SERVICE DESCRIPTION Web Proxy

Transcription

1 SERVICE DESCRIPTION Web Proxy Date: Document: Service description: Web Proxy

2 TABLE OF CONTENTS Page 1 INTRODUCTION 3 2 SERVICE DESCRIPTION Basic service Options Web Filter Authentication SSL Inspection Application Control Intrusion Detection PAC File Certificate Management 13 3 ADDITIONAL DOCUMENTS 14 4 DISCLAIMER 14 Copyright United Security Providers AG page 2/14

3 1 INTRODUCTION This document describes the Web Proxy managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service. Field of application Our office life would be unthinkable today without access to the Internet. The Web Proxy service puts an additional security stage between the user and the Internet: incoming and outgoing data traffic is captured by the proxy, checked and then forwarded to the intended recipient. All HTTP and FTP traffic is buffered on the proxy. Data traffic is minimised by a sophisticated caching process. Requests are answered more quickly as the data does not have to be first downloaded from the Internet, but can be taken from the local cache. Buffering of data allows detailed investigation. Damaging software, such as malware or viruses, and attacks from the Internet can be detected and beaten in this way. You gain considerably in reliability and security in your internal network with this service. Copyright United Security Providers AG page 3/14

4 2 SERVICE DESCRIPTION 2.1 Basic service The basic service provides the basic functionality of a transparent or explicit proxy, including antivirus services. Name of service Service abbreviation Web Proxy MSS-WP Service version 2.0 Status Operating hours Operational OH1: Monday Friday, 08:00 17:00 CET OH2: Monday Saturday, 07:00 21:00 CET OH3: Monday Sunday, 0:00 23:59 CET OH4: Monday Friday, 08:00 17:00 local time Availability guarantee ACA: best effort ACB: 99.5% availability during operating hours ACC: 99.7% availability during operating hours ACD: 99.9% availability during operating hours The service is assessed on the basis of the number of users using the service concurrently. The basic service offers a forward proxy operated either transparently or explicitly. The proxy receives all the HTTP and FTP data traffic on behalf of the intended recipient. The data is examined for viruses, malware and other dangerous software. The data stream is then forwarded to the intended recipient. The data is examined by the proxy for viruses, malware and other dangerous software. This traps and renders harmless damaging software as soon as it reaches the perimeter of your company network, significantly enhancing the protection of your internal resources. The proxy buffers the data in its own cache. Content that is retrieved many times need only be downloaded from the Internet the first time. The content is then read locally from the cache making accesses to such content considerably faster. The proxy receives requests and then forwards them. This process anonymises the actual sender. Security is thus enhanced, as internal addressing is concealed. Compliance with the SLA parameters is determined against the availability of the Web Proxy infrastructure. Copyright United Security Providers AG page 4/14

5 The following service-specific values are collated in the monthly reports: - infrastructure workload - incoming and outgoing data volume per day - viruses detected - most-visited websites Virus detection reports are provided in personalised form. The following measuring points are monitored to monitor the service: - CPU/RAM utilisation - log status - number of concurrent users - incoming and outgoing data volume - status of the AV signature updates The proxy infrastructure must be implemented redundantly for availability guarantees that are better than ACA. The Web Proxy service requires a valid Fortiguard or Forticare subscription for the infrastructure. The AV signatures are updated automatically on a regular basis. Fortigate must be able to access the Fortiguard service via TCP port 443. Whitelists are maintained for both the proxy as a whole and the antivirus module. It is the customer's responsibility to specify the entries required. Copyright United Security Providers AG page 5/14

6 2.2 Options Web Filter The Web Filter service offers the customer the capability of blocking specified URL categories. Name of the service option Abbreviation Web Filter MSS-WP-URLF The service option is assessed by analogy with the basic service. The Web Filter service option allows blocking of web addresses. The Web Filter database is divided into six main categories with a total of 79 subcategories. The categories are maintained centrally. Requests for changes can be can be submitted directly to Fortiguard or through the USP Security Operations Center. All mutations are checked by a team of analysts and implemented only after a positive outcome is obtained. This generally happens within 24 hours. In addition to the categories, blacklists and whitelists can be maintained so that regional circumstances can be taken into consideration, for example. The blacklists and whitelists are managed by the USP Security Operations Center. When a requested address is blocked the request is diverted to a customerspecific block page. Pages can be blocked generally or a specific times. Blocked pages can be temporarily unblocked. In many companies, private use of the Internet, visiting social media websites for instance, is regulated. The Web Filter service gives our customers the capability of implementing these policies effectively. Websites known for phishing attacks, malware or other hazards can be blocked as long as they constitute a risk. This reduces the risk of a client becoming infected by protecting users against access and becoming infected without their knowledge. This option allows sites that lead to high bandwidth consumption to be blocked, for example sites that provide Torrent downloads. Blocking this category will save you valuable bandwidth that will then be available to your business applications. Compliance with the SLA is determined using the KPIs for the basic service. The following log data is kept for this option: - number of blocked accesses per website - number of blocked accesses per category - pages with the highest bandwidth consumption - accesses to uncategorised sites Copyright United Security Providers AG page 6/14

