Web Security Service – Setup Guide
The Web Security Service is a cloud-based Internet filtering and Web 2.0 security solution. Your organization’s users connect to this service to enable Internet filtering and protection. This Setup Guide provides information for customer network administrators on how to setup and configure the Web Security Service for full or trial deployment.
Overview of Web Security Service Components and Deployment
The Web Security Service is a Software-as-a-Service (SaaS) suite that provides up-to-the-minute Internet security, privacy, and traffic management. Because it is a SaaS solution, enterprises can have the best Web security without the time and cost associated with in-house administration, management, and equipment.
This guide is intended for administrators of the Web Security Service, focusing primarily on the management interface known as the Web Console. This guide covers all tasks for setting up and managing your deployment, including configuration and policy creation.
Features & Benefits
· URL Filtering – The Web Security Service provides a comprehensive database of millions of websites in more than 50 reporting categories. More importantly, the service analyzes the content of websites that your organization is accessing in real-time, looking for malicious code, anomalies and inappropriate material, and preventing access to sites which are a security risk or policy violation to your organization. This ensures that users are protected against threats and offensive material and your network is not compromised by malicious websites.
· Anti-Virus and Malware Security – the service incorporates both traditional anti-virus technology and sophisticated dynamic anomaly detection and traffic modelling systems to protect your organization from viruses, botnets, spyware, browser exploits and other Web 2.0 threats. Downloaded files are scanned using the iSheriff Cloud Scanner which is regarded in 3rd party tests as one of the foremost AV solutions and also provides protection against potentially unwanted applications. Our patented dynamic modelling engine examines web links, scripts and code structures looking for the tell-tale behavioural characteristics of malicious sites and vulnerability exploits – denying these threats from executing and preventing drive-by infections.
· Application Control – the service enables you to gain control over popular Web 2.0 applications such as Social Networking, Streaming Media and Web-based messaging. These applications, if unmonitored or unmanaged, can become a serious security and policy issue for your organization. The service enables you to manage access to these applications or block them entirely.
· Data Leakage Prevention – the Web Security Service allows you to create policies which will prevent users from accidentally exfiltrating information such as credit cards, health information and personally identifiable information. This can help with maintaining compliance with regulations like PCI and HIPPA.
· Data Leakage Prevention – with the service you can control the distribution of sensitive data or private information via the Web. The service enables you to control who can upload important files to the Web or post sensitive content on Web 2.0 sites, blogs, wikis or webmail.
· Acceptable Use Policy Compliance – if your organization has an acceptable use policy, defining appropriate use of Web resources and outlining inappropriate conduct and prohibited content, then the service can actively monitor and enforce those policies. Block pornography, bad language, violence and other inappropriate Web content which could potentially create legal liability risk and ensure a safe and productive workplace for your employees.
· Security & Policy Compliance Reporting – the Web Security Service provides you with ready access to useful and easy to understand reports on your Internet usage and threats. Graphical summary reports are provided as well as more in-depth reports to help you investigate and answer any questions that may arise. You can run reports by site, category, user, bandwidth and by threat type. These reports allow you to measure the real benefits of the service and demonstrate the return on your investment.
The Web Security Service provides your organization with a simple yet powerful Web-based interface to set and manage your own policies and reports. It works with many popular directory services, such as Active Directory, to make it easy to set up and maintain your user accounts and authentication.
Web Security Management Interface (Web Console):
Overview of the Web Console
Before you can begin filtering Web traffic through the Web Security Service, there are a few housekeeping and setup tasks that need to be completed in order for the service to recognize traffic from your domain or IP address. The initial setup is relatively quick and straight-forward; this chapter will discuss the setup items in detail.
The Web Console enables your organization to:
· View data at-a-glance in the Dashboard
· Monitor and configure subscribed services
· Import and manage email user accounts or configure directory services
· Create and modify policies (aka filters)
· Report on users’ Web activity
· Administer your filters and the system, such as defining exceptions for blocked Web content
Logging into the Web Console is as simple as logging in to any other SSL secured website:
1. Open your web browser
2. Navigate to the HTTPS URL for your console (link provided in when you register)
3. Enter your user name and password as seen in the figure below
Now that you are logged in, you can begin filling out the initial configuration information for your organization. To access the setup menu:
