Websense Web Filter to Blue Coat WebFilter Migration Guide

Transcription

1 Websense Web Filter to Blue Coat WebFilter Migration Guide October 2011

2 Websense Web Filter to Blue Coat WebFilter Migration Guide Table of Contents URL Category Map: Websense Web Filter to Blue Coat WebFilter...3 Migration Example...9 Example Policy to Block Executables from Certain Domains...12 Blue Coat's Recommended Web Security Policies...14 This document is designed to assist you in migrating your environment from using Websense Web Filter categories on Blue Coat ProxySG to using Blue Coat WebFilter s categories. The first part of the document contains category mappings to assist you in selecting which Blue Coat mapping to use. In many cases, there is a one to one matching. The second part of the document contains an example on how to migrate from Websense Web Filter categories to Blue Coat WebFilter in our policy engine. During the migration, ProxySG will allow you to run both Websense Web Filter and Blue Coat WebFilter so your web filtering service will not be interrupted during the process. The Recommended Web Security Policies contained in the last part of this guide are suggestions only. When in doubt, we recommend taking a conservative approach. With your migration to Blue Coat WebFilter, you are being backed by Blue Coat s WebPulse cloud service. This is important because of the dynamic and changing landscape with cybercrime. Malware is constantly evolving, so you need a dynamic security strategy that can keep up with the latest Web-based threats. To help protect your Web gateway from sophisticated malware attacks, the WebPulse cloud service leverages real-time URL ratings from a growing community of 70 million users, supports more than 50 languages, integrates multiple threat detection engines and provides more than six billion real-time Web content ratings per day. As soon as Blue Coat WebFilter is enabled, your latest security protection is automatic protecting your network with no requirement software downloads.

3 URL Category Map: Websense Web Filter to Blue Coat WebFilter To start the migration, the first thing that you need to do is review the categories that are being used for policy with the Websense Web Filter categories and map them to the corresponding Blue Coat WebFilter categories. The Websense Master Database is organized into more than 90 URL categories. Websense uses parent categories and some of them may be containers of subcategories. You can find the complete listing and definitions of the categories at this link: The Blue Coat WebFilter is organized into more than 80 URL categories. Blue Coat WebFilter has the ability to rate URLs under 4 different categories. For example, is categorized as For Kids and Entertainment. You can find the complete listing and definitions of the categories at this link: Blue Coat WebFilter also offers a service called Site Review. The purpose of Site Review is to allow Blue Coat customers to check the current database categorization of WebFilter URLs and report sites that they believe are incorrectly categorized. Several Websense WebFilter categories map to more than one Blue Coat category. The table below is meant to help you with making the decision in this mapping exercise. Bold categories denote a Websense parent category. New categories in RED Websense Category Corresponding Blue Coat Notable Differences Migration Recommendations Abortion Abortion Unlike Websense, Blue Coat doesn't distinguish between prolife, pro-choice, or neutral. All sites discussing abortion (pro or con) are categorized as abortion in Blue Coat's filter. Pro-Choice Pro-Life Adult Material Abortion Abortion Adult/Mature Content Adult Content Pornography Websense defines this as sites that display full or partial nudity in a sexual context. Blue Coat defines such sites as pornography. Lingerie and Swimsuit Intimate Apparel/Swimsuit Websense places semi-nudity into their Lingerie and Swimsuit category, Blue Coat places these into the nudity category. Otherwise, the categories are similar. Nudity Sex Sex Education Nudity Pornography Child Pornography Sex Education Websense's definition: Sites that depict or graphically describe sexual acts or activity, including exhibitionism; also sites offering direct links to such sites. Blue Coat categorizes such sites into the Pornography category. If a user wants to block certain abortion sites, but not others, recommendation would be to block the abortion category and allow exceptions for sites that shouldn t be blocked through an allow list. If user wants to block full or partial nudity depicted in a sexual context blocked, use the Blue Coat pornography category. If user wants semi-nudity blocked, but lingerie and swimwear allowed, block nudity category but not Intimate Apparel category. Websense customers that block the Sex category should block the Blue Coat Pornography category.

