Websense Web Filter to Blue Coat WebFilter Migration Guide
October 2011

Table of Contents
URL Category Map: Websense Web Filter to Blue Coat WebFilter
Migration Example
Example Policy to Block Executables from Certain Domains
Blue Coat's Recommended Web Security Policies

This document is designed to assist you in migrating your environment from using Websense Web Filter categories on Blue Coat ProxySG to using Blue Coat WebFilter's categories. The first part of the document contains category mappings to assist you in selecting which Blue Coat mapping to use; in many cases there is a one-to-one match. The second part of the document contains an example of how to migrate from Websense Web Filter categories to Blue Coat WebFilter in our policy engine. During the migration, ProxySG will allow you to run both Websense Web Filter and Blue Coat WebFilter, so your web filtering service will not be interrupted during the process. The Recommended Web Security Policies contained in the last part of this guide are suggestions only. When in doubt, we recommend taking a conservative approach.

With your migration to Blue Coat WebFilter, you are backed by Blue Coat's WebPulse cloud service. This is important because of the dynamic and changing cybercrime landscape. Malware is constantly evolving, so you need a dynamic security strategy that can keep up with the latest Web-based threats.
To help protect your Web gateway from sophisticated malware attacks, the WebPulse cloud service leverages real-time URL ratings from a growing community of 70 million users, supports more than 50 languages, integrates multiple threat detection engines and provides more than six billion real-time Web content ratings per day. As soon as Blue Coat WebFilter is enabled, the latest security protection is applied automatically, protecting your network with no software downloads required.

URL Category Map: Websense Web Filter to Blue Coat WebFilter

To start the migration, first review the categories that are being used for policy with the Websense Web Filter categories and map them to the corresponding Blue Coat WebFilter categories.

The Websense Master Database is organized into more than 90 URL categories. Websense uses parent categories, some of which are containers of subcategories. You can find the complete listing and definitions of the categories at this link: http://www.websense.com/content/URLCategories.aspx

Blue Coat WebFilter is organized into more than 80 URL categories and can rate a URL under as many as 4 different categories. For example, www.disney.com is categorized as "For Kids" and "Entertainment". You can find the complete listing and definitions of the categories at this link: http://sitereview.cwfservice.net/catdesc.jsp

Blue Coat WebFilter also offers a service called Site Review. The purpose of Site Review is to allow Blue Coat customers to check the current database categorization of WebFilter URLs and report sites that they believe are incorrectly categorized: http://sitereview.bluecoat.com/sitereview.jsp

Several Websense Web Filter categories map to more than one Blue Coat category. The table below is meant to help you with this mapping exercise. Websense parent categories are shown with their subcategories listed beneath them.
Category map (Websense category -> corresponding Blue Coat category). Notable differences and migration recommendations follow the row they apply to.

Abortion -> Abortion
  Note: Unlike Websense, Blue Coat doesn't distinguish between pro-life, pro-choice, or neutral. All sites discussing abortion (pro or con) are categorized as Abortion in Blue Coat's filter.
  Recommendation: If a user wants to block certain abortion sites but not others, block the Abortion category and allow exceptions for sites that shouldn't be blocked through an allow list.
  - Pro-Choice -> Abortion
  - Pro-Life -> Abortion

Adult Material -> Adult/Mature Content
  - Adult Content -> Pornography
    Note: Websense defines this as sites that display full or partial nudity in a sexual context. Blue Coat defines such sites as Pornography.
    Recommendation: If a user wants full or partial nudity depicted in a sexual context blocked, use the Blue Coat Pornography category.
  - Lingerie and Swimsuit -> Intimate Apparel/Swimsuit
    Note: Websense places semi-nudity into its Lingerie and Swimsuit category; Blue Coat places these into the Nudity category. Otherwise, the categories are similar.
    Recommendation: If a user wants semi-nudity blocked but lingerie and swimwear allowed, block the Nudity category but not the Intimate Apparel/Swimsuit category.
  - Nudity -> Nudity
  - Sex -> Pornography, Child Pornography
    Note: Websense's definition: sites that depict or graphically describe sexual acts or activity, including exhibitionism; also sites offering direct links to such sites. Blue Coat categorizes such sites into the Pornography category.
    Recommendation: Websense customers that block the Sex category should block the Blue Coat Pornography category.
  - Sex Education -> Sex Education

Advocacy Groups -> Political/Activist Groups
  Note: Websense's definition: sites that promote change or reform in public policy, public opinion, social practice, economic activities and relationships. Blue Coat's category is similar but includes political groups or movements.
  Recommendation: If blocking the Political/Activist Groups category, a customer can allow exceptions for certain Web sites.

Bandwidth
  Note: Blue Coat differentiates between audio and video categories.
  - Educational Video -> Audio/Video Clips
  - Entertainment Video -> Audio/Video Clips
  - Internet Radio and TV -> Radio/Audio Stream, TV/Video Stream
  - Internet Telephony -> Internet Telephony
  - Peer-to-Peer File Sharing -> Peer to Peer
  - Personal Network Storage and Backup -> Online Storage
  - Streaming Media -> Radio/Audio Stream, TV/Video Stream, Audio/Video Clips
  - Surveillance -> TV/Video Stream
  - Viral Video -> Audio/Video Clips

Business and Economy -> Business/Economy
  - Financial Data and Services -> Financial Services, Brokerage/Trading
    Note: Websense's definition: sites that offer news and quotations on stocks, bonds and other investment vehicles, and investment advice, but not online trading; includes banks, credit unions, credit cards, and insurance. Blue Coat categorizes sites that offer news and quotations on stocks, bonds and other investment vehicles, investment advice, insurance, and online trading into Brokerage/Trading; banks, credit unions, and credit cards are classified as Financial Services.
    Recommendation: Use Blue Coat's Financial Services category for banks, credit unions, and credit cards. Use Blue Coat's Brokerage/Trading category for insurance, online trading, stocks, bonds, investments, and investment advice.
  - Hosted Business Applications -> Web Applications

Drugs -> see notes
  Note: Illegal drugs fall under the Illegal Drugs category. Prescription drugs fall under the Health category. Websense has a separate category for marijuana; Blue Coat places marijuana in the Illegal Drugs category.
  Recommendation: Use the Blue Coat Health category for legal prescription and over-the-counter medications and nutrition supplements. Use the Blue Coat Illegal Drugs category for abused drugs, marijuana, and questionable substances.
  - Abused Drugs -> Illegal Drugs
  - Marijuana -> Illegal Drugs
  - Prescribed Medications -> Health
  - Supplements and Unregulated Compounds -> Health

Education -> Education
  - Cultural Institutions -> Art/Culture
  - Educational Institutions -> Education
  - Educational Materials -> Education
  - Reference Materials -> Reference

Entertainment -> Entertainment
  - MP3 and Audio Download Services -> Audio/Video Clips
    Note: Blue Coat's Audio/Video Clips category includes sites that provide streams or downloads of audio or video clips, typically 15 minutes or less in length. This also includes sites that provide downloaders and players for audio and video clips.

Extended Protection
  - Dynamic DNS -> Dynamic DNS Host
  - Elevated Exposure -> Suspicious
  - Emerging Exploits -> Hacking
  - Potentially Damaging Content -> Placeholders

Gambling -> Gambling

Games -> Games

Government -> Government/Legal
  Note: Websense's category does not include lawyers, adoption, legal services, and legal reference; Blue Coat's does.
  - Military -> Military
  - Political Organizations -> Political/Activist Groups

Health -> Health
  Note: Websense's Health category does not include prescription drugs; Blue Coat's does.
  Recommendation: If a user wants to allow health sites but block prescription drug sites, they can add prescription drug sites to a block list, or block the Health category and allow exceptions.

Illegal or Questionable -> Scam/Questionable/Illegal
  Note: Blue Coat's category includes educational cheating or related questionable activities. Websense does not make this distinction in its category definition.

Information Technology -> Computers/Internet
  - Computer Security -> Computers/Internet
  - Hacking -> Hacking
  - Proxy Avoidance -> Proxy Avoidance
  - Search Engines/Portals -> Search Engines/Portals
  - URL Translation Sites -> Translation
  - Web and Email Spam -> Spam, Suspicious
    Recommendation: Customers blocking Spam may also want to consider blocking Suspicious.
  - Web Collaboration -> Online Meetings
  - Web Hosting -> Web Hosting
  (WBSN: sites likely to contain little or no useful content.)

Internet Communication -> see notes
  Note: Websense's Internet Communication category is a parent category of Web Chat and Web-based email.
  - General Email -> Email
  - Organizational Email -> Email
  - Text and Media Messaging -> Chat/IM
  - Web Chat -> Chat/IM
    Note: Blue Coat's Chat/IM category includes instant messaging sites and sites that support the download of chat and instant messaging clients.

Job Search -> Job Search/Careers

Militancy and Extremist -> Violence/Hate/Racism
  Note: Websense defines the Militancy and Extremist category as sites that provide information about, promote, or are sponsored by groups advocating antigovernment beliefs or action. Blue Coat categorizes such sites as Violence/Hate/Racism.
  Recommendation: Users that want to block militant and extremist sites should use the Blue Coat Violence/Hate/Racism category.

Miscellaneous -> see subcategories
  - Content Delivery Networks -> Content Servers
  - Dynamic Content -> Web Advertisements
    Note: Websense's Dynamic Content definition is included in Blue Coat's Web Advertisements definition.
  - File Download Servers -> Software Downloads
  - Image Servers -> Media Sharing
    Note: Websense defines its Image Servers category as Web servers whose primary function is to deliver images. Blue Coat categorizes such sites in the Media Sharing category.
  - Images (Media) -> not applicable
    Note: Websense describes this category as sites ending with image filenames. Blue Coat currently does not have an equivalent category, but such categorization is not necessary under Blue Coat's system, since images are categorized based upon the type of image they are.
  - Network Errors -> Unrated
    Note: Websense describes this category as sites with hosts that do not resolve to IP addresses.
    Recommendation: Network errors do not need filtering. This is for proxy reporting and is handled through Blue Coat Reporter.
  - Private IP Addresses -> Unrated
    Recommendation: Private IP addresses do not need filtering. This is for proxy reporting.
  - Uncategorized -> Unrated
    Recommendation: Users should not block the Unrated category, but can make exceptions as needed.

News and Media -> News/Media
  - Alternative Journals -> Society/Daily Living, Art/Culture
    Note: Websense defines this category as the online equivalent of supermarket tabloids and other fringe publications. Blue Coat typically categorizes these types of publications as Society/Daily Living or Art/Culture unless there is adult content or nudity involved.
    Recommendation: Websense customers familiar with the Alternative Journals category should use the Blue Coat Society/Daily Living and Art/Culture categories. Users can make allowance and blocking exceptions as needed.

Parked Domain -> Placeholders

Productivity
  - Advertisements -> Web Advertisements
  - Freeware and Software Download -> Software Downloads
  - Instant Messaging -> Chat/IM
  - Message Boards and Forums -> Newsgroups/Forums
  - Online Brokerage and Trading -> Brokerage/Trading
  - Pay-to-Surf -> Pay to Surf

Racism and Hate -> Violence/Hate/Racism

Religion -> Religion
  - Non-Traditional Religions and Occult and Folklore -> Alternative Spirituality/Belief
  - Traditional Religions -> Religion

Security
  Note: Blue Coat differentiates between malware sources and outbound data (call-home traffic).
  - Bot Networks -> Malicious Sources
  - Keyloggers -> Malicious Sources, Hacking
  - Malicious Embedded iFrame -> Malicious Sources
  - Malicious Embedded Link -> Malicious Sources
  - Malicious Web Sites -> Malicious Sources
  - Phishing and Other Frauds -> Phishing
  - Potentially Unwanted Software -> Potentially Unwanted Software
  - Spyware -> Malicious Sources, Malicious Outbound Data/Botnets
  - Suspicious Embedded Link -> Suspicious

Shopping -> Shopping
  - Internet Auctions -> Auctions
  - Real Estate -> Real Estate

Social Organizations -> Charitable Organizations
  - Professional or Worker Organizations -> Political/Activist Groups, Business/Economy
    Note: Websense's Professional or Worker Organizations and Blue Coat's Political/Activist Groups categories are similar. Blue Coat would also categorize such sites as Business/Economy.
  - Service and Philanthropic Organizations -> Charitable Organizations
  - Social and Affiliation Organizations -> Charitable Organizations, Society/Daily Living

Society and Lifestyles -> Society/Daily Living
  - Alcohol and Tobacco -> Alcohol, Tobacco
    Note: Blue Coat differentiates between Alcohol and Tobacco.
  - Blogs and Personal Sites -> Blogs/Personal Pages
  - Gay or Lesbian or Bisexual Interest -> LGBT
  - Hobbies -> Sports/Recreation
  - Personals and Dating -> Personals/Dating
  - Restaurants and Dining -> Restaurants/Dining/Food
  - Social Networking -> Social Networking

Special Events -> see notes
  Note: Websense defines this category as sites devoted to a current event that requires a separate categorization. Blue Coat would categorize these based on the type of event, i.e. a sporting event would be classified as Sports/Recreation, a concert as Entertainment, and a religious conference as Religion.

Sports -> Sports/Recreation
  - Sport Hunting and Gun Clubs -> Sports/Recreation

Tasteless -> Adult/Mature Content

Travel -> Travel

User-Defined -> see notes
  Recommendation: Users can add sites to allowed and blocked lists as needed. Blue Coat ProxySG also allows users to define their own categories.

Vehicles -> Vehicles

Violence -> Violence/Hate/Racism

Weapons -> Weapons

Websense Social Web Control categories: Facebook, LinkedIn, Twitter, YouTube, Craigslist and WordPress. Categories and operations: http://www.websense.com/content/support/library/shared/sec_labs/social_web11/social_web.pdf
Blue Coat Web Application Policy Engine, 80+ applications: http://www.bluecoat.com/security/web-application-controls

Note: Websense does not have equivalent categories for the following:
Informational: a modifier category only; it can be used to select out informational sites from broader categories.
For example, sites that provide information about gambling would be categorized as both Gambling and Informational.

Migration Example

1. Download the BCWF database: enter your username and password, click Download now, then click View Download Status.
2. Take a coffee or tea break (approximately 20 minutes), then check the download status. It should be done by now.
3. Check the box to enable BCWF.
4. Launch the Visual Policy Manager.
5. Go through each layer and check the Destination field for Request URL Category objects, and for any Combined Destination objects, as they may contain Category objects. The original guide shows a screenshot of an example policy here, containing a rule named AlwaysDeny.
6. For the above example you would right-click AlwaysDeny and choose Edit.
7. Expand Blue Coat to see the available categories. The categories currently enforced for this rule are shown on the right. Use the category mapping chart in this document to identify the third-party category (as seen on the right) and check the box under Blue Coat for the corresponding BCWF category.
8. Do this for each category in the Request URL Category object, and for every rule where Category objects are used; you only have to check the Destination field.
9. Install the policy when done. You should now be running BCWF and a third-party database concurrently. Test the policy to make sure it works as expected. When you are comfortable with the BCWF categories, go back into the Visual Policy Manager and remove the check boxes for all the third-party categories. If you want to cut over immediately, simply uncheck the third-party categories once you have added all the corresponding BCWF categories.
10. Finally, disable the third-party content filtering database by selecting None.

Example Policy to Block Executables from Certain Domains (see Recommendation #1 below)

1. In VPM, create a new Web Access Layer rule and place it above the Allow rule.
2. Right-click Destination in rule #3 and choose Set > New > Combined Destination Object. On the lower left, select New > Request URL Category and add the categories listed under Recommendation #1 below (shown in a screenshot in the original guide).
3. Click OK. On the lower left, select New > Apparent Data Type, select DOS/Windows Executable and click OK.
4. Click BlockExecutableCategories (the Request URL Category object from step 2) and click the top Add. Click Executables (the Apparent Data Type object from step 3) and click the bottom Add.
5. Click OK, then OK again. Install the policy.

Blue Coat's Recommended Web Security Policies

Recommendation #1 (see instructions above): Use policy to block executable content from these categories. This is a blended rule: you pick the category, and the action is to block executables.
1. None: In rare cases there may be URLs that have not been rated in the WebPulse ecosystem. If this is the case, it is important to block executables as a precaution in case the content is malware.
2. Adult: Many malware vectors begin with search engines, and many searches for adult-themed material return links to malware.
3. Open/Mixed Content: Many malware sites use open content servers to host parts of their site, and occasionally their payloads. Legitimate business sites generally don't use these hosts. There are some consumer sites like www.youtube.com that use open content servers, so don't block the category outright; just block executables.
4. Online Storage: As with Open Content above, many malware sites use Online Storage servers to host parts of their site, which frequently includes payloads.
However, many popular (or at least widely used) sites fall into this category, e.g. file sharing sites like megaupload.com and rapidshare.com, and many photo-upload sites.
5. Web Advertisements: There has been a major increase in "malvertising", where major ad networks (including even "name brands" like doubleclick and yieldmanager) get duped into serving malicious ads from affiliate networks.
6. Non-viewable: Similar in threat profile to Web Advertisements. Sites in this category tend to be tracker/analytics-type services, typically serving such "non-viewable" content or small chunks of JavaScript whose intent is to track users' visits to sites.
7. Web Hosting: A lot of malware is distributed via subdomains created on free or low-cost Web Hosting domains.
8. Software Downloads: Depending on the size of your organization and the autonomy of your users, you may want to use an allow-list approach for domains in this category and block the rest. This is a great vector for a malware author to target, since the victims are actively looking for software to install, which makes this a risky area. If you block executables, you have a chance to vet what your users are trying to download and decide whether it is safe.
9. Content Servers: Unlike sites in the Open Content category, these sites are run by larger, reputable companies and are typically used to store and serve images and videos, not executables.

Recommendation #2: We strongly recommend blocking the following categories, as our Web security labs have found that certain types of Web traffic have a high potential risk of containing some type of malware content.
1. Phishing, Malicious Sources, Malicious Outbound Data/Botnets
2. Pornography, Extreme: There are a lot of sites that include malware content masquerading as pornography.
3. Hacking: Most of the remaining one-third of masqueraded content is Hacking-related ("warez").
4. Gambling: There are a large number of online casino sites that attempt to persuade you to load a malware client on your computer.
5. Suspicious: There is a large spectrum of sites that fall into this category. Many, if not most, of these are part of malware or spam networks.
6. Placeholder: These are generally "undead" domains, no longer truly alive, that have become "search engine zombies", many with ties to malware networks' search engine optimization schemes.
7. Potentially Unwanted Software: This category includes adware-/spyware-related and other "borderline" malware.
8. Scam/Questionable/Illegal: Many scammers, whose sites are flagged as Questionable, are also involved in malware-related activities.
9. Proxy Avoidance: If not blocked, any of the above may be reached.
10. Dynamic DNS Host: This category identifies sites that do Dynamic DNS "hosting" or "aliasing". These sites have been used as "phone home" data sites in many high-profile targeted attacks. Customers should consider blocking all content from Dynamic DNS sites, not just executables.

Recommendation #3: Include as much information as possible in the requests to WebPulse™.
1. The SG gives you the option of sending malware information; please use it. If you're running with a ProxyAV and it finds malware in a download, the SG can let WebPulse know about it. This helps keep the whole Blue Coat WebFilter community safer.
2. The SG gives you the option of sending the full URL; please use it. To get the maximum anti-malware protection from WebPulse, it needs to have the full path and query string available to it.

Recommendation #4: Use Reporter to look for evidence of botnet activity on your network.
1. In addition to the "usual suspects" (Spyware/Malware Source, Spyware/Malware Effects, Suspicious, and Phishing), consider the categories named above as being worth an extra look.
2. Review the amount of "Unrated/None" traffic as an infection indicator: a normal SG customer sees around 90-95% of their traffic rated on ProxySG, so only about 5-10% of their traffic goes to WebPulse™ for a rating. If you see a lot of unrated traffic coming from one computer on the network, it may be an infected machine trying to "phone home" to a brand-new malware command-and-control domain.

Recommendation #5: Many bots attempt to be stealthy by using port 443 for their "phone home" communications to their Command and Control (C&C) servers. There are two steps you can take in your policy to block this sort of traffic:
1. Ensure that SSL connections use valid certificates. We recommend blocking SSL that isn't using a valid certificate backed by a legitimate authority, and we also recommend that you consider blocking SSL traffic to sites using self-signed certificates. Any false positives in this traffic would need to be whitelisted.
2. We recommend blocking all non-SSL traffic that attempts to use port 443. Many botnets use custom encryption for their traffic, and this will stop them in their tracks. However, many legitimate apps also use custom encryption over port 443, so this will generate some false positives, which must be investigated and whitelisted.
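Recommendation #1 above pairs a category match with the Apparent Data Type object, so that only executables coming from the risky categories are blocked. The following Python is an added example, not Blue Coat's or the ProxySG's code: a magic-byte classifier stands in for the Apparent Data Type object, the category labels are the ones named in Recommendation #1 ("None" being the guide's label for unrated URLs), and the sample response bodies, including the stand-in PE header, are constructed inside the script.

```python
"""Blended "block executables from risky categories" rule (Recommendation #1).

Added example, not Blue Coat code. The category labels follow the guide; the
magic-byte classifier, the decision function and the sample payloads are
constructed for illustration and stand in for the VPM "Apparent Data Type"
object, which likewise looks at content rather than the declared type.
"""
import struct

# Categories named in Recommendation #1 ("None" is the guide's label for unrated URLs).
EXECUTABLE_BLOCK_CATEGORIES = frozenset({
    "None", "Adult", "Open/Mixed Content", "Online Storage", "Web Advertisements",
    "Non-viewable", "Web Hosting", "Software Downloads", "Content Servers",
})
EXECUTABLE_TYPES = frozenset({"windows_pe_executable", "dos_executable"})


def apparent_data_type(body):
    """Classify a response body by its leading bytes, ignoring headers and extension."""
    if body[:2] == b"MZ":
        # MZ header; a PE image stores the offset of the "PE\0\0" signature at 0x3C.
        if len(body) >= 0x40:
            e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
            if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "windows_pe_executable"
        return "dos_executable"
    if body[:4] == b"\x7fELF":
        return "elf_executable"
    if body[:4] == b"PK\x03\x04":
        return "zip_archive"
    if body[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


def evaluate_response(categories, declared_content_type, body):
    """Return ("DENY" | "ALLOW", reason) for one response.

    Deny only when the URL is in a Recommendation #1 category AND the body is a
    DOS/Windows executable. A misleading Content-Type header does not help the
    payload, and non-executable content from those categories is left alone.
    """
    kind = apparent_data_type(body)
    risky = sorted(set(categories) & EXECUTABLE_BLOCK_CATEGORIES)
    if risky and kind in EXECUTABLE_TYPES:
        return "DENY", f"{kind} from {', '.join(risky)} (declared {declared_content_type})"
    return "ALLOW", f"{kind} from {', '.join(sorted(categories)) or 'no category'}"


def build_fake_pe():
    """Constructed 88-byte stand-in for a PE file: MZ header, e_lfanew -> PE signature."""
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points just past the header
    return bytes(header) + b"PE\x00\x00" + bytes(20)


if __name__ == "__main__":
    # Constructed sample responses: (categories, declared type, body).
    samples = [
        (["Web Advertisements"], "image/gif", build_fake_pe()),  # exe labelled as an image
        (["Software Downloads"], "application/zip", b"PK\x03\x04" + bytes(30)),
        (["Business/Economy"], "application/octet-stream", build_fake_pe()),
        (["None"], "text/plain", build_fake_pe()),  # unrated URL
    ]
    for cats, ctype, body in samples:
        action, reason = evaluate_response(cats, ctype, body)
        print(f"{action:5} {reason}")
```

The first sample is the case the recommendation is aimed at: an executable served from a Web Advertisements host under an image/gif Content-Type is still denied, because the decision looks at the bytes and not the header. The zip from Software Downloads and the executable from a category outside the list are allowed here and left to the rest of the policy, which is what keeps this rule from blocking whole categories outright.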
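Recommendation #4, item 2, treats the share of "Unrated/None" traffic per client as an infection indicator against the stated 5-10% baseline. The Python below is an added example, not Reporter output or Blue Coat code: it runs that check over a constructed access log in a simplified five-field layout (loosely modelled on the ProxySG ELFF fields c-ip, cs-host and sc-filter-category) and flags clients whose unrated share is far above the baseline. The client addresses, hostnames, threshold and minimum request count are assumptions for the example.

```python
"""Per-client unrated-traffic ratio check, modelled on Recommendation #4, item 2.

Added example, not Blue Coat code or Reporter output. The access-log layout and
every log line below are constructed for illustration (loosely modelled on the
ProxySG ELFF fields c-ip, cs-host and sc-filter-category).
"""
from collections import defaultdict

UNRATED_LABELS = {"none", "unrated"}  # how unrated requests appear in the category field


def parse_line(line):
    """Split 'date time c-ip cs-host sc-filter-category' into a dict, or None for
    header/comment lines and anything that does not have exactly five fields."""
    parts = line.split()
    if len(parts) != 5 or parts[0].startswith("#"):
        return None
    _date, _time, client, host, category = parts
    return {"client": client, "host": host, "category": category}


def unrated_stats(lines):
    """Return {client_ip: (total_requests, unrated_requests)}."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec["client"]][0] += 1
        if rec["category"].lower() in UNRATED_LABELS:
            totals[rec["client"]][1] += 1
    return {ip: tuple(v) for ip, v in totals.items()}


def flag_suspects(stats, max_ratio=0.25, min_requests=10):
    """Clients whose unrated share exceeds max_ratio (the guide's baseline is
    5-10%); min_requests avoids flagging a host seen only a few times."""
    suspects = []
    for ip, (total, unrated) in stats.items():
        if total >= min_requests and unrated / total > max_ratio:
            suspects.append((ip, round(unrated / total, 2)))
    return sorted(suspects, key=lambda s: s[1], reverse=True)


def sample_log():
    """Constructed sample: one ordinary workstation and one host that keeps
    reaching hostnames nobody has rated yet."""
    lines = ["#Fields: date time c-ip cs-host sc-filter-category"]
    # 10.1.1.20: 20 requests, 2 unrated (10%, inside the stated baseline).
    for i in range(20):
        cat = "none" if i % 10 == 0 else "Business/Economy"
        lines.append(f"2011-10-05 09:{i:02d}:00 10.1.1.20 www.example.com {cat}")
    # 10.1.1.50: 20 requests, 14 of them to never-seen hostnames rated none.
    for i in range(20):
        if i < 14:
            lines.append(f"2011-10-05 09:{i:02d}:30 10.1.1.50 h{i}x9q.example.net none")
        else:
            lines.append(f"2011-10-05 09:{i:02d}:30 10.1.1.50 www.example.org News/Media")
    return lines


if __name__ == "__main__":
    for ip, ratio in flag_suspects(unrated_stats(sample_log())):
        print(f"{ip}: {ratio:.0%} of requests unrated; review for phone-home activity")
```

A real run would read the proxy's access log rather than the constructed lines, and the threshold should be tuned against the baseline actually observed on the network; the point of the example is that the ratio is computed per client, since a 70% unrated share from one workstation stands out even when the fleet-wide figure still looks normal.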
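Recommendation #5, step 2, blocks non-SSL traffic on port 443. The Python below is an added example, not ProxySG code, showing the check a gateway must make for that step: whether the first bytes a client sends on port 443 are a TLS handshake record carrying a ClientHello. Step 1 (certificate validity) is not covered, since it needs a trust store. The sample flows, including the minimal ClientHello, are constructed for the example.

```python
"""First-bytes check for "non-SSL traffic on port 443" (Recommendation #5, step 2).

Added example, not Blue Coat code. It inspects only the first record a client
sends on the connection; the sample flows below are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
MAX_RECORD_LEN = 16384    # 2^14, the TLS record-layer plaintext limit


def looks_like_tls_client_hello(first_bytes):
    """True if the data starts with a TLS handshake record carrying a ClientHello.

    Checks the record header (type, 3.x version, sane length) and the handshake
    header (type 1, length consistent with the record). Plain HTTP, custom
    binary protocols and SSLv2-style hellos all fail this test.
    """
    if len(first_bytes) < 9:
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", first_bytes[:5])
    if rec_type != TLS_HANDSHAKE or major != 3 or minor > 3:
        return False
    if not 4 <= rec_len <= MAX_RECORD_LEN:
        return False
    hs_type = first_bytes[5]
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    # An unfragmented ClientHello fills the record: 4-byte handshake header + body.
    return hs_type == CLIENT_HELLO and hs_len == rec_len - 4


def classify_port_443(first_bytes):
    """Policy outcome for a port-443 flow, following the guide's recommendation."""
    if looks_like_tls_client_hello(first_bytes):
        return "ALLOW: TLS handshake, continue to certificate checks"
    return "DENY: non-SSL traffic on port 443 (investigate and whitelist if legitimate)"


def build_client_hello():
    """Constructed minimal TLS 1.2-style ClientHello with a single cipher suite."""
    body = (b"\x03\x03"            # client_version: TLS 1.2
            + b"\x11" * 32          # random (fixed for the example)
            + b"\x00"               # session_id length 0
            + b"\x00\x02\xc0\x2f"   # cipher_suites: one suite (0xC02F)
            + b"\x01\x00"           # compression_methods: null only
            + b"\x00\x00")          # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed first-bytes samples for flows arriving on port 443.
SAMPLE_FLOWS = {
    "browser": build_client_hello(),
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "custom_binary": b"\x00\x00\x00\x2a\x9f\x13\x77\x01\xde\xad\xbe\xef",
    "truncated": b"\x16\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FLOWS.items():
        print(f"{name:14} {classify_port_443(data)}")
```

Only the first record is inspected, so a ClientHello fragmented across records, or a protocol where the server speaks first, would fail the check; those are the false positives the recommendation says must be investigated and whitelisted, and the check is deliberately strict rather than lenient, because a bot's custom encryption has no reason to reproduce a well-formed handshake header.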
Blue Coat Systems, Inc. • 1.866.30.BCOAT • +1.408.220.2200 Direct • +1.408.220.2250 Fax • www.bluecoat.com

Copyright © 2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.

v.WEBSENSEWF-to-BCWF-MIGRATION-GUIDE-v2c-1011