Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Transcription

1 What is Network Agent? Websense Network Agent software monitors all internet traffic on the machines that you assign to it. Network Agent filters HTTP traffic and more than 70 other popular internet protocols, and captures data about bandwidth usage. It also integrates with proxy servers, network caches, and firewalls. Network Agent detects malicious peer-to-peer applications and spyware, even when they tunnel over well-known ports. 5-Step Quick Start See OVERVIEW: What does Network Agent do? What is Network Agent?, page 1 DEPLOYMENT: Where does Network Agent belong on the network? CONFIGURATION: How do I configure Network Agent in Websense Manager? VERIFICATION: How do I verify that Network Agent is working? TROUBLESHOOTING: How do I troubleshoot Network Agent? Hub Configuration, page 18 Switched Configurations, page 19 Gateway Configuration, page 23 To Configure Network Agent in Websense Manager, page 9 Verifying that Network Agent is Working, page 14 Top Troubleshooting Tips, page 16 Copyright 2006 Websense, Inc. All Rights Reserved. 1 Version 6.3

2 On how many machines should I deploy Network Agent? Capacity planning for Network Agent depends on hardware capabilities, bandwidth, memory, number of Network Interface Cards (NICs), operating system, user profiles, traffic mix, database, protocols assigned to Network Agent, and where you deploy it. Some sites use one Network Agent machine for every thousand users; some sites use one Network Agent machine for several thousand users. Websense Technical Support professionals and Sales Engineers can assist you with deployment decisions. Where does Network Agent belong in the network? Install Network Agent where can it see all internet requests for the machines it is assigned to monitor. For those machines, Network Agent must see all URL and protocol requests going out to the internet and replies coming back from the internet. This monitoring must be done on the internal side of the corporate firewall. A machine running Network Agent can access the network via a switch or hub, as discussed in the Network Topology Addendum, page 18. Network Agent can be installed on the same machine as an integration product, as discussed under Gateway Configuration, page 23. Quick Start 2 Network Agent

3 Network Agent s special role Quick Start for Network Agent Websense software can filter internet requests based on protocols or internet applications used for: instant messaging streaming media file sharing file transfer internet mail media players various other network or database operations When users make internet requests, if you use an integrated firewall, proxy, or cache product, the integration product distinguishes HTTP content from content provided by other protocols. The integration product then passes the HTTP content to Filtering Service for filtering, and leaves traffic from other protocols to be managed by Network Agent. Network Agent can also be used without an integrated proxy, cache, or firewall. In this case, select Stand-alone during installation to cause Network Agent to manage requests for all protocols, according to your filtering policies. Network Agent also provides bandwidth usage data to Policy Server and filtering log data to Filtering Service. Measuring network bandwidth With Bandwidth Optimizer, you can limit internet access based on bandwidth availability. Network Agent continually monitors overall network usage, including bytes transferred, and sends usage summaries to Filtering Service at predefined intervals. Planning Worksheets Planning worksheets on the next 4 pages capture all of the information you need to describe your Network Agent configuration via Websense Manager. Associate each Network Agent machine with a Filtering Worksheet 1 Service instance. Ensure that the entire network is visible to Network Agent. Worksheet 2 Designate any internal machines to be monitored (intranet). Identify proxy and cache machines and Network Agent ports. Worksheet 3 Assign a Network Interface card (NIC) to each segment of the network, with no overlap. Identify IP exceptions. Worksheet 4 Quick Start 3 Network Agent

4 Worksheet 1: Associate Network Agent and Filtering Service More than 1 Network Agent may connect to each Filtering Service. When you reach Filtering Service Connections Status, page 10, enter this data into Websense Manager via Server > Settings > Network Agent. Filtering Services Network Agent Connections Filtering Service Network Agent Indicate the of each Network Agent machine to associate with this instance of Filtering Service. Your network may have only one Network Agent machine, and Network Agent and Filtering Service may reside on the same machine. Are other Network Agents connected to this same Filtering Service? Filtering Service Network Agent Indicate the of each Network Agent machine to associate with this instance of Filtering Service. Network Agent and Filtering Service may reside on the same machine. Are other Network Agents connected to this same Filtering Service? Quick Start 4 Network Agent