7 The USP Security Operations Center will be informed if a notable repetition of block events for a specific URL within a short period of time is detected. Repeated errors of Fortiguard requests lead to a notification to the USP Security Operations Center. The URL database is cached on the Fortigates. Categorisation of unknown URLs is queried from Fortiguard via UDP port 53. Requests via this port must be permitted accordingly. Copyright United Security Providers AG page 7/14

8 2.2.2 Authentication The users are authenticated on the proxy. Name of the service option Proxy Authentication Abbreviation MSS-WP-AUTH The service option is measured on the basis of the number of users. The users must have a valid AD account before they can use the proxy. Exceptions, for example system users, can be excluded from authentication on the basis of various criteria, such as client address. The users are communicated to the proxy together with the AD groups. User authorizations are determined on the basis of their membership of AD groups. Granting rights at the AD group level allows a finely-tuend rights model that matches company policies and the needs of the individual user groups. Access to social media websites can be limited for the bulk of the staff, for example, while the marketing department retains full access so that it can maintain the relevant company profiles. The web page accesses of individual users are logged. While this data is kept confidential in normal operation, if necessary (if ordered by a court, for instance) it can be provided in detail so that legal requirements, even in strictly regulated environments such as banking or the health care sector, can be complied with. Compliance with the SLA is determined using the KPIs for the basic service. The users are not listed separately in the monthly reports. These reports are only available with the written approval of the customer's legal entity. The USP Security Operations Center is notified if the number of failed authentication attempts increases significantly. User authentication requires the installation of an FSSO agent on a member server. This server need not be dedicated. The customer is responsible for operating this server. Disclosure of user data presupposes corresponding staff policies which define the use of this data and the time of any possible views of the data. Copyright United Security Providers AG page 8/14

9 2.2.3 SSL Inspection This option is provided for the inspection of encrypted data traffic. Name of the service option Abbreviation SSL Inspection MSS-WP-SSL The magnitude is defined on the basis of the basic service. Data traffic encrypted with SSL is terminated and inspected on the proxy. The data is then re-encrypted with the system's own certificate and forwarded to the intended recipient. Various web applications do not permit encryption with an external certificate. These applications are excluded from scanning by SSL whitelists. All egov and ebanking sites are excluded by default. Websites, including for example even Google or Facebook, are increasingly using the encrypted variant https. Encrypted websites, because of their growing numbers, are increasingly becoming the targets of attacks and manipulations, so that it is no longer possible to guarantee the trustworthiness of such sites. All the protective mechanisms the proxy has can also be applied to encrypted data traffic thanks to the SSL Inspection option. SSL Inspection thus becomes an important building block for protecting your staff, and also your internal network. Compliance with the SLA is determined using the KPIs for the basic service. is not changed. The https sites are, however, added to the existing filter reports. No additional measuring points are introduced for this option. Where USP issues the proxy certificates necessary, USP will also monitor their validity. USP can issue the proxy certificates required (see MSS-WP-CERT) if desired. It is the customer's responsibility to distribute the certificates. The customer is responsible for ensuring the validity of the certificates if the certificates are issued by the customer himself, or a third party is commissioned to do so. USP manages SSL whitelists on the proxy. It is the customer's responsibility to notify entries in addition to the USP defaults. Copyright United Security Providers AG page 9/14

10 2.2.4 Application Control The data is assigned to the original applications. Name of the service option Abbreviation Application Control MSS-WP-AC The service option is assessed on the basis of the size of the basic service. This service option analyses all data packets and assigns each data packet to an application. This data will be logged so that use can be submitted for detailed analysis. Data assignment can be applied to other USP services. This allows the data traffic for individual applications to be blocked. Or data can be prioritised in conjunction with the quality of service option in the USP Wide Area Network service (MSS-WAN). Unknown applications, for example customer-specific applications, can be recognised by way of custom patterns. USP Security Operations Center is able to manage custom patterns if the customer makes them available. Often a detailed analysis is not able to give a conclusive answer as to which applications are using how much bandwidth and so causing bottlenecks in the network. The Application Control option provides detailed information on Layer 7 so that performance-enhancing measures can be configured with the greatest precision. Individual functions within applications frequently cause security problems, while the remainder of the application is harmless or even vital for the business. Skype, for example, is a widely-used communcation application, yet the function for sending data to and fro through Skype is often not wanted. The Application Control option is able to restrict applications to the functions that are truly needed. Compliance with the SLA is determined using the KPIs for the basic service. The following information is added to the reported data: - applications with the greatest bandwidth consumption - most-blocked applications No additional measuring points are introduced for this option. The database of application patterns is dynamically synchronised with Fortiguard. TCP port 443 must be open to allow this. Copyright United Security Providers AG page 10/14