1. In the upper navigation bar, at the top of the page, click on Filter Management.
2. In the left pane navigation menu, click Web Filter which will expand the menu
3. Click on Setup
Fill out the information on this page to configure the service to accept Web traffic for your organization. There are a few pieces of information to complete:
· Source IP Addresses: labelled as “Enter the source IP Address(es) for Web traffic.” Before your organization can begin using the Web Security Service, you need to add a list of the public IP addresses your organization will be using to connect to the service. If you are unsure of your external IP clicking on “more info” will display your IP address in the right pane, or you can simply click “Add my address” as seen below. Once you have added your IP address, it will remain pending with the service until it can be verified by the system. Note: acceptance of your IP address and service initialization can take up to 24 hours. Once your IP address is verified, traffic originating from that IP will be enabled for the Web Security Service, and you can continue on with configuring proxy settings for your users & network.
· User Authentication: labelled as “Web Filtering with User Authentication” This feature requires users to authenticate with the service using a Log In name and password.
· Connection Settings: These settings allow you to setup filtering services by configuring your user’s Web browsers to direct traffic to the service. You can also define websites (such as Intranet sites) that you wish to bypass for filtering. Proxy Configuration is explored in more detail in the next section.
· Block Page Customization: Here you can customize the notification page that users will see when the service prevents access to a site based on your policies.
Redirecting through the Web Security Service
End user browsing must be routed through the Web Security Service in order to have your policy rules enforced.
There are many ways to connect to the Web Filtering Service. The recommended, and most used option is to install the iSheriff Cloud Endpoint Client. However some organizations may choose to manually configure proxy settings instead. If you choose to use the iSheriff Endpoint Client you do not need to perform manual proxy configuration and can skip to section 3. Here are the multiple methods for manuallyconfiguring browsers to use the service:
· Active Directory Group Policy
· Login script
· Proxy Chaining
Each of these is discussed in this chapter. If you already have a method for rolling out a new proxy to users, in most cases this should be supported.
Manually Configuring Proxy Settings
For initial testing of the policy, before a rollout is done to every user, configuring proxy settings by hand is the least invasive option, and can be easily done on the administrator’s PC without affecting other users. How this is done depends on the browser. Examples of some of the more common browsers and the relevant settings are listed below:
Internet Explorer users:
1. Within Internet Explorer, click on the “Tools” menu
2. Select “Internet Options” from the drop-down
3. Click on the “Connections” tab, then “LAN Settings”
4. Within the LAN Settings menu, tick the box that says “Use a proxy server for your LAN”, then click “Advanced”
5. Enter the proxy address and port provided to you (these can be located under Proxy Configuration in your Web Console). Repeat this for all but Socks.
1. Within Firefox, click on the “Tools” menu
2. On the drop-down, select “Options”
3. On the resultant popup, click “Advanced” on the top pane, and on the tab labeled “Network”, click “Settings”
4. Select the “Manual proxy configuration” option, and key in the proxy URL given to you for the box labeled “HTTP Proxy”, as well the port in the port field.
5. Repeat the same for SSL and FTP, but be sure to leave Gopher and SOCKS empty.
Google Chrome users:
Google Chrome on Windows uses the same proxy configuration settings defined for Internet Explorer, however it is reached using a slightly different method. Note that this is not the case for Chrome on Mac systems, nor Chrome/Chromium on Linux systems. Configuring settings for Internet Explorer should be sufficient to force Chrome through the service as well.
Apple Safari users:
1. Choose Preferences from the Safari menu and click Advanced,
2. Then click Change Settings. The Network pane of System Preferences opens showing the proxy settings for the type of connection you are using.
3. Select the checkbox for the type of proxy server (for example, Web Proxy).
4. Enter the IP address or DNS name provided in the first text box and the port number in the second box. When you're ready, click Apply Now.
Configuring Proxy Settings Using PAC Files and WPAD
The Web Security Service automatically generates a proxy auto-configuration file (PAC file) that can be used as a semi-automated method of instructing browsers to use the Web Security Service. PAC files can either be configured within the browser by hand, as covered in this section, pushed out via DHCP for servers that support the “DHCPINFORM” message, or pushed out through Group Policy within Windows environments.
Obtaining your PAC File
Administrators can view the URL for their PAC file by logging into the Web Console and navigating to the Filter Management & Web Filter Setup.