5 Worksheet 2: Network Agent Global Settings (use once per network) Identify the machines in your network, either by individual or IP range. When you reach Global Settings, page 10, enter this data into Websense Manager via Server > Settings > Network Agent > Global Settings Internal Network Definition Identify the machines in your network for Network Agent to monitor. Click Add to add individual es or IP address ranges. Identified segments are listed on the screen. Add these individual machines: IP IP IP IP IP IP IP IP IP IP ranges IP to IP IP to IP IP to IP IP to IP IP to IP IP to IP Internal Traffic Monitoring By default, Network Agent ignores traffic between internal machines. Identify specific internal machines here (such as your intranet server), only if you want to monitor the traffic between this internal machine and all other internal machines. IP IP IP Additional Settings Most sites leave the following default settings untouched. Bandwidth calculation interval (in seconds) (10) Log requests and traffic volume by protocol? Yes / No Log interval (in minutes): (1) Quick Start 5 Network Agent

6 Worksheet 3: Individual Network Agent Planning by IP Address (use once per copy of NA) When you reach Local Settings, page 11, enter this data into Websense Manager via Server > Settings > Network Agent > Global Settings > of Network Agent machine For this Network Agent IP: Connected to this Filtering Service IP: If this Filtering Service is unavailable: Block / Permit (choose one) Proxy / Cache Machines List the of all proxy or cache servers used by the machines monitored by this Network Agent machine. Any device used in proxy mode must be identified. Proxy or cache Proxy or cache Proxy or cache Proxy or cache Proxy or cache Proxy or cache Advanced Settings for this Network Agent (select only one) If you use Websense Enterprise in Stand-Alone mode: List Ports to scan for HTTP traffic (default 80, 8080) If you use Websense Web Security Suite in Stand-Alone mode: Network Agent scans all ports by default for HTTP traffic (default all) If you use Websense Enterprise or Web Security Suite with an integration product: List Ports used by the integration product to scan for HTTP traffic (default 80, 8080). Network Agent does not filter these ports. For some integrations that do not log bytes, Network Agent sends log records to the Filtering Service for these ports. Troubleshooting Do not change this section of the screen unless directed to do so by Websense Technical Support. Quick Start 6 Network Agent

7 Worksheet 4: Network Interface Card (NIC) Settings (use once per NIC) When you reach Network Interface Card (NIC) Settings, page 13, enter this data into Websense Manager via Server > Settings > Network Agent > Global Settings > Network Agent IP > NIC-# NIC Identification Monitor traffic passing through this NIC? NIC Yes / No If Yes, click Monitoring on screen and choose one answer: How much of the network should be monitored by this NIC for internet and protocol requests? All (all machines in the network segment seen by this NIC) None Specific machines and ranges in this segment (Add es/ranges below.) Single es: Ranges of es, no overlap. Overlaps can cause inefficiencies in your network and lead to duplicate block messages and duplicate logging entries Exceptions (do not monitor internet and protocol requests for these IPs seen by this NIC). (Network Agent could safely ignore requests made by the CPM Server machine.) Activities and Communication Name the NIC that activates blocking (NIC name): This is typically the same NIC used for monitoring. However, if a stealth NIC (a NIC without an ) is monitoring, it cannot also be used for blocking. Also, if your switch does not offer bidirectional port spanning, you must use two NICs on the machine: one for monitoring and a second NIC (identified here) for blocking. Level of HTTP Monitoring (choose one) Filter and log HTTP requests (default for Stand-Alone Mode) Log HTTP requests (option only if integration product does the filtering) Protocol Management (select all that apply) Filter protocol requests not sent over HTTP ports? Measure bandwidth by protocol? Quick Start 7 Network Agent

