Clearswift SECURE Web Gateway Evaluation Guide

Transcription

1 Clearswift SECURE Web Gateway Evaluation Guide Revision 1.1

2 Introduction Thank you for taking the time to evaluate the Clearswift SECURE Web Gateway. Balancing the requirement for strong network security with the need to harness collaborative web technologies is essential for business growth. The Clearswift SECURE Web Gateway is a trusted internet security solution for your web gateway that does just that. The SECURE Web Gateway s policy-based content-filtering engine allows your organisation to both exploit and benefit from modern web technologies and services, while ensuring that the company network remains fully protected against incoming threats and data leakage. With the Web Gateway deployed, the web is transformed from a high-risk environment to a place of free and safe collaboration and communication. Business-enhancing online technologies, like webmail, social-media websites and collaborative services, can therefore be enabled with confidence. This evaluation guide explores and explains some of the many benefits of the SECURE Web Gateway. Rather than overwhelm you with an in-depth analysis of every feature our intention is to present the essential information that will allow you to continue to explore and evaluate of SECURE Web Gateway at your own pace. Note that this guide assumes that you have already followed the Clearswift SECURE Web Gateway Getting Started Guide. As such, you should have completed the Initial Setup Wizard and be able to log in to SECURE Web Gateway. If this is not the case then the Getting Started Guide can be found on the Technical Guides area of the Clearswift website please read it before proceeding. We ll start with a brief overview of what you can expect to see the graphical user interface. As that s a bit of a mouthful, we ll call it the GUI from here on. Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

3 The GUI When you first log in you will be presented with this Home page: The Home page is the starting point for managing SECURE Web Gateway s features and for implementing and maintaining an Acceptable Usage Policy (AUP) for your organisation. It is supported by a further five pages, or Management Centers, displayed as tabs across the top of the GUI Policy, Reports, System, Health and Users. Let s take a closer look at these... Here s a close-up of the six tabs used to navigate SECURE Web Gateway just click on one to access the associated features. The Home page presents an overview of SECURE Web Gateway. It is the first page displayed each time you log in. The Policy Center lets you define and maintain an Acceptable Usage Policy (AUP) for your organisation. This involves creating rules to manage information flowing in to and out of your organisation. Use the Policy Center to block the viewing of particular websites, for example, or to allow specific users access to certain types of content. The Report Center provides access to the monitoring capabilities of SECURE Web Gateway. It collates and presents information on the activities of users, from websites visited to time spent online. As well, the Report Center tracks bandwidth use and detected threats, like malware and phishing sites. The System Center is used to manage some of the more technical aspects of SECURE Web Gateway. The most important settings will have been configured during the Initial Setup Wizard, so there s not too much to worry about with this Center. However, they can be edited from here at any time. The Health Center is the place to view real-time usage information for SECURE Web Gateway. Key metrics available here include number of concurrent connections, bandwidth use and the number of threats prevented from entering the organisation.

4 The Users Center control access to the aforementioned Management Centers. Use it to create new administrative users, allowing access to all or selected Management Centers. This evaluation guide will focus on the most important Management Centers, offering simple guidelines on making the most of them. Before proceeding, though, take pause for a brief (if mildly technical) tip. When evaluating SECURE Web Gateway it can be useful to have two web browsers available. Why? Well, it will help you to better understand the differing experiences of users and administrators. Configuring, say, Internet Explorer, to use SECURE Web Gateway as its proxy will simulate the users experience. Then, use Firefox to access the Management Centers without the proxy to understand how administrators will work. Policy centre We ll start by exploring the Web Policy Routes page, in the Policy Center. We will examine SECURE Web Gateway s default policy and gain an understanding of the policy options. POLICY FEATURES NTLM and Kerberos authentication Flexible and granular policy construction for users, departmental groups, machines and IP addresses Time and quota user web access rights Acceptable usages inform pages BENEFIT To identify users transparently so that individuals or departmental groups can have unique aspects of the policy applied and reporting can be specific to an individual or department. Easily define advanced policies to enable and allow Web 2.0 usage while minimizing risk. Define both times of day and total amount of time per day a user may browse the web. Inform pages highlight individual web usage is being monitored and is subject to company policy. Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