Administrators can then push out the PAC file using DHCP or users can manually enter the PAC script in their browser settings as follows:
Configuring Browsers to Use a PAC File
Internet Explorer users:
1. In Internet Explorer, click on Tools à Internet Options à Connections à LAN Settings
2. In the LAN Settings window, tick the box next to “Use automatic configuration script”
3. Copy and Paste the location of your PAC file as found earlier in this section, and click OK to exit and save.
1. In Firefox, click on Tools à Options àAdvanced à Network
2. Click “Settings”, and under “Automatic Configuration URL” key in the path to the PAC file found as demonstrated above.
3. Click OK and then reload.
Configuring Proxy Settings with Group Policy
Proxy settings for supported applications can be configured using Group Policy. This enables an administrator to define proxy settings for their entire domain in one place.
In order to push out a Group Policy, you will need the Group Policy editor. If you find this tool unavailable by default on your version of Windows, a copy can be downloaded directly from Microsoft.
You can create the Group Policy by:
1. Open Group Policy Editor by clicking Start à Run, and typing “gpedit” into the run dialog.
2. In the Group Policy Management window, right click the desired domain name and select “Create” followed by ”Link a GPO Here”, which should bring up the GPO window.
3. Give the GPO a name then click OK.
4. Select this newly created GPO, and on the Details tab change the GPO Status to “User configuration settings disabled”.
5. In the left pane, right-click the newly-created policy and select “Edit”
6. In the Group Policy window, select User Configuration à Windows Settings à Internet Explorer Maintenance à Connection, then double-click Automatic Browser à Configuration
7. Select “Automatically Obtain Settings” followed by “Enable Automatic Configuration”
8. Copy and Paste the URL for your PAC file, and then click OK.
9. Users should be using the new policy once they log off and back on.
10. Navigate to User Configuration à Windows Settings à Internet Explorer Maintenance.
11. Clear Automatically detect configuration settings
12. Select Enable Automatic Configuration.
13. Select Auto-proxy URL. Type the URL of your PAC file as found on the web interface
To prevent users from changing their browsers’ settings, the following should be done within Group Policy:
1. In the Group Policy window, in the left pane, select User Configurationà Administrative Templates à Windows Components à Internet Explorer.
2. In the right pane, scroll down to and right-click Disable changing proxy settings. On the context menu that appears, select Properties, and then select Enabled.
3. Click Apply, and then click OK twice.
Note: By default, there is no mechanism to configure Firefox or other browsers in this manner using group policy. One package, which does provide this functionality, is FirefoxADM, found at http://sourceforge.net/projects/firefoxadm/
Configuring Browsers via Login Script
Administrators comfortable with crafting login scripts can simply deploy a batch file that updates the users’ connection profiles to browse through the service.
The connection profiles can be updated directly through the registry via batch or VBScript. This is done by altering the following registry values:
Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer (string) defines the hostname or IP of the proxy server, as well as the port
ProxyEnable (dword) Boolean value, setting this to 1 enables the proxy configured in the ProxyServer value.
AutoConfigURL (string) the web path to your PAC file if one is available (the service generates one by default)
Proxy Chaining or Proxy Forwarding
Environments with an existing proxy server can be configured to use the Web Security Service via proxy chaining. Most common proxy servers support chaining to an upstream proxy server. Please consult your relevant Technical Support resources for your proxy type.
3: User Account Management
The Web Security Service allows administrators to define per-user or per-group policy, either directly through the management interface, or imported from a pre-existing list or directory. This provides administrators with a simple and intuitive way of applying different policies to subsets of users based upon the needs of your organization. This can be based on internal departments, executive/power users or the need to maintain different policies for branch offices in other cities for example.
There are three main ways of populating a user list within the Web Console:
· Uploading a user list from a text
· Synchronizing with a directory
· Adding user details individually
Upload User Account File
Administrators can upload a list of user accounts in bulk for filtering with the Web Security Service. This is the easiest way to quickly and simply provide your user account information if you do not have a user directory. If you do have a user directory please refer to the directory synchronization section on the following pages. To upload a list of users:
· Login to the Web Console if you have not already done so
· Expand the User Management option in the left pane, and click on Users
· Add and/or upload users from a text file as seen below.
For environments with a directory server set up that already contains users, the Web Console allows you to connect to any LDAP server and import your users and groups. Note that you may need to open the requisite port on your firewall in order for the service to successfully connect to your directory server.