8 Network Interface Cards (NICs) NOTE The NICs (network interface cards) on machines running Network Agent must be connected to your hub or switch, enabled in the operating system, and activated. Each NIC used for monitoring must capture all packets on the network, not only the packets that are addressed directly to it (promiscuous mode). Complete the NIC hardware setup prior to software installation. Details in this section help you select the NICs you need to activate. After you set up the hardware and install Websense software, configure Network Agents in Websense Manager. Specify the network segments where Network Agent should monitor or filter traffic, the network interface card (NIC) to use, and the handling method for HTTP and other protocols. Use the planning worksheets to capture this information. NICs on the Network Agent machine You can install Network Agent on 1 or more machines (but only once on each machine). Each Network Agent machine must use at least one designated network interface card (NIC). In the example, Network Agent uses one NIC for monitoring traffic, and another to block. Each NIC that Network Agent uses for monitoring must be able to see all inbound and outbound traffic assigned to it. Network Agent needs to see the user es. Do not place Network Agent in a location where the original user es have been translated by another network device (such as a router or other Network Address Translation device). Switches If the device connected to the Network Agent machine is a switch, it must support port spanning (also known as mirroring). Traffic on monitored ports is simultaneously sent to the monitoring port to which Network Agent is connected. Quick Start 8 Network Agent

9 Hubs If you use a switch that supports bi-directional spanning, Network Agent needs only one NIC. Some switches do not allow bi-directional traffic in spanning (mirroring) mode. The network card receiving data on the Network Agent machine can only listen, not send. If you do not have a bi-directional switch: Use the NIC connected to the spanning port to monitor traffic. Install a second NIC on the Network Agent machine. Attach the second NIC to a port on the switch that can access all assigned workstations. Use the second NIC to block. The blocking NIC must have an. If you add a NIC on the Network Agent machine, restart the Network Agent service, and then configure the new NIC via Websense Manager. If the device connected to the Network Agent machine is a dumb hub (which distributes traffic from the up-linked port to all other ports), Network Agent requires only one NIC. To Configure Network Agent in Websense Manager 1. Go to Server > Settings. 2. Select Network Agent at the left to display associations between Network Agent and Filtering Service. Quick Start 9 Network Agent

10 Filtering Service Connections Status (Planning worksheet 1) For each Filtering Service, connect at least one Network Agent machine. Typically, Network Agent is installed on the Filtering Service machine, so the is the same for both. Global Settings (Planning worksheet 2) Global Settings determine the functions performed by all Network Agents. If your network includes multiple Network Agent machines, these settings apply to all. NOTE To monitor or filter file attachments exchanged internally via peer-topeer messaging, tell Network Agent to monitor the internal machines involved. Quick Start 10 Network Agent

11 Internal Network Definition: Identify the machines in your network. To add machines other than network segments recognized by default, click Add. Internal Traffic Monitoring: Network Agent monitors requests sent to and from the internal IP addresses you specify. To identify a machine, click Add, then enter its. Additional Settings: Bandwidth calculation interval (in seconds): A lower value (more frequent interval) ensures higher accuracy but also increases overall network traffic. Log requests and traffic volume by protocol: Do you want Network Agent to log requests and volume by protocol? Uncheck this box to prevent Network Agent from logging protocol requests periodically. If you enable protocol logging, either accept the default logging interval (1 minute) or specify a different interval (at least 1 minute). When protocol logging is selected, Network Agent provides to Log Server both the number of requests by protocol and the traffic volume for each protocol. Local Settings (Planning worksheet 3) These settings determine the functions performed by each Network Agent machine. By default, Network Agent monitors traffic to and from external sites for all internal machines it sees. Machine names are tracked in log data and Real-Time Analyzer output. Configure how much of the internal network each Network Agent machine sees. Then, specify any exceptions to the default monitoring behavior. Configure one Network Agent per screen. Quick Start 11 Network Agent