5 To begin, click the Policy tab. Now select Web Policy Routes from the submenu to view SECURE Web Gateway s default policy. Here s what you should see: At first glance there s a lot to take in here but the information is actually very easy to read. The rows represent different types of web content or routes. Notice that access to some routes is allowed (indicated by green Allow symbols), while other routes are blocked (red Block symbols). SECURE Web Gateway s default policy blocks some routes because the content from these categories may be considered inappropriate for the workplace. Blocked routes include Sexually Explicit, Violence/ Offensive, Weapons, Gambling and so forth. Of course, access to any or all of these routes can be allowed or blocked as desired. Regardless, SECURE Web Gateway s default policy provides a good starting place for creating an Acceptable Usage Policy for your organisation. It can also help to gain an understanding of SECURE Web Gateway s key features so let s try out aspects of the default policy right now. Notice that the default policy is to block content that fits the Weapons route. Moreover, Everyone is blocked from this route meaning all users. To see this in action, fire up the web browser configured for users (Internet Explorer, if you followed our earlier suggestion) and visit www. guns.com. SECURE Web Gateway intercepts the request and displays this block message in the browser window:

6 Now, blocking all users from accessing a particular type of web content will sometimes be wholly appropriate but it s a rather blunt tool. As an alternative, SECURE Web Gateway allows administrators to restrict some routes with a soft block. A soft block presents the user with the option to continue if required, but only after they have acknowledged the block page. This may be useful for routes that are blocked primarily for productivity reasons, helping users to respect your organisation s policy while affording them the freedom to continue with essential business. To see a soft block in action, use Internet Explorer to browse to www. gambling.com. This time, SECURE Web Gateway will present a soft block page, distinguished by the option to Continue Browsing : Now refer back to the Manage Policy Routes screenshot on the previous page. Examine it a little more closely and you ll notice that the block symbol on the Gambling route is complemented by a secondary symbol the soft block symbol. It looks like this: While we re focused more closely on this screen, you may spot another symbol a little clock: This clock symbol indicates that access to the relevant route is restricted by a time schedule, which could be specific hours during the day (the company lunch hour, say) or for a limited amount of time throughout the day. Note, too, that the Web Policy Routes screen summarises which users are allowed or denied access to particular routes. The default policy either blocks, soft blocks or allows Everyone. However, much more flexibility is possible. As we ll see later, it s possible, for example, to define specific user groups, such as Sales, Marketing and Finance, and apply different policies to the various departments within your organisation. Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

7 Web Policy Routes & Content Rules SECURE Web Gateway policy routes are supported by content rules. These determine the content that is allowed to flow between the organisation and the websites defined by the route. Routes may have any number of content rules added, with seven applied by default. These are: Block Virus Block Encrypted Data Block Spyware Block Spyware Call Home Remove Tracking Cookie Block Executables including ActiveX Processing of requests or response Fails The presence of these default rules is indicated by the 7 in the Rules column on the Web Policy Routes screen. We ll explore rules in more detail in just a moment but before we proceed, notice that the Trusted Sites route lacks content rules. This means that the traffic flowing via the Trusted Sites route will not checked against any rules but this is intentional. The route exists as a place to categorise automatic update servers, such those used by Microsoft or Clearswift. Applying content rules to such servers, or indeed deleting this route, may cause any automatic updates to fail an undesirable situation. Let s take a closer look at how policy and rules work together. Click Show Printable Version on the left-hand side of the GUI. You should see something like this: Show printable version of policy Web Policy Routes are selected top down, first to match Content Rules are processed left to right

8 If SECURE Web Gateway detects web content that matches a particular rule then a block or allow action will be triggered. The content rules included with the default policy are all set to block. If the user attempts to access content that contravenes one of these rules then a block page will be shown in their web browser. Here, for instance, the user has attempted to download an executable file and has been blocked by the Block Executables including ActiveX content rule: As we ve already seen, SECURE Web Gateway s default policy includes a number of ready-made content rules for each route. However, it is simple to define new content rules or edit existing ones. We ll demonstrate by editing route number 8, which relates to Non-Business Related traffic. To do this, simply double-click the route or click once to highlight and then click the Edit button. Notice that the route has five editable sections: Overview, Traffic, Default Action, Schedule and Content Rules. The last four are the most important, so we ll explore these one at a time. Web Policy Route: Traffic The Traffic section is the key to building flexible policies. It is possible, for instance, to allow different groups within the organisation to have different rules applied to their browsing activity. The selected route, remember, is concerned with traffic between Everyone and websites considered Non-Business Related we call this an Internet Zone. This is how the Traffic section looks currently: Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