Starting out you will need to define a new LDAP host, and provide the connectivity details. To define a new host:
1. Click on the tab labelled Filter Management in the upper navigation bar
2. In the left pane select User Management then Directory Services
3. Once in the Directory Services screen, click on New Host.
From there you will need to provide details on your directory structure.
For every host you create or modify, you must fill in the following data under the Server tab:
1. Server Type: select from the server type you are using from the drop-down (e.g. Microsoft Active Directory, Oracle Internet Directory, OpenLDAP, etc.)
2. Host description: an optional friendly name for identifying the host.
3. Protocol Version: this is the LDAP connection protocol version, and will be set to either 2 or 3. If unsure, use the default
4. Hostname: this is the name or IP address of the host. This needs to be an externally-resolvable FQDN, or a public IP address for your directory server.
a. Example: myserver.mynetwork.org
b. Example: 192.168.0.45
5. Port: connection port of the host. The default value normally used is 389. If unsure leave this option blank and will be replaced by default value.
6. Login name: this is the login user, CN (common name), DN (distinguished name) needed to make a connection with the host.
a. Example: cn=admin, dc=myserver, dc=mynetwork, dc=org
7. Login password: the password the host needs to make a connection.
8. Use SSL: put a check mark on this option if the connection is encrypted (secure socket layer)
9. Anonymous login: put a check mark on this option if the host is able to make an anonymous connection.
Connection & Filters Tab
The fields on this tab are used for filtering the LDAP query, and ensuring the correct user data is returned. This tab has the following fields to be filled out.
1. Base DN: most directory servers will require a base search DN used for connect to the database.
2. Example: dc=mynetwork, dc=org
3. Query: This is not normally needed, and can be left blank. See inline help for more information.
4. User search filter: contains an attribute that can be used to identify an object as a user account.
a. Example: (objectclass=person)
5. Group search filter: Depending on the Group Type option selected, specifies the attribute that can be used to identify an object as a group (see Group Type option on Attributes), and is used upon the retrieval of the group list.
a. Example: (objectclass=posixgroup)
6. Email alias search filter: this field is used to search for attributes that hold email aliases.
a. Example: (objectclass=email)
On this tab you define the field names used on your directory services host for data storage.
· Login attribute: user login attribute defined on the host (default: cn)
· First name attribute: user first name attribute defined on the host (default: givenname)
· Last name attribute: user last name attribute defined on the host (default: sn)
· Password attribute: user password attribute defined on the host.
· Primary email address attribute: email attribute and “key” for retrieving email aliases for the user (see Email alias attributes and Email alias search filter)
· Email alias attributes: use these options to specify an email search attribute (typically 'mail’), as well any additional attributes that might hold users’ e-mail aliases. The primary e-mail address attribute field should contain only one attribute, however the e-mail alias attributes field accepts a comma-separated list of attributes that store secondary, tertiary, etc e-mail aliases for a user. A new query using “Email alias search filter” will be done to retrieve the list, and the values must match the “Primary email address attribute” as a key.
§ Primary email address attribute = mail
§ Email alias search filter = (objectclass=email)
§ Email alias attributes = aliasmail,cn
· Group type: this option defines the way the group should be retrieved: as a new query or as a normal field from the user database
· Group attribute: group attribute on the user database (default: gidnumber).
· Member of attribute: if the group comes from a new query, this is the field for group value (default: cn). Group configuration
· Group Type retrieval options: there are two options for retrieving groups from the directory server.
· User field: the group value name is stored for each user, and will be retrieved on the same query for the users list.
· Group subset: The query that matches all the attributes (Login, First Name, etc.) for the users in the LDAP database, will also get the group attribute from the value declared on ‘Group Attribute’:
In this example, the group value will be retrieved from a field named ‘gidnumber’, which should exist for each user on the LDAP query.
The query string used for users and group retrieval is declared on the “Connection & Filters” tab, under Filters and in the ‘User search filter’ value. The ‘Group search filter’ value is not used in this option (User field).
Group subset: the group value is stored in another table, and should be retrieved with a new query. The first query will get the users list, and a second query will read the group list. The query string used for users retrieval, will also be the same declared on ‘User search filter’ and the query string used for groups will be ‘Group search filter’.
When the first query is done, a user field will look like this:
Query used: (objectclass=person) <user search filter>
This ‘20’ number is the group number to which the user belongs, and the name of the group will be read in the second query.
The group field name will be retrieved from the field ‘Member of attribute’ and requires the ‘Group attribute field’ be declared.
