Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

Websense Support Webinar – January 2010
© 2009 Websense, Inc. All rights reserved.

Webinar Presenter
Juan R. Sanchez
Title: Tech Support Specialist
– Over 3 years supporting Websense products
– 7 Years IT industry experience
– Websense Certified Software Engineer (WCSE)
– MCSA
– CCNA (In Progress)
– B.S. in Computer Sciences (National University)

Goals and Objectives
– Overview of Websense Web Security Requirements
– Transparent Authentication (NTLM Demo)
– Order of Precedence
– Locking down Category and Protocol Filters
– Bandwidth Optimization
– Real Time Scanning / Categorization
– Working with HTTPS (Certificates)
– Leveraging Reporting to Observe Trends
– Alerts to Monitor Behavior

Setup Overview
Websense Content Gateway is a high-performance web proxy with caching. Integrates tightly with Websense Web Security components to provide maximum security, performance, and productivity management.

Websense Overview
Installation & Setup Overview
– The integration mode must be Websense Content Gateway.
– A Port Mirror/SPAN must be configured at the top level switch.
– Directory Services Integration (Active Directory or eDirectory) to leverage user and/or group filtering.
– NTLM Authentication or Transparent ID Agent (DC Agent, eDirectory Agent, Logon Agent, or Radius Agent) must be configured to associate users to IPs for Filtering.
Websense Content Gateway / V10000 Specific Webinars:
– Installing and Configuring Websense Content Gateway: http://kb.websense.com/article.aspx?article=4783&p=12
– Common Configuration Methods for the Websense Content Gateway: http://kb.websense.com/article.aspx?article=4868&p=12
– Configuration & Best Practices for Websense V10000: http://kb.websense.com/article.aspx?article=4892&p=12

Ports
Ports used for Websense Content Gateway
– 21 TCP (Transparent FTP proxy)
– 22 TCP (SSH)
– 53 or 5353 UDP (DNS requests)
– 80 TCP (Transparent HTTP proxy)
– 443 TCP (Transparent HTTPS proxy)
– 2048 UDP (WCCP)
– 2121 TCP (Explicit FTP proxy)
– 8070 TCP (Explicit HTTPS proxy)
– 8071 and 8081 TCP (Proxy management interface)
– 8080 TCP (Explicit HTTP proxy)
– 8082 – 8090, 3031 TCP (Required only if clustering proxies)
– 40000, 55806, 55880, 55905 TCP (Local Websense Policy Server)
– 55807, 15868 TCP (Local Websense Filtering Service)
– 65535 TCP (Remote Websense Policy Server or Filtering Service)

WCCP Sample Network Diagram
– Web traffic passes actively through Websense Content Gateway.
– Other protocols are sniffed passively by Network Agent.

Transparent Identification with WCG
Three basic ways to identify users:
– Transparent ID agent such as DC Agent or Logon Agent detects users as they log onto the network.
– Manual Authentication prompts for credentials when the user makes their first request to the internet.
– NTLM challenge-based authentication. This can only be done with a proxy server that is in the data path and designed to integrate with Active Directory.
Note: NTLM is transparent to user when on Domain and properly configured.
Related Webinars:
– User Identification Technologies within Websense Web Security v7.x: http://kb.websense.com/article.aspx?article=4719&p=12

NTLM Authentication
Advantages
– Transparently identifies user at time of request (as opposed to being identified at logon).
– If transparent ID fails, manual prompt is built-in.
This is commonly encountered if the user is not currently logged into the domain.
Disadvantages
– Can be sensitive to browser settings with regard to transparent authentication.
– Occasionally may cause extra pop-up warnings requiring additional browser configuration.

NTLM Authentication
A common solution for getting rid of the additional NTLM authentication prompt is to add the proxy's IP address to the "Local Intranet" zone and confirm that the zone setting allows Automatic Logon.
Step #1: From the Internet Options Security tab, click the "Custom Level" button.
Step #2: Ensure the "Logon" option is set to "Automatic logon only in Intranet zone".
Step #3: From the Internet Options Security tab, click the "Sites" button.
Step #4: From the Local Intranet window, click the "Advanced" button.
Step #5: Add the WCG proxy IP address to the "Websites" list box.
NTLM Demo

Order of Precedence
You can assign a policy to a user, a single workstation IP, an IP range, or a group. Searching in this order, Websense software determines which policy applies to the current request. Websense proceeds through the list until a match is made. Once a match has been determined, the corresponding policy is applied and Websense looks no further.

Only policies assigned to groups can be combined to create unique combinations of permissions based on group memberships.
– Effective Policy = Basic + Expanded
– Effective Policy = Basic
– Allows both General and IT Categories and Protocols
– Allows both General and HR Categories and Protocols

Locking down Category and Protocol Filters
Recommended Categories to Block/Restrict
– Web Reputation: Potentially Damaging Content, Elevated Exposure and Emerging Exploits *
  * The Extended Protection categories are only available with Websense Web Security Suite v6.3.1 and above.
– Bandwidth Categories (also known as Bandwidth PG): Internet Radio and TV, Internet Telephony, Peer-to-Peer File Sharing, Personal Network Storage and Backup and Streaming Media
– Information Technology: Proxy Avoidance, URL Translation Sites, Web Hosting, Private IP Addresses, and Uncategorized
– Society and Lifestyles (Very Diverse and Dynamic Content): Social Networking and Personal Sites

Locking down Category and Protocol Filters
Recommended Protocols to Block/Restrict
Protocols: File Transfer, Malicious Traffic*, Bot Networks, Email-Borne Worms, Other Malicious, P2P File Sharing, Proxy Avoidance, Remote Access, Streaming Media

ThreatSeeker Example
Brittany Murphy's Death SEO Poisoning
Date: 12.21.2009
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ ThreatSeeker™ Network has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe, and at the moment it seems they haven't attracted much attention from AV companies.

Bandwidth Optimization
Keeping your Bandwidth Under Control
The more bytes of unnecessary data are transferred from/to your users' machines, the greater the impact on bandwidth available for other business critical tasks performed by your network.
When you create a category or protocol filter, you can easily elect to limit access to a category or protocol based on bandwidth usage.
♦ Block access to categories or protocols based on total network bandwidth usage.
♦ Block access to categories based on total bandwidth usage by HTTP traffic.
♦ Block access to a specific protocol based on bandwidth usage by that protocol.
Bandwidth Optimization Demo

Real Time Scanning
Four different types of real-time scanning:
– Content Categorization (On or Off) - Leave turned on.
Turn off briefly for troubleshooting only.
– Security Scanning (Dynamic sites, All, or Off) - The recommended setting is dynamic sites only, as researched by Websense. If you are running significantly below maximum capacity of the V10000 or have a very powerful Content Gateway server, switching to "All" can provide some additional peace of mind.
– Advanced File Scanning (Dynamic sites, All, or Off)
– Traditional Anti-Virus (Dynamic sites, All, or Off) - Recommended to leave these also at default – Dynamic sites only.

Real Time Scanning
Fine Tune Scanning

Working with HTTPS
WCG HTTP vs HTTPS

Working with HTTPS
Content Gateway is fully capable of terminating and doing deep inspection on HTTPS headers and data. This allows you to treat HTTPS traffic just like HTTP.
– Full real-time scanning available for encrypted connections.
– Full URLs, not just IP addresses, are available in reports. Without HTTPS proxy, URL data is contained inside the encryption layer, and cannot be read.
– No need to recategorize sites by IP address. Websense Content Gateway can read the URL and categorize appropriately.

Much better reporting on HTTPS requests. Compare the data returned on what sites were visited in the following two reports.

Recategorize HTTPS sites by name without having to worry about which IP address(es) they resolve to. Saves you the trouble of having to run nslookup against the hostname, plus there is no concern about the DNS records of the recategorized site changing. Set it and leave it.

Tunneling
– Remote access programs that are designed to be 100% secure between the end user and server.
– HTTPS connections that contain highly sensitive data exchanged between users and trusted servers (such as financial sites).
Working with HTTPS
Certificates
HTTPS inspection at the Content Gateway
– User's browser literally exchanges keys with the Content Gateway – not the web site on the internet.
– Browser trusts the Content Gateway to determine if the site's certificate is valid.
– Websense Content Gateway uses a certificate validation engine with updated revocation lists to provide this functionality.

For the initial deployment phase, it is recommended to leave the Certificate Validation Engine disabled. Managing incidents takes time and generally is not technically problematic.
Phase two deployment should include validation, with the option for users to bypass the certificate failure warnings.
For maximum security, the validation should be required.

Certificate Validation Engine settings

Certificate Warning – Internet Explorer
This is direct to Internet.

Certificate Warning – Firefox
This is direct to Internet.

Certificate not valid – Content Gateway
This is the equivalent of IE and Firefox warnings, but will be returned by Content Gateway.
Manage Incidents

Leveraging Reporting and Alerts to Observe Trends
Alerts, Investigative and Presentation Reports are invaluable tools to monitor:
– Productivity
– Bandwidth Usage
– Risk
Useful Webinar Resources:
♦ Leveraging Websense Explorer to Optimize Internet Use and Minimize Security Threats: http://kb.websense.com/article.aspx?article=3357&p=12
♦ Maximizing Your Return Using Investigative & Presentation Reports v7: http://kb.websense.com/article.aspx?article=4037&p=12

Leveraging Reporting and Alerts to Observe Trends
Alerts and Reporting Demo
– How to Track Productivity Loss, Legal Liability, Security Risk and Bandwidth Loss
– How to identify the main potential risks defined as Risk Classes
– Forensic Reporting
– Optimizing Policies based on Report Output
– Setting Up Alerts

Support Online Resources
– Knowledge Base – Search or browse the knowledge base for documentation, downloads, top knowledge base articles, and solutions specific to your product.
– Support Forums – Share questions, offer solutions and suggestions with experienced Websense Customers regarding product Best Practices, Deployment, Installation, Configuration, and other product topics.
– Tech Alerts – Subscribe to receive product specific alerts that automatically notify you anytime Websense issues new releases, critical hot-fixes, or other technical information.
– ask.websense.com – Create and manage support service requests using our online portal.

Customer Training Options
To find Websense classes offered by Authorized Training Partners in your area, visit: http://www.websense.com/findaclass
Websense Training Partners also offer classes online and onsite at your location. For more information, please send email to: [email protected]

Webinar Announcement
Webinar Update
Title: Websense Content Gateway HTTPS Configuration
Date: February 17, 2010
Time: 8:30 AM PST (GMT -8)
How to register: http://www.websense.com/content/SupportWebinars.aspx

Questions?
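
Added example (not part of the original webinar and not Websense code): a small Python model of the Order of Precedence slides, where the search goes user, single workstation IP, IP range, then group, stops at the first match, and only group policies combine. All policy names, users, addresses and categories are constructed, and both the union-of-permits combination and the default fallback are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: every name, address and category here is hypothetical.
PERMITS = {                       # policy name -> categories it permits
    "Basic": {"News", "Search"},
    "Expanded": {"Web Hosting", "Remote Access"},
    "Kiosk": {"Search"},
    "Lab": {"News", "Web Hosting"},
    "Exec": {"News", "Search", "Streaming Media"},
}
BY_USER = {"ceo": "Exec"}
BY_IP = {ipaddress.ip_address("10.0.5.20"): "Kiosk"}
BY_RANGE = [(ipaddress.ip_network("10.0.9.0/24"), "Lab")]
BY_GROUP = {"Staff": "Basic", "IT": "Expanded"}
DEFAULT = "Basic"                 # assumption: fallback when nothing matches


def effective_policy(user, ip, groups):
    """Return (matched_on, policy_names, permitted_categories) for one request."""
    addr = ipaddress.ip_address(ip)
    # Steps 1-3: user, single workstation IP, IP range. First match ends the search.
    if user in BY_USER:
        matched, names = "user", [BY_USER[user]]
    elif addr in BY_IP:
        matched, names = "ip", [BY_IP[addr]]
    else:
        in_range = [p for net, p in BY_RANGE if addr in net]
        group_hits = sorted({BY_GROUP[g] for g in groups if g in BY_GROUP})
        if in_range:
            matched, names = "range", in_range[:1]
        elif group_hits:
            # Step 4: only group policies combine; modelled as a union of permits.
            matched, names = "group", group_hits
        else:
            matched, names = "default", [DEFAULT]
    permitted = set().union(*(PERMITS[n] for n in names))
    return matched, names, sorted(permitted)


if __name__ == "__main__":
    for req in [("ceo", "10.0.9.7", ["IT"]), ("bob", "10.0.5.20", ["IT"]),
                ("amy", "10.0.9.7", ["Staff", "IT"]),
                ("amy", "10.0.1.4", ["Staff", "IT"]), ("guest", "10.0.1.9", [])]:
        print(req, "->", effective_policy(*req))
```

The third and fourth requests show the point to audit for: the same user with the same group memberships gets the combined group policy on one address and only the range policy on another, because an IP or range assignment is matched before groups are ever consulted.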