9 It is very easy to edit this route in order to apply it to different groups within the organisation or to different Internet Zones. To explore this further, click the Click here to change these setting link on the right. Here s what you ll see: Between Policy > User Names Policy > Machines And Policy > Internet Zones As you can see from the above screenshot, this particular SECURE Web Gateway has various departmental groups set up, such as Marketing, Product Management and Sales; and also a couple of groups based on machines, rather than departments. Of course, these are just examples to aid clarity: you will need to define your own groups. Changing the route is a simple case of placing ticks in the appropriate category boxes listed below the Between and And headings. To aid understanding, we ll consider the Between and And lists in a little more depth. Between User Name Lists and Machine Lists SECURE Web Gateway draws on Clearswift s renowned MIMEsweeper policy engine. This is a very powerful tool that can be used to specify granular policies for users grouped by department or even individuals. Grouping users by department offers both administrative simplicity and flexibility when setting policy for the many job functions within an organisation. An IT support department, for instance, may require unfettered access to large downloads or executable files, while marketing staff may be granted unrestricted use of social-networking websites and services. Groups also aid SECURE Web Gateway s powerful reporting features, because generated reports can be focused on the activities of specific departments. By the same token, the ability to apply policy right down to the level of individual users means an organisation has the freedom to fine-tune enforcement for job-specific needs. And Internet Zones As noted earlier, we refer to a route s destination as an Internet Zone. An Internet Zone is made up of one or more URL categories. The Non- Business Related Internet Zone, for example, includes URLs categorised as Gaming, Hobbies, Job Search, Personal Ads and Dating. Not all businesses are the same, of course, so you may wish to review the Non-Business Related Internet Zone in order select different nonbusiness categories. To do this, click the Policy tab at the top (to go to the Policy Center) and then select Internet Zones.

10 FEATURES URL FILTER CATEGORIES URL filter with Security Risk categories included Real-time categorisation Embedded URL Classification BENEFIT Prevents access to high risk Malware, Phishing, Remote Proxy and Hacking sites. Assigns a category to previously uncategorised sites in real-time to ensure undesirable content is prevented from entering the organisation. Provides a greater depth of analysis and categorisation for embedded URLs to categorise and prevent inappropriate content delivered from Google or Yahoo! cached pages. Web Policy Route: Action As we ve already seen, SECURE Web Gateway presents block pages when it detects content that contravenes policy. These are the result of Actions. The default Action for a route can be set to either Allow or Block the request. The default s policy s Non-Business Related route that we re exploring, for instance, is set to Allow but only during scheduled periods (and we ll cover SECURE Web Gateway s scheduling options in just a moment). Here s what it looks like: Again, it is easy to change the way this works. To block Non-Business Related browsing at all times, for example, hit the Click here to change these settings link and use the dropdown menus to choose Block the communicating using and Generic Route Block Page. Like this: Policy > End User & Block Pages Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

11 A handy tip here: to create a soft block, as discussed earlier, just place a tick in the box labelled Allow the user to continue browsing if they acknowledge the block page. Remember, this will still result in the user being presented with a block page, reminding them of your organisation s Acceptable Use Policy, but they will be offered the option to continue browsing. This is typical of the flexibility provided by SECURE Web Gateway, protecting your organisation while allowing employees freedom to conduct essential business. Web Policy Route: Schedule SECURE Web Gateway s schedule controls allow you to specify quotas or periods during which users can browse websites matching a particular route. Here, for example, is the schedule for the default policy s Non- Business Related route: Drag mouse to set time quota colour Select time quota colour before filling schedule The green cells indicate access is allowed but users will be unable to access the route during periods marked by white cells. The orange cells, incidentally, signify a period during which quotas apply. So, in this example, no access is allowed after 8am and before 5pm, Monday to Friday, but there is a three-hour window in the middle of the day when users are allowed up to 60 minutes access to web content covered by the route. A schedule like this helps keep minds focused on work during business hours, while affording freedom to conduct personal activities during lunch breaks.