After this data is retrieved, a second query will be performed which should look like so:
Query used: (objectclass=group)<member of attribute)
· gidnumber: 20
· cn: Sales
Once the directory synchronization is complete, you will be presented with two options for testing and confirming data has been imported successfully:
1. Test users
2. Test email alias
These options should always be tested after filling out the connection and attribute details, so that you can confirm each field has been populated correctly.
The Groups option enables you import only specific groups from Active Directory rather than the entire directory.
To access the User Groups page:
1. In the upper navigation bar, at the top of the page, click on Filter Management.
2. In the left pane navigation menu, click User Management which will expand the menu
3. Click on User Groups
This page lets you view user lists already synchronized with the service. You will only be able to see and modify users that have been successfully synchronized. The User Groups also allows you to change the password stored for each user, as used to access spam quarantine data or authenticate for the service.
Host Synchronization tab
The synchronization option lets you schedule the day/hour for the automatic synchronization process.
Important: before scheduling synchronization, test the process with the “Test synchronization” button and verify the resultant list. The synchronization process could notify you about warnings or errors.
A typical Test synchronization session will ends with:
test synchronization with Server [Test
Synchronization actions to be performed:
Update users: 1396
Create users: 0
Total users: 1396
New email alias: 0
The values for synchronization settings are as follows:
· Synchronize this host: enable/disable automated synchronization
· Schedule synchronization: tick this to enable scheduled synchronization
· Connection retry times: number of times the process will retry synchronization if cannot connect.
Common Sync Errors
· Cannot read group. Check Group search filter and Group type
o If you are using a new query (different database for user and group) for group retrieval, there is an error on the query filter or in the group field value. See Group configuration and check the values of: Group type, Group attribute, Member of attribute.
· Host name empty or incorrect
o Check the value of Hostname field on Server tab. Check if you can reach the host address with a ping. Verify there is no firewall blocking the connection.
· Cannot connect to LDAP host. Check Host Name, Login Name and verify Anonymous Login
o If you are using Anonymous Login, verify that the host is able to accept this connection. Check password and Hostname.
o Note: the connection could be established, but the host is denying access.
· Cannot connect with anonymous user
o The host is not configured to allow anonymous login.
· Cannot bind to user. Check Login Name and password
o The credentials are not valid.
o Note: the connection could be established, but the host is denying access.
· Cannot read alias list. Check Email alias attribute and Email alias search filter
· You must also include the primary email alias attribute within the email aliases field, in addition to any secondary email alias attributes
Once users are imported into the service, you can begin adding them to workgroups for use within policies.
Workgroups are an internal organization unit within the service that are used as containers for multiple user-defined groups, or groups defined in a company’s directory structure.
To create a workgroup, login to the Web management interface (if you haven’t done so already), and do the following:
· Click on the Filter Management tab, and in the left pane select Web Filter followed by Policy.
· Locate the policy in which you wish to create a workgroup, and click “Add Group” as seen below
· Select a name for the workgroup, as seen below, and hit “Save”
Adding Workgroups With No Policy
These are groups from your LDAP or Active Directory that you have unloaded to
Directory Services so there is no need to create new workgroups instead
You can use your internal groups
Once you have imported users and groups to your liking, they should appear under Unused Members in the right pane of the Policy section of the web interface.
Adding them to a workgroup is as straightforward as dragging them from the right pane, and dropping them onto the relevant workgroup in the central policy display, as seen below.
Manual Account Creation
In addition to the two options above for adding users in bulk, you can create any additional users you need to include in your policy by adding them directly into the policy configuration interface.
To manually add a user, do the following:
1. Click on Filter Management in the left pane, and select Policy
2. In the right pane, a text field will appear as follows, which allows you to add users individually. At this time only IP users and IP Groups are accepted for web policy.
3. Add your groups or IP addresses so that group of user’s will Authenticate to this policy and also allow for reporting per user/group/IP
As soon as users are dropped onto a workgroup, click Save at the bottom of the page, and the policy should take effect within minutes.
4: Policy Management
This section will provide administrators with information to create and manage policies for their organization’s needs within the service. At the end of this chapter the reader should have a sound understanding of how to create and modify policy.