4 Websense Category Corresponding Blue Coat Notable Differences Migration Recommendations Advocacy Groups Political/Activist Groups Websense's definition: Sites that promote change or reform in public policy, public opinion, social practice, economic activities and relationships. Blue Coat's category is similar but includes political groups or movements. Bandwidth Educational Video Entertainment Video Internet Radio and TV Internet Telephony Peer-to-Peer file sharing Personal Network Storage and Backup Streaming Media Surveillance Viral Video Business and Economy Financial Data and Services Audio/Video Clips Audio/Video Clips Radio/Audio Stream TV/Video Stream Internet Telephony Peer to Peer Online Storage Radio/Audio Stream TV/Video Stream Audio/Video Clips TV/Video Stream Audio/Video Clips Business/Economy Financial Services Brokerage/Trading Blue Coat differentiates between Audio and Video categories. Websense's definition: Sites that offer news and quotations on stocks, bonds and other investment vehicles, investment advice, but not online trading. Includes banks, credit unions, credit cards, and insurance. If blocking the Political/Activist category, a customer can allow exceptions to certain Web sites. Use Blue Coat s Financial Services category for Banks, Credit Unions, and Credit cards. Hosted Business Applications Web Applications Blue Coat categorizes sites that offer news and quotations on stocks, bonds and other investment vehicles, investment advice, insurance, and online trading into Brokerage/Trading. Banks, credit unions, and credit cards are classified as Financial Services. Drugs *See notes Illegal drugs fall under the Illegal Drugs category. Prescription drugs fall under the health category. Abused Drugs Illegal Drugs Marijuana Illegal Drugs Websense has a separate category for marijuana. Blue Coat places marijuana in the Illegal Drugs category. Prescribed Medications Supplements and Unregulated Compounds Health Health Use Blue Coat s Brokerage/ Trading category for insurance, online trading, stock, bonds, investments, and investment advice. Use Blue Coat Health category for legal prescription, over the counter medications, and nutrition supplements. Use Blue Coat Illegal Drugs category for Abused Drugs, Marijuana, and questionable substances.

5 Websense Category Corresponding Blue Coat Notable Differences Migration Recommendations Education Cultural Institutions Educational Institutions Educational Materials Reference Materials Entertainment Education Art/Culture Education Education Reference Entertainment MP3 and Audio Download Services Audio/Video Clips Blue Coat's Audio/Video Clips category includes Sites that provide streams or downloads of audio or video clips typically 15 minutes or less in length. This also includes sites that provide downloaders and players for audio and video clips. Extended Protection Dynamic DNS Dynamic DNS Host Elevated Exposure Suspicious Emerging Exploits Hacking Potentially Damaging Content Placeholders WBSN: Sites likely to contain little or no useful content Gambling Games Gambling Games Government Government/Legal Websense's category does not include lawyers, adoption, legal services, and legal reference; Blue Coat's does. Military Political Organizations Military Political/Activist Groups Health Health Websense's Health category does not include prescription drugs, Blue Coat's does. Illegal or Questionable Scam/Questionable/Illegal Blue Coat's category includes educational cheating or related questionable activities. Websense does not make this distinction in their category definition. Information Technology Computer Security Hacking Proxy Avoidance Search Engines/Portals URL Translation Sites Web and Spam Web Collaboration Web Hosting Computers/Internet Computers/Internet Hacking Proxy Avoidance Search Engines/Portals Translation Spam Suspicious Online Meetings Web Hosting If a user wants to allow health sites but block prescription drug sites, they can add prescription drug sites to a block list, or block the health category and allow exceptions. Customers blocking Spam may also want to consider blocking Suspicious.