12 Web Policy Route: Content Rules SECURE Web Gateway s content rules define the type of information that is allowed to flow to and from your organisation. It s possible, for example, to create a rule that allows Word and Excel documents to be downloaded but not uploaded limiting data leaks. We ll explore now how text within documents can also be examined, using SECURE Web Gateway s powerful Detect Lexical Expressions content rule. A common policy requirement is to prevent document uploads only when specific watermarks are detected within the document. Similarly, you may wish to scan documents uploads for other sensitive information such as credit card, National Insurance or Social Security numbers. Given their importance, let s explore content rules in more detail. Policy > Content Rules Ability to copy Content Rules from an existing Route to save time That completes the overview of the Web Policy Routes. We shall now explore the content rules in more detail. Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

13 Content Rules SECURE Web Gateway s content rules provide the real-time protection when a website is being accessed. Their purpose is to examine all data that flows into and out of your organisation, protecting against known and unknown malware threats and performing deep, contentaware inspection. FEATURES HYGIENE AND CONTENT AWARE INSPECTION Bi-directional anti-malware scanning Bi-directional anti-spyware scanning Deep content-aware inspection True binary file-type identification Real-time categorisation Suspicious script detection BENEFIT Stops known and unknown malware infection, entering or leaving the network. Stops spyware, adware, key loggers and spyware call homes, and identifies infected user machines. The ability to look inside containers being uploaded or downloaded and detect and prevent policy violations even when the file type is embedded in other file types/containers. Provides accurate identification of file types, embedded attachments and direction. File identification is based on the binary type and NOT the file name or reported MIME type which can be misrepresented. Prevents undesirable content from new or uncategorised sites such as pornography. And prevent access to remote proxy sites that appear every day. Protection from web content that includes suspicious script commands.

14 SECURE Web Gateway includes comprehensive set of default content rules that have been set to detect various types of web content. To view them, click the Policy tab and then select Content Rules. This is what you ll see: Policy > Content Rues As noted, SECURE Web Gateway s powerful content rules make real-time decisions about the information that is allowed to flow into and out of your organisation. So, how do content rules apply in practical situations? Well, consider these three questions: Should a document containing the phrase top secret be allowed to leave the organisation? Should a document with multiple credit card numbers be allowed to leave the organisation? Should a virus-infected file, concealed within a compressed zip file, be allowed to enter the organisation? Most companies, of course, would answer a resounding No! to all three. And it is for exactly these kinds of situations that SECURE Web Gateway s content rules exist. The purpose of the content rules included as part of SECURE Web Gateway s default policy are reasonably self-explanatory and also demonstrate the power and depth Clearswift s content-inspection technology. Take Block Confidential Office Documents rule, for example: rather than place a block on the transfer of all documents, it inspects document content for words and phrases that may indicate the presence of confidential information. Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

15 Editing the default content rules to reflect the specific needs of your organisation is straightforward as is creating rules from scratch. To see how this is done, click the Policy tab, select Content Rules and then click New. This is what you ll see: Policy > Content Rues > New All rules in SECURE Web Gateway including those provided with the default policy are built from a base set of content rules. This table provides an idea of how these base content rules were used to build the content rules that make up default policy.

16 To explain what s going on here, the leftmost column one lists SECURE Web Gateway s default content rules, while the middle column details the base rule on which each content rule was built. The right-hand column, by the way, shows the lexical expression list (if any) that the rule draws on. So, for example, the Block Confidential Office Documents rule has been built on the Detect Lexical Expressions base rule, and draws on the Confidential Material lexical expressions list. Of course, deciding which base content rule is the most appropriate for a particular policy depends on the desired outcome. However, it is fair to say that Detect Media Type and Detect Lexical Expressions are the most powerful and the most frequently used base rules. For example, if wanting to detect a particular data format or file type then use the Detect Media Type base rule. To scan for particular words or phrases, regardless of whether the focus is an upload, download, web page or URL, begin with the Detect Lexical Expression base rule. Let s consider a few examples of desired outcomes and see how they can be achieved by building on SECURE Web Gateway s base content rules: To prevent the usage of unauthorised browsers (Chrome, Safari, and Opera, for example), use the Detect Lexical Expression base content rule to search HTTP headers for the appropriate User Agent Header string. To stop the viewing of specific YouTube videos, use the Detect Lexical Expression base content rule to search requested URLs for the video s identification number. To prevent the upload of Microsoft Office documents (Word, Excel, etc), use the Detect Media Type base content rule and set the direction to Leaving the Company. To prevent data leaks, use the Detect Lexical Expression base content rule, set the direction to Leaving the Company and search for phrases such as Top Secret, Sensitive and Confidential. As we ve seen, all content rules reference other policy components, be it Block Pages or Lexical Expression Lists. These referenced items are referred to as Policy References and can be found on the lower part of the main policy page. We have already seen examples of how some of these Policy References can be used within the content rules and Web Policy Routes but here s a summary. Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