Defining Specific Policies
In addition to defining a global policy as a baseline for all users (such as anti-malware filtering), you can create separate policies that apply to defined groups of users. This enables your organization to apply different policies to different groups or individual users according to your needs. For example, in an education environment you may want to apply tight monitoring policies to students, but enable teachers and faculty greater freedom to access Web content. Or, in a corporate environment you might want to apply different policies to different departments or job functions in alignment with the needs of those users (e.g. block EXE files for all users except the IT department).
The first step before you can begin implementing your policies is to create an initial Filter Group for your users. This process enables you to establish different filtering policies and assign different groups of users to these filter groups. To create your initial filter group:
1. Click on Filter Management in the upper navigation bar
2. Click on the Web Filter section in the left pane to expand the menu and then click on Policy.
3. To add a new policy, click the button labeled “Add New Filter”, which will bring up the dialog seen below. Define a name for the policy, for example “Default Policy” and click Save. It is also necessary to click Save at the bottom of the page.
4. Click the Add Group button. This will open a new dialog prompting you to name the group. Give the group a name of your choosing, for example “Default Policy Group”, and click Save next to the box.
5. Now you need to populate the Policy Group. To the right is a box containing Unused Members. This box should contain your domain, IP address or directory groups if you have performed a successful LDAP directory synchronization. Simply drag and drop the desired members from the Unused Members box into the pale blue box under your new Filter Group. This ‘drag and drop’ procedure should turn the pale blue box green to indicate that those members are accepted by the Filter Group.
6. Click Save at the bottom of the page to confirm your user group selection for this Policy Group.
Now that you have created a new filter group and populated this filter with your users, you will need to edit the policy to suit your needs.
1. Click the Edit Policy button on your default Filter Group. This will open the page seen below.
2. On the Category tab, you will find a color-coded list of preset Web content filters. By default you should find Adult Sites, Offensive and Illegal Sites, and Malware categories are red for “Block at all times”. All other categories should be green for “Allow at all times” by default. Please review this list and change the status of any categories you wish to block or restrict (yellow) to certain hours (see step 5)
3. The YouTube for Schools Filtering is a speciality option for schools and education providers. It requires a YouTube School ID account provided when you sign-up to the program with YouTube. This option enables schools to limit access to YouTube content to only pre-approved education material.
4. Under Additional Filter Rules, you will find “Block All Web Traffic” is OFF by default. Use this feature if you wish to block all Web traffic for all users or specific user groups quickly.
5. Under Policy Hours, you can define time windows for Work Hours and Lunch Hours and use these to restrict access to Web content categories using the yellow “Block during work hours” setting. For example, you could set a policy to restrict access to the Shopping and Auctions category to Lunch Hours.
Once you have configured the Category tab settings to your default preferences, click Save located at the bottom of the page to save your preferences. The Data Protection, Exceptions and Application Filter tabs allow you to create more defined policies for file type control, domain-based policy exceptions (such as an Intranet site) and Web 2.0 applications like streaming media. These are explained in the following sections.
General Policy Elements
The Web Security Service is designed to make policy configuration as simple and easy as possible. Once you have created a default Filter Group and populated this group with your users you only need to enable the default Category policies (as described in the previous section) to get up and running. These default policies are preset to immediately secure your users against malware, adult and offensive content.
However, the Web Security Service enables you to apply specific, complex policies for different types of Web content and user groups. This section describes the different types of filter policies you can define and how to configure them.
As covered in the previous section, the Category tab enables you to define what types of categorized Web content you wish to block or restrict access to. It also enables you to define SafeSearch support preferences and establish Working Hours / Lunch Hours for time-based category access.
The Data Protection policies enable administrators to define file types and content policies that should be filtered for a given Filter Group. This can be to control access to large or non-business files. There are four ways administrators can define content types for Web traffic based upon how you wish to set your policies. These options include:
· Standard: A quick-reference list of common file/data types arranged into groups, such as:
o Microsoft Word documents
o Microsoft Excel spreadsheets
o Flash files
o Video Content
o Adobe PDF
· Advanced: A detailed list of multiple content types that allows administrators to select individual or specific files for filtering; enabling even more granular policies for what is blocked or allowed
o Archive Files
o Video or Audio files by type or extension
o Images by type
o Executable files
· Custom: Allows administrators to define their own content types and file extensions. This enables you to define special files that may be unique to your organization (such as CAD files).
· Quota Limit: Enables administrators to set size limits on files. For example, block files that are ‘Greater Than or Equal to’ [X] megabytes. These limits can be defined for different user groups if desired.
