. This is commonly encountered if the user is not currently logged into the domain.
Disadvantages
Can be sensitive to browser settings in regards to transparent authentication.
Occasionally may cause extra pop-up warnings requiring additional browser configuration.
NTLM Authentication
A Common Solution to getting rid of the additional NTLM Authentication prompt is to set the proxy’s IP address to “Local Intranet” zone, and confirm zone setting allows Automatic Logon.
Step #1: From the Internet Options Security tab, click the “Custom Level” button.
NTLM Authentication
Step #2: Ensure the “Logon” option is set to “Automatic logon only in Intranet zone”.
NTLM Authentication
Step #4: From the Local Intranet window, click the “Advanced” button.
Step #5: Add the WCG proxy IP address to the “Websites” list box.
NTLM Demo
Order of Precedence
You can assign a policy to a user, a single workstation IP, an IP range, or a group. Searching in this order, Websense software determines which policy applies to the current request. Websense proceeds through the list until a match is made. Once a match has been determined, the corresponding policy is applied and Websense looks no further.
Order of Precedence
Only Policies assigned to Groups can be combined to create unique combinations of permissions based on Group Memberships.
Effective Policy = Basic + Expanded
Effective Policy = Basic
Order of Precedence
Allows both General and IT Categories and Protocols
Allows both General and HR Categories and Protocols
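The lookup order above, as an added example that is not from the slides or the Websense product: a simplified Python model that searches user, single-IP, IP-range and group assignments in precedence order, stops at the first match, and merges only group policies into one effective policy. The usernames, addresses, policy names and categories are constructed.

```python
# Added example, not Websense code: a simplified model of the slides' order of
# precedence. Lookup order is user, single IP, IP range, then group; the first
# match wins, and only group policies are combined into one effective policy.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    name: str
    allowed: frozenset  # categories this policy permits

def combine(policies):
    """Union of several group policies (the 'Basic + Expanded' case)."""
    allowed = frozenset().union(*(p.allowed for p in policies))
    return Policy(" + ".join(p.name for p in policies), allowed)

@dataclass
class PolicyStore:
    users: dict = field(default_factory=dict)   # username -> Policy
    hosts: dict = field(default_factory=dict)   # single workstation IP -> Policy
    ranges: list = field(default_factory=list)  # (ip_network, Policy) pairs
    groups: dict = field(default_factory=dict)  # group name -> Policy
    default: Policy = Policy("Default", frozenset())

    def resolve(self, user, ip, memberships):
        """Return the policy for a request; stop at the first match."""
        if user in self.users:                      # 1. user
            return self.users[user]
        if ip in self.hosts:                        # 2. single workstation IP
            return self.hosts[ip]
        addr = ip_address(ip)
        for net, policy in self.ranges:             # 3. IP range
            if addr in net:
                return policy
        matched = [self.groups[g] for g in memberships if g in self.groups]
        if matched:                                 # 4. groups, combined
            return combine(matched)
        return self.default

# Constructed sample data using the group and policy names from the slides.
STORE = PolicyStore(
    users={"jsanchez": Policy("IT Admin", frozenset({"General", "Information Technology"}))},
    hosts={"10.0.0.5": Policy("Kiosk", frozenset({"General"}))},
    ranges=[(ip_network("10.0.1.0/24"), Policy("Lab", frozenset({"Information Technology"})))],
    groups={"General": Policy("Basic", frozenset({"General"})),
            "IT": Policy("Expanded", frozenset({"Information Technology"})),
            "HR": Policy("HR", frozenset({"Job Search"}))},
)
```

A request from a user with a direct assignment never reaches the group step, which is why a user- or IP-level policy can silently override the combined group permissions an administrator expects to apply.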
Locking down Category and Protocol Filters
Recommended Categories to Block/Restrict
Web Reputation
Potentially Damaging Content, Elevated Exposure and Emerging Exploits
* The Extended Protection categories are only available with Websense Web Security Suite v6.3.1 and above.
Bandwidth Categories (also known as Bandwidth PG)
Internet Radio and TV, Internet Telephony, Peer-to-Peer File Sharing, Personal Network Storage and Backup, and Streaming Media
Information Technology
Proxy Avoidance, URL Translation Sites, Web Hosting, Private IP Addresses, and Uncategorized
Society and Lifestyles (Very Diverse and Dynamic Content)
Social Networking and Personal Sites
Locking down Category and Protocol Filters
Recommended Protocols to Block/Restrict
Protocols
File Transfer, Malicious Traffic*, Bot Networks, Email-Borne Worms, Other Malicious, P2P File Sharing, Proxy Avoidance, Remote Access, Streaming Media
ThreatSeeker Example: Brittany Murphy's Death SEO Poisoning
Date: 12.21.2009
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ ThreatSeeker™ Network has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe, and at the moment it seems they haven't attracted much attention from AV companies.
Bandwidth Optimization
Keeping your Bandwidth Under Control
The more bytes of unnecessary data are transferred to and from your users' machines, the greater the impact on the bandwidth available for other business-critical tasks on your network.
When you create a category or protocol filter, you can easily elect to limit access to a category or protocol based on bandwidth usage.
♦ Block access to categories or protocols based on total network bandwidth usage.
♦ Block access to categories based on total bandwidth usage by HTTP traffic.
♦ Block access to a specific protocol based on bandwidth usage by that protocol.
Bandwidth Optimization Demo
Real Time Scanning
Four different types of real-time scanning:
Content Categorization (On or Off)
- Leave turned on. Turn off briefly for troubleshooting only.
Security Scanning (Dynamic sites, All, or Off)
- Recommended is for only dynamic sites as researched by Websense. If you are running significantly below maximum capacity of the V10000 or have a very powerful Content Gateway server, switching to “All” can provide some additional peace of mind.
Advanced File Scanning (Dynamic sites, All, or Off)
Traditional Anti-Virus (Dynamic sites, All, or Off)
- Recommended to leave these also at default – Dynamic sites only.
Working with HTTPS
Content Gateway is fully capable of terminating and doing deep inspection on HTTPS headers and data.
This allows you to treat HTTPS traffic just like HTTP.
Full real-time scanning available for encrypted connections.
Full URLs, not just IP addresses are available in reports. Without HTTPS proxy, URL data is contained inside the encryption layer, and cannot be read.
No need to recategorize sites by IP address. Websense Content Gateway can read the URL and categorize appropriately.
Working with HTTPS
Much better reporting on HTTPS requests.
Compare the data returned on what sites were visited in the following two reports.
Working with HTTPS
Recategorize HTTPS sites by name without having to worry about which IP address(es) they resolve to.
Saves you the trouble of having to run nslookup against the hostname, plus there is no concern about the DNS records of the recategorized site changing.
Set it and leave it.
Working with HTTPS
Tunneling
Remote access programs that are designed to be 100% secure between the end user and server.
HTTPS connections that contain highly sensitive data exchanged between users and trusted servers (such as financial sites).
Working with HTTPS
Certificates
HTTPS inspection at the Content Gateway
User’s browser literally exchanges keys with the Content Gateway – not the web site on the internet.
Browser trusts the Content Gateway to determine if the site’s certificate is valid.
Websense Content Gateway uses a certificate validation engine with updated revocation lists to provide this functionality.
Working with HTTPS
For initial deployment phase, it is recommended to leave the Certificate Validation Engine disabled.
Handling the resulting certificate incidents takes time, although it is generally not technically difficult.
Phase two deployment should include validation, with the option for users to bypass the certificate failure warnings.
For maximum security, the validation should be required.
Certificate not valid – Content Gateway
This is the equivalent of the IE and Firefox warnings, but it will be returned by Content Gateway.
Leveraging Reporting and Alerts to Observe Trends
Alerts, Investigative and Presentation Reports are invaluable tools to monitor:
– Productivity
– Bandwidth Usage
– Risk
Useful Webinar Resources:
♦ Leveraging Websense Explorer to Optimize Internet Use and Minimize Security Threats
http://kb.websense.com/article.aspx?article=3357&p=12
♦ Maximizing Your Return Using Investigative & Presentation Reports v7
http://kb.websense.com/article.aspx?article=4037&p=12
Leveraging Reporting and Alerts to Observe Trends
Alerts and Reporting Demo
How to Track Productivity Loss, Legal Liability, Security Risk and Bandwidth Loss
How to identify the main potential risks defined as Risk Classes
Forensic Reporting
Optimizing Policies based on Report Output
Setting Up Alerts
Support Online Resources
Knowledge Base
– Search or browse the knowledge base for documentation, downloads, top knowledge base articles, and solutions specific to your product.
Support Forums
– Share questions, offer solutions and suggestions with experienced Websense Customers regarding product Best Practices, Deployment, Installation, Configuration, and other product topics.
Tech Alerts
– Subscribe to receive product specific alerts that automatically notify you anytime Websense issues new releases, critical hot-fixes, or other technical information.
• ask.websense.com
– Create and manage support service requests using our online portal.
Customer Training Options
To find Websense classes offered by Authorized Training Partners in your area, visit: http://www.websense.com/findaclass
Websense Training Partners also offer classes online and onsite at your location.
For more information, please send email to:
Webinar Announcement
Title: Websense Content Gateway HTTPS Configuration
Date: February 17, 2010
Time: 8:30 AM PST (GMT -8)
How to register:
http://www.websense.com/content/SupportWebinars.aspx
Webinar Update