6 Websense Category Corresponding Blue Coat Notable Differences Migration Recommendations Internet Communication *See notes Websense's Internet Communication category is a parent category of Web Chat and Web-based . General Organizational Text and Media Messaging Chat/IM Blue Coat's category includes instant messaging sites and sites that support the download of chat and instant messaging clients. Web Chat Job Search Chat/IM Job Search/Careers Militancy and Extremist Violence/Hate/Racism Websense defines the Militancy and Extremist category as sites that provide information about or promote or are sponsored by groups advocating antigovernment beliefs or action. Blue Coat categorizes such sites as Violence/Hate/Racism. Miscellaneous Content Delivery Networks *See sub categories Content Servers Dynamic Content Web Advertisements Websense's Dynamic Content definition is included in Blue Coat's Web Advertisements definition. File Download Servers Software Downloads Image Servers Media Sharing Websense defines their Images Servers category as Web servers whose primary function is to deliver images. Blue Coat categorizes such sites in the Media Sharing category. Images (Media) Not Applicable See notes Websense describes this category as sites ending with image filenames. Blue Coat currently does not have an equivalent category. But such categorization is not necessary under Blue Coat's system since images are categorized based upon the type of image they are. Network Errors Unrated Websense describes this category as sites with hosts that do not resolve to IP addresses. Users that want to block militant and extremist sites should use the Blue Coat Violence/Hate/Racism category. Network errors do not have a need for filtering. This is for proxy reporting and handled through Blue Coat Reporter. Private IP Addresses Unrated Private IP addresses do not have a need for filtering. This is for proxy reporting. Uncategorized Unrated Users should not block the Unrated category, but can make exceptions as needed. News and Media News/Media

7 Websense Category Corresponding Blue Coat Notable Differences Migration Recommendations Alternative Journals Society/Daily Living Art/Culture Websense defines this category as the online equivalent of supermarket tabloids and other fringe publications. Blue Coat typically categorizes these types of publications as Society/ Daily Living or Art/Culture unless there is adult content or nudity involved. Parked Domain Productivity Advertisements Freeware and Software Download Instant Messaging Message Boards and Forums Online Brokerage and Trading Pay-to-Surf Racism and Hate Religion Non-Traditional Religions and Occult and Folklore Traditional Religions Security Bot Networks Keyloggers Malicious Embedded iframe Malicious Embedded Link Malicious Web Sites Phishing and Other Frauds Potentially Unwanted Software Spyware Sucpicious Embedded Link Shopping Internet Auctions Real Estate Social Organizations Professional or Worker Organizations Service and Philanthropic Organizations Social and Affiliation Organizations Society and Lifestyles Placeholders Web Advertisements Software Downloads Chat/IM Newsgroups/Forums Brokerage/Trading Pay to Surf Violence/Hate/Racism Religion Alternative Spirituality/Belief Religion Malicious Sources Malicious Sources Hacking Malicious Sources Malicious Sources Malicious Sources Phishing Potentially Unwanted Software Malicious Sources Malicious Outbound Data/Botnets Suspicious Shopping Auctions Real Estate Charitable Organizations Political/Activist Groups Business/ Economy Charitable Organization Charitable Organization Society/Daily Living Society/Daily Living Blue Coat differentiates between Malware sources and outbound data (call home traffic). Websense's Professional or Worker Organizations and Blue Coat's Political/Activist categories are similar. Blue Coat would also categorize such sites as Business/Economy. Websense customers familiar with the Alternative Journals category should use the Blue Coat Society/ Daily Living and Art/Culture categories. Users can make allowance and blocking exceptions as needed.