12 Filtering Service IP Address: The Filtering Service connected to this Network Agent. If Filtering Service is unavailable: Should internet and protocol requests be blocked or permitted when Filtering Service is down? Proxy/Cache Machines: Identify any proxy or cache server machines situated between this Network Agent machine and client machines. Network Agent ignores traffic from the proxy to external hosts. Include any device (such as a cache engine product) used in proxy mode. Otherwise, Network Agent may filter and log traffic only from the server, and not from the users. Advanced Settings for this Network Agent (select only one): 1. Websense Enterprise in Stand-Alone mode: List Ports to scan for HTTP traffic (default 80, 8080) 2. Websense Web Security Suite in Stand-Alone mode: Network Agent scans all ports by default for HTTP traffic (default all) 3. Websense Enterprise or Web Security Suites with an integration product: List Ports used by the integration product to scan for HTTP traffic (default 80, 8080). Network Agent does not filter these ports. For integrations that do not log bytes, Network Agent sends log records to the Filtering Service for these ports. Debug Settings: Do not modify the debugging defaults unless instructed by Websense. Quick Start 12 Network Agent

13 Network Interface Card (NIC) Settings (Planning worksheet 4) The NIC used for monitoring can be set for stealth mode (no ), but it must be associated with a second NIC that is assigned an and is used for blocking. Identification: The selected NIC. Monitoring: Use this NIC to monitor traffic? (If the Network Agent machine has multiple NICs, you can configure more than one NIC to monitor traffic. Each monitoring NIC must capture all packets it is assigned, not just packets that are addressed directly to it.) NOTE If Network Agent runs on a Linux or Solaris machine with multiple NICs, the operating system determines real-time which NIC to use for monitoring. Network Agent may sometimes use a NIC other than the one specified here. If you select Yes, click Monitoring to continue configuration of this NIC. Monitor List: How much of the internal network should be monitored for internet and protocol requests? All: Network Agent monitors requests from all machines it sees using the selected NIC. None: Network Agent monitors no machines in the selected NIC s network segment. Specific: Network Agent monitors only a portion of the selected NIC s network segment. If you selected Specific, click Add to identify the es of the machines to monitor. Monitor List Exceptions: Identify internal machines to exclude from monitoring. Quick Start 13 Network Agent

14 Activities and Communication: Which NIC is used to activate Websense blocking? By default, the NIC you are editing is used. Do not use a NIC without a valid for blocking. Filter and log HTTP requests: (Active by default in Stand-alone Mode) Network Agent performs full HTTP monitoring and logging using the selected NIC. Log HTTP requests: Network Agent logs but does not filter HTTP requests. Use this if the integration product filters HTTP traffic, but you want to use Network Agent s detailed logging information for Reporting. Protocol Management: Should this Network Agent handle non-http protocol and application requests via the selected NIC? If so, check Filter protocol requests not sent over HTTP ports (Protocol Management). Measure bandwidth by protocol (Bandwidth Optimizer) activates the feature. IMPORTANT Click Save Changes above the navigation tree to save the Network Agent configuration. Verifying that Network Agent is Working Run the Websense Traffic Visibility Tool on the Network Agent machine. 1. To start: Windows: Start > Programs (or All Programs) > Websense > Utilities > Traffic Visibility Tool. Linux or Solaris: Run./TrafficVisibility.sh from the Websense installation directory (/opt/websense). Quick Start 14 Network Agent