17 Define user groups and use to specify the From on a Web Policy Route Define machine groups and use to specify the From on a Web Policy Route Define groups of websites by URL and category and use to specify the To on a Web Policy Route. Create or amend the pages used to inform users about policy violations. Create lists of words and phrases that can be used with the Lexical Expressions content rule to prevent data leaks. Create an inform to alert IT or HR immediately when a potential policy violation occurs. Identify your own internal servers to be categorised as Intranet Allows specific file names to be specified and used with the Detect File Names content rule. Tip: to stop certain files types use the Detect Media Types content rule to look for binary signatures. Reporting Clearswift SECURE Web Gateway includes versatile management and reporting facilities, all controlled from a simple web-based interface. Dozens of ready-made report templates are included and new ones can be created quickly and simply. Better still, SECURE Web Gateway s reports are interactive: drill down on the fly to get to the data you need quickly and avoid producing useless reports. FEATURES REPORTING Intuitive web-based interface Pre-defined customizable reports Scheduled reporting Multi-gateway policy and reporting Active Directory (AD) and LDAP integration Scheduled spyware reporting BENEFIT Ease of use and no requirement to learn complex syntax or Linux commands. Easy to modify, run and share reports with interactive drilldowns. Allows create once, run and distribute many times report circulation via . Consolidated policy and reporting view of user s activities for centralised management and analysis. Full user-based policy control for flexible policy and audit reporting by group or indi vidual. Better control of spyware and the identification of user devices requiring remediation.

18 We d suggest starting your evaluation of SECURE Web Gateway s reporting facilities using the reports grouped under the Route heading. To do this, click the Reports tab and followed by the + to expand the Route reports group. The Route reports show how the users web requests are being processed by the Web Policy Routes. As you will now appreciate, the Web Policy Routes represent the organisation s policy and the Route reports show how that policy is being processed, showing the most popular routes, users, time and bandwidth usage. Here s what it looks like: The provided reports display activity for all users. However, it is easy to create a new report that focuses on specific user groups or individuals. First select a report and click Copy. This will create a copy of the original report and place you in editing mode. This is what you can expect to see: From here you can rename the report, change the many report filters and even schedule the report for automatic delivery. The filters and their meaning should be self-explanatory. In order to produce reports focused on specific user groups ( Marketing or Sales, say), first create the necessary user lists and then use these in some policy routes. Clearswift SECURE Web Gateway Evaluation Guide / Revision 1.1

19 As mentioned, SECURE Web Gateway reporting system is interactive, so you can drill down on the fly. To see this in action, first run the Top Routes to Top Categories report. Now, to drill down on a particular route, simply click on the route in the report screen. Drill down still further by clicking a category like this: Tip: After drilling down into a report, use the Back button in the web browser to return to the previous level. Note that when doing this, it may be necessary to press F5 to have the browser refresh the page. We hope that this brief guide has given you a head start in your evaluation of Clearswift SECURE Web Gateway. Of course, there s plenty more to explore. For more help or guidance either follow the links below or simply give us a call we d love to hear from you. For further information Technical Guides: resources/technical-guides Clearswift knowledge base: Technical Support: Clearswift user discussion forums:

20 Contact Clearswift UK - International HQ Clearswift Limited 1310 Waterside Arlington Business Park Theale Reading Berkshire RG7 4SA UK Tel : +44 (0) Fax : +44 (0) Sales: +44 (0) Technical Support: +44 (0) info@clearswift.com Australia Clearswift 5th Floor 165 Walker Street North Sydney New South Wales, 2060 AUSTRALIA Tel : Fax : info@clearswift.com.au Germany Clearswift GmbH Amsinckstrasse Hamburg GERMANY Tel : Fax : info@clearswift.de Japan Clearswift K.K 7F Hanai Bldg Shibakouen, Minato-ku, Tokyo JAPAN Tel : +81 (3) Fax : +81 (3) info.jp@clearswift.co.jp Spain Clearswift España S.L. Cerro de los Gamos 1, Edif Pozuelo de Alarcón Madrid SPAIN Tel : / Fax : info.es@clearswift.com United States Clearswift Corporation 161 Gaither Drive Centerpointe Suite 101 Mt. Laurel, NJ UNITED STATES Tel : Fax : info@us.clearswift.com