8 Websense Category Corresponding Blue Coat Notable Differences Migration Recommendations Alcohol and Tobacco Blogs and Personal Sites Gay or Lesbian or Bisexual Interest Hobbies Personals and Dating Restaurants and Dining Social Networking Alcohol Tobacco Blogs/Personal Pages LGBT Sports/Recreation Personals/Dating Restaurants/Dining/Food Social Networking Blue Coat differentiates between Alcohol and Tobacco. Special Events *See notes Websense defines this category as; sites devoted to a current event that requires a separate categorization. Blue Coat would categorize these based on the type of event. i.e. A sporting event would be classified Sports/ Recreation a concert would be Entertainment, and a religious conference would be Religion. Sports Sport Hunting and Gun Clubs Tasteless Travel Sports/Recreation Sports/Recreation Adult/Mature Content Travel User-Defined *See notes Blue Coat ProxySG also allows users to define their own categories. Vehicles Violence Weapons Vehicles Violence/Hate/Racism Weapons Websense Social Web Control Categories: Facebook, LinkedIn, Twitter, YouTube, Craigslist and WordPress. Categories and Operations: Blue Coat Web Application Policy Engine, 80+ Applications: Note: Websense does not have equivalent categories for the following: Users can add sites to allowed and blocked lists as needed. Informational: is a modifier category only and can be used to select out informational sites from broader categories. For example, sites that provide information about gambling would be categorized as both Gambling and Informational.

9 Migration Example 1. Download BCWF database. Enter Username and Password. Click Download now. Click View Download Status. 2. Take a coffee or tea break. Approximately 20 minutes. Check the Download status. It should be done by now. 3. Check the box to enable BCWF:

10 4. Launch the Visual Policy Manager: 5. Go through each Layer and check the Destination Field for Request URL Category Objects or any Combined Destination Objects as they may contain Category Objects. An example of what your policy might look like:

11 6. For the above example you would right-click AlwaysDeny and choose Edit. 7. Expand Blue Coat to see the available categories. The categories currently enforced for this rule can be seen on the right. Use the category mapping chart in this document to identify the 3rd party category (as seen on the right) and check the box under Blue Coat for the corresponding BCWF category. 8. Do this for each category in the Request URL Category Object. Do this for every rule where Category Objects are used, you only have to check the Destination field. 9. Install the policy when done. You should now be running BCWF and a 3rd party database concurrently. Make sure to test the policy to make sure it works as expected. When you are comfortable with the BCWF categories you can go back into the Visual Policy Manager and remove the check boxes for all the 3rd party categories. If you want to cut over immediately, simply uncheck the 3rd party categories once you have added all the corresponding BCWF categories. 10. Finally, you can disable the 3rd party content filtering database by selecting None:

12 Example of Policy to Block Executables From Certain Domains (see Recommendation #1 Below) 1. In VPM create a new Web Access Layer rule and place it above the Allow Rule: 2. Right click Destination in rule #3 and choose Set New Combined Destination Object. On the lower left select New Request URL Category and add the following categories: 3. Click OK. On the lower left select New Apparent Data Type. Select DOS/Windows Executable and click OK:

13 4. Click on BlockExecutableCategories and click the top Add. Click on Executables and click on the bottom Add: 5. Click OK and then OK. Install the policy.