15 Field Network Card Networks Tested IP Address Count IP Address List Detail Description Name of the network interface card (NIC) to test. Active cards on the installation machine appear in this list. Cards without an do not appear. Displays the netmasks that are being tested. Use the defaults or add your own. These netmasks can reside in different network segments depending on the ranges to be filtered. Number of es for which traffic is detected during the test. Lists all the es from which internet traffic is being detected. 2. From the Network Card drop-down list, select the network interface card (NIC) that the Network Agent is configured to use for monitoring. A default list of networks (netmasks) appears. Use the defaults or add your own. 3. If the network you want to test does not appear in the default list, click Add Network. Enter a new netmask value in the Network ID field. The subnet mask defaults to and changes as the netmask is defined. Click OK.Your new network appears in the list. 4. Select Remove Network to delete a network from the list. 5. Click Start Test to begin testing all networks in the list. The counter in the IP Address Count column should begin recording internet traffic immediately. The counter increments each time the NIC detects an individual from the target network in a passing packet. The activity bar at the bottom of the dialog box indicates that a test is underway. If the count for a network remains at zero or is very low, the selected NIC cannot see the traffic it is supposed to monitor. 6. If the Network Agent NIC is unable to see the desired traffic: If the installation machine has multiple NICs, select a different card to test. If this card can see the desired traffic, configure Network Agent to use this card. Resolve network configuration issues to make sure that the NIC can see the desired traffic. This might involve connecting to a different router or configuring for port spanning in a switched environment. 7. When you are finished, click Stop Test. 8. Click Close. The Network Agent NIC must be able to monitor all assigned internet traffic. If Network Agent cannot see the traffic, either reposition the machine in the network or select another machine for Network Agent. Quick Start 15 Network Agent

16 Top Troubleshooting Tips Network Agent cannot communicate with Filtering Service after it has been reinstalled When Filtering Service has been uninstalled and reinstalled, the Network Agent does not automatically update the internal identifier (UID) for Filtering Service. After the new installation is complete, Websense Manager attempts to query Filtering Service using the old UID, which no longer exists. To re-establish connection to Filtering Service: 1. Open Websense Manager. An error message is displayed stating Network Agent <> is unable to connect with Filtering Service. 2. Clear the message and select Server > Settings. The same error message is displayed. 3. Clear the message again and select Network Agent from the Settings Selections list. 4. Click Local Settings. 5. Select the listed above the NIC for the Network Agent. 6. Click Edit Selection. The Filtering Service Connection dialog box appears. 7. Select the of the Filtering Service machine from the Server IP Address drop-down list. 8. Click Finish. 9. Click OK in the Local Settings dialog box. 10. Click OK in the Settings dialog box to save the changes. Network Agent fails to start with stealth mode NIC removed from Linux configuration file Network Agent can monitor (not block) with a stealth mode NIC if the interface retains its old IP address in the Linux system configuration file. If you have bound the Network Agent to a network interface card configured for stealth mode, and then removed the of the NIC from the Linux configuration file (/etc/sysconfig/network-scripts/ifcfg-<adapter name>), Network Agent will not start. An interface without an will not appear in the list of adapters displayed in the installer or in Websense Manager and will be unavailable for use. To reconnect Network Agent to the NIC, restore the in the configuration file. Stealth mode NIC selected for Websense communications in Solaris and Linux Network interface cards configured for stealth mode in Solaris and Linux are displayed in the Websense Enterprise installer as choices for Websense communication (blocking). If you have inadvertently selected a stealth mode NIC for communication (blocking), Network Agent will not start, and Websense services will not work. Select a different NIC in Websense Manager. Quick Start 16 Network Agent

17 Spanning or mirroring has not been turned on The switch port connected to the Network Agent machine must see all traffic. On most switches, you can change the port mode to spanning, mirroring, or monitoring mode (the term varies with the manufacturer; the function is the same). Cicso uses the term spanning. 3Com, DLink, and others use mirroring. HP and some other manufacturers call it monitoring. To connect Network Agent to the network using a switch, plug the Network Agent machine into the port on the switch that mirrors (spans, monitors) the traffic going to the gateway or firewall port. The span port mirrors all the traffic that leaves the network segment, so traffic is simultaneously sent to the monitoring port to which Network Agent is connected. Spanning or mirroring is set on the wrong port Monitor (span, mirror) only the port going to the firewall or router port, not the entire network. Router or Firewall traffic is being monitored in the wrong direction Monitor (span, mirror) the traffic going to the firewall/router. On Cicso switches, this means you need to specify Tx. On HP and 3Com switches, you need to specify Egress. To log bytes sent and received, set both Tx and Rx (Cisco) or both Egress and Ingress (HP, 3Com). Mono-directional spanning (mirroring, monitoring) is used with a single NIC Websense strongly recommends using a switch that supports bi-directional spanning. If such a switch is used, Network Agent can function successfully with a single Network Interface Card (NIC) performing both monitoring and blocking. If the switch does not support bi-directional spanning, Network Agent must use separate NICs for monitoring and blocking. How do I set up Network Agent on a machine with teamed NICs (TNICs)? TNICs share the load under one common identity, with four adapters load-balancing under a single IP address. This is also known as link aggregation or trunking. Websense recommends against using teamed NICs for Network Agent. An anti-spoofing mechanism has been used in the switch Either disable the anti-spoofing mechanism or contact Websense Technical Support for additional options. Are other tools available for verifying that the Network Agent machine sees the traffic? Yes. Contact a Websense Technical Support specialist or Sales Engineer for information about network tools that can help verify Network Agent behavior. Can a network tap be used with Network Agent? Yes. A tap can be used with the Network Agent machine. Network Agent must be able to see the traffic in both directions Quick Start 17 Network Agent