11 2.2.5 Intrusion Detection This option makes it possible to detect and prevent attacks. Name of the service option Abbreviation IDS / IPS MSS-WP-IDS The service option is assessed on the basis of the size of the basic service. The data flow is examined for patterns by which attacks can be detected. The patterns against which the data flow is compared are grouped into categories according to the attack targets, typically operating systems. Valuable resources are saved and false alarms are avoided because only patterns of realistic targets are checked. Attacks are only detected and results logged in the acclimatisation phase. At the end of this phase, USP will work with the customer to set up the optimum configuration. Attacks detected will then automatically be blocked by the firewall, if desired. It is frequently very difficult to detect an attack and to reproduce it later when a system is infiltrated by an attacker. The log data collated by an intrusion detection system is an important component in reproducing an infiltration. Analyses allow attacks to be illustrated, corresponding countermeasures to be taken and the security measures of the targets of the attack to be further developed. Compliance with the SLA is determined using the KPIs for the basic service. The following information is added to the reported data: - detected/blocked attacks Additional alarm messages are sent to the USP Security Operations Center in addition to the reports. These alarm messages may also be sent to the customer if desired. No additional measuring points are introduced for this option. There are no additional conditions of use. Copyright United Security Providers AG page 11/14

12 2.2.6 PAC File The PAC file is made available to the clients on the proxy. Name of the service option Abbreviation PAC File MSS-WP-PAC The service option is assessed at a fixed rate independently of the basic service. The client browsers have to be configured before it is possible to access the Internet via the proxy when an explicit proxy is deployed. This configuration is sent to the clients in a standardised format using a Proxy AutoConfiguration (PAC) file. The file is provided to the clients on the proxy using a web service. The use of a PAC file means that it is no longer necessary to distribute the configurations to the clients manually, instead the clients download the configuration from the proxy automatically, which means that modifications can be quickly and easily distributed to all clients. The use of an additional web server at each location is not necessary thanks to the ability to host the PAC file on the proxy. Compliance with the SLA is determined using the KPIs for the basic service. This service option is not listed in the reports. Accessibility of the web service is monitored. Modified PAC files are provided by the customer and made available on the proxy by the USP Security Operations Center. The customer is responsible for checking the correctness of the syntax and the content. Copyright United Security Providers AG page 12/14

13 2.2.7 Certificate Management The USP Security Operations Center manages the web proxy certificate required for the SSL Inspection option. Name of the service option Abbreviation Certificate Management MSS-WP-CERT The service option is assessed at a fixed rate independently of the basic service. SSL data traffic that is terminated and examined on the proxy must subsequently be re-encrypted with a certificate so that it can be sent to the recipient securely. The certificate required can be purchased or issued by the customer himself as long as he has a PKI. Taking up the Certificate Management option means that the USP Security Operations Center takes over the issue and administration of the proxy certificates necessary. The full life-cycle of the proxy certificate is handled by the USP Security Operations Center. The certificate is renewed in good time before it expires, so that sufficient time remains to roll the certificate out to the clients. This avoids annoying and unnecessary interruptions caused by expired certificates. The customer's IT department does not need to worry about life-cycle tasks, and consequently has less work. Compliance with the SLA is determined using the KPIs for the basic service. The status of all certificates can be inspected in USP Connect. No additional measuring points are introduced for this option. There are no additional conditions of use. Copyright United Security Providers AG page 13/14

14 3 ADDITIONAL DOCUMENTS The present document describes the functional scope of USP's Web Proxy service. General information on the Service Level Agreement and on operation may be found in the additional documents. Service management and SL catalogue Services catalogue Price list This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees. The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion. The prices of all services and options are laid down in the price list. 4 DISCLAIMER This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement. USP's General Terms and Conditions shall apply unless higher-ranking provisions apply. Copyright United Security Providers AG. All rights reserved. Copyright United Security Providers AG page 14/14