14 Blue Coat s Recommended Web Security Policies Recommendation #1: (see instructions above) Use policy to block executable content from these categories. This is a blended rule which you would pick the category and the action is block executables. 1. None: In rare incidents there may be URLs that have not been rated in the WebPulse ecosystem. If this is the case, it is important to block executables as a precaution that it is malware content. 2. Adult: Many malware vectors begin with search engines, and many searches for Adult-themed material return links to malware. 3. Open/Mixed Content: Many malware sites use open content servers to host parts of their site, and occasionally their payloads. Legitimate business sites generally don't use these hosts. There are some consumer sites like that use open content servers, so don t block the category outright just block executables. 4. Online Storage: As with Open Content above, many malware sites use OS servers to host parts of their site, which frequently includes payloads. However, many popular (or at least widely used) sites fall into this category: e.g., file sharing sites like megaupload.com and rapidshare.com, and many photo-upload sites. 5. Web Advertisements: There has been a major increase in "malvertising" where major ad networks (including even "name brands" like doubleclick and yieldmanager) get duped into serving malicious ads from affiliate networks. 6. Non-viewable: Similar in threat profile to Web Advertisements. Sites in this category tend to be tracker/ analytics type services, typically serving such "non-viewable" content or small chunks of Javascript; the intent is to track users' visits to sites. 7. Web Hosting: A lot of malware is distributed via subdomains that are created on free or low-cost Web Hosting domains. 8. Software Downloads: Depending on the size of your organization and the autonomy of your users, you may want to use an Allow list approach for domains in this category, and block the rest. This is a great vector for a malware author to target, since the victims are actively looking for software to install making this a risky area. If you block executables, you have a chance to vet what your users are trying to download, and decide if it is safe or not. 9. Content Servers: Unlike sites in the Open Content category, these sites are run by larger, reputable companies and typically are used to store and serve images and videos and not executables. Recommendation #2: We strongly recommend blocking the following categories as we have found through our Web security labs that certain type of Web traffic have a high potential risk of containing some type of malware content. 1. Phishing, Malicious Sources, Malicious Outbound Data/Botnets 2. Pornography, Extreme: There are a lot of sites that include malware content masquerading as Pornography. 3. Hacking: Most of the remaining one-third of masqueraded content as Hacking related ("warez"). 4. Gambling: There are a large number of on-line casino sites that attempt to persuade you to load a malware client on your computer. 5. Suspicious: There is a large spectrum of sites that fall into this category. Many, if not most, of these are part of malware or spam networks.

15 6. Placeholder: These are generally "undead" domains, no longer truly alive and have become "search engine zombies" many with ties to malware networks' search engine optimization schemes. 7. Potentially Unwanted Software: This category includes adware-/spyware-relate and other "borderline" malware. 8. Scam/Questionable/Illegal: Many scammers, whose sites are flagged as Questionable, are also involved in malware-related activities. 9. Proxy Avoidance: If not blocked, then any of the above may be reached. 10. Dynamic DNS Host: This category identifies sites that do Dynamic DNS "hosting" or "aliasing". These sites have been used as "phone home" data sites in many high-profile targeted attacks. Customers should consider blocking all content, not just executables from Dynamic DNS sites. Recommendation #3: Include as much information as possible in the requests to WebPulse : The SG gives you the option of sending malware info; please use it. If you're running with a ProxyAV, and it finds malware in a download, the SG can let WebPulse know about it. This helps keep the whole Blue Coat WebFilter community safer. The SG gives you the option of sending the Full URL; please use it. To get the maximum anti-malware protection from WebPulse, it needs to have the full path and querystring available to it. Recommendation #4: Use Reporter to look for evidence of botnet activity on your network. 1. In addition to the "usual suspects" (Spyware/Malware Source, Spyware/Malware Effects, Suspicious, and Phishing), consider the categories named above as being worth an extra look. 2. Review the amount of "Unrated/None" traffic as an infection indicator: a normal SG customer sees around 90-95% of their traffic rated on ProxySG, so only about 5-10% of their traffic goes to WebPulse for a rating. If you see a lot of unrated traffic coming from a computer on the network, it may be an infected machine trying to "phone home" to a brand-new malware command-and-control domain. Recommendation #5: Many bots attempt to be stealthy by utilizing port 443 for their "phone home" communications to their Command and Control (C&C) servers. There are two steps you can take in your policy to block this sort of traffic: 1. Ensure that SSL protocol is using valid certificates. We recommend blocking SSL that isn't using a valid cert backed by a legitimate authority. We also recommend that you consider blocking SSL traffic to sites using self-signed certs. Any false positives in this traffic would need to be whitelisted. 2. We recommend blocking all non-ssl traffic that attempts to use port 443. Many botnets use custom encryption for their traffic, and this will stop them in their tracks. However, many legitimate apps also use custom encryption over port 443, and so this will generate some false positives, which must be investigated and whitelisted.

16 Blue Coat Systems, Inc BCOAT Direct Fax Copyright 2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. v.websensewf-to-bcwf-migration-guide-v2c-1011