18 Network Topology Addendum Where Should Network Agent be Located on the Network? Network Agent must be installed where it can monitor all URL and protocol requests going out to the internet and all replies coming back from the internet. On a busy network, you may need to deploy Network Agent on more than one machine, with each machine monitoring a segment of the network. Locate Network Agent on the internal side of the corporate firewall. Several possible configurations are described below. Hub Configuration Network Agent is often deployed on a dedicated machine, connected to an unmanaged, unswitched hub located between an external router and the network, as pictured here: Network Agent must see the traffic, in both directions, for those segments of the network that it is assigned to monitor. The port to which the Network Agent machine is attached must be capable of bidirectional port spanning (also known as mirroring). Use the planning worksheets to plan your deployment, and then enter the results in Websense Manager. Quick Start 18 Network Agent

19 Switched Configurations Network Agent may be connected to a switch or router, as shown here: Network Agent must see all outbound and inbound traffic. Thus, the (switch) port connected to the Network Agent machine must see all traffic. On most switches, you can change the port to spanning or mirroring mode. To connect to the network using a switch, plug the Network Agent machine into the port on the switch that mirrors (spans) the traffic on the gateway or firewall port. The span port mirrors all the traffic that leaves the network segment, so traffic on monitored ports is simultaneously sent to the monitoring port to which Network Agent is connected. If a switch that supports bi-directional spanning is used, Network Agent can function successfully with a single Network Interface Card (NIC) performing both monitoring and blocking. If the switch does not support bi-directional spanning, Network Agent must use separate NICs for monitoring and blocking. Quick Start 19 Network Agent

20 Multiple switches In a multiple switch environment, one Network Agent machine suffices if you connect it to the port on the switch that spans (mirrors) the port on which the firewall is connected: Quick Start 20 Network Agent

21 The following network uses a router for communications from a remote office. The machine running Network Agent is connected to an additional switch, on the port that mirrors (spans) the router port. Quick Start 21 Network Agent

22 Multiple Network Agents On a busy network, you may need to install Network Agent on multiple machines and assign each machine to monitor a segment of your network. If you install multiple Network Agents, note: One copy of Filtering Service can support more than one Network Agent. Websense suggests up to four Network Agents per Filtering Service; some sites successfully use more. Deploy the Network Agents so that together they filter the entire network. ranges for the Network Agents should not overlap. This is inefficient and can lead to double filtering and logging. Quick Start 22 Network Agent

23 Gateway Configuration Quick Start for Network Agent A gateway provides a connection between two networks, such as between your network and the internet. Network Agent can be installed on the gateway machine. This allows Network Agent to manage and monitor all Internet traffic. The gateway can either be a proxy server or a network appliance. Do not install Network Agent on a firewall. i IMPORTANT This configuration is supported only on the Windows operating system and is intended for small to medium networks. In larger networks, performance can suffer as a result of resource competition between the gateway software and Network Agent. Quick Start 23 Network Agent