In certain situations, administrators may wish to define a list of websites for specific policy exemptions (whitelist) or special sites for blocking (blacklist). The Web Console provides two options for populating such lists within the Exceptions tab under Web Policy:
· Upload a bulk list of Web domains from a flat text or CSV file
· Manually enter individual website domains for exemption or blocking
The whitelist is used to determine a collection of sites which will always be accepted, irrespective of filter policy
The blacklist is used for an opposite reason, to ensure certain domains are never accessed.
For organizations that already have a well-maintained blacklist or whitelist, they have the option of uploading a the list as a file.
The file containing the URLs should have one per line, in either a .txt or .csv format.
For any new URLs you come across that should belong to either list, it is as simple as browsing to the Exceptions tab and adding the new domain by hand.
The Endpoint Client tab is used to configure the optional client application which can be installed on laptops and other Web-capable devices. The Endpoint Client can be used to ensure user authentication with the service and secure specific applications that would otherwise not be normally controlled by the Cloud Security Service.
The Endpoint Client enables you to lock down specific applications such as:
· Remote Access (e.g. PcAnywhere, MyIVO)
· Web Browsers (e.g. Firefox, Google Chrome or Opera)
· Streaming Media (e.g. RealPlayer, PeerCast)
· Messaging (e.g. MSN Messenger, Yahoo!Messenger)
· VoIP (e.g. Skype, Google Talk)
· P2P File Sharing (e.g. BitTorrent, Pando, uTorrent)
Additionally, the Endpoint Client can be configured to work with other, on-premise URL filtering solutions such as software or appliances. This option is configured on the Endpoint Client Custom tab. The client can be configured to change its connection type when connecting to a defined IP address. This allows the Endpoint Client to enforce security policies when out of the office but default to standard on-premise filtering when in the office.
Thus, if your organization already uses a Web security solution for office protection, but it doesn’t support filtering for out of office workers, you can use the Cloud Security Service just to secure these roaming users.
On the Custom tab for the Endpoint Client you can also define if roaming is enabled as well as specific ports you might wish to block on the laptop or device.
The Quota tab enables you to define bandwidth usage limits enforced by the Endpoint Client. Here you can set the volume for the quota and the frequency at which the quota resets (daily, weekly, etc).
Reporting is a key function of the Web Security Service. Reporting enables your organization to see, and understand, how the Internet is being utilized and your policies enforced. The Web Security Service provides two key reporting functions:
· The Dashboard – at-a-glance information on the state of your Web environment.
· Reports – detailed and definable reports covering Web statistics, user activity, bandwidth and data security.
PLEASE NOTE: The dashboard and reporting functions require 24 hours of email processing though the service before they will be available for you to view.
Using the Dashboard
The dashboard timescale can be changed between different time settings on-the-fly so you can specify the overall time window that you wish to view. The Web Security Service dashboard features three tabs.
· Web Security Overview
o Blocked Viruses and Spyware
o Malicious Sites Blocked
o Policies Triggered
o Top Sites Blocked
o Top Categories Blocked
o High Risk Users
· Web Traffic Overview
o Bandwidth Utilization by Protocol
o Protocol Usage Trend
o Top Web Sites
o Top Categories and Users
· Application Overview
o Browser Applications
o Operating Systems
o Web Email Applications
o Instant Message Applications
· Social Overview and Data Leakage Overview
o Social Networking and Social Media Stats
o Streaming Media Stats
o Web Email Applications
o FileSharing and Data Leakage Stats
In addition to the Dashboard, the Web Console also provides the ability to perform detailed traffic analysis and generate reports both on-demand, and on a schedule. This allows administrators to view specific information on how the Internet is being used and what policy events have occurred.
Web Security Service reports include:
· Web Reports
o Bandwidth Summary
o Action Summary (Allowed vs. Blocked activity)
o Top Users
o Top Sites
o Top Categories
o Top Content Types (applications)
o Top File Types
o Top Blocked Users
o Top Blocked Sites
o Top Blocked Categories
o Top Blocked File Types
o Blocked Viruses
· Category Reports
o Detailed breakdown of websites allowed and blocked in each Reporting Category (Adult, Entertainment, News, Government, etc)
· User Reports
o Drilldown detail reports on the Web activity of specified users covering sites requested, bandwidth consumed, file types accessed and applications used.