2/18/2014
4.0.4
BESECURE-UM-v4.0.4
Wedge Networks
Suite 238, 3553 31st Street N.W.
Calgary, Alberta T2L 2K7, Canada
Tel. +1.403.276.5356. Fax. +1.403.276.5568
www.wedgenetworks.com
Copyright 2013 Wedge Networks. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Wedge Networks Inc.
BeSecure User Manual
Version BESECURE-UM-v4.0.4
February 18, 2014
Trademarks
BeSecure is a pending Trademark of Wedge Networks. Other product and company names used in this
document are used for identification purposes only, may be trademarks of other companies, and are the
property of their respective owners.
BeSecure and associated software are protected by, or for use under, one or more of the following:
U.S. Patent 7,630,379, and Provisional Patents 60/521,551 and 60/522,513
Regulatory Compliance
FCC Class A Part 15 CSA/CUS, VCCI, PSE, CE, RoHS
For technical support, please visit http://www.wedgenetworks.com/
Send information about errors or omissions in this document or any Wedge Networks technical
documentation to
techdoc@wedgenetworks.com
TABLE OF CONTENTS
TABLE OF CONTENTS iii
LIST OF FIGURES AND TABLES vii
1 INTRODUCTION 10
1.1 PLATFORMS 10
1.2 KEY FEATURES 10
1.3 MAIN CONCEPTS 11
1.3.1 Services 11
1.3.2 Policies 11
1.3.3 Exclusions 11
1.3.4 Deep Content Inspection (DCI) 12
1.4 NETWORK MODES 12
1.4.1 Bridge Mode 12
1.4.2 Router Mode 12
1.5 COMMENTS AND TECHNICAL SUPPORT 14
1.6 ABOUT THIS USER MANUAL 14
3.1.11 Backup/Restore 67
3.1.12 Event Reporting 68
3.1.13 SubSonic 69
3.1.14 Multiple Instance Management (MIM) Portal 70
3.1.15 System Update 73
3.1.16 Shut Down 74
3.2 PROTECTION 76
3.2.1 Anti-Virus Policies 76
3.2.2 Anti-Spam Policies 80
3.2.3 AV Setup (Kaspersky or Bitdefender) 82
3.2.4 Anti-Spam Setup 85
3.2.5 File Size Limits 91
3.2.6 Global Exclusions 92
3.2.7 Templates 93
3.3 CONTENT CONTROL 97
3.3.1 URL Policies 97
3.3.2 DLP Policies 102
3.3.3 Pattern Matching Syntax for Keywords and URLs 106
3.3.4 WebFilter 107
3.4 NEXT-GEN FIREWALL 112
3.4.1 Traffic Blocking 112
3.4.2 Application Control 113
3.4.3 Server Security 114
3.5 REPORTS 115
3.5.1 Logs 115
3.5.2 Statistics 116
3.5.3 Serviced Clients 116
3.5.4 Policy Details 118
3.5.5 Administrators 119
3.5.6 System, Service, SubSonic, and Network Graphs 120
3.5.7 Event List and Event Summary 124
3.6 DIAGNOSTICS 127
3.6.1 Configuration Check 127
3.6.2 Health Monitor 128
3.6.3 Problem Report 130
3.6.4 Traffic Capture 131
3.6.5 Submitting a Problem Report or Traffic Capture for Analysis 132
3.6.6 Ping, Nslookup, Traceroute 134
4.3 ADVANCED NETWORK CONFIGURATION WITH THE CLI 142
4.3.1 network icmp 142
4.4 ADVANCED CONFIGURATION MANAGEMENT WITH CLI 143
4.5 SELECTIVE SUBSONIC CONTENT RECOGNITION 144
4.6 FIBER DATA PORTS 145
4.7 SPAM FEEDBACK NETWORK 146
4.8 WEBFILTER URL CATEGORIZATION FEEDBACK 147
4.9 INTERNET CONTENT ADAPTATION PROTOCOL (ICAP) 148
4.9.1 HTTP Policies and IP Addresses 148
4.9.2 Traffic Blocking with ICAP 149
4.9.3 Configuring the ICAP Client to Work with the BeSecure ICAP Server 149
4.10 WEB CACHE COMMUNICATIONS PROTOCOL (WCCP) 149
4.10.1 Service Groups 153
4.10.2 Configuring the Router or Switch 153
4.10.3 WCCP CLI Commands 153
4.11 HEALTH MONITOR 155
4.12 PROBLEM REPORT AND TRAFFIC CAPTURE USING THE CLI 159
4.13 RAID 161
4.13.1 RAID CLI Commands 161
APPENDIX G: SUPPORTED FILE FORMATS FOR DLP TEXT EXTRACTION 194
11.1 ARCHIVE 194
11.2 DATABASE 194
11.3 EMAIL AND MESSAGING 195
11.4 MULTIMEDIA 195
11.5 OTHER 196
11.6 PRESENTATION 196
11.7 RASTER IMAGE 197
11.8 SPREADSHEET 197
11.9 TEXT AND MARKUP 198
11.10 VECTOR IMAGE 199
11.11 WORD PROCESSING AND GENERAL OFFICE 199
INDEX 202
1 INTRODUCTION
BeSecure is a content inspection and filtering network appliance that offers a complete solution for
protecting network endpoints from spyware, Trojan horses, worms, and viruses. Situated on the edge of
the core network, it also provides a spam detection engine and keyword/URL based content filtering
engine that enables administrators to customize and control the quality and quantity of data originating
at and destined for the endpoints on their network.
BeSecure uses Deep Content Inspection (DCI) to scan reassembled application layer (OSI layer 7) data
objects, rather than just concerning itself with patterns associated with individual or multiple packets. In
this way, the actual content and intent of the data can be determined and action taken on it.
1.1 Platforms
This product comes in various form factors. These platform types consist of desktop devices targeting
small to medium sized businesses with a modest number of users, to very large and powerful 2U
appliances for telecom providers servicing thousands of customers. It is also available as a virtual
appliance, for those companies wishing to save on hardware costs and power usage.
Information on each of these platforms is available at www.wedgenetworks.com.
Scanning and inspection of the most commonly used protocols, including SMTP, POP3, IMAP, HTTP,
and FTP (and straight TCP optionally using TCP Stream), using policies based on IP address and
directory service (such as Active Directory) user and group name
Rapid response to new viruses with automatic signature updates (up to 1 hour frequency)
The most extensive virus database, including viruses for mobile devices
Control of network access: no web surfing, no email, no online games, etc., for time of day and day of
week or day of month.
Web page blocking by URL and keyword, for time of day and day of week or day of month.
Works with both wired and wireless (WLAN and cellular) networks.
An XML based interface for supporting differentiated IP data services. This interface has been used to
build value added data services that can be self managed by the subscribers.
1.3.2 Policies
A policy is an application of a service to traffic destined for or originating from an entity or group of
network entities. These entities are normally identified by source (and optionally, destination) IP
addresses. These IP addresses can be either individual IP addresses or network addresses. Any
network address specified in a policy must be in CIDR (Classless Inter-Domain Routing) format.
To assist in calculating the network mask in CIDR format, use a subnet calculator such as
http://www.subnet-calculator.com/cidr.php.
If a deployment includes a directory server such as Microsoft Active Directory (AD) Server, a policy source
can include a user or group name. Appendix E: Active Directory Integration and Appendix F: LDAP
Server Integration contain the necessary information on integrating BeSecure into a network that uses
directory servers, including the configuration process using the management console. See the policy
configuration documentation for details on entering policies for the various services using a username or
group.
Each policy includes a specification of the protocols that will be scanned by the service. The OSI Layer 7
protocols (SMTP, POP3, IMAP, HTTP, and FTP) are scanned using deep content inspection (DCI). TCP
(when the license includes the TCP Stream module), as OSI Layer 4, is scanned using a multi-packet
stream-based method.
1 .3.3 Exclusions
An exclusion, or exclusion policy, is a type of policy that indicates that a particular service should never be
applied to the specified IP address or IP address pair. This overrides any regular policies that may be
specified. The format of an exclusion IP address is the same as that of a regular policy. See the previous
section.
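The policy and exclusion rules described in 1.3.2 and 1.3.3, as an added worked example. This is my own illustration, not Wedge Networks' code and not an API the appliance exposes: it models a policy as a service applied to a source (and optional destination) given as a single IP or a CIDR network, with a per-policy protocol list, and makes an exclusion for the same IP or IP pair override every regular policy for that service. The sample policies, exclusions, and flow addresses are constructed; real deployments enter these through the management console.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Protocols a policy can select for scanning (TCP Stream is licence-dependent).
SCANNED_PROTOCOLS = {"SMTP", "POP3", "IMAP", "HTTP", "FTP", "TCP"}


def parse_net(text: str) -> ipaddress.IPv4Network:
    """Accept a single host ('10.0.0.5') or a CIDR network ('10.0.0.0/24',
    '0.0.0.0/0' for the entire data network).  Anything else, including a
    host address with a non-/32 prefix such as '10.0.0.5/24' or a dotted
    netmask, raises ValueError: policies require proper CIDR form."""
    text = text.strip()
    if "/" not in text:
        return ipaddress.IPv4Network(text + "/32")
    return ipaddress.IPv4Network(text, strict=True)  # host bits set -> ValueError


@dataclass
class Rule:
    service: str                                        # e.g. "anti-virus"
    source: ipaddress.IPv4Network
    destination: Optional[ipaddress.IPv4Network] = None  # None = any destination
    protocols: Set[str] = field(default_factory=lambda: set(SCANNED_PROTOCOLS))

    def matches(self, service: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
        return (self.service == service
                and src in self.source
                and (self.destination is None or dst in self.destination))


@dataclass
class PolicyTable:
    policies: List[Rule] = field(default_factory=list)
    exclusions: List[Rule] = field(default_factory=list)

    def add_policy(self, service, source, destination=None, protocols=None):
        self.policies.append(Rule(
            service, parse_net(source),
            parse_net(destination) if destination else None,
            set(protocols) if protocols else set(SCANNED_PROTOCOLS)))

    def add_exclusion(self, service, source, destination=None):
        # Exclusions carry no protocol list: the service is never applied.
        self.exclusions.append(Rule(
            service, parse_net(source),
            parse_net(destination) if destination else None))

    def service_applies(self, service, src_ip, dst_ip, protocol) -> bool:
        """Would `service` scan a `protocol` flow from src_ip to dst_ip?"""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        # An exclusion overrides every regular policy for that service.
        if any(x.matches(service, src, dst) for x in self.exclusions):
            return False
        return any(p.matches(service, src, dst) and protocol in p.protocols
                   for p in self.policies)


def build_sample_table() -> PolicyTable:
    """Constructed sample (hypothetical addresses): AV on the entire data
    network for the Layer 7 protocols, anti-spam for one office subnet,
    one single-host exclusion and one IP-pair exclusion."""
    t = PolicyTable()
    t.add_policy("anti-virus", "0.0.0.0/0",
                 protocols={"SMTP", "POP3", "IMAP", "HTTP", "FTP"})
    t.add_policy("anti-spam", "192.168.0.0/24", protocols={"SMTP", "POP3", "IMAP"})
    t.add_exclusion("anti-virus", "192.168.0.50")                       # AV test client
    t.add_exclusion("anti-virus", "192.168.0.0/24", "203.0.113.0/24")   # IP pair
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for args in [("anti-virus", "192.168.0.10", "93.184.216.34", "HTTP"),
                 ("anti-virus", "192.168.0.50", "93.184.216.34", "HTTP"),
                 ("anti-virus", "192.168.0.10", "203.0.113.5", "HTTP"),
                 ("anti-virus", "192.168.0.10", "93.184.216.34", "TCP"),
                 ("anti-spam", "10.1.1.1", "203.0.113.25", "SMTP")]:
        print(args, "->", "scanned" if table.service_applies(*args) else "not scanned")
```

The strict CIDR parse is the check worth keeping: a policy typed as 192.168.0.5/24 is almost always a mistake (the operator meant either the host /32 or the /24 network), and rejecting it is safer than silently widening a single-host rule to the whole subnet.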
[Figure 1 diagram (bridge mode topology): Internet, Gateway, BeSecure, Switch, Computer]
The client machines that require protection should be configured to use the BeSecure appliance's address
as their gateway address. In this mode, pass-through traffic keeps the original IP address; however,
traceroute will show the existence of the BeSecure host. For scanned data traffic, BeSecure behaves
like a transparent proxy to the client (source). Several additional levels of transparency, including IP
address and MAC address transparency for source and destination, are available and configurable via the
System > Network page of the management console. See Section 3.1.3 for more details. Figure 2 shows
the topology of router mode.
[Figure 2 diagram (router mode topology): Internet, Gateway, Switch, Computer, BeSecure with interfaces 1 and 2]
FIGURE 2: BESECURE IN ROUTER MODE
By default, BeSecure supports one interface in router mode (1 in the diagram). A second interface (2) can
be enabled using the System > Network page of the web management console or the command line
interface, if the deployment warrants it.
Name
Phone number
Product model
Company
Product name
Description of issue
Product version
Sections such as this will mention issues or features that an administrator should be
aware of.
Sections such as this MUST be strictly adhered to, or serious problems may result.
2 QUICK START
This section describes how to rapidly deploy BeSecure to protect an entire network using bridge mode.
2. Connect a machine with an IP address on the 192.168.0.0/24 network to the INGRESS port
of BeSecure, either with a cross-over cable (for direct connection) or a regular Ethernet cable
through a switch. Avoid the address 192.168.0.88, since this is the default initial IP address
of the BeSecure appliance.
3.
4. To login, for the Name field, type admin and for the Password field, type admin. This is the
default, and the password can be changed. Additional administrators with different access
privileges can also be added.
It is strongly recommended that for security reasons you change the system's default
password.
Once logged in, the BeSecure main screen will be displayed, as shown in Figure 4. The Port status display
indicates that the INGRESS port is configured, and is connected, and that the EGRESS port is configured,
but is disconnected. The Status screen also shows various graphs and icons displaying the current system
status.
1. Access the management console as in Section 2.1, using the IP address configured in Section 2.3.
2. Select Administrators from the System menu to display the screen shown in Figure 7.
3. Press the (edit) button for the "admin" user in the table. The information for that user
appears in the upper part of the screen.
1. Access the management console as in Section 2.1, using the new IP address configured in Section
2.3.
2. Select Anti-Virus Policies from the Protection menu, to display the screen shown in Figure 8.
3. Select the Entire Data Network checkbox to the right of the Source IP Address field. The Source
field will be populated with 0.0.0.0/0.
The screen will indicate the successful registration of the policy as shown in Figure 9. The new policy will
show up in the list of existing policies at the bottom of the screen.
The policy can take up to 30 seconds to take effect on scanned traffic after the Add
button is clicked.
1. Select Anti-Spam Policies from the Protection menu, to display the screen shown in Figure 10.
2. Select the Entire Data Network checkbox to the right of the Source IP Address field.
The screen will indicate the successful registration of the policy as shown in Figure 11. The new policy will
show up in the list of existing policies at the bottom of the screen.
The policy will take up to 30 seconds to take effect on scanned traffic after the Add
button is clicked.
1. Open a web browser on a protected client. This can be any computer or device connected to the
same network as the INGRESS port on BeSecure.
2.
This will attempt to download a harmless, standard test virus text file. You will get a message in your
browser informing you that BeSecure has detected and blocked a virus (the EICAR-Test-File).
2.7.2 Send Email (SMTP)
To validate that your network can prevent any protected clients from sending out virus-infected emails
using the SMTP protocol:
1. Open up an email client such as Microsoft Outlook or Mozilla Thunderbird on a client that is
protected by BeSecure. This can be any computer or device connected to the same network as
the INGRESS port on BeSecure.
2. Compose an email with a body containing the content of the test virus file from
http://www.eicar.org/download/eicar.com.txt.
In order to accomplish this, you may need to temporarily disable your existing BeSecure
policies for the testing client (or add an exclusion policy on the Anti-Virus Policies page)
and any native anti-virus software on your testing client.
3. You will get a server error message that contains the statement:
Message contains the following virus: EICAR-Test-File
2.7.3
To validate that your network is protected against receiving malicious emails via the POP3 protocol:
1. From an unprotected client (or disable AV policies and AV software as described in the previous
section for your testing client), compose an email with the test virus signature retrieved in
Section 2.7.2 in the body of the message.
You will receive an email telling you that the original email body contained the EICAR-Test-File virus,
and it was deleted.
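The validation tests in 2.7.1 and 2.7.2, as an added scripted harness. This is my own code, not Wedge Networks' and not part of the appliance: it classifies what a protected client actually received by checking the body against the EICAR file definition (the 68-byte string, optionally padded with whitespace up to 128 bytes) rather than merely searching for the word "EICAR", and it parses the rejection text quoted in step 3 of 2.7.2 out of the SMTP error. The EICAR test string and download URL are the published ones; the mail server host, sender and recipient are assumed placeholders, and the two live functions only prove anything when run from a client whose traffic passes through BeSecure.

```python
import re
import smtplib
import urllib.error
import urllib.request

# The 68-byte EICAR anti-virus test string as published by EICAR (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_URL = "http://www.eicar.org/download/eicar.com.txt"
# Padding the EICAR definition permits after the 68 bytes: whitespace and Ctrl-Z.
_PADDING = set(b" \t\r\n\x1a")


def is_eicar_payload(data: bytes) -> bool:
    """True if `data` is a valid EICAR test file: the 68-byte string,
    optionally padded with permitted whitespace to at most 128 bytes."""
    if len(data) < 68 or len(data) > 128 or data[:68] != EICAR:
        return False
    return all(b in _PADDING for b in data[68:])


_SMTP_VIRUS_RE = re.compile(r"Message contains the following virus:\s*(\S+)")


def virus_named_in_smtp_reply(reply: str):
    """Detection name from the SMTP error text shown in 2.7.2, or None."""
    m = _SMTP_VIRUS_RE.search(reply)
    return m.group(1) if m else None


def http_verdict(body: bytes, status: int) -> str:
    """Classify what the browser received in 2.7.1 (no assumption about the
    wording of the block page: only a genuine EICAR body counts as a miss)."""
    if is_eicar_payload(body):
        return "NOT BLOCKED: the EICAR file reached the client unmodified"
    return f"blocked or altered (HTTP {status}, {len(body)} bytes, not an EICAR file)"


def fetch_verdict(url: str = EICAR_URL, timeout: float = 10.0) -> str:
    """Live check for 2.7.1; run it from a client that routes via BeSecure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return http_verdict(resp.read(), resp.status)
    except urllib.error.HTTPError as e:       # e.g. a 403 block page
        return http_verdict(e.read(), e.code)


def smtp_verdict(host: str, sender: str, rcpt: str, port: int = 25) -> str:
    """Live check for 2.7.2: submit the EICAR body and interpret the reply."""
    msg = (f"From: {sender}\r\nTo: {rcpt}\r\nSubject: BeSecure AV test\r\n\r\n".encode()
           + EICAR + b"\r\n")
    try:
        with smtplib.SMTP(host, port, timeout=10) as s:
            s.sendmail(sender, [rcpt], msg)
        return "NOT BLOCKED: the server accepted the EICAR message"
    except smtplib.SMTPResponseException as e:   # SMTPDataError is a subclass
        err = e.smtp_error
        text = err.decode(errors="replace") if isinstance(err, bytes) else str(err)
        name = virus_named_in_smtp_reply(text)
        return f"blocked ({name})" if name else f"rejected: {e.smtp_code} {text}"
    except smtplib.SMTPException as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print("HTTP:", fetch_verdict())
    # Placeholder mail server and addresses; replace with your own.
    print("SMTP:", smtp_verdict("mail.example.test", "tester@example.test",
                                "tester@example.test"))
```

Checking the full EICAR definition matters because a scanner that mangles the file (truncates it, appends a banner) has still "blocked" it in the sense of 2.7.1, while a body that is byte-for-byte the test file means the policy is not in effect for that client, for example because it is still covered by the exclusion you added while testing 2.7.2.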
On Shutdown, the system will power itself down. On Restart, the system will restart, and the
management console will return to the Login screen when it is available. Restart Services will perform a
soft restart of the scanning engines only.
3 MANAGEMENT CONSOLE
The BeSecure appliance is configured using an integrated web browser-based management console. With
this management console, you can:
This section is an overview of the different console functions available to configure BeSecure. A more in-depth discussion of the advanced setup of BeSecure is covered in Section 4: Advanced Topics.
The console is supported on Microsoft Internet Explorer 8+, Mozilla Firefox 3.5+, Safari 4+ and Chrome
11+.
JavaScript must be enabled for the management console to function.
The management console can always be accessed using a web browser by any machine on the same
network, using the bridge IP address (in bridge mode) or the INGRESS IP address (in router mode). If the
control port (AUX) is enabled, access to the console is restricted to clients on the same network as the
configured control port (see Section 3.1.3). With default settings, the bridge IP address is:
https://192.168.0.88
This allows access to the management console via the INGRESS and EGRESS ports, the two bridged
network interfaces. Of course, if the system has already been configured for use with a new IP address
(as the procedure in Section 2.3 instructs) replace the IP address above with the configured one.
To access the management console (default settings assumed, replace IP addresses with the configured
ones if necessary):
1.
2.
3.
Language Selector: the selected ISO 639-1 language code for console display
About: Displays information about the running system, including firmware revision
Current Time and Time Zone: the current time and offset from UTC (Coordinated Universal Time)
3.1 System
3.1.1 Status
After login, the first screen displayed is the Status screen. It can always be found by selecting Status
under the System menu. It is shown in Figure 14. It includes the following elements.
Port Status
The port status at the top of the Status screen displays the current status of the various ports on the front
panel. These will vary according to the specific platform, but the status images mean the same in all
cases.
Along the top is the front panel label for a particular port. The second row displays one of the following
status images.
Warning: Configured and a cable is connected but there is a potential problem such as:
o Reduced throughput (10 Mb/s when the interface should be 100 Mb/s or greater)
Hold the cursor over the icon in the web browser to get more information (see Figure 15).
Unused: The interface is unused.
Beneath the Port images is the Function row. This row displays the current function of the port listed
above it. This may be, but is not necessarily, the same as the front panel label, which sits above the port
status images. This is because the INGRESS and EGRESS ports can change (due to LAN bypass feature and
HA mode, as well as enabling the FIBER ports) on the NDP-1005D/G, 1020, 1038, and 2040 platforms.
Watch this row as well when making changes to network settings and enabling/disabling high availability
modes.
Below the Function row is the Updates Via row. A green checkmark indicates which of the ports can be
used for system firmware updates, as well as virus, spam, and WebFilter signature updates. See Section
3.1.3 for more details on the behaviour of this indicator.
Protocol Scanners
The protocol scanners are the engines used to scan each individual protocol. These include the mail
protocols SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol v3), and IMAP (Internet Message
Access Protocol), the web protocol HTTP (Hypertext Transfer Protocol), the file protocol FTP (File Transfer
Protocol), and ICAP (Internet Content Adaptation Protocol). Icons display the status of each of these.
ONLINE: Component is operating normally.
OFFLINE: Component is not running.
WARNING: Possible issue. More information may be available by holding the cursor over
the icon as in Figure 15.
DISABLED: The component is disabled, due to current configuration.
Module Status
In Figure 14, we see the licensable modules that are installed on the device and providing services for the
protocol scanners. These typically include the Anti-Virus and Anti-Spam scanning engines. Other modules,
such as WebFilter (Anti-Phishing and SmartFilter) and DLP Text Extraction are also available, depending on
the installed license. The status of each of these modules is indicated by the same icons as the protocol
scanners, as previously discussed.
2. Type in a Password.
3. Assign the proper Access Rights to this administrator. The Access Rights field can contain one of
two values:
readwrite: Full access to view and change settings, including CLI access.
readonly: View the current settings and status of BeSecure, with no ability to change settings.
Click the (edit) link next to the listing of the administrator account you wish to modify in the
table on the lower part of the screen. The information for that user appears in the upper part of
the screen.
2.
3.
Click the (delete) link next to the listing of the administrator account you wish to delete.
3.1.3 Network
Select Network under the System menu to configure the network settings.
displayed here (as shown in Figure 17), as on the System > Status page.
Device Configuration
This section includes IP address settings for BeSecure, as well as the desired network Mode. It needs to
be determined whether BeSecure will be configured in bridge mode or router mode (See Section 1.4 for
network architecture diagrams).
Port Status
At the top of the screen is the Port Status panel. It behaves the same as the one on the Status screen, as
discussed in Section 3.1.1.
The Updates Via checkmark indicator is displayed under interfaces that, considering the current network
configuration, are able to be used to receive system firmware updates and signature updates for the
anti-spam, anti-virus, and WebFilter scanning modules. The indicator takes into account the IP Address and
Subnet Mask of both the Device Configuration and the Control Network (if enabled), as well as whether
auto-route is enabled. For updates to work, at least one interface with the green checkmark indicator
must have network access to the update servers. This usually means Internet access, as the update
servers normally used are hosted by Wedge Networks and its anti-spam, anti-virus, and WebFilter
partners.
Bridge Mode
This mode is used for the inline protection of traffic on the same subnet, as has been already shown in
Figure 1.
By default, BeSecure is configured to operate in this mode. INGRESS and EGRESS are the bridge interfaces
through which all scanned traffic passes. In this mode, the management console is accessed via the
bridge interfaces. If you want to ensure that BeSecure can only be controlled by a machine from a trusted
subnet, you can configure the AUX or AUX1 (depending on platform) as the control port (discussed
below). To configure bridge mode:
1.
Under Device Configuration, select bridge as the Mode. See Figure 17.
2.
Enter values for the IP Address, Subnet Mask, and Default Gateway.
3. Under DNS Settings, enter values for Primary DNS, and optionally, the Secondary DNS and DNS
Suffix.
4.
5. Connect the INGRESS port to the protected network and the EGRESS port to the unprotected
network, in line with the data traffic.
Router Mode
This mode allows handling of traffic for multiple subnets in an out-of-line configuration, or as a router
between two different networks.
If you need to provide selective services without putting the device in line with the data traffic, then
router mode with a single enabled interface should be used. In this mode, only the INGRESS port needs to
be configured, and EGRESS is disabled. INGRESS is used for both the data traffic and management console
access.
To enable the EGRESS port for a different network, select Enable router mode egress port
and assign the interface an IP address and network mask.
If you want to ensure that the device can only be configured by a client from a trusted subnet, you can
configure AUX or AUX1 (depending on platform) as the control port (discussed below).
To configure router mode:
1. Under Device Configuration, select router as the Mode. See Figure 17.
2. Enter values for the IP Address, Subnet Mask, and Default Gateway.
3. If required, enable the egress port by selecting Enable router mode egress port and supplying
values for the IP Address and Subnet Mask fields. This address needs to be different from the
ingress address and the control interface address (if enabled).
4. Under DNS Settings, enter values for Primary DNS, and optionally, the Secondary DNS and DNS
Suffix.
5.
6. Connect the INGRESS port as you would a regular machine on the protected network.
7. Add any required routing rules to any clients that wish to use BeSecure to scan their traffic,
setting BeSecure as the gateway.
Only BeSecure uses the original network gateway as its gateway. This configuration can
be done either by manually configuring each client machine, or indirectly through the
DHCP server.
IP Address Transparency
By default, the device operates in a non-transparent proxy mode, and it will use its own IP address,
configured using the Network page, when making requests and receiving responses on behalf of any
protected clients to any server on an external network. See Table 3-1 for more details.
Table 3-1: Addresses used on each side of a scanned connection, by transparency setting

Transparency setting   | Addresses presented to the client | Addresses presented to the server
IP Address | MAC/VLAN  | MAC         | IP          | MAC         | IP
OFF        | OFF       | BeSecure    | Destination | BeSecure    | BeSecure
ON         | OFF       | BeSecure    | Destination | BeSecure    | Source
ON         | ON        | Destination | Destination | Source      | Source
Transparency is useful to allow installation into a network without reworking firewall policies or
interfering with downstream policies and accounting. Ordinarily, if protecting an office LAN, firewall rules
will be needed to allow BeSecure traffic to leave the LAN. By enabling IP address transparency, rules do
not need to be added to the firewall to allow BeSecure traffic to leave on the scanned ports. However,
rules may still need to be added to allow device access to virus and spam signature updates, as well as
system updates.
Downstream policies and accounting are not possible when BeSecure is deployed without enabling IP
address transparency because all client connections would be logged with BeSecure's IP address. By
enabling transparency, the client IP addresses are preserved and downstream policies and accounting can
be performed.
Another situation where transparency is useful is when BeSecure is protecting a web server or mail
server. Without transparency enabled, the Internet server will see all connections as originating from
BeSecure. The web server logs will only contain BeSecure's IP address, and mail server IP based relaying
policies are not possible. By enabling IP address transparency, BeSecure can be deployed in front of
internet facing servers without affecting the server's logging and IP address based policies.
Despite the obvious advantages of transparent mode, whether this feature is appropriate depends on the specific deployment, and so it is disabled by default.
MAC/VLAN Transparency
MAC/VLAN transparency allows this device to be transparent at the MAC / Data Link Layer (OSI Layer 2).
When this option is disabled, as it is by default, this device will use its own MAC address when
communicating with clients and servers on the network, and no VLAN information will be preserved
between the client and server. See Table 3-1 for more details.
Enabling the MAC/VLAN transparency option allows this device to use the client MAC address and VLAN
tags when connecting to the server. Conversely, this device will use the server MAC address and VLAN
tags when connecting back to the client.
MAC/VLAN transparency allows administrators to deploy into an environment where switch or gateway
MAC address filtering policies are used for access control. Without this option, the scanning operations
will modify the MAC addresses presented to switches or gateways, and the MAC address based policies
cannot be enforced.
MAC/VLAN transparency also allows participation in VLAN (IEEE 802.1Q) networks. 802.1Q tags will be
preserved when requests are made to the server on behalf of the client, and to the client on behalf of the
server.
Currently, "Q in Q" (nested VLANs) is not supported.
To allow scanning of VLAN traffic that may be outside of the IP range the system has been configured for, see the next section, Auto-Route.
Auto-Route
In the event that scanned traffic is destined for an IP address that resides in a network address range that
is unknown to this device, as would be the case when multiple VLANs reside behind a switch attached to
the INGRESS port, special routing rules would ordinarily be required to ensure that the response traffic is
directed to its appropriate IP address endpoint. See Figure 18.
In this case, auto-route, otherwise known as stealth routing, can be used. This enables complete Layer 2
route transparency, allowing the scan and proper routing of traffic that is destined for a network not
directly known to this device.
With auto-route enabled, it is possible to use the Control Network as the Updates Via path by setting the Default Gateway to a value in the Control Network.
To enable auto-route:
1.
2.
In this case, it is important to remember that any configured static routes will NOT be effective, as the destination routing information (determined for the traffic prior to it encountering BeSecure) will be used.
[Figure 18 (labels only): Switch, VLAN1, VLAN2, VLAN3, Computer, BeSecure, Gateway, Internet]
Explicit Proxy
It is possible to configure this device to act as an explicit proxy for HTTP clients, such as web browsers. It must be running in router mode and each browser must be configured with this device's IP address as its HTTP proxy. To enable this mode:
1.
2. Under Device Configuration, select the Enable explicit proxy mode check box.
3.
Control Network
By default, INGRESS and EGRESS provide authenticated clients access to the device management
functions in bridge mode, and INGRESS in router mode.
Optionally, AUX or AUX1 (depending on platform) can be configured as the control port. Access to the management console is then restricted to clients connected to the network that the control port interface is on. Ideally, to take full advantage of the security that this configuration provides, this network should not be visible to clients residing on the INGRESS or EGRESS networks. This can be done in two ways:
1. Complete isolation of the AUX network. No traffic to anywhere but amongst management machines would be allowed. This is the most secure option. For maximum security, the control subnet should be a trusted network, not accessible from the internet. Any clients on the control network will not have access to external networks.
2. Specifying an IP address for the AUX/AUX1 interface on a different network, but connecting it to the regular LAN. A less secure option, this would allow any machine with an IP address on the control network access to the management console as well as external networks, but prevent any other clients with IP addresses on different networks from accessing the management functionality.
Enabling the control port disables any ability to configure the device via the INGRESS or EGRESS ports. ICMP and SSH, also previously usable via INGRESS or EGRESS, are then only available via the configured control subnet.
To configure AUX/AUX1 as the control port:
1. Expand the Control Network panel and select Enable Control Network. The fields below it will be enabled.
2.
3.
The control port IP address MUST be on a different network/subnet than the BeSecure bridge/router IP address.
2.
3. Specify the User and Password if required. These fields are optional.
4.
2. For each interface, specify the desired port speed, or use auto to allow auto-negotiation.
3.
In this example, we see two ports bonded as INGRESS (shown by the FUNCTION row) and two ports bonded as EGRESS. There is no control port in this example. The active ingress and egress ports are indicated by the blue highlight.
On both the Bond to INGRESS and Bond to EGRESS rows, all selected interfaces will share the ingress or
egress address configured on the page below. The active interface in a bond will be highlighted in blue.
Should the active interface in a bond fail, one of the others will become active. When the original
interface is repaired or has recovered, it will once again become the active interface.
Because of the inherent complexities in interface management when bonding is enabled, if an interface
for either the ingress or egress bond is selected, an interface MUST be selected for the other bond.
If all checkboxes are deselected for all the ingress and egress bonds, bonding will be disabled, and the
ingress and egress will be assigned their original default interfaces.
Single interface router mode is the default setting once router mode is selected, and link bonding is
immediately available for the single (ingress) interface. The availability of bonding for the egress network
depends on whether the router mode egress port has been enabled (see the Router Mode section
above). If the egress port is not enabled using the checkbox, the link bond checkboxes associated with
egress will be disabled and not configurable.
2.
3.
4. When the page returns, select the interfaces that you wish to Bond to INGRESS.
5. Click Save.
6.
To enable link bonding in dual interface router mode (i.e. with the egress port enabled):
1.
2.
3.
4. Assign appropriate values to the IP Address and Subnet Mask of the egress port.
5.
6. When the page returns, select the interfaces that you wish to Bond to INGRESS.
7.
8. Click Save.
3.1.4 Settings
The Settings section allows several system-wide tasks to be performed. See Figure 21.
Host
To change the Host Name:
1.
2. Enter the new host name into the Host Name field.
3.
ICAP Configuration
BeSecure can operate as an ICAP server providing scanning services for encapsulated HTTP traffic. For more information, see Section 4.9.
To enable support for the Internet Content Adaptation Protocol (ICAP):
1.
2.
System Time
To set the system date and time:
1.
2. Enter the date into the first field of System Date and Time (dd/MM/yyyy format). Optionally, the icon can be used to select the date in a calendar popup window.
3. Enter the time of day into the second field of System Date and Time (24-hour hh:mm:ss format). Optionally, the Now link will synchronize the field contents with the current time of the system clock on the client machine being used to access the management console.
4.
5.
Optionally, the Network Time Protocol (NTP) can be used to track and adjust the date and time. To enable NTP clock management:
Wedge Networks | Management Console
1.
2. Enter the NTP server location (as URL or IP address) into the field or leave the default value (pool.ntp.org).
pool.ntp.org load-balances requests across time servers all over the world. You will get more consistent results if you use a regional time server pool. The continental server pools are:
europe.pool.ntp.org
north-america.pool.ntp.org
oceania.pool.ntp.org
asia.pool.ntp.org
There are also many country-based time server pools. These use the following naming convention: xx.pool.ntp.org where xx is the 2-character country code. See http://www.pool.ntp.org for details.
3.
4. Click the Save and Sync button. This will set the current time and save the settings.
At any time, the Save and Sync button can be used to validate the operation of the NTP server. Should an error message be displayed upon clicking, a new NTP server needs to be specified to keep the time correctly synchronized. See the information above.
Directory Agent
Source and destination endpoints can be defined as usernames or user groups names (instead of IP
addresses) for most Protection and Content Control policies, if a Microsoft Active Directory (AD) server or
LDAP Directory server (such as OpenLDAP or Apple Open Directory) is available. The network clients must
be configured as in Section 9 (Appendix E) and Section 10 (Appendix F), and a configured Wedge Directory
Agent (the component used to communicate with the AD/LDAP server) needs to be installed on a network
visible to BeSecure.
This section outlines the options used to configure the access to the configured user and group name / IP
address mappings that exist on the directory server.
To configure use of a directory server for username/user group name policy support:
1.
2. Specify the Agent URL. A host name (known by a configured DNS server) or an IP address is necessary to locate the directory agent.
3. Click Test Settings (No Save) to validate the connection to the server and determine if the configured Agent URL is visible and contains the required user and group information.
4. When the settings are confirmed, click Save to enable the directory agent integration.
You may now enter the user or group name in any policy page that supports it. The policies will match
only if the source IP address and user or group name match the client making the request.
Reset Policy
This clears all of the following policies and rules from the system:
To reset all system policies and rules, under Reset Policy, click the Submit button.
Reset Statistics
This button resets the scanning statistics displayed on the Reports > Statistics page (see Section 3.5.2),
the contents of the graphs related to scanning on the System > Status page (Viruses Blocked), as well as
the content of the scanning and service graphs on System > Service Graphs and SubSonic Graphs pages.
If Also clear system statistics is selected, the contents of the system graphs (CPU Usage, Memory Usage, and Flash Usage) on the System > Status page, as well as the contents of all the graphs on the Reports > System Graphs and Network Graphs page are cleared as well.
To reset the statistics, under Reset Statistics, click the Submit button.
If problems are ever encountered with the system or scanning graph display on any page, Reset Statistics can be used to reset all the graph databases and fix any issues. Of course, past data will be lost, but future data gathering functionality will be restored.
Ports
Any incoming port can only be monitored for one type of protocol.
following ports for each of the following protocols:
Protocol        Port
SMTP            25
POP3            110
IMAP            143
HTTP            80
FTP             21*
TCP Stream**    23
2. Enter the port number or range into the Port / Port Range field, e.g. 34 or 34-37.
3. Click the
2. Enter the new port value in the Port / Port Range field.
3. Click the
It is not possible to delete all the ports for a specific protocol. The last remaining configured port for any protocol in the list cannot be deleted.
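Added example, not code from the manual or from Wedge Networks: a small Go model of the Ports tab that enforces the two rules stated above, that any incoming port is monitored for one protocol only and that the last configured port of a protocol cannot be deleted, and that accepts the Port / Port Range syntax shown (34 or 34-37). The protocol names and default ports come from the table above; the PortTable type, its methods and the range checks are this example's own construction.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PortRange is one entry from the Port / Port Range field: "34" gives Lo == Hi,
// "34-37" gives Lo = 34, Hi = 37.
type PortRange struct{ Lo, Hi int }

// ParsePortRange accepts the two forms the field takes and rejects anything else,
// including reversed ranges and values outside 1-65535.
func ParsePortRange(spec string) (PortRange, error) {
	parts := strings.SplitN(strings.TrimSpace(spec), "-", 2)
	lo, err := strconv.Atoi(parts[0])
	if err != nil {
		return PortRange{}, fmt.Errorf("invalid port %q", parts[0])
	}
	hi := lo
	if len(parts) == 2 {
		if hi, err = strconv.Atoi(parts[1]); err != nil {
			return PortRange{}, fmt.Errorf("invalid port %q", parts[1])
		}
	}
	if lo < 1 || hi > 65535 || lo > hi {
		return PortRange{}, fmt.Errorf("invalid range %q", spec)
	}
	return PortRange{Lo: lo, Hi: hi}, nil
}

func (r PortRange) overlaps(o PortRange) bool { return r.Lo <= o.Hi && o.Lo <= r.Hi }

// PortTable is the Ports tab: the list of monitored ranges for each protocol.
type PortTable map[string][]PortRange

// DefaultPorts reproduces the default table above (footnote markers dropped).
func DefaultPorts() PortTable {
	return PortTable{
		"SMTP": {{25, 25}}, "POP3": {{110, 110}}, "IMAP": {{143, 143}},
		"HTTP": {{80, 80}}, "FTP": {{21, 21}}, "TCP Stream": {{23, 23}},
	}
}

// Add enforces the rule that any incoming port is monitored for one protocol only:
// a new range may not overlap a range already configured for any protocol.
func (t PortTable) Add(proto, spec string) error {
	r, err := ParsePortRange(spec)
	if err != nil {
		return err
	}
	for p, ranges := range t {
		for _, existing := range ranges {
			if r.overlaps(existing) {
				return fmt.Errorf("%s overlaps %d-%d already monitored for %s", spec, existing.Lo, existing.Hi, p)
			}
		}
	}
	t[proto] = append(t[proto], r)
	return nil
}

// Delete removes one configured range but refuses to remove the last one for a
// protocol, matching the note above.
func (t PortTable) Delete(proto, spec string) error {
	r, err := ParsePortRange(spec)
	if err != nil {
		return err
	}
	ranges := t[proto]
	for i, existing := range ranges {
		if existing != r {
			continue
		}
		if len(ranges) == 1 {
			return errors.New("the last remaining configured port for a protocol cannot be deleted")
		}
		t[proto] = append(ranges[:i:i], ranges[i+1:]...)
		return nil
	}
	return fmt.Errorf("%s is not configured for %s", spec, proto)
}

func main() {
	tbl := DefaultPorts()
	// Port 443 has to be added as an HTTP port before HTTPS on 443 can be scanned.
	fmt.Println("add HTTP 443:", tbl.Add("HTTP", "443"))
	fmt.Println("add HTTP 8080-8090:", tbl.Add("HTTP", "8080-8090"))
	fmt.Println("add SMTP 8085:", tbl.Add("SMTP", "8085"))   // rejected: overlaps HTTP
	fmt.Println("delete SMTP 25:", tbl.Delete("SMTP", "25")) // rejected: last port
}
```

The overlap check runs across every protocol, not just the one being edited, because the restriction above is on the incoming port itself, whatever protocol it was configured for.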
SSL/TLS
BeSecure can scan SSL/TLS encrypted traffic.
To do so, it must act as the server to the requesting client and as the client to the destination server, in
effect creating two separate, secure connections. The encrypted traffic must be decrypted and scanned
prior to re-encryption for the second leg of its journey to its final destination.
The request from the client is intercepted, and BeSecure makes the request to the destination server on
behalf of the client. Upon receipt of the server certificate, BeSecure determines whether the server is
trusted based upon its own internal CA (certification authority) trust certificate store.
If the server can be trusted, BeSecure completes the connection to the remote server, and presents its
own signed certificate to the client, creating a second secure connection between the client and
BeSecure.
Upon first exposure to this certificate provided by BeSecure, a warning will typically appear in the client (such as a web browser), indicating that the certificate is self-signed (not signed by a CA that is trusted by default by the client). To prevent this message from appearing again, the CA information from the BeSecure certificate must be imported into the client's CA certificate store. The way to do this varies by browser.
BeSecure can be configured to provide two types of certificates to the client for SSL/TLS scanning: static
and dynamic.
A static certificate is one signed certificate that will be presented to all clients that are attempting to make secure connections to remote servers. A dynamic certificate will be created on the fly, with certain information from the original server certificate copied into the new certificate, to ensure that the client accepts it. This emulated information includes all server DN (distinguished name) information, as well as alternate subjects (names of other servers that this certificate may be used by). This information is required in certain situations to be the same, to prevent client software from complaining that the server that is responding to it (in this case, BeSecure) does not present the same name as the server that the client made the request to.
Either certificate method can be selected for use while scanning a specific protocol. For static certificates, a certificate suitable for presentation to any client and an associated private key must be generated or uploaded for use. For dynamic certificates, a CA certificate and private key that will be used to sign the newly generated dynamic certificates for each destination server must be uploaded.
To configure SSL/TLS scanning:
1.
2.
3. Select the Enable SSL/TLS checkbox for any protocol to enable the SSL/TLS scanning on that protocol's configured ports. Be sure to add any ports to be scanned to the Ports tab (other than the default port already included there).
SSL/TLS traffic is automatically detected on any of the configured protocol ports. For SSL/TLS scanning to occur, the port MUST be specified on the Ports tab. For example, to scan HTTP and HTTPS traffic on port 443 (the default HTTP SSL port), port 443 must be added as an HTTP port on the Ports tab.
4. Select the Use Dynamic Certificates for any protocol to use dynamic (emulated server) certificates when scanning SSL/TLS data over that protocol. For each selected protocol, the Signing (CA) Certificate (configured below) will be used. For unselected protocols, the Identity Certificate (configured below) will be used.
5. Select Use Dynamic Untrusted Certificates for any protocol to generate an untrusted self-signed certificate to provide to the client when the destination server it has requested supplies BeSecure with a certificate that is not trusted (i.e. self-signed, not signed by any known CA). In this way, the client can elect to accept the untrusted content using its client (i.e. browser) warning dialog in the same way as it would when BeSecure is not present. If this option is not selected, on encountering an untrusted certificate a blocking page will be displayed with an SSL error message, and the connection will be terminated.
6. Select Enable public download of CA certificate at: to enable public download of the uploaded CA (signing certificate) by anyone on an accessible network. This certificate file can be imported into the client system or browser certificate store, to enable the acceptance of the generated dynamic certificates without a warning message being displayed. The download is accessible at the URL listed to the right of this label, and also by clicking the link directly, once the Save button has been pressed.
7.
The HTTPS Domain Whitelist allows configuration of specific domains NOT to be intercepted and scanned
by BeSecure. This may include extra sensitive sites that provide access to banking or health information,
sites that an administrator may want to avoid the BeSecure decryption of content from. The whitelist of
domain patterns will be compared to the Subject Common Name of the server certificate, as well as any
Alternative Names that may be listed. These are easily viewed in the certificate information provided by
the browser on connection to the remote server.
A file formatted with one domain pattern per line is used to specify the whitelist. The domains must be of
the form
prefix.mydomain.suffix
Example domains are www.mybank.com or mail.mymail.org. A wildcard can be used in place of the
prefix in order to handle multiple hostnames. For example, to include both mail.mymail.org and
www.mymail.org, specify
*.mymail.org
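Added example, not part of the manual or of BeSecure: Go code showing how a whitelist file in the format described above can be validated entry by entry, reporting the line of the first invalid entry, and then matched against a server certificate's Subject Common Name and Subject Alternative Names to decide whether the connection bypasses interception. The function names, the rule that blank lines are ignored, and the rule that a wildcard matches exactly one host-name label (so *.mymail.org covers mail.mymail.org but not mymail.org itself) are this example's assumptions; the manual specifies only the pattern form and which certificate names are compared. The sample file contents are constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// ParseWhitelist validates the uploaded file (one domain pattern per line) and
// returns the accepted patterns, lower-cased. Blank lines are skipped
// (assumption). The first invalid entry aborts the parse with an error that
// names its line, as the upload dialog described above does.
func ParseWhitelist(contents string) ([]string, error) {
	var patterns []string
	scanner := bufio.NewScanner(strings.NewReader(contents))
	for lineNo := 1; scanner.Scan(); lineNo++ {
		entry := strings.ToLower(strings.TrimSpace(scanner.Text()))
		if entry == "" {
			continue
		}
		if err := validatePattern(entry); err != nil {
			return nil, fmt.Errorf("line %d (%q): %v", lineNo, entry, err)
		}
		patterns = append(patterns, entry)
	}
	return patterns, nil
}

// validatePattern accepts prefix.mydomain.suffix or *.mydomain.suffix: dotted
// host-name labels, with "*" allowed only as the whole leading label.
func validatePattern(p string) error {
	labels := strings.Split(p, ".")
	if len(labels) < 2 {
		return errors.New("expected the form prefix.mydomain.suffix")
	}
	for i, label := range labels {
		switch {
		case label == "*" && i == 0 && len(labels) >= 3:
			continue
		case label == "*":
			return errors.New("wildcard is only valid as the prefix of *.mydomain.suffix")
		case label == "" || !isHostLabel(label):
			return fmt.Errorf("invalid label %q", label)
		}
	}
	return nil
}

// isHostLabel allows the characters of a DNS host-name label (after lower-casing).
func isHostLabel(label string) bool {
	for _, r := range label {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9')
		if !isAlnum && r != '-' {
			return false
		}
	}
	return true
}

// matchPattern compares one pattern with one certificate name. A wildcard
// matches exactly one label (assumption), so *.mymail.org covers
// mail.mymail.org and www.mymail.org but not mymail.org or a.b.mymail.org.
func matchPattern(pattern, name string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == name
	}
	suffix := pattern[1:] // ".mymail.org"
	if !strings.HasSuffix(name, suffix) {
		return false
	}
	prefix := strings.TrimSuffix(name, suffix)
	return prefix != "" && !strings.Contains(prefix, ".")
}

// IsWhitelisted reports whether a connection should bypass SSL/TLS
// interception: the server certificate's Subject Common Name and every
// Subject Alternative Name are compared with the whitelist.
func IsWhitelisted(patterns []string, commonName string, altNames []string) bool {
	for _, name := range append([]string{commonName}, altNames...) {
		name = strings.ToLower(name)
		for _, p := range patterns {
			if matchPattern(p, name) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample file contents, not a real customer list.
	patterns, err := ParseWhitelist("www.mybank.com\n*.mymail.org\n")
	if err != nil {
		panic(err)
	}
	fmt.Println(IsWhitelisted(patterns, "mail.mymail.org", nil))                        // true
	fmt.Println(IsWhitelisted(patterns, "cdn.example.net", []string{"www.mybank.com"})) // true, via a SAN
	fmt.Println(IsWhitelisted(patterns, "mymail.org", nil))                             // false
	_, err = ParseWhitelist("www.mybank.com\nmail.*.org\n")
	fmt.Println(err) // names line 2 as the invalid entry
}
```

Matching on every Subject Alternative Name, not only the Common Name, is what makes a whitelist entry reliable: a shared certificate that lists a whitelisted name among its SANs would otherwise still be intercepted.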
1. Prepare a file with one domain name pattern per line, as specified above.
2.
3.
4.
5. Click Upload Domain Whitelist File. The Upload Domain Whitelist File dialog window will be displayed.
6. Click the Select button, and choose the prepared list file. The file will automatically upload. If there is a format issue, the error message will specify which entry in the file is not valid. Otherwise, the message shown in Figure 25 will be displayed.
7. Click Done. The page will refresh and the panel will contain the file contents in a text area, as well as the upload time and date.
Certificate Revocation is an important consideration when dealing with SSL/TLS certificates and security. Should a destination website or mail server present a certificate that is no longer valid (according to the original CA), the connection can no longer be deemed secure, as the certificate and associated key may have been compromised in some way. In these situations, the connection should be terminated.
BeSecure supports two methods of checking certificate revocation: certificate revocation lists (CRL), and the Online Certificate Status Protocol (OCSP). Either or both of these can be used. Both are triggered by information contained within a certificate.
If a CRL location is provided in a certificate, a list is downloaded and the certificate status is verified.
If OCSP responder information is provided in a certificate, a single request using this protocol is sent to
the responder (typically managed by the CA itself), and the response will indicate whether the certificate
is valid.
OCSP will be checked first, as less work is necessary. A single small request is used to determine the
status of one certificate. CRL downloads an entire list of certificate information and looks up the
necessary information in the list for the one certificate.
If OCSP is able to make a determination, then CRL checking is skipped. So it is up to the system
administrator to determine the tradeoff between added security and greater data processing overhead.
BeSecure also includes support for specifying an OCSP responder directly. Third parties may provide OCSP
services, or an organization can deploy its own OCSP responder server. In this case, BeSecure needs to be
configured to search only this custom responder. This is also done in this section.
To enable certificate revocation checking:
1.
2.
3.
4.
5.
6.
b. Certificate Subject Name: the subject name field from the certificate information
c. Certificate Issuer Name: the issuer name field from the certificate information
d.
For the static or dynamic certificate methods to work, certificate and key information must be generated or pasted into the appropriate fields, and uploaded into the system key store.
For dynamic certificates, a CA certificate and private key must be provided. For the static certificate mode, a non-CA certificate and private key must be provided. The certificate must be X.509 and base64 encoded. This can be generated using the Generate button in the appropriate panel. If providing an existing certificate, paste it into the appropriate field with the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines included.
The associated private key must be non-encrypted RSA, PKCS#8 and base64 encoded. This will also be generated at the same time as the certificate if the Generate button is pressed, because the private key needs to correspond to the public key included in the certificate. If providing an existing key, paste it into the appropriate field with the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines included.
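Added example, not BeSecure's own code: Go code that generates a signing CA, emulates a destination server's certificate by copying its Subject DN and Subject Alternative Names (the dynamic certificate mechanism described under SSL/TLS above), and shows what a client makes of the result depending on whether the CA is in its trust store and which host name it asked for. It also parses a pasted private key; note that the -----BEGIN RSA PRIVATE KEY----- header denotes the PKCS#1 encoding, while a PKCS#8 key carries -----BEGIN PRIVATE KEY-----, so the parser accepts both forms. The CA name, the sample server certificate and the validity choices are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl under parent with parentKey and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selfSigned generates a fresh RSA key pair and signs tmpl with it.
func selfSigned(tmpl *x509.Certificate) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// GenerateCA does what the Generate button does for the Signing (CA) Certificate
// panel: a self-signed CA certificate and its private key.
func GenerateCA(commonName string, validity time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
	return selfSigned(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: commonName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	})
}

// SampleServerCert stands in for the destination server's own certificate (constructed, self-signed).
func SampleServerCert(names ...string) (*x509.Certificate, error) {
	cert, _, err := selfSigned(&x509.Certificate{
		SerialNumber: big.NewInt(99), Subject: pkix.Name{CommonName: names[0]}, DNSNames: names,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	})
	return cert, err
}

// EmulateServerCert builds the dynamic certificate: Subject DN and Subject
// Alternative Names are copied from the destination server's certificate so the
// client sees the name it asked for, while the key pair is fresh and the
// signature is the proxy CA's. Validity is bounded by the CA's own.
func EmulateServerCert(original, ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	cert, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: original.Subject, DNSNames: original.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: ca.NotAfter,
	}, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// ClientAccepts models a client whose trust store holds root: it verifies the
// emulated chain for the host it connected to (this is why the SAN copy matters).
func ClientAccepts(emulated, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := emulated.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// ParsePrivateKeyPEM accepts an unencrypted RSA key in either PEM form: the
// "RSA PRIVATE KEY" header is PKCS#1, the "PRIVATE KEY" header is PKCS#8.
func ParsePrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if block.Type == "RSA PRIVATE KEY" {
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if rsaKey, ok := k.(*rsa.PrivateKey); err == nil && ok {
		return rsaKey, nil
	}
	return nil, fmt.Errorf("%q block is not an unencrypted RSA PKCS#8 key: %v", block.Type, err)
}

func main() {
	ca, caKey, _ := GenerateCA("BeSecure Example Signing CA", 365*24*time.Hour)
	orig, _ := SampleServerCert("mail.example.org", "www.example.org")
	emulated, _, _ := EmulateServerCert(orig, ca, caKey, 2) // errors ignored in this demo
	fmt.Println("issuer:", emulated.Issuer.CommonName, "names:", emulated.DNSNames)
	fmt.Println("client with CA imported:", ClientAccepts(emulated, ca, "www.example.org"))
	fmt.Println("client asked for other host:", ClientAccepts(emulated, ca, "other.example.org"))
}
```

Two points the code makes concrete: the emulated certificate never reuses the destination server's key, only its names, and a client rejects it both when the proxy CA is absent from its trust store and when the name it connected to is not among the copied SANs, which is why the manual insists on copying that information.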
To generate a certificate and key:
1.
2. Expand the Signing (CA) Certificate (Dynamic Server Certificates) or Identity Certificate (Static Server Certificate). This is shown in Figure 27 or Figure 28.
3. Enter information into any or all of Common Name, Organization, Locality, and Province/State. This information will be provided to the end user in the form of a CA certificate through client software such as a web browser, when attempting to access secure URLs. The fields are optional, but recommended.
4.
5. Specify a Validity Period. Using a CA or server certificate beyond this period will result in an SSL warning message in a user's browser. Management (i.e. certificate re-generation) will be periodically required, depending on the validity period selected.
6. Click Generate. This will populate the certificate fields, as shown in Figure 29.
7. Click Save to upload and install the certificate and key information.
1. Paste the X.509 certificate (base64 encoded) into the Certificate field.
2. Paste the associated non-encrypted RSA PKCS#8 (base64 encoded) private key into the Private Key field.
3. If it is desirable to view the plain text version of the Private Key in the UI after upload, uncheck Do not allow future access to private key. Otherwise, after saving, the key value will be replaced with *****NOT AVAILABLE FOR VIEWING*****, in the interest of increased security. Warning: the key will not be accessible for copy and paste in the future should this be selected. If the key is desired later, the certificate and key will need to be regenerated.
4. Click Save to upload and install the certificate and key information.
should show Active, indicating that the certificate has been added to the key store and is ready for use.
SSL/TLS scanning is now enabled for the configured protocols on their configured ports.
HTTP
This section contains HTTP configuration that may apply to various HTTP policy types, depending on
licensed modules.
GreenStreaming applies to all AV policies. It permits the scan and forwarding of traffic prior to receipt of the complete payload. Every GreenStreaming Threshold number of seconds, a malware scan occurs on the data retrieved so far, even if it is only a portion of the requested data. Scanned data can then be sent on to the requesting client sooner. This has several advantages. First, with large files, this prevents the large latency that would be introduced as BeSecure downloads the entire file and scans it prior to forwarding it on to the requesting client. Second, should a malware signature be present at the beginning of a requested file, the download can be terminated immediately, without complete retrieval being necessary.
To enable GreenStreaming for HTTP anti-virus scanning:
2.
3.
4.
5. Specify the GreenStreaming Threshold. This is the length of time before the next scan and forward action occurs. A value that is too high will cause the client to wait a longer period for the next portion of its requested data. A value that is too low will consume more CPU cycles due to frequent scanning. Proper selection of a value will depend on the network speed. The slower the network, the smaller the threshold value should be.
A lower value for GreenStreaming Threshold will result in smoother delivery of large content on low-bandwidth networks, but will increase BeSecure resource usage which could impact overall performance.
YouTube for Schools is associated with the licensable Safe Search module. By setting up an account at http://www.youtube.com/schools, configuring it, and creating a URL policy that enforces it, any scanned traffic with YouTube as a destination will be restricted to the settings in the account for the specified school ID. The setting of the school ID here is required for the use of the associated Compliance Enforcement policy setting on the Content Control > URL Policies page. If this is not configured, selecting the option for a particular URL policy will have no effect. See Section 3.3.1 for more details.
FTP
The FTP tab contains configuration for GreenStreaming for FTP. This works in exactly the same manner as
GreenStreaming for HTTP. See HTTP above for the details.
Syslog Configuration
To configure the storage location(s) for the event and system logs:
1.
2. Enter the IP address or domain name of the server in the Syslog Host field. Optionally, a custom port can be specified. Otherwise, the default syslog port is assumed. The information will be stored locally if the field is left blank.
3.
4. Repeat steps 2 and 3 for any additional servers that are required.
5.
messages for that level, as well as more severe messages. For example, if WARN is selected, all WARN, ERROR, and FATAL messages will be logged. If FATAL is selected, only FATAL messages are logged.
To set the system-wide log level:
1.
2.
Select the desired file (BeSecure or System) under Download Log Messages.
2. Click Download.
3.1.7 Notification
E-mail notifications can be sent to any e-mail address via any SMTP e-mail server visible to BeSecure. Notifications on the following selectable Incidents are available:
Virus detected
URL blocked/detected
Keyword blocked/detected
WebFilter blocked/detected
Spam detected
Notifications are available for certain System Events as well. When selected, these events also send SNMP notifications to configured trap sinks, assuming that the BeSecure SNMP agent is configured (see Section 3.1.9). These system events are:
Failed Service Updates: If the Anti-Virus, Anti-Spam, or WebFilter signatures download fails.
License Expiration: If the system license is near expiry or expired. A warning notification is sent 14 days prior to the expiration date, every day within 7 days of license expiry, and every day after expiry has occurred.
Health Monitor: System health monitor events. This includes the Protocol Scanners, the AV, AS, and WebFilter engines, and CPU/memory/disk/proxy usage warnings. See Section 4.11 for more details on the Health Monitor.
RAID Status Change: If the device model has a RAID configured, an e-mail will be sent if a RAID drive fails.
Bypassed Traffic: If the device goes into bypass mode (due to exceeding safe CPU or connection count limits).
Home Server Status: If communication with the home server fails (the home server provides periodic updates to the device, such as remote support server and update server locations).
1. Select Notifications from the System menu. The screen shown in Figure 34 will be displayed.
2. Under the Enable E-mail Notification heading, select the checkbox next to the incidents to trigger e-mail notifications. This includes Virus, Keyword, URL, Oversize, and Spam detection and blocking incidents.
3. Under the Enable E-mail Notification heading, select the checkbox next to the System Events to trigger e-mail notifications. Failed Service Updates represents the failure of any service that downloads periodic updates. This includes Anti-Virus, Anti-Spam, and WebFilter.
4. Edit the values for the SMTP Host and SMTP Port. This is the SMTP server that BeSecure will use to send its e-mail notification messages.
5. Edit the values for From Address, To Address and E-mail Subject. The From address will be the return address placed in the e-mail From field. The To address will be the address to which the message is sent.
6. Edit the values for Subject, Body Title Line, and Incident Line. These control the notification message format.
7.
8. Optional: Test the new settings using the Send Test E-mail Message button.
Bridge Mode HA
BeSecure bridge mode HA uses the Rapid Spanning Tree Protocol (RSTP).
typically as shown in Figure 35.
With RSTP, a cluster of BeSecure systems can be deployed in a redundant parallel bridging scenario with one BeSecure system handling traffic management (in Active mode), with the others waiting to take over in case of a failure in the active machine (in Stand By mode). The priority of the standby machines can be specified separately, determining the order in which machines take over traffic responsibility.
Failover (system failure where handoff to another BeSecure appliance is necessary) is defined as when either the INGRESS or EGRESS network interface on the active appliance goes down, or ceases handling traffic. Failover from the current active machine to a standby system typically takes less than 2 seconds.
Note that the status displayed on the H
A Mode screen is only updated every 5 seconds via HTTP request, so it does not reflect the instantaneous HA status.
By default, BeSecure is configured with HA off in bridge mode. In this mode RSTP data packets are forwarded over the bridge. If two BeSecure appliances are connected in parallel to the network in the default configuration, a network loop will be created. To avoid a network loop when configuring two or more BeSecure appliances in HA mode, connect one BeSecure at a time. Before connecting a second BeSecure to the network, ensure that the first BeSecure has HA enabled.
All platforms except the older NDP-1005 platform bridge the INGRESS and EGRESS ports when in
powered-off state (known as hardware or LAN bypass), so that in case of power failure traffic is not
blocked by BeSecure. However, in the case of HA, a network bypass would be introduced if one BeSecure
in the configuration bridged INGRESS/EGRESS, which would defeat the purpose of having a backup
BeSecure available. To account for this, the AUX2 port on the BeSecure must be used for EGRESS
functionality when HA is enabled. When enabling HA, the cable must be physically switched from EGRESS
to AUX2.
Insert one of the BeSecure appliances into the network as shown in Figure 35 and configure the
network settings under System > Network.
2.
3.
4.
5. Select a value for the Bridge Priority. The priority value can be between 0 and 8, with 0 being
the highest priority. This determines which appliance in a HA group will be active, and in which
order the other appliances will take over on a failover occurrence.
6.
7. Connect the next BeSecure into the network as shown in Figure 35, and repeat the above steps
for that appliance. Set the Bridge Priority appropriately in relation to the other BeSecure
appliance already in the HA configuration.
8. All platforms except NDP-1005: Move the cable from the EGRESS port to the AUX2 port. The Port
Status display will show the updated interface status.
Router Mode HA
In this mode, a cluster of BeSecure devices can be deployed in a redundant router scenario with one
device handling traffic management (Active mode), with the others waiting to take over in case of a
failure in the active machine (Stand By mode). The current release only supports a cluster with two
nodes. One is a master host which is the active node. The other host remains in standby. These two nodes
communicate with each other using heartbeats. The heartbeat signals are carried via a crossover Ethernet
cable or a switch that connects the control ports of the two devices.
Since the two nodes refer to each other with host names, it is mandatory that they each
have unique host names.
System failure (failover) is defined as when the heartbeat stops and the device cannot ping a group of
network entities, referred to as the Ping Group, in the network. Failover from the current active device to
a standby device typically takes around 2 to 5 seconds.
Router mode HA is a heartbeat-based solution similar to the Virtual Router Redundancy Protocol (VRRP).
It works by assigning a Virtual IP Address to the active device, and if that device becomes unavailable, the
Virtual IP Address is assigned to another device, ensuring continuous service. In a cluster with 2 devices,
3 IP addresses are required: one for each device, and a Virtual IP Address, which is the service address
that clients of the device will use.
High Availability is only provided on the Virtual IP Address. All equipment sending traffic
to the device should send it to the Virtual IP Address of the HA cluster.
1. Ensure the Control Port has been configured on the Network Settings page.
2. Select HA Mode from the System menu. The screen in Figure 37 will be displayed.
3.
4. Specify the Virtual IP Address. This address should not correspond to any address in use on the
INGRESS network, and should be the same on both BeSecure devices operating in HA mode. This
must be in CIDR format (xx.xx.xx.xx/xx) specifying both the virtual IP address and the netmask of
the virtual network. This is the address that should be used to access the BeSecure services.
5. If the EGRESS port is enabled and servicing a second network, specify the second Virtual IP
Address and netmask. This address should be different from the INGRESS address and should not
correspond to any address in use in the EGRESS network.
6. Add a set of network entities, usually including a router, to the Ping Group. This group is
used by BeSecure to decide if a failover should happen. The Ping Group should be on the same
subnet as the INGRESS IP address (not on the Control Port network).
7. If the router mode EGRESS port is enabled, specify the second Ping Group. Network entities in
this ping group should be on the same subnet as the EGRESS network.
8. Specify the host name of the peer device in the Peer Host field. It should be the Host Name as
specified by the Host Name field under System > Settings on the peer appliance.
9. Select the Use peer as master checkbox to indicate that this device will allow its peer to be the master
host. Only one of the two devices operating in HA mode should have this box checked.
10. Specify a Shared Secret (i.e. a password) for the nodes to communicate with each other.
Click the Update button to activate the changes.
When HA is in operation for router mode, the HA Status can be controlled using the buttons appearing
next to the HA Status at the top of the HA Mode page.
When in Stand By mode, Go to Active Mode will force the current device into Active mode, and its peer
into Stand By mode. See Figure 37. When in Active mode, Go to Stand By Mode will force the current
device into Stand By mode, and its peer into Active mode. See Figure 38.
Configuration Sync
BeSecure can be configured to automatically synchronize changed settings, ensuring that no difference in
service is visible and no additional configuration changes are required should failover occur.
Configuration sync, when enabled, automatically occurs on most configuration changes, when another
sync-enabled device is added to a control network with existing sync-enabled devices, or when the device
returns to normal operation after a failover has occurred.
Virtually all settings accessible via the management console are automatically synchronized, with the
exception of the Configuration Sync configuration parameters, visible in Figure 36 and Figure 37. Sync can
be enabled only if certain requirements are met:
1. The control (AUX/AUX1) port must be configured. See Section 3.1.3. The devices must have
their control port interfaces connected to the same control network.
2.
If any of these requirements are not satisfied, a message will appear above the Sync settings, and the
checkbox and text fields will be disabled. If the requirements are satisfied, to enable sync:
1. Under HA Mode in the System menu, select the Enable Configuration Sync checkbox.
2. Enter an appropriate Broadcast Port, or use the default. This port is used for broadcast of
synchronization change events.
3. Enter an appropriate Sync Port, or use the default value. This port will be used to communicate
the updated configuration data to synchronize.
4. Connect the control port interfaces on each device in HA mode to the same control network.
5. The devices synchronizing with one another must be of the same firmware revision, otherwise
synchronization will fail. They must all use the same sync settings, as shown on the screen in
Figure 36 and Figure 37. These settings are NOT synchronized, and must be entered and changed
separately on each machine.
HA Sync settings (the bottom half of System > HA Mode) are NOT synchronized when
Configuration Sync is enabled. These settings must be entered separately on each
machine, and they must be the same for Configuration Sync to work as expected.
3.1.9 SNMP
The current release supports the Simple Network Management Protocol (SNMP) v2, a protocol allowing
mass management and configuration of network appliances using various network management server
(NMS) software packages. The SNMP agent provides data from the following management information
base modules (MIBs):
General Configuration
The General tab includes configuration that pertains to the SNMP agent identity, and also allows the
administrator to enable or disable the SNMP agent, as necessary. See Figure 39.
To configure the SNMP agent:
1. Select SNMP from the System menu. Select the General tab if it is not currently selected. The
screen in Figure 39 will be displayed.
2. Check the Enable SNMP Agent checkbox to enable the agent that responds to remote queries,
and sends traps upon certain system events. Unless this is selected, no SNMP support is
available.
3. Fill in the values for the Name, Location, and Contact fields. These are strictly for administration
purposes.
4. Under Enable SNMP Trap, select all events upon which an SNMP notification (or trap) will be
sent out.
5.
SNMP Communities
Communities are the SNMP method of managing and classifying client requests for SNMP information.
1. Select SNMP from the System menu and select the Communities tab. The screen in Figure 40 will
be displayed.
2. Enter the IP Address (check the Entire Data Network if the community is the whole network)
from which client requests using this community are allowed.
3.
Trap Sinks
Trap sinks are server applications, such as a network management server (NMS), waiting on remote
machines to receive notifications from the BeSecure SNMP agent (SNMP traps).
Select SNMP from the System menu and select the Trap Sinks tab. The screen in Figure 41 will be
displayed.
Fill in the values for the Host and Port fields. Host must be the IP address of the listening NMS.
The default port for SNMP traps is 162, but can be changed if desired.
2.
3.
Click the icon next to the trap sink to delete it from the trap sink list.
The License Status table (Figure 42) lists the BeSecure System license and its licensed components: Anti-Virus
Kaspersky, Anti-Virus Bitdefender, Anti-Virus Streamdefender, Anti-Spam, Safe Search, WebFilter Anti-Phishing,
WebFilter SmartFilter, and DLP Keyword.
The License Status table includes the maximum number of users allowed (Max. Users) to use each
licensed component, the number of licensed Days Remaining for each component, the Expiry Date, and
an Effective Date, if an installed license will enable a component at some future time (see Effective Date
below).
The BeSecure System (the System entry in the table) represents the license state of the entire BeSecure
appliance. Each component below it is a sub-component of System. When the System license expires, all
other components expire.
Icons in the left column graphically indicate the status of each component:
License is valid
License has expired
License will expire within 14 days
A future license exists (see Effective Date below), component currently disabled
By default, BeSecure is installed with a limited-usage trial license valid for 45 days, beginning on activation
of the appliance. Wedge Networks or a qualified reseller can provide a long term production license
appropriate for specific needs.
On a newly installed BeSecure appliance, there is a pre-installed trial license valid for 45
days, with no WebFilter license included. This 45 day period begins on power up of the
BeSecure appliance.
1.
Figure 42.
2. Under Install License, click the Browse button to browse to the license file or enter the file
location into the License File field.
3.
Effective Date
A new license, such as a renewal license, may be installed prior to the end of the previous licensing
period. Such a license may contain newly licensed components, previously not enabled, that will be
enabled on a future date. The Effective Date column will display the date when these components'
features will be available. See the Anti-Spam service in Figure 42.
At other times, if a component will expire on a specific date but a license has been installed that will re-enable
it on a future date beyond the expiry date (i.e. a gap exists in the component's license), the Expiry
Date column will show the date of expiry, and the Effective Date column will show the date upon which
the component will be available again.
If the Effective Date is empty for a licensed component (the usual state), this means that the component
is currently licensed until the indicated Expiry Date, and not available beyond that date with the current
licenses available on BeSecure.
3.1.11 Backup/Restore
BeSecure provides a means to save all user configured settings and policies on the system to a remote
computer for later restoration. It is useful for transferring settings to another BeSecure appliance of the
same version, and is also a recommended precaution before any System Update is attempted (see Section
3.1.12). This console page also includes the ability to reset BeSecure to its default settings.
Select Backup/Restore under the System menu, to display the screen in Figure 43.
Backup/Restore is only possible across the same BeSecure version build level. The
version format is major.minor.patch-build. For example, in 3.1.4-123, 123 is the build
number. A backup file created in 3.1.4-222 or 3.1.6-123 will NOT work with 3.1.6-336.
However, a backup file should still be created when updating to a later version, in case a
downgrade is necessary.
On a Restore, the bridge/router IP address will be set to the IP address stored in the file
used to restore the settings. If this IP address is not known, access to the console could
be lost, and connection via serial port or direct access to the appliance with a keyboard
and monitor may be required to determine the IP address needed to connect to the
console.
Remember that the new IP address from the backup is required to access the console
once a restore or reset is completed.
Backup
To back up the system configuration:
1.
2. Save the file as prompted to the client machine. Please save this file in an area you can access
for system recovery purposes.
Restore
To restore your system to a saved configuration:
1. Under Restore, enter the configuration filename saved as in the above section into the Get
Configuration File field, or click on the Browse button. This will allow you to browse the
directories that are accessible from the machine on which your browser is running. Select the
appropriate file.
2.
Two operations are possible here, enabling/disabling the data collection, and clearing the collected data
from the database.
The database size is determined by the specific BeSecure platform. All newer platforms with 4GB of flash
storage will be limited to 500MB of event data in the database. Once this limit is reached, the oldest
events will be replaced with new events. The NDP-1038, equipped with a hard drive, is allowed to retain
50GB of event data. Platforms with only 2GB of flash storage are limited to only 40MB of stored events
before the oldest events are overwritten.
3.1.13 SubSonic
In many situations, the same data traffic is transferred many times over the same network path, between
various source and destination endpoints. Fully scanning repeat traffic that we know is identical is a
waste of system resources. With SubSonic Content Recognition enabled, this redundant scanning is
eliminated, with no reduction in security, and BeSecure performance and throughput is enhanced as a
result by freeing up CPU cycles for other scanning tasks.
To enable SubSonic:
1. Select SubSonic from the System menu to access the screen displayed in Figure 45.
2.
3.
4.
The Reports > Statistics page (see Figure 90) contains various statistics for SubSonic activity, shown in
detail in Figure 46:
SubSonic Cache Hit/Miss: A cache miss indicates a scan occurred on data that has not been seen before.
A cache hit indicates that a previous scan result was used for data that has already been seen and
scanned (perhaps a response for a request from a different client or a previous request by the current
client), and the result of this previous scan on the same data was deemed still valid, and re-used.
SubSonic Scan Savings: This shows the number of bytes of data that didn't require a re-scan, due to the
SubSonic mechanism. This number illustrates more clearly the BeSecure scanning effort savings and
increase in performance. It can be compared to the Scanned Traffic values, the number of actual scanned
bytes.
Figure 46 shows a simple example of SubSonic in action. A 4.5 KB file was downloaded three times. We
see the Scanned Traffic for HTTP (the fourth stat column) shows a total of 13.5KB scanned (4.5KB x 3).
The SubSonic Cache Hit/Miss is at 2 / 1 (two cache hits, one cache miss). The cache miss occurs when the
content is new, and a full scan of that content occurred. Two cache hits indicate that the second and third
downloads of the same file did not require a full scan, only a cursory SubSonic scan. BeSecure
recognized the content, and the previous scan results for that same file were taken into account.
The SubSonic Scan Savings value displays the amount of data that only underwent a
SubSonic scan, out of the total traffic scanned by BeSecure (the Scanned Traffic value).
Fully Scanned Traffic Amount = Scanned Traffic - SubSonic Scan Savings
A graphical display of the SubSonic statistics is available by navigating to Reports > SubSonic Graphs. See
Section 3.5.6 for details.
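The content-recognition mechanism described above, as an added illustration written for this section (it is not Wedge Networks' implementation): each object is keyed by its SHA-256 digest, a repeat object re-uses the stored verdict and is counted as a cache hit and as Scan Savings, and a new object is fully scanned. Tying the validity of a cached verdict to a signature-database version, and the toy full-scan routine, are assumptions made here, standing in for the manual's "deemed still valid".

```python
"""SubSonic-style content recognition cache (added example, not Wedge Networks' code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class SubSonicStats:
    scanned_traffic: int = 0   # all bytes BeSecure handled, fully or cursorily scanned
    scan_savings: int = 0      # bytes that only needed the cursory SubSonic scan
    cache_hits: int = 0
    cache_misses: int = 0

    @property
    def fully_scanned(self) -> int:
        # Fully Scanned Traffic Amount = Scanned Traffic - SubSonic Scan Savings
        return self.scanned_traffic - self.scan_savings


class ContentRecognitionCache:
    def __init__(self, full_scan: Callable[[bytes], str], signature_version: int = 1):
        self._full_scan = full_scan
        # digest -> (verdict, signature database version the verdict was produced with)
        self._verdicts: Dict[bytes, Tuple[str, int]] = {}
        self.signature_version = signature_version
        self.stats = SubSonicStats()

    def scan(self, data: bytes) -> str:
        self.stats.scanned_traffic += len(data)
        digest = hashlib.sha256(data).digest()          # the cursory "recognition" pass
        cached = self._verdicts.get(digest)
        if cached is not None and cached[1] == self.signature_version:
            self.stats.cache_hits += 1                  # content recognized, verdict still valid
            self.stats.scan_savings += len(data)
            return cached[0]
        self.stats.cache_misses += 1                    # new content (or stale verdict): full scan
        verdict = self._full_scan(data)
        self._verdicts[digest] = (verdict, self.signature_version)
        return verdict

    def signatures_updated(self) -> None:
        """Assumed behaviour: after a signature update, earlier verdicts are no longer trusted,
        so a 'clean' result from before the update cannot mask newly signed content."""
        self.signature_version += 1


# Constructed stand-in for the anti-virus engine: one toy marker string, nothing real.
TOY_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def toy_full_scan(data: bytes) -> str:
    return "infected" if TOY_MARKER in data else "clean"


def replay_manual_example() -> SubSonicStats:
    """Replay Figure 46: one 4.5 KB file downloaded three times (constructed payload)."""
    cache = ContentRecognitionCache(toy_full_scan)
    payload = b"A" * int(4.5 * 1024)        # 4608 bytes
    for _ in range(3):
        cache.scan(payload)
    return cache.stats


if __name__ == "__main__":
    s = replay_manual_example()
    print(f"Scanned Traffic {s.scanned_traffic} B, Cache Hit/Miss {s.cache_hits}/{s.cache_misses}, "
          f"Scan Savings {s.scan_savings} B, fully scanned {s.fully_scanned} B")
```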
When the MIM portal is enabled on the primary instance, access to the management interface will display
a list of hyperlinks to all configured instances.
Access to each of the instances will require separate login. The description entered for the instance
during configuration on the primary instance will be displayed in the upper part of the screen, along with
a SELECT link allowing return to the instance selection list. Logout, System > Shut Down (Restart Services
and Restart), and System Update actions will also trigger a return to the instance selection list.
To configure the MIM portal:
1.
2.
Click the
3. Enter the IP Address/Hostname. This value will be used to construct the hyperlink in the
instance select list. There is no validation that this address or host exists before it is added, so be
sure that it is accessible.
4. Enter a Description of the instance. This value will be used at the top of the page of the instance
management console, when it is accessed via the instance selection list. Its purpose is to help
determine which instance is currently being configured.
5.
6.
7.
8.
To access the list of instances, click the logo in the upper left or the SELECT hyperlink next to Portal
Instance (the description of this primary instance).
From this list, any instance can be selected, logged into, and configured. Any instance will always show
the configured description along with a SELECT link to return to the instance select list (as long as the
instance was accessed via the portal).
The behaviour allowing the return to the selection list from any instance, as well as
display of the instance description requires that all instances are at a firmware version
that supports the MIM Portal.
Log out of any accessed instances to clear the session on those instances.
2. Access the System > MIM Portal screen of the Primary Instance.
3.
4.
Once this is done, all instances will need to be accessed by their individual addresses or hostnames.
2. Provide the User ID and Password for the Wedge Networks update server provided to you by
Wedge Networks or a qualified reseller. Note that this is NOT the BeSecure administrator
password.
3. Select a version from the Available upgrades list, or specify the desired BeSecure Version. The
format is major.minor.patch-build.
By default, only versions of the same major.minor.patch number are shown. Select the Include
higher major.minor.patch releases checkbox if you wish to see new versions beyond these. For
example, if you are running 3.1.6, only newer 3.1.6 builds will be shown. If a 3.1.8 version
existed, it would be hidden until the checkbox is selected.
To update to the latest build of your current major.minor.patch, leave the BeSecure Version field
blank (for example, if you are at 3.1.6-200, it will select the latest 3.1.6-XXX build).
4. If your customer service representative has instructed you to specify a different update server,
select the radio button by the blank field and enter in the location of the custom update server.
Otherwise, leave Default selected.
5.
6. When the system has restarted, verify that the version number on the About page (using the
hyperlink in the upper right of the console window) is correct. See Figure 53.
1. Select Shut Down from the System menu, to display the screen shown in Figure 54.
2. From the drop down menu, select Restart Services, Reboot, or Shut Down.
3. Click Go!.
3.2 Protection
BeSecure provides the machines on your network with comprehensive protection from viruses, mal-ware,
and spam.
This section outlines the creation and maintenance of protection policies and the
configuration of the engines responsible for the signature databases.
Policies are (typically) IP address-based rules that determine which services apply to the different
protected clients, as well as how these rules should be applied. These services can be applied to a whole
network, a certain address range or a specific client IP address, for both the source and the destination of
the scanned traffic. Any added policy will apply to any data traffic if the IP address requesting the data
matches the specified Source address and the IP address sending the response matches the specified
Destination IP address.
A matched policy indicates that the data scanning associated with the
appropriate service will occur for this address pair.
The Source endpoint can also be associated with a user or group name, if System > Settings > Directory
Agent (see Section 3.1.4) and a Wedge Directory Agent has been configured to communicate with an
AD/LDAP server configured as described in Appendix E. This enables more useful logging of client traffic
scanning activity and results, as well as more criteria for policy matching. IP address-based rules with
dynamically assigned addresses will spread the activity of one user over several addresses, with no
indication of a connection between them. Only the IP address will be logged with the scanning events
that occur. However, a user or group name policy will allow association of the activity of the various IP
addresses, as the user and group name will also be logged in these cases when available. This allows for
more extensive reporting.
On supporting policy configuration pages, the Group? checkbox (when entering a new policy) and the Is
Group? column (in the list of existing policies) indicate whether the name associated with the policy
specifies a user or a group.
Exclusion Policies can be specified in the same manner as regular policies for both anti-virus and anti-spam,
by selecting the Exclude this policy from the specified protocol scans checkbox. Exclusion policies
indicate that any data traffic matching the policy's criteria is to be excluded from any of this type of
scanning. Exclusion policies override any regular policy matches that would indicate scanning is required.
Exclusion policies are displayed in the Exclusions tab at the bottom of the Anti-Virus and Anti-Spam
screens, and can be manipulated in the same manner as regular policies.
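The policy matching described above (source/destination address pairs per protocol, 0.0.0.0/0 as the Entire Data Network value, exclusions overriding regular matches), as an added example that is not Wedge Networks' code. The manual does not say how several overlapping regular policies combine; the rule that a blocking policy prevails over a log-only one, and the sample policy set, are assumptions made here.

```python
"""BeSecure-style protection policy matching (added example, not Wedge Networks' code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Literal

ENTIRE_DATA_NETWORK = "0.0.0.0/0"
Decision = Literal["exclude", "block", "log", "none"]


@dataclass(frozen=True)
class Policy:
    source: str                 # CIDR (x.x.x.x/xx) or a single host address
    destination: str            # CIDR or a single host address
    protocols: FrozenSet[str]   # protocols selected for this policy, e.g. {"HTTP", "SMTP"}
    exclude: bool = False       # "Exclude this policy from the specified protocol scans"
    block: bool = True          # "Block Viruses" (False = detected events are only logged)

    def matches(self, src: str, dst: str, protocol: str) -> bool:
        """True when the requesting IP lies in Source, the responding IP lies in
        Destination, and the protocol is one this policy was added for."""
        if protocol not in self.protocols:
            return False
        # strict=False lets a bare host address such as "192.168.10.25" parse as a /32
        return (ip_address(src) in ip_network(self.source, strict=False)
                and ip_address(dst) in ip_network(self.destination, strict=False))


def scan_decision(policies: Iterable[Policy], src: str, dst: str, protocol: str) -> Decision:
    """Decide what happens to one request/response pair for one protocol.

    Exclusions win over every regular match, as the manual states. Combining
    overlapping regular policies is not specified in the manual; the assumption
    made here is that any matching policy with Block selected blocks.
    """
    matched = [p for p in policies if p.matches(src, dst, protocol)]
    if any(p.exclude for p in matched):
        return "exclude"
    regular = [p for p in matched if not p.exclude]
    if not regular:
        return "none"
    return "block" if any(p.block for p in regular) else "log"


# Constructed sample policy set (RFC 1918 / documentation address ranges):
#   1. block viruses for the whole network over HTTP, SMTP and POP3
#   2. log-only HTTP policy for one client subnet
#   3. exclusion: one host fetching from one server over HTTP is never virus-scanned
SAMPLE_POLICIES = [
    Policy(ENTIRE_DATA_NETWORK, ENTIRE_DATA_NETWORK, frozenset({"HTTP", "SMTP", "POP3"})),
    Policy("192.168.10.0/24", ENTIRE_DATA_NETWORK, frozenset({"HTTP"}), block=False),
    Policy("192.168.10.25", "203.0.113.7", frozenset({"HTTP"}), exclude=True),
]


if __name__ == "__main__":
    for flow in [("192.168.10.25", "203.0.113.7", "HTTP"),
                 ("192.168.10.25", "203.0.113.7", "SMTP"),
                 ("10.1.1.1", "203.0.113.8", "HTTP"),
                 ("10.1.1.1", "203.0.113.8", "FTP")]:
        print(flow, "->", scan_decision(SAMPLE_POLICIES, *flow))
```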
1. Enter the specific IP address or address range into the Source field. An address range must be in
CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network
checkbox to use the value 0.0.0.0/0, representing all source IP addresses.
2. If AD/LDAP is configured, enter the user or group name into the Name field. If the name
represents a group, select the Group? checkbox.
3. Enter the Destination IP address or network address. A network address needs to be in CIDR
format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox
to use the value 0.0.0.0/0, representing all IP address destinations.
4. If desired, de-select Block Viruses. If it remains selected, any detected virus for the
corresponding source and destination and selected protocols will be blocked; otherwise they will
only be logged as detected events.
5.
6.
The new policy will show up in the list of existing policies. The screen should change to indicate the
successful registration of the policy as shown in Figure 56. In this figure, a policy for the entire network,
with an IP address for the source endpoint, has been added.
The policy may take up to 30 seconds to take effect on scanned traffic after the Add or
Update button is clicked.
To edit/delete an anti-virus policy:
1. Select or deselect the desired protocols next to the policy in the list in the lower half of the page.
Deselect all protocols to remove the policy completely. The Select All column contains
checkboxes that can be used to select all/deselect all of the protocol checkboxes rapidly.
2.
Enter the specific IP address or address range into both of the Source and Destination fields.
2. Enter a user or group Name if desired, and AD/LDAP is configured. Select Group? if the Name
represents a group name.
3. Select the Exclude this policy from the specified protocol scans checkbox.
4. Choose the e-mail protocols to be excluded from scanning. All are selected by default.
5.
Data requested by this source from this destination for the selected protocols will now not be scanned for
viruses, even if they are included in a regular anti-virus policy.
2.
3.
4.
The list of existing URLs is shown in the lower half of the screen. Clicking the icon next to the
policy will bring up the details in the upper half of the screen for editing.
2.
3.
1.
A list of existing URLs is shown in the lower half of the screen. Click on the
Enter the specific IP address or address range into the Source field. An address range must be in
CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network
checkbox to use the value 0.0.0.0/0, representing all source IP addresses.
2. If AD/LDAP is configured, enter the user or group name into the Name field. If the name
represents a group, select the Group? checkbox.
3. Enter the Destination IP address or network address. A network address needs to be in CIDR
format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox
to use the value 0.0.0.0/0, representing all IP address destinations.
4. If desired, select Block SMTP Spam Messages. If selected, the SMTP messages for the
corresponding source and destination will be blocked; otherwise they will only be marked as
spam and reported as detected. If the SMTP protocol checkbox is not selected, this setting is not
relevant.
5.
6.
The new policy will show up in the list of existing policies. The screen should change to indicate the
successful registration of the policy as shown in Figure 60. In this figure, a policy for the entire network,
with an IP address as the source endpoint, has been added.
Policy changes will take up to 30 seconds to take effect on scanned traffic after the Add
or Update button is clicked.
Select or deselect the desired protocols next to the policy in the list in the lower half of the page.
Deselect all protocols to remove the policy completely. The Select All column contains
checkboxes that can be used to select all/deselect all of the protocol checkboxes rapidly.
2.
Enter the specific IP address or address range into both of the Source and Destination fields.
2. Enter a user or group Name if desired, and AD/LDAP is configured. Select Group? if the Name
represents a group name.
3. Select the Exclude this policy from the specified protocol scans checkbox.
4. Choose the e-mail protocols to be excluded from scanning. All are selected by default.
5.
Data requested by this source from this destination for the selected protocols will now not be scanned for
spam, even if they are included in a regular anti-spam policy.
Contact Wedge Networks Product Support and download the signatures file.
2. Open the management console and go to Protection > Anti-Virus Setup. See Figure 61.
3. If necessary, select "never" for the Virus Update Interval, and click the Save button. This
disables the automatic signature update mechanism.
4. The upload order is important. For each of the files downloaded in Step 1, in the same order as listed
in Step 1, Browse to the file location and Upload the file.
Configuration
To configure the anti-virus engine settings:
1. Select the Virus Update Interval. This changes the virus signature database update frequency.
The first update of any day will occur at this number of hours after midnight, and at every
interval of this number of hours thereafter.
2. Select the number of minutes after the hour to Start Updating at. The virus signature update will
occur at this number of minutes past each hour calculated using the Virus Update Interval value
entered in Step 1.
If Virus Update Interval is set to 3, and the Start Updating at minutes set to 28 (as in
Figure 61), each day the signatures will update at 03:28, 06:28, 09:28, etc. For a setting
of 8 hours and 45 minutes, the signatures will update at 08:45, 16:45, and 00:45.
3. Select the Region for Signature Update (Kaspersky only). This allows the closest update server to
the region selected to be used for virus signature updates.
4. Set the Max. Scanned File Size (Bitdefender only). This allows setting an upper limit to increase
performance.
5. Set the Max. Archive Scan Depth (Bitdefender only). This allows limiting the depth of scanning in
recursive compressed archive files. The deeper specified, the more memory is needed for
scanning, and performance is impacted.
6. Set the Max. Extracted File Size (Bitdefender only). This sets a maximum size for files extracted
from archives to scan. Larger files use more disk space and impact performance to a greater
degree.
7. Set the Max. Archive File Size (Bitdefender only). Archive files larger than this will not be
extracted and scanned.
8. Select the Enable Heuristics checkbox to allow the engine to use heuristics to detect possible
mutations and permutations of existing signatures in the virus database, in effect detecting more
types of viruses than there are exact signatures for in the database.
9.
Configuration
The Last Update Time states the last time the database of spam signatures was updated.
To configure the anti-spam engine settings:
1. Set the Required Score. This is the threshold at which a message is classified as spam,
expressed as a percentage confidence level; the lower the number, the higher the sensitivity.
2. Select Enable IP Address Reputation Scoring, if desired. This enables the use of an algorithm
that adjusts the spam score of a message based on its origin information. This can increase the
identification rate of spam messages, but can potentially increase the false positive rate as well.
This is enabled by default.
3. If desired, select Block SMTP Spam Messages. If selected, any detected SMTP spam is blocked.
By default, the messages are marked with a customizable string placed in the subject line (see
next section, Headers) and allowed into the user's inbox. If a global setting is not desired, there
is an option of enabling the blocking on a per policy basis on the Protection > Anti-Spam Policies
page (See Section 3.2.2).
POP3 and IMAP spam e-mail messages cannot be blocked. They can only be marked.
Rules based on the Message Subject Marker and the X-Spam headers (see next section,
Headers) placed in scanned messages must be used in an e-mail client to manage marked
spam messages, such as moving them to a special folder or deleting them.
4. If desired, select Disable Anti-Spam when no policies exist. If selected, the anti-spam engine will
not run if no anti-spam policies exist. This prevents unnecessary bandwidth usage for regularly
scheduled spam signature updates.
5. If desired, select Enable SMTP tarpitting. If selected, the scanning engine will actively delay
SMTP server greeting messages at the beginning of a transaction and server responses during a
transaction every five recipients. The delay in each of these cases defaults to 20 seconds. This
discourages large-scale spamming.
6. Select Log Spam Analysis String to log additional information about why a message is classified
as spam. This analysis string can be used by Product Support to determine causes for false
positives, etc., and prevent them from happening again.
7.
The Advanced Settings section can be expanded to display settings that may be used in certain specialized
network deployments to customize the anti-spam scanning behaviour. See Figure 63.
The SMTP Error Reply for Spam Messages allows customization of the reply code and message that is sent to an SMTP MTA when a message from that source is classified as spam by the anti-spam engine (and Block SMTP Spam Messages is selected). This reply code is only used when SMTP spam is configured as being blocked. By default, the code is 554, the subcode is 5.6.0, and the message text is Message contains spam. In some deployment environments, it may be desirable for the code to be adjusted to induce different MTA behaviour or to reduce the sender's knowledge of BeSecure's actions.
To further combat spam, several options exist to prevent suspicious SMTP behaviour without actually detecting the message as spam. This can prevent spam messages from getting sent before they are added to the spam signature database. These include limiting the number of recipients and the number of sessions per IP address.
Limit SMTP Recipients Per Message will block any message with a number of recipients that exceeds the specified Maximum Recipients Per Message. This can help prevent mass spamming of large mailing lists.
Limit SMTP Sessions Per IP Address will prevent a single SMTP client from using many separate SMTP sessions to avoid the restrictions placed on it by tarpitting (see above) or by the limit on recipients per message. The maximum number of simultaneous sessions is specified as Maximum Sessions Per IP Address. Sending will be blocked for this client should this maximum be exceeded.
Both of the above limits have a customizable reply code and message, just as the regular blocking of detected SMTP spam messages does.
See Appendix D: SMTP Reply Codes for a list of standard SMTP reply codes and their meanings. There are three ranges of reply codes allowed:
5xx Permanent Failure: This is a range of codes indicating that an error has occurred with sending, and the error is not likely to be resolved by resending the message in its current form. The sending MTA should not retry delivery of the message. By default, BeSecure uses 554, indicating a permanent failure. The sending MTA will not resend its message, as it has been informed that its message has been denied. A false positive spam e-mail can be recognized as such by the sender if this type of feedback is sent back. However, this behaviour can also inform a spammer that a security device is in place, and they can attempt to adjust their own behaviour or strategy to compensate.
4xx Persistent Transient Failure: This is a range of codes indicating that the message as sent is valid, but some temporary event is preventing the successful sending of the message. In this case, the sending MTA may try to automatically resend the message later. Using a 4xx series code is allowed, but is not recommended, as it may cause the MTA to retry an undetermined number of times, increasing network traffic for no good purpose.
2xx Success: This range of codes indicates acceptance of the message for delivery. This will cause the sending MTA to believe the spam message has been accepted for delivery. No failure feedback is given. Blocked false positives will appear to be delivered. However, a spammer will be no wiser that his or her spam message has been blocked and swallowed by BeSecure.
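The SMTP-side controls described above (the configurable spam reply, the three permitted reply-code ranges, tarpitting, and the recipient and per-IP session limits), modelled in Python as an added example. This is not BeSecure code: the class names, the greeting hostname and the placeholder reply texts for the two limits are assumptions.

```python
"""SMTP-side anti-spam controls: spam reply, reply-code ranges, tarpitting,
recipient and per-IP session limits.  Added example, not BeSecure code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TARPIT_DELAY_SECONDS = 20.0       # manual default for the greeting / response delay
TARPIT_EVERY_N_RECIPIENTS = 5     # manual: a delayed server response every five recipients


def reply_class(code: int) -> str:
    """Classify a reply code into the three ranges the manual allows (2xx, 4xx, 5xx);
    1xx, 3xx and out-of-range values are rejected as configuration errors."""
    if not 200 <= code <= 599 or code // 100 == 3:
        raise ValueError(f"reply code {code} is not in the 2xx/4xx/5xx ranges")
    return {2: "success", 4: "transient", 5: "permanent"}[code // 100]


def is_valid_reply_code(code: int) -> bool:
    try:
        reply_class(code)
        return True
    except ValueError:
        return False


def sender_will_retry(code: int) -> bool:
    """Only a 4xx reply makes a conforming sending MTA queue the message and retry."""
    return reply_class(code) == "transient"


@dataclass
class SmtpReply:
    code: int = 554                     # manual defaults for the spam reply
    subcode: str = "5.6.0"
    text: str = "Message contains spam"

    def __post_init__(self) -> None:
        reply_class(self.code)          # validate the range when the reply is configured

    def line(self) -> str:
        return f"{self.code} {self.subcode} {self.text}"


@dataclass
class SmtpGuardConfig:
    block_spam: bool = True                     # Block SMTP Spam Messages
    tarpit: bool = False                        # Enable SMTP tarpitting
    max_recipients: Optional[int] = None        # Limit SMTP Recipients Per Message
    max_sessions_per_ip: Optional[int] = None   # Limit SMTP Sessions Per IP Address
    spam_reply: SmtpReply = field(default_factory=SmtpReply)
    # The two limit replies are customizable; the texts here are placeholders.
    recipient_reply: SmtpReply = field(
        default_factory=lambda: SmtpReply(text="Too many recipients (placeholder)"))
    session_reply: SmtpReply = field(
        default_factory=lambda: SmtpReply(text="Too many sessions (placeholder)"))


class SmtpGuard:
    """Tracks open sessions per client IP and answers the three decision points."""

    def __init__(self, cfg: SmtpGuardConfig) -> None:
        self.cfg = cfg
        self.sessions: Dict[str, int] = defaultdict(int)   # client IP -> open sessions

    def open_session(self, client_ip: str) -> Tuple[str, float]:
        """Greeting (or rejection) plus the tarpit delay to apply before sending it."""
        limit = self.cfg.max_sessions_per_ip
        if limit is not None and self.sessions[client_ip] >= limit:
            return self.cfg.session_reply.line(), 0.0
        self.sessions[client_ip] += 1
        delay = TARPIT_DELAY_SECONDS if self.cfg.tarpit else 0.0
        return "220 mx.example.test ESMTP", delay        # constructed hostname

    def close_session(self, client_ip: str) -> None:
        if self.sessions[client_ip] > 0:
            self.sessions[client_ip] -= 1

    def rcpt_to(self, recipient_number: int) -> Tuple[str, float]:
        """Reply and delay for the Nth RCPT TO command of the current transaction."""
        limit = self.cfg.max_recipients
        if limit is not None and recipient_number > limit:
            return self.cfg.recipient_reply.line(), 0.0
        delay = 0.0
        if self.cfg.tarpit and recipient_number % TARPIT_EVERY_N_RECIPIENTS == 0:
            delay = TARPIT_DELAY_SECONDS
        return "250 2.1.5 Recipient OK", delay

    def end_of_data(self, classified_as_spam: bool) -> str:
        """Reply after the message body: spam is refused only when blocking is on,
        otherwise it is marked (subject marker, X-Spam headers) and accepted."""
        if classified_as_spam and self.cfg.block_spam:
            return self.cfg.spam_reply.line()
        return "250 2.0.0 Queued"
```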
Whitelist Editing
The spam whitelist allows regular expression matching against the headers and body of e-mail messages. If a match is found, a message that ordinarily would be marked as spam will not be classified as spam. It is also possible, on this page, to whitelist IP addresses that should not be scored using the IP reputation scoring algorithm (see above).
To add a spam whitelist entry:
1. Select the Whitelist Editing tab under Protection > Anti-Spam Setup.
4. Specify the regular expression, or for IP reputation, a CIDR-formatted IP address, that should be used for this whitelist match.
The list of existing entries is shown in the lower half of the screen. Clicking the icon next to the entry will bring up the details in the upper half of the screen for editing.
A list of existing entries is shown in the lower half of the screen. Clicking on the icon next to the entry will delete it.
Headers
When a message is scanned for spam, BeSecure inserts several default headers that contain details of the
scan results. The character string that is pre-pended to the subject line of the message (if the message is
classified as spam) can be customized, as well as the contents of several of the default headers written to
the scanned message by BeSecure. See Figure 65.
These default headers are:
X-Spam-Status
X-Spam-Flag
X-Spam-Checker-IP
X-Spam-Level
X-Spam-Checker-Version
Each of the value fields for these headers includes variables specified using %% symbols (See Figure 65).
These are replaced at scan time by the actual results of the scanning of the message whose headers are
being rewritten. The available variables are:
SPAMSTATUS: A Yes or No value, indicating if the given message has been classified as spam.
SPAMINFO: More information, of the format Score=<calculated score>, <extra spam signature info>
SPAMLEVEL: Anywhere between 0 and 10 * symbols, each representing a 10% confidence level in the spam classification of this message. Messages that are not spam have 0 * symbols. Messages with a score of 100 (that is, a 100% confidence level) have 10 * symbols.
SPAMFLAG: A YES or NO value, with the same meaning as the SPAMSTATUS variable.
CLIENTIP: The IP address of the client machine initiating the request (sender of SMTP, receiver of POP or IMAP).
If no value is inserted into any of the fields, the associated header will not be added to the e-mail message.
It is possible to customize the spam-classified message subject line (Message Subject Marker) and the default header contents written to spam-scanned messages. To do this:
2. Specify the Message Subject Marker. This value is pre-pended to the original subject line of a spam message before it is delivered to the client inbox.
3. Edit the Status header, if desired. This is the value written for X-Spam-Status in the message headers. By default this value states whether the message is spam, and includes the score.
4. Edit the Level header, if desired. This is the value written for X-Spam-Level in the message headers.
5. Edit the Flag header, if desired. This is the value written for X-Spam-Flag in the message headers.
6. Edit the Checker Version header, if desired. This is the value written for X-Spam-Checker-Version in the message headers.
7. Edit the Checker Original IP header, if desired. This is the value written for X-Spam-Checker-IP in the message headers.
It is important to note, however, that should it be desirable to use Unicode characters, or multi-byte characters from any other character set, the encoding and character set used by BeSecure for the message subject marker must match the character set and encoding used by the e-mail clients that are used to view the e-mails that will be marked as spam. Otherwise, the client will attempt to interpret the subject line characters using a different encoding, and gibberish will result.
To set the anti-spam encoding and character set, the CLI (command-line interface) must be used (see Section 4.1).
One Custom Spam Header (name and value) can be specified, should the situation require it, for example, if an e-mail server or client is preconfigured to use a mail header with a custom name and value.
To add the custom e-mail header to scanned messages:
2. Under Custom Spam Header, enter the Name and Value of the custom header to be added to any e-mail message scanned by BeSecure.
3. De-select the Insert only when messages are classified as spam checkbox if the header should be added to all messages scanned. Otherwise, only those actually marked as spam will contain the header.
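How the headers above are produced and consumed, as an added Python example (not BeSecure code): the %%VARIABLE%% templates are rendered from a scan result, an empty template field leaves its header out, the Message Subject Marker is RFC 2047-encoded in an explicit charset, the Custom Spam Header honours the insert-only-when-spam option, and a client-side rule of the kind POP3/IMAP users must rely on reads the result. The template strings and function names are assumptions.

```python
"""Rendering of the X-Spam-* headers, the Message Subject Marker and the Custom Spam
Header, plus a client-side filter rule.  Added example, not BeSecure code."""
import re
from email import message_from_string
from email.header import Header, decode_header, make_header
from email.message import Message
from typing import Dict, Optional, Tuple

VARIABLE = re.compile(r"%%([A-Z]+)%%")          # variables are written between %% symbols

# Assumed header templates, in the form they would be entered on the Headers tab.
DEFAULT_TEMPLATES: Dict[str, str] = {
    "X-Spam-Status": "%%SPAMSTATUS%%, %%SPAMINFO%%",
    "X-Spam-Flag": "%%SPAMFLAG%%",
    "X-Spam-Checker-IP": "%%CLIENTIP%%",
    "X-Spam-Level": "%%SPAMLEVEL%%",
    "X-Spam-Checker-Version": "",                # left empty: header is not added
}


def spam_level(is_spam: bool, score: int) -> str:
    """One '*' per 10% confidence; non-spam gets none, a score of 100 gets ten."""
    if not is_spam:
        return ""
    return "*" * (max(0, min(100, score)) // 10)


def scan_variables(is_spam: bool, score: int, client_ip: str,
                   signature_info: str = "") -> Dict[str, str]:
    """Values substituted at scan time for the five variables the manual lists."""
    info = f"Score={score}" + (f", {signature_info}" if signature_info else "")
    return {"SPAMSTATUS": "Yes" if is_spam else "No",
            "SPAMFLAG": "YES" if is_spam else "NO",
            "SPAMLEVEL": spam_level(is_spam, score),
            "SPAMINFO": info,
            "CLIENTIP": client_ip}


def render(template: str, variables: Dict[str, str]) -> str:
    """Expand %%NAME%% references; an unknown name is treated as a configuration error."""
    def expand(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown header variable {name}")
        return variables[name]
    return VARIABLE.sub(expand, template)


def decoded_subject(msg: Message) -> str:
    """Subject as a mail client shows it, after RFC 2047 decoding."""
    return str(make_header(decode_header(msg["Subject"] or "")))


def mark_message(raw: str, *, is_spam: bool, score: int, client_ip: str,
                 templates: Dict[str, str] = DEFAULT_TEMPLATES,
                 subject_marker: str = "[SPAM]", marker_charset: str = "utf-8",
                 custom_header: Optional[Tuple[str, str]] = None,
                 custom_only_when_spam: bool = True) -> Message:
    """Add the scan-result headers and, for spam, prepend the subject marker."""
    msg = message_from_string(raw)
    variables = scan_variables(is_spam, score, client_ip)
    for name, template in templates.items():
        if template.strip():                     # empty field: header not inserted
            msg[name] = render(template, variables)
    if custom_header and (is_spam or not custom_only_when_spam):
        name, template = custom_header
        msg[name] = render(template, variables)
    if is_spam:
        original = decoded_subject(msg)          # decode first to avoid double encoding
        del msg["Subject"]
        # RFC 2047-encode the marked subject in an explicit charset.  This must be the
        # charset the recipients' clients expect, or a non-ASCII marker shows as gibberish.
        msg["Subject"] = Header(f"{subject_marker} {original}", marker_charset).encode()
    return msg


def client_rule_matches(msg: Message, min_level: int = 5) -> bool:
    """A mail-client filter rule (the only option for POP3/IMAP, which cannot block):
    file as spam when X-Spam-Flag is YES or X-Spam-Level has at least min_level stars."""
    if (msg["X-Spam-Flag"] or "").strip().upper() == "YES":
        return True
    return (msg["X-Spam-Level"] or "").count("*") >= min_level
```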
1. Select File Size Limits under the Protection menu (Figure 66).
2. Specify the maximum size of files (or in the case of e-mail, messages) scanned, in megabytes (MB), for each of the scanned protocols SMTP, POP3, IMAP, FTP, and HTTP.
3. Specify whether to set Block oversize files for each of the scanned protocols, using the provided checkbox. If selected, a message will be returned to any client requesting an oversize file, stating that the threshold has been exceeded. The file download will not proceed. If not selected, the file or message will be allowed to pass through without being scanned for viruses or spam.
2. Enter the specific IP address or address range into the Source field. An IP address range needs to be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all source IP addresses.
3. Enter the Destination IP address or network address. A network address needs to be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all IP address destinations.
5. Click Add.
Select or deselect the desired services next to the policy in the list in the lower half of the page. Deselect all services to remove the policy completely. The Select All column contains checkboxes that can be used to select or deselect all of the protocol checkboxes rapidly.
3.2.7 Templates
Any protected client requesting content that is blocked by the device due to an existing policy is given feedback that the content was blocked, and the reason why it was blocked. In several cases, the feedback takes the form of error messages whose display is handled by the e-mail client or FTP client. In other cases, such as POP3 downloaded e-mail that is determined to contain a virus, the infected message will be replaced. In the case of infected HTTP downloaded files, or web pages containing forbidden key words or located at a forbidden URL, the error message is displayed in a replacement web page in the client browser. In some policy types, a means of rejecting the block and proceeding anyway can be enabled on the replacement page.
The Protection > Templates console page allows the customization of the replacement e-mail messages
and web page content shown when content is blocked.
Figure 68 shows the template for the replacement message given when a scanned e-mail is blocked due
to virus content.
The template contains several markers for variable values that are replaced when a specific message is created, based on the message header information and virus information in that particular instance. Each of these values can be placed in the template message, between % symbols (as in the default message shown in Figure 68):
CLIENTIP: the IP address of the protected client accessing the mail server
SERVERPORT: the port number of the connection on the mail server side
The HTTP Template tab contains the templates for the replacement web pages served by BeSecure when
HTTP content is blocked due to an existing policy. This page is formatted with the first part of the HTML
page in the HTML Header field. The HTML Footer field allows customization of the HTML page after the
message content. The message content for each of the possible content blocking situations can be edited
using the fields in between. See Figure 69.
To edit the HTTP template:
2. Edit the Common Title, if desired. This is the message displayed at the top of the HTML page.
The Shared Template Messages tab contains common messages used in both the e-mail and HTTP
template. See Figure 70.
To edit the shared template messages:
1. Edit the Blocked Virus, if desired. This is the message displayed when the content is blocked due to a detected virus. See Section 3.2.1.
2. Edit the Blocked URL, if desired. This is the message displayed when the content is blocked due to a URL blocking policy. See Section 3.3.1.
3. If available, edit the Blocked WebFilter value, if desired. This is the message displayed when the content is blocked due to a WebFilter blocking policy. See Section 3.3.4.
4. Edit the Warning WebFilter, if desired. This is the message displayed when the content is potentially malicious, is blocked by a WebFilter policy, and a warning message is displayed.
5. Edit the Warning WebFilter Proceed Link, if desired. This is the message displayed as a link to allow the rejection of a block page (i.e. proceed at own risk).
6. Edit the Blocked Keyword, if desired. This is the message displayed when the content is blocked due to a keyword blocking policy. See Section 3.3.2.
7. Edit the Blocked Oversize, if desired. This is the message displayed when the content is blocked due to a file whose size exceeds the allowed limit. See Section 3.2.5.
8. Edit the Engine Error, if desired. This is the message displayed on an internal scanning engine error.
1. Select URL Policies from the Content Control menu. The screen in Figure 71 will be displayed.
2. Specify the Source endpoint of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
3. If AD/LDAP has been configured, a user or group Name can be used here. If the Name represents a group name, select the Group? checkbox.
4. Select the Action to take on policy match from the drop-down list:
a. Detect only: access to the specified URLs will be detected and logged.
b. Block access: access to the specified URLs will be detected, logged and BLOCKED.
5. If a specific time period or repeat type is desired, expand the Time Period panel and edit the following:
a. Select the Time Zone. This is the time zone that the following time period values are relative to.
b. Select the Repeat Type. This indicates how the rule will be applied. Allowed values are EveryDay, DayOfWeek or DayOfMonth.
c. Select the Start Day and End Day. This specifies the start and end days of the interval during which the rule will be enforced. The interval can be specified using days of the week, Monday to Sunday, or a day of the month between 1 and 31. NOTE: If the EveryDay repeat type is selected, the Start Day and End Day fields are disabled.
d. Select the Start Time and End Time. This specifies the start and end time of the interval during which the rule will be enforced. 24 hour format must be used for these fields.
If the time period is not specified, then the policy will apply all the time.
6. Select any Safe Search types (these are only available if the Safe Search module is licensed), if desired. See Figure 72. Examples are YouTube for Schools and Google SafeSearch. See Section 3.1.5 for any configuration related to these options. By selecting these, headers may be added, or request URLs rewritten, to enforce these safe search types. YouTube for Schools allows filtering of requested YouTube videos. Enforcing strict Google, Bing, or Yahoo SafeSearch will prevent inappropriate links and images from showing up in web page and image search results. The filtering criteria for these are managed by the search engines.
7. Expand the URLs panel. See Figure 73. Add URLs to the URL list by entering the values into the text fields and clicking the Add links or pressing the Enter key. These are the criteria that will be used to determine whether the selected action will take place. Any URL access attempt will be checked against any URL specified here. Based on the Action to take on policy match drop-down list, the list will be labeled differently.
Do Not Detect/Block: all URLs EXCEPT those in this list will match this policy, and will be blocked or detected based on the action selected. These URLs will display in green in the policy list at the bottom of the screen.
Detect/Block: URLs matching the patterns in this list will match this policy, and will be blocked or detected based on the action selected. These URLs will display in red in the policy list at the bottom of the screen.
The Do Not Detect/Block list is checked first and the entries in the Detect/Block list are checked next. It is redundant to enter URLs into the Detect/Block list already excluded by the Do Not Detect/Block list selections. See Figure 54 for details.
The Do Not Detect/Block list will impact all traffic that flows through BeSecure, including traffic from other BeSecure appliances that are downstream. This includes spam and virus signature update traffic. This should be taken into consideration during policy construction, and care taken to avoid this side effect.
If both Do Not Detect/Block and Detect/Block entries are specified, the decision whether to take action on a URL access attempt proceeds as shown in Figure 74. In outline, Figure 74 reads: for a URL access attempt, is the Do Not Detect/Block list empty? If it is not, and the URL matches the Do Not Detect/Block list, the URL is NOT detected or blocked. Otherwise, does the URL match the Detect/Block list? If yes, the URL is detected/blocked; if no, the URL is NOT detected or blocked.
8. Expand the URL List File panel. Here you can upload a .txt list of URLs in the format http://www.mywebsite.com/moreurl/evenmoreurl. Each URL must be on its own line, and each line separated by a CR (carriage return). An invalid file will trigger an error message, and the upload will fail.
Only one file can be uploaded and saved at any given time. If a new file is uploaded, it will
replace the current file, and all existing policies that referenced the original file will then
reference the new file instead. Figure 75 shows the dialog box used to upload the URL list file.
The Select button allows selection of the file, Upload uploads it. Cancel will close the dialog
without uploading. CANCEL next to the file name will remove the file from the window and allow
file reselection. The Done button will be enabled after the upload is successful. When clicked, it
will close the window and show the newly updated file name and policies on the URL Policies
page, along with the date that the file was last uploaded (see Figure 76).
To use the URL list file in the current policy, select the checkbox shown in Figure 76.
The list of existing policies is shown in the lower half of the screen. Clicking the icon next to the policy will bring up the policy details in the upper half of the screen for editing.
A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the policy.
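The two-list decision described above (and the URL List File format from step 8), in Python as an added example that is not BeSecure code. How a list entry matches a URL (exact, anything below it, or '*' wildcards) and what counts as an invalid list line are assumptions, since the page does not define them.

```python
"""Do Not Detect/Block vs Detect/Block decision for a URL policy, and a loader for the
URL List File.  Added example, not BeSecure code."""
import re
from typing import Iterable, List
from urllib.parse import urlsplit


def normalise(url: str) -> str:
    """Canonical form used for comparison: lower-case scheme and host, explicit '/' path,
    query kept, fragment dropped.  Absolute http(s) URLs only (assumption)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    host = parts.hostname.lower()
    if parts.port:
        host += f":{parts.port}"
    out = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    return out + (f"?{parts.query}" if parts.query else "")


def url_matches(url: str, entry: str) -> bool:
    """A list entry matches the URL itself, any URL below it, or, when it contains '*',
    any URL the wildcard pattern covers (matching rule is an assumption)."""
    u, e = normalise(url), normalise(entry)
    if "*" in e:
        pattern = ".*".join(re.escape(piece) for piece in e.split("*"))
        return re.fullmatch(pattern, u) is not None
    return u == e or u.startswith(e.rstrip("/") + "/")


def decide(url: str, do_not_list: Iterable[str], detect_list: Iterable[str]) -> str:
    """Order the text describes: the Do Not Detect/Block list is checked first, then the
    Detect/Block list.  Returns 'excluded', 'matched' or 'no match'."""
    do_not_list, detect_list = list(do_not_list), list(detect_list)
    if any(url_matches(url, e) for e in do_not_list):
        return "excluded"                  # URL is NOT detected or blocked
    if detect_list:
        return "matched" if any(url_matches(url, e) for e in detect_list) else "no match"
    # Only an exclusion list: all URLs except those listed match the policy.
    return "matched" if do_not_list else "no match"


def policy_applies(url: str, do_not_list: Iterable[str], detect_list: Iterable[str]) -> bool:
    """True when the policy's action (detect or block) is taken for this access attempt."""
    return decide(url, do_not_list, detect_list) == "matched"


def load_url_list_file(text: str) -> List[str]:
    """Parse an uploaded URL list: one absolute http(s) URL per line, lines separated by
    CR, LF or CRLF.  Any bad line fails the whole upload, as the manual describes."""
    urls: List[str] = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue                       # blank lines tolerated (assumption)
        try:
            urls.append(normalise(line))
        except ValueError as exc:
            raise ValueError(f"line {number}: {exc}") from exc
    return urls


def url_list_file_is_valid(text: str) -> bool:
    try:
        load_url_list_file(text)
        return True
    except ValueError:
        return False
```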
3.3.2 DLP Policies
DLP (Data Leakage Prevention) policies include the ability to specify various keywords and keyword
categories to search for in scanned data. Typically, the intention is to prevent outbound leakage of
sensitive data matching specified patterns. However, because the policy configuration allows the
selection of scan direction, these policies can also be used to prevent receipt or download of this type of
data. See Figure 77.
The BeSecure base license includes the ability to specify Individual Keywords using the wildcard patterns specified in Section 3.3.3. It also includes Keyword Categories, as shown in Figure 78. Keyword categories are more advanced regular expressions that can be used to detect several types of data with advanced alphanumeric patterns.
The available categories are those seen in Figure 78. Any additional information available regarding a
match on any of these categories will be reported in the BeSecure log, for example, the type of PCI card
matched.
The limitation of these features is that only the readily available plain text portion of downloaded data
can be scanned for these keywords and categories. Binary, formatted, and compressed file types cannot
be scanned with a base license.
If obtained with an extra license, Text Extraction is used to extract plain text from hundreds of proprietary
binary, formatted, and compressed file types (such as Microsoft Word and Excel, and ZIP and RAR
archives, see appendix in Section 11), which can then be scanned for the specified keywords and
categories. The presence and status of this module can be seen in the Text Extraction panel. See Figure
79. If the module license is installed and the text extraction is active, it will display an ENABLED status. If
not, it will be DISABLED. To enable it, a license must be obtained.
Policies Tab
To add a new DLP policy:
1. Select DLP Policies from the Content Control menu. The screen illustrated in Figure 77 and Figure 78 will be displayed.
1. Specify the Source endpoint of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
2. If AD/LDAP has been configured, a user or group Name can be used here. If the Name represents a group name, select the Group? checkbox.
3. Specify the Destination IP address endpoint to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
4. Select the Scan Direction. Source -> Destination will scan only the request. Destination -> Source will scan only the response. Both will scan in both directions.
6. Select the Action to take on policy match from the drop-down list:
a. Detect only: access to documents with matching keywords will be detected and logged.
b. Block access: access to documents with matching keywords will be detected, logged and BLOCKED.
If a specific time period or repeat type is desired, expand the Time Period panel and edit the following:
a. Select the Time Zone. This is the time zone that the policy times are relative to.
b. Select the Repeat Type. This indicates how the rule will be applied. Allowed values are EveryDay, DayOfWeek or DayOfMonth.
c. Select the Start Day and End Day. This specifies the start and end days of the interval during which the rule will be enforced. The interval can be specified using days of the week, Monday to Sunday, or a day of the month between 1 and 31.
d. Select the Start Time and End Time. This specifies the start and end time of the interval during which the rule will be enforced. 24 hour format must be used for these fields.
If the time period is not specified, then the policy will apply all the time.
9. If category matching is desired, expand the Keyword Categories panel. See Figure 78. Select the desired category checkboxes.
10. Expand the Individual Keywords panel. Add keywords to the keyword list by entering the value
into the text field and clicking the Add link or pressing the Enter key. This is the blocking criteria
that will be used. Any web page access will be checked for any keyword specified here.
11. Click on the Add button to save the new policy.
Hold the cursor over either IP address value in the Source or Destination column of the
existing policy list, and a tooltip will be displayed showing the keywords and names of the
selected categories that apply to this policy.
The list of existing policies is shown in the lower half of the screen. Clicking the icon next to the policy will bring up the policy details in the upper half of the screen for editing.
Policy changes may take up to 30 seconds to take effect on scanned traffic after the Add or Update button is clicked.
A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the policy.
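A keyword and category matcher of the kind the DLP policy above describes, written as an added Python example rather than BeSecure's engine: wildcard Individual Keywords, a payment-card category that reports the card type (the extra detail the text says is logged), the Scan Direction, and the Detect/Block action. The wildcard syntax, the category regex and the issuer prefixes are assumptions, not the product's definitions.

```python
"""Keyword and Keyword Category matching for a DLP policy.  Added example, not
BeSecure's engine; category regex and issuer prefixes are illustrative only."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


def wildcard_to_regex(keyword: str) -> "re.Pattern":
    """'*' matches any run of characters and '?' one character (assumed syntax)."""
    parts = []
    for ch in keyword:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to discard random digit runs that merely look like a PAN."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes, not inside longer runs.
CANDIDATE_PAN = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Illustrative issuer prefixes only; a real category would carry full BIN tables.
CARD_TYPES: List[Tuple[str, str]] = [
    ("Visa", r"4\d{12}(?:\d{3})?"),
    ("MasterCard", r"5[1-5]\d{14}"),
    ("American Express", r"3[47]\d{13}"),
]


def card_type(digits: str) -> str:
    for name, pattern in CARD_TYPES:
        if re.fullmatch(pattern, digits):
            return name
    return ""


def find_cards(text: str) -> List[Tuple[str, str]]:
    """(card type, masked number) for every Luhn-valid, typed PAN in the text."""
    found = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        kind = card_type(digits)
        if kind and luhn_ok(digits):
            found.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
    return found


@dataclass
class DlpPolicy:
    action: str = "block"                 # "detect" or "block"
    scan_direction: str = "both"          # "source->destination", "destination->source", "both"
    keywords: List[str] = field(default_factory=list)         # Individual Keywords
    categories: List[str] = field(default_factory=list)       # only "Credit Card" modelled


def evaluate(policy: DlpPolicy, request_text: str, response_text: str) -> Tuple[bool, List[str]]:
    """Return (blocked, log details).  Only the directions the policy selects are scanned;
    a 'detect' policy logs the same details but never blocks."""
    sides = []
    if policy.scan_direction in ("source->destination", "both"):
        sides.append(("request", request_text))
    if policy.scan_direction in ("destination->source", "both"):
        sides.append(("response", response_text))
    hits: List[str] = []
    for side, text in sides:
        for kw in policy.keywords:
            if wildcard_to_regex(kw).search(text):
                hits.append(f"{side}: keyword {kw!r}")
        if "Credit Card" in policy.categories:
            for kind, masked in find_cards(text):
                hits.append(f"{side}: Credit Card ({kind}) {masked}")
    return bool(hits) and policy.action == "block", hits
```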
The list of existing URLs is shown in the lower half of the screen. Clicking the icon next to the policy will bring up the details in the upper half of the screen for editing.
3.3.4 WebFilter
The WebFilter module uses a combination of technologies to provide blocking and detection of websites (the action taken) that are either malicious or belong to specified categories. Based on the user license, Cloudmark's Anti-Phishing and/or McAfee's SmartFilter are used for scanning and detection.
These engines are used by a WebFilter policy that specifies IP address and time period based rules for matching on HTTP URL requests, at which time the action selected in the policy is taken.
To add a new WebFilter policy:
1. Select WebFilter from the Content Control menu. The screen shown in Figure 81 will be displayed.
2. Specify the Source endpoint of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
3. If AD/LDAP has been configured, a user or group Name can be used here. If the Name represents a group name, select the Group? checkbox.
4. Specify the Destination IP address to which the policy shall apply. Check the box Entire Data Network to apply the policy to the entire network visible to the INGRESS interface, if desired.
5. Select the Action to take on policy match from the drop-down list:
a. Detect only: access to URLs belonging to selected categories will be detected and logged.
b. Block access: access to URLs belonging to selected categories will be detected, logged and BLOCKED.
c. Warn access: access to URLs belonging to selected categories will be detected, logged, and BLOCKED. This behaves similarly to Block access; however, in this case, a choice to ignore the warning and reject the block is offered as a link on the replacement page. In this case, subsequent access to this page will be allowed for a period of time.
6. If a specific time period or repeat type is desired, click on and expand the Time Period panel and edit the following:
a. Select the Time Zone. This is the time zone that the policy times are relative to.
b. Select the Repeat Type. This indicates how the rule will be applied. Allowed values are EveryDay, DayOfWeek or DayOfMonth.
c. Select the Start Day and End Day. This specifies the start and end days of the interval during which the rule will be enforced. The interval can be specified using days of the week, Monday to Sunday, or a day of the month between 1 and 31.
d. Select the Start Time and End Time. This specifies the start and end time of the interval during which the rule will be enforced. 24 hour format must be used for these fields.
If the time period is not specified, then the policy will apply all the time.
7. Click on and expand the Anti-Phishing panel, as shown in Figure 82. Selecting this checkbox enables the Cloudmark Anti-Phishing engine to check the requested URL against a database of malicious URLs, which is constantly updated along with the anti-spam signatures.
8. Click on and expand the SmartFilter panel, as shown in Figure 83. Here, available URL categories are shown on the left and selected categories are shown on the right. Specify categories for this policy by highlighting them and using the buttons in the center to move them from the left list box to the right list box.
9. Click the Add button to save the new policy. The new policy will appear in the list below.
The McAfee SmartFilter column in the existing policy list shows the number of categories selected / total number of categories. Hold the cursor over this value, and a tooltip will be displayed showing the names of the selected categories.
A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will bring up the policy details in the upper half of the screen for editing.
A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the policy.
1. Enter the URL into the field next to the Show Me button. See Figure 84.
2. Click the Show Me button. The matching categories will be moved to the top of each list and highlighted.
The list of existing URLs is shown in the lower half of the screen. Clicking the icon next to the policy will bring up the details in the upper half of the screen for editing.
A list of existing URLs is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the URL from the whitelist.
1. Select Traffic Blocking from the Next-Gen Firewall menu. The screen shown in Figure 86 will be displayed.
2. Specify the IP Address of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network.
3. Select the Time Zone. This is the time zone that the policy times are relative to.
4. Specify the Start Day and End Day. This specifies the start and end days of the interval in which the rule will be enforced. The interval can be specified using only days of the week, Monday to Sunday.
5. Specify the Start Time and End Time. This specifies the start and end time of the interval in which the rule will be enforced. 24 hour format must be used for these fields.
A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will bring up the policy details in the upper half of the screen for editing.
A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the policy.
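The Time Period fields shared by the URL, DLP, WebFilter and Traffic Blocking policies above (Time Zone, Repeat Type, Start/End Day, Start/End Time, and "no period means always"), evaluated in Python as an added example that is not BeSecure code. The TimePeriod class, the treatment of a Start Time later than the End Time as a window that crosses midnight, and the use of fixed-offset tzinfo objects (so no time-zone database is needed) are assumptions.

```python
"""Evaluation of a policy Time Period against an instant.  Added example, not
BeSecure code; field and function names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Optional, Union

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
REPEAT_TYPES = ("EveryDay", "DayOfWeek", "DayOfMonth")
MST = timezone(timedelta(hours=-7))   # constructed: fixed UTC-7 offset (Calgary standard time)


def utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Helper to build an aware instant for the examples."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_24h(value: str) -> time:
    """Start/End Time must be given in 24-hour HH:MM form."""
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


@dataclass
class TimePeriod:
    time_zone: tzinfo = timezone.utc
    repeat_type: str = "EveryDay"
    start_day: Optional[Union[str, int]] = None   # weekday name or 1..31; ignored for EveryDay
    end_day: Optional[Union[str, int]] = None
    start_time: str = "00:00"
    end_time: str = "23:59"

    def __post_init__(self) -> None:
        if self.repeat_type not in REPEAT_TYPES:
            raise ValueError(f"Repeat Type must be one of {REPEAT_TYPES}")
        if self.repeat_type == "DayOfWeek":
            for day in (self.start_day, self.end_day):
                if day not in WEEKDAYS:
                    raise ValueError(f"Start/End Day must be a weekday name, got {day!r}")
        elif self.repeat_type == "DayOfMonth":
            for day in (self.start_day, self.end_day):
                if not isinstance(day, int) or not 1 <= day <= 31:
                    raise ValueError(f"Start/End Day must be 1..31, got {day!r}")
        parse_24h(self.start_time)          # validate the time fields early
        parse_24h(self.end_time)


def period_is_valid(**fields) -> bool:
    try:
        TimePeriod(**fields)
        return True
    except (ValueError, TypeError):
        return False


def _in_wrapping_range(value: int, start: int, end: int) -> bool:
    """Inclusive range that may wrap around the cycle (Friday..Monday, 28..3)."""
    if start <= end:
        return start <= value <= end
    return value >= start or value <= end


def in_period(period: Optional[TimePeriod], instant: datetime) -> bool:
    """True if the aware instant falls inside the period.  No period = always applies."""
    if period is None:
        return True
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    local = instant.astimezone(period.time_zone)     # fields are relative to the Time Zone
    if period.repeat_type == "DayOfWeek":
        if not _in_wrapping_range(local.weekday(), WEEKDAYS.index(period.start_day),
                                  WEEKDAYS.index(period.end_day)):
            return False
    elif period.repeat_type == "DayOfMonth":
        if not _in_wrapping_range(local.day, period.start_day, period.end_day):
            return False
    start, end = parse_24h(period.start_time), parse_24h(period.end_time)
    now = local.time().replace(second=0, microsecond=0)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end       # window crosses midnight (our reading)
```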
2. Select either Detect or Block for any desired categories. Detect will only log any rule matches. Block will prevent passage of the traffic.
3. Click Save. A green icon next to the category indicates that the category is active.
Recognized attack behaviour can be detected or blocked, based on the perceived risk and experienced frequency.
The available categories and their descriptions are listed on the Next-Gen Firewall > Server Security screen, as shown in Figure 88. Selection of any of these categories will apply to all traffic source and destination endpoints.
2. Select either Detect or Block for any desired categories. Detect will only log any rule matches. Block will prevent passage of the traffic.
3. Click Save. A green icon next to the category indicates that the category is active.
3.5 Reports
BeSecure provides you with comprehensive reporting features, allowing you to review the system log
information, statistics, serviced clients, policy details, and administrator accounts.
3.5.1 Logs
To access the logs summary information:
1. Select Logs from the Reports menu. The screen shown in Figure 89 will be displayed.
These Logs are a short summary of what is visible using System > Logging Setup, and show:
System Start Time: the last time BeSecure was powered on or restarted
Last Clean Shutdown Time: the last time BeSecure was shut down
Last Configuration Modification Time: the last time the configuration was changed
Last Modification Admin Name: the last administrator to modify the configuration
Last Anti-Virus Signature Update: the last time the virus database was updated
Last Anti-Spam Signature Update: the last time the spam database was updated
Last WebFilter Signature Update: the last time the WebFilter database was updated
3.5.2 Statistics
To view specific scanner statistics, select Statistics from the Reports menu. The screen in Figure 90 will be
displayed. Statistics grouped by protocol are shown.
1. Select Serviced Clients from the Reports menu. The screen in Figure 91 will be displayed.
3. Click the Display button. The screen shown in Figure 92 will appear, providing a complete listing of the policies that are active for the selected services.
1. Select Policy Details from the Reports menu. The screen in Figure 93 will be displayed.
2. Enter the Source and Destination endpoints for which a list of active policies is desired.
4. Click the Show Policies button. The screen shown in Figure 94 will appear, providing a complete listing of the policies applicable to the specified addresses.
System Graphs
The following graphs are currently available:
CPU Usage: Shows the percentage of CPU time spent in
sys: The percentage of CPU spent on processes running in System Mode. For advanced diagnostic purposes.
nice: The percentage of CPU spent on handling niced tasks. For advanced diagnostic purposes.
idle: The idleness of the CPU. This is the indicator of how much stress the system is under in handling standard tasks.
iowait: The percentage of CPU spent on handling I/O wait for the processes. For advanced diagnostic purposes.
Memory Usage:
cached: Memory in the page cache (disk cache) minus the swap cache.
System Temperature: Both CPU and system temperature over time measured in Celsius
Fan Speed: The speed of the various system fans in revolutions per minute (RPM)
Processes: Event/sec tracking of new processes, process forks, and process blocking
File System Usage: Percentage measurement of file system usage for
  Flash memory: The primary BeSecure mode of persistent storage. Log files are stored here periodically when localhost is specified as the syslog host (see Section 0).
  RAM disk for logging: Log messages are stored here, until the size exceeds a pre-defined limit. At that point, the older logs are backed up onto the flash memory.
  Temporary RAM-based file system for storage of files and messages while
Service Graphs
Service Graphs contains graphs relating to the BeSecure services and policies. As the time scale is
adjusted, the values in the legend show the total number of viruses blocked, spam detected, or traffic
scanned for that range of time. The following graphs are currently available:
Viruses Blocked: The number of viruses detected and blocked, colour coded by protocol.
Spam Detected:
protocol.
Scanned Traffic for Each Protocol: The bytes/sec measurement of scanned traffic for each protocol.
This is only traffic that is scanned as a result of an active policy. Larger values indicate greater
volumes of traffic for that protocol at that point in time.
SubSonic Graphs
SubSonic Graphs displays statistics related to the performance of the SubSonic Content Recognition
mechanism of BeSecure. These provide a more graphic representation of the numbers available on the
Reports > Statistics page. The following graphs are available:
SubSonic Cache Hit Percentage: The percentage of request/response scanning accelerated by the
SubSonic mechanism. The gray area represents ALL protocols, and the value for each separate
protocol is displayed as a different coloured line. The legend displays the current cache hit
percentage for each protocol.
SubSonic Scan Savings: The bytes/sec measurement of traffic accelerated by SubSonic for each
protocol. This can be compared to the total Scanned Traffic for each protocol on the Reports >
Service Graphs screen. As the time scale is adjusted, the values in the legend show the total number
of bytes accelerated by SubSonic during that range of time.
Network Graphs
Network Graphs contains graphs relating to the traffic throughput of each of the active network
interfaces. Each graph shows incoming and outgoing data rates in bytes/sec. The positive y-axis shows
the incoming data rate and the negative y-axis shows the outgoing data rate. The following graphs are
currently available:
Control Interface: Traffic passing through the control port (when configured).
Field                    Possible Values
Time Stamp               YYYY-MM-DD hh:mm:ss
Protocol
Action                   DETECTED, BLOCKED
Reason                   VIRUS, SPAM, KEYWORD, URL, WEBFILTER, OVERSIZE
Source IP Address        A valid IP address.
Destination IP Address   A valid IP address.
User Name                A user name character string.
Source Info              A valid e-mail address.
Destination info
Detail
1. Navigate to Reports > Event List. The event list filter will be displayed, as in Figure 99.
2. Provide any desired filtering criteria, or if all events are desired, leave the fields blank.
3. The Clear Filter button can be used to reset the filter parameters and the content of the generated list.
The top of the Event List page displays whether Event Reporting is enabled. Clicking the ENABLED/DISABLED link (see Figure 99) will take you to the System > Event Reporting page, where reporting configuration (including enabling/disabling) can be done. See Section 3.1.12.
The Reports > Event Summary page presents an overview of the events from the event list in a visual manner. See Figure 101 and Figure 102 for details.
Each section of the summary is a pie chart and table of data displaying:
  Event Distribution by Reason: see Figure 98 for the list of reasons
  Top Destinations: the most common servers providing data to clients, as IP addresses
  Top Source IP Addresses: the most common client IP addresses making requests
  Top Detail Information: virus names, keywords blocked, WebFilter categories matched, etc.
2. Enter a Start Date and/or an End Date. Leave the fields blank if all events are desired.
3. Each panel of the event summary will appear similar to the one shown in Figure 102. The details that each panel displays can be limited by selecting a Protocol or Reason from the drop-down lists. The chart and table will be updated appropriately.
3.6 Diagnostics
The Diagnostics menu contains several tools that can be used to test configurations and troubleshoot
network issues.
1. Select Configuration Check from the Diagnostics menu. See Figure 103.
Any changes made here will only apply until the next Restart Services, Reboot, or Shutdown.
Any changes made to the Diagnostics > Health Monitor configuration will only last until
the next Restart Services, Reboot, or Shutdown, found on the System > Shutdown
screen.
The various states that can be displayed as an icon to the left of the test names are as follows. The bold labels are visible as tooltips when the cursor is held over the icon:
  Passing, initial (no check has occurred yet), or recovered (passing again after failure).
  Disabled, but was passing before it was disabled.
  Failing.
  Disabled, and was failing prior to being disabled.
This screen also allows direct control over the Health Monitor triggered online/offline state. If the Health Monitor puts the system into OFFLINE mode (shown in the header of any web management console page, as in Figure 105), the Go Online button can be used once the failure condition has been rectified.
Normally, if extremely high CPU usage is experienced consistently over a period of time, the CPU Usage Health Monitor system check can put the system into OFFLINE mode to prevent network performance degradation. If high-stress situations are typical, such as heavy traffic with a large number of sessions with small payloads, it can be desirable to bypass a percentage of the traffic instead of allowing the Health Monitor to take the system offline. The Enable traffic bypassing on high CPU usage option allows a percentage of the traffic to be bypassed (passed through without being scanned), based on how consistently high the CPU load is. Note that this bypass will not begin until the CPU is consistently at a very high value (above 95%), which will occur very rarely. The longer the CPU usage stays above this threshold, the greater the percentage of traffic bypassed. The system will return to its regular scanning levels when it is determined that network performance or stability will not be adversely affected.
Should a critical failure cause the device to go offline, steps should be taken immediately to rectify the situation. Usually, the failure mode is temporary, and the test can be re-enabled and the device brought back online. See Section 4.11.
1. Select Problem Report from the Diagnostics menu. See Figure 103.
2. Click the Generate new problem report button to generate a new problem report. Note that this will overwrite any previously generated problem report available as a link below this button.
Click the link below the Generate new problem report button to download the most recently generated problem report.
1. Select Traffic Capture from the Diagnostics menu. See Figure 107.
2. Optionally, enter values for Port and/or IP Address to limit the captured data to that port number and/or host IP address. This applies to both requests and responses.
3. Click the Start button to generate a new traffic capture report. Note that this will overwrite any previously generated traffic capture report available as a link below this button.
4. At this time, generate the traffic to be captured and analyzed. For example, make the HTTP request, or check the e-mail account that is experiencing unusual behaviour.
5. Click the Stop button when finished to complete the generation of the traffic capture report. The report download will be available via the hyperlink below the buttons.
Click the link below the Start button to download the most recently generated traffic capture report.
2. Generate the diagnostic file using the steps outlined in Section 3.6.3 or 3.6.4.
3. At the base of the page, expand the Submit to Product Support panel.
4. Enter the Ticket No., if you have one. If not, leave it blank and a new ticket will be opened.
5. Enter a Contact E-mail. This is only required if an existing ticket number is not entered in Step 4.
6. Enter a Description of the problem. This is important for Wedge Networks personnel to understand the nature of the problem.
If a new ticket is issued (if an existing Ticket No. isn't entered), an automated e-mail will be sent to the Contact E-mail specified. Otherwise, the upload is associated with the existing ticket number. Regardless, Wedge Networks support staff will contact you as soon as possible.
1. Enter the IP address or host name into the Host field. See Figure 109 for the Ping tool.
2. The results will be similar to those shown in Figure 109 for Ping.
Several of the Diagnostics console pages wait until the system command is complete before returning a command result. Please allow several seconds for the command to complete and the result to be returned.
4 ADVANCED TOPICS
This section provides you with more in-depth discussion of advanced BeSecure configuration.
1. Connect your client machine's serial port to the BeSecure console port. This is the 9-pin serial port or the RJ-45 jack labeled
   or CON.
2. Using a terminal client such as HyperTerminal, create a new connection that uses your client's serial port (example: COM1) and the following settings:
   9600 bps
   8 data bits
   No parity
   1 stop bit
3. At the prompt, log in using the default administrator username admin and password admin.
To access the CLI via SSH:
1. Using an SSH client on a network connected to a BeSecure interface, connect to the BeSecure machine using:
   ssh admin@<your BeSecure IP address>
2. Login using the default password admin.
Administrator accounts can be added and edited using System > Administrators in the management console, or using the admin CLI command (see below). Only readwrite administrators can access the CLI. CLI accounts created using the admin command are readwrite users of the management console as well.
Command          Description
admin
backup
bdav
bitdefender
cd
cloudmark
cm
cwd
exit             Exit CLI.
gen
generate
healthmonitor
help
kaspersky
kav
license
log              Edit logging settings, such as log level and remote syslog host.
ls
net
network
pwd
quit             Exit CLI.
quota
raid
reboot
reporting
restore
reset
route
scanner
scp
scr
sdav
service
shutdown
snmp
statistics
status
streamdefender
subsonic
system
tcp
traffic
usage
webfilter
wf
Help Usage
The help command will get you the above list of commands. Using help <command> will get you detailed help on the usage of the specified command. Some conventions used in the usage messages:
[ ] - the item is optional
{ | } - select one of the items within '{}' and between '|'. For example: { control | device } means the user needs to type 'control' or 'device'
<string> - a value/string is required. 'string' is replaced with a useful identifier to remind users what is required. For example, <ip> means an IP address is required.
token - A character sequence with no whitespace and none of the following characters: []{}|<> . This represents a string that needs to be entered as it is shown. Examples: host, add.
show
host add <ip> [ gateway <ip> ] via { control | device }
host { rm | remove } <ip> [ gateway <ip> ] via { control | device }
net add <ip> netmask <netmask> [ gateway <ip> ] via { control | device }
net { rm | remove } <ip> netmask <netmask> [ gateway <ip> ] via { control |
All commands can end with an optional ';'. Therefore, either of these are valid:
route show
route show;
This also allows multiple ;-separated commands to be typed in and executed on the same line.
CLI History
The CLI has a built-in history. It can be accessed with:
1. The Up/Down arrow keys.
2. The Ctrl-p/Ctrl-n key combinations.
Either method allows access to the previous or the next command in the history list. The history is NOT saved between login sessions.
Upgrading from 3.1.2: Because there is no way of knowing the current value of the admin password when a System Update occurs, the CLI password will need to be manually reset in order to synchronize it with the current management console admin account password. To do this:
The management console and CLI admin user account passwords will now be synchronized.
a. Connect a client machine's serial port to the BeSecure console port. This is the 9-pin serial port or the RJ-45 jack labeled
   or CON.
b. Using a terminal client such as HyperTerminal, create a new connection that uses your client's serial port (example: COM1) and the following settings:
   9600 bps
   8 data bits
   No parity
   1 stop bit
c. At the prompt, use the username resetpassword and the password default! to login. The following will be displayed:
   Reset password for admin (y/n)?
d. Press y to reset the admin password to admin and exit. Press n to exit without resetting the password.
Normally, when scanning resources are fully utilized, new connections will wait until scanning resources
are available (scanner bypass is disabled). By enabling scanner bypass, any new connections will bypass
the scanning engine. This eliminates any latency that will occur when the device is under constant heavy
load. However, it also means that some traffic is not scanned, increasing the chance of malware entering
the network.
2. Scanner bypass when an IP address has too many concurrent scans occurring.
scanner bypass ip { enable | disable }
scanner bypass ip set max <number>
Enabling the scanner bypass by IP address limits a particular IP address to the set number of concurrent scans.
3.
Certain browsers allow a previously canceled download of compressed or archived content to be resumed, with the client browser requesting only the remainder of the content that wasn't previously downloaded (because the initial part of the file exists in the browser cache). In these cases, BeSecure does not have access to the beginning portion of the file content, so it cannot decompress it to perform an effective scan on this compressed partial content.
To handle these cases, BeSecure can be configured to pass (allow through without scanning) or block the remaining bytes of these partial archives.
When configured with block, a user whose browser requests the remainder of compressed partial content will see an error when attempting this type of download. They are required to clear their browser cache to eliminate this error. This ensures that the file is downloaded again in its entirety, and a proper decompression and scan will occur.
With pass, the end user will receive their content without any error, but neither portion of the compressed content will have been scanned for malware.
4.
If it is known that a particular type of file has a very low chance of containing malware, HTTP AV scanning can be configured to not scan that MIME type. This can increase performance by lowering the number of scans taking place, especially if that MIME type is normally scanned very frequently. To return the list of MIME type exclusions to the default, use
scanner http content-type exclude default
5.
By default, when SMTP spam is blocked, a 554 5.6.0 reply code with the message "Message contains spam" is returned to the sending MTA. This can be customized here should circumstances require it to change. It can also be changed using the web user interface, on the Protection > Anti-Spam Setup page. See Section 3.2.4 for more details. The commands to do this with the CLI are:
scanner smtp block show
scanner smtp block set code <number> text <text>
The number is the reply code in the format XXX X.X.X (example: 554 5.6.0) and the text is the desired message. Following the standard outlined in RFC 2821, this means:
a. The error code is a number between 200 and 554 and must start with 2, 4, or 5.
b. The error code can be followed with an optional status. This status is composed of 3 digits separated by dots (example: 5.6.0). The first digit must match the first digit of the error code. The other two digits can be any numbers between 0 and 999.
c. The text message can only contain ASCII characters and is limited to 500 characters. Quotes are not required when specifying the message using the CLI.
A list of SMTP reply codes can be found in Appendix D: SMTP Reply Codes.
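As an added example (not from the manual or the product), the following Python check applies rules a, b and c above to a proposed code and text before they are entered with scanner smtp block set; the reply_class helper is my assumption based on the RFC 2821 reply-code classes and is not something the manual states.

```python
import re

# Accepts "XXX" or "XXX X.X.X" as the manual describes; the status parts
# may be 1 to 3 digits each ("any numbers between 0 and 999").
_REPLY_RE = re.compile(r"^(\d{3})(?: (\d)\.(\d{1,3})\.(\d{1,3}))?$")


def validate_block_reply(code: str, text: str) -> list:
    """Return the list of rule violations for a proposed SMTP block reply.

    An empty list means the code/text pair satisfies rules a, b and c:
    code range and leading digit, status prefix match, and ASCII-only
    text of at most 500 characters.
    """
    problems = []
    m = _REPLY_RE.match(code.strip())
    if m is None:
        problems.append("code must be 'XXX' or 'XXX X.X.X' (example: 554 5.6.0)")
        return problems
    basic = int(m.group(1))
    if not 200 <= basic <= 554 or m.group(1)[0] not in "245":
        problems.append("reply code must be between 200 and 554 and start with 2, 4 or 5")
    if m.group(2) is not None and m.group(2) != m.group(1)[0]:
        problems.append("first digit of the status must match the first digit of the reply code")
    if not text.isascii():
        problems.append("text may only contain ASCII characters")
    if len(text) > 500:
        problems.append("text is limited to 500 characters")
    return problems


def reply_class(code: str) -> str:
    """Classify a reply by its leading digit (assumption: RFC 2821 classes).

    A block reply starting with 4 tells the sending MTA to retry later, so
    blocked spam would be re-offered repeatedly; 5 is a permanent reject.
    """
    return {"2": "success", "4": "transient", "5": "permanent"}.get(code.strip()[:1], "invalid")


if __name__ == "__main__":
    # Constructed inputs: the manual's default reply and two mistakes.
    for code, text in (("554 5.6.0", "Message contains spam"),
                       ("554 4.6.0", "Message contains spam"),
                       ("450", "Try again later")):
        print(code, reply_class(code), validate_block_reply(code, text) or "ok")
```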
7.
The SMTP protocol RFC outlines a means of sending e-mail message content using a technique known as CHUNKING. BeSecure does not support the scanning of messages sent using this capability, so it must be configured either to pass through or to block the use of CHUNKING to transfer data.
scanner smtp chunking { block | pass }
By default, this is set to pass. This means that message content sent using CHUNKING will NOT be scanned. If set to block, BeSecure will prevent the CHUNKING from occurring. The SMTP server will send the data in another manner, and the content will be scanned normally.
8.
This command allows specifying a fixed value to be sent as the parameter with any SMTP EHLO command sent by a server on the protected network, regardless of what the server has already specified as the parameter.
This prevents multiple SMTP servers behind a NAT gateway, each of which may send a different parameter with its EHLO, from causing the NAT external address to be blacklisted by reputation authorities. Random EHLO parameters from the same address are seen as suspicious behaviour, with the result that regular e-mail from behind that NAT address gets classified as spam.
9.
Longer socket timeouts required for scanning of any of the supported protocols.
The default timeout settings for all protocols are 60000 ms for read and 30000 ms for write. In some deployments, BeSecure's default protocol socket timeout values may not be adequate, resulting in incomplete downloads or termination of server connections with errors. This usually occurs during downloads of larger files.
Adjusting the read and write timeout values can be helpful in these cases. The write timeout determines
how long BeSecure will wait to send data. The read timeout determines the length of time BeSecure will
wait to receive data. In these cases, the read and write socket timeouts can be set on a per protocol
basis using:
scanner <protocol> timeout show
scanner <protocol> timeout { read | write } set <milliseconds>
The <protocol> is one of ftp, http, icap, imap, pop3, or smtp. The timeout value must be
between 2000 and 1800000 milliseconds. It can be difficult to determine which of the read or write
timeouts should be adjusted, so experimentation may be required. Please contact Wedge Product
Support for assistance if required, as this is an advanced feature and can impact performance if set
incorrectly.
Changing the timeout settings will cause a brief interruption in the traffic that is being
scanned. This command should only be run if you are prepared for the network traffic
interruption.
network
icmp block is only applicable to 2-interface router mode, with HA turned off. Normally, the BeSecure will respond to ICMP requests on the INGRESS and EGRESS ports unless the control interface is active, in which case ICMP requests are blocked on the INGRESS and EGRESS ports.
The behavior changes in 2-interface router mode with HA off, and this command controls this new behavior.
By default, this is set to always: ICMP (ping) is blocked on the INGRESS and EGRESS ports in 2-interface router mode with HA off, whether or not the control interface is configured.
In certain situations, it is desirable to allow ICMP requests, such as when deploying BeSecure into an
Alteon load-balancing environment, which requires ICMP for regular operation. In these situations, the
command
network icmp block auto
should be used to allow ICMP requests on the INGRESS and EGRESS ports, until the Health Monitor (see
Section 4.11) determines that a failure mode has occurred, at which point ICMP will be blocked until the
failure is resolved.
This enables and disables the SubSonic mechanism, just as the System > SubSonic page does using the
management console.
Figure 110: SubSonic MIME include/exclude decision flow (text rendering of the diagram):
  File is accessed -> Include list empty?
    No  -> Include matches content type of file?
             No  -> Regular Scan
             Yes -> Exclude matches content type of file? Yes -> Regular Scan; No -> SubSonic Scan
    Yes -> Exclude matches content type of file? Yes -> Regular Scan; No -> SubSonic Scan
subsonic mime { include | exclude } show
subsonic mime { include | exclude } clear
subsonic mime { include | exclude } add <mime-type>
subsonic mime { include | exclude } { remove | rm } <mime-type>
This set allows the specification of a content (MIME) type include and exclude list. The list of include
entries is checked first, and then the exclude list is checked. By default, all types are included. Specifying
include entries allows SubSonic to be applied to only a subset of content types. Specifying exclude entries
further refines the list by listing types that should not be SubSonic scanned, of the types that are included.
See Figure 110 for a graphical explanation.
subsonic filesize
This set of commands allows a maximum file size to be used to determine whether data with a particular
content type should be SubSonic scanned. As stated above, the performance increase enabled by
SubSonic is greater when used with larger data sizes.
As with keywords and URLs specified in Keyword and URL Policies, the syntax used when specifying the
MIME type is:
? - matches any single character
* - matches zero or more characters
+ - matches one or more characters
For example, text/* will match text/html and text/plain. See Section 3.3.3 for further details.
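As an added example (not the manual's or the product's own code), the following Python implements the include-then-exclude decision described above together with the ?, * and + wildcard syntax; stripping Content-Type parameters such as a charset before matching is my assumption, since the manual does not say how they are treated.

```python
import re


def mime_pattern_to_regex(pattern: str):
    """Translate the manual's wildcard syntax into an anchored regex.

    ? matches any single character, * zero or more, + one or more;
    every other character is taken literally.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        elif ch == "+":
            parts.append(".+")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def mime_matches(pattern: str, content_type: str) -> bool:
    return mime_pattern_to_regex(pattern).match(content_type) is not None


def normalize_content_type(header_value: str) -> str:
    """Assumption: compare only the media type, without parameters.

    'Text/HTML; charset=utf-8' becomes 'text/html'.
    """
    return header_value.split(";", 1)[0].strip().lower()


def subsonic_decision(content_type: str, include: list, exclude: list) -> str:
    """Apply the include list first, then the exclude list.

    Returns 'subsonic' when the content type qualifies for the SubSonic
    scan and 'regular' when it falls back to a regular scan.
    """
    ctype = normalize_content_type(content_type)
    # An empty include list means every type is included.
    if include and not any(mime_matches(p, ctype) for p in include):
        return "regular"
    if any(mime_matches(p, ctype) for p in exclude):
        return "regular"
    return "subsonic"


if __name__ == "__main__":
    # Constructed lists: include text/*, but never SubSonic-scan text/html.
    include, exclude = ["text/*"], ["text/html"]
    for ct in ("text/plain", "Text/HTML; charset=utf-8", "image/png"):
        print(ct, "->", subsonic_decision(ct, include, exclude))
```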
2. Under Fiber Support (near the bottom of the screen), select Use fiber ports as data ports. See Figure 111.
3. The port status displayed on the System > Status page will update the Function to show that the fiber ports are now INGRESS and EGRESS.
1. Go to the File menu and select New > Mail Message to compose a new, empty e-mail message.
3. From the message list in Outlook/Outlook Express, grab the e-mail icon for the misclassified e-mail and drag it into the new e-mail created in step 1. You may drag and drop as many e-mails as you like into the report, up to the size limit of your outgoing e-mail.
5. Go to File->New Message.
8. Click Send.
2. Create an Account, using the link in the upper right corner, and activate the account using the e-mail message sent to you.
6. Type in the URL you want to check, and then click on Check URL.
7. On the results page, suggest any category changes that you feel are appropriate. Add a detailed note explaining your reasoning, if desired.
9. On the E-mail Notification page, enter an e-mail address to which status updates will be sent. Click Submit.
10. Click Track URL Ticket Status under the Feedback menu. Your request will be displayed along with its ticket ID and status.
At any time, the status can be checked under Track URL Ticket Status. E-mail messages will be sent to the e-mail address specified in Step 8, as the status of the request changes. If approved, the URL category changes will be included in the next signature update.
4.9.3 Configuring the ICAP Client to Work with the BeSecure ICAP Server
BeSecure has three services:
reqmod-scan: For the ICAP REQMOD method, use this service.
respmod-scan: To use the ICAP RESPMOD method, use this service.
scan: This service can be used with both the ICAP REQMOD and RESPMOD. It is intended for those
devices or applications in which only one ICAP URI can be specified (ex. Websense)
Each service can be configured in the ICAP client with the following URI structure:
icap://<BeSecure IP Address>:1344/<service name as in list above>
The port number is the default ICAP port of 1344. It may or may not need to be specified directly in the
URI. This depends on the ICAP client being configured.
Here are sample entries for a Squid 3.0 ICAP client configuration:
icap_service service_1 reqmod_precache 0 \
    icap://<BeSecure IP address>:1344/reqmod-scan
icap_service service_2 respmod_precache 0 \
    icap://<BeSecure IP address>:1344/respmod-scan
BeSecure WCCP supports scanning of SMTP, POP3, IMAP, and HTTP. NOTE: FTP is not supported.
2. The router or switch encapsulates the request (to prevent any modifications to the original packet) using WCCP and redirects it to the BeSecure appliance.
3. The BeSecure appliance then makes the request to the destination server on behalf of the client, scanning the request, and provides the response supplied by the destination server, scanning it if necessary.
  BeSecure services provided without being in-line with the data traffic
  Manage BeSecure failover without HA, with the router deciding on the fly what to do on failure detection
There are two basic modes of BeSecure WCCP operation, router and switch. The router mode is the default, and is meant to operate with the various routers that use GRE tunneling for forwarding and return of data. The switch mode is for switches that use L2/MAC redirection for their forwarding and return methods. Table 4-1 outlines the default method settings for these two modes.
The WCCP version is set to 2 by default. Version 1 can be selected using the version
command. Only router mode is available under version 1. If the version is changed to 1, the mode will
automatically be set to router, and the defaults set as in Table 4-1.
As well, when router or switch mode is selected using the CLI command, all the methods are changed
back to the default settings as listed in Table 4-1.
TABLE 4-1: WCCP MODES DEFAULT SETTINGS
Mode     Forwarding          Return              Assignment
Router   GRE tunneling       GRE tunneling       hash
Switch   L2/MAC redirection  L2/MAC redirection  mask
For some WCCP-enabled network appliances that behave differently from the default, the forwarding and
return methods of BeSecure can be overridden using the forwarding and return commands, and the
assignment method using the assignment command. See Table 5-3. The documentation for any WCCP
router or switch should be consulted to determine the correct settings for each of these BeSecure WCCP
methods. When a command is used to change a WCCP method type, the mode shown using the net
wccp show command will display custom, as opposed to router or switch, indicating a method
override has taken place.
TABLE 4-2: WCCP EXAMPLE MODE AND METHOD CONFIGURATIONS FOR NETWORK DEVICES
Device       Mode     Forwarding  Return  Assignment
             router   GRE         GRE     hash
Cisco 3550   switch   L2/MAC      GRE     hash
Cisco 3750   switch   L2/MAC      L2/MAC  mask
Cisco 4506   switch   L2/MAC      L2/MAC  mask
Cisco 6509   switch   L2/MAC      GRE     mask
1. Configure the router or switch that will be used to forward the request to BeSecure via WCCP (vendor specific).
5. Enable WCCP.
   network wccp enable
6. Connect ONE of the INGRESS or EGRESS ports to the network. Only one connection is required.
1. Configure the router or switch that will be used to forward the request to BeSecure via WCCP (vendor specific). This device should be configured with different address settings than the first router or switch.
2. Add support for SMTP (port 25), POP3 (port 110), IMAP (port 143):
   net wccp redirect port add 25,110,143
3. Configure the WCCP-capable router or switch with the appropriate service group numbers. In this case, add service groups 60 (for outgoing traffic) and 160 (for return traffic).
BeSecure assigns 7 ports to each service group. Service groups start at group number 60 for the client side (which redirects when the destination port matches the port in the list configured in Step 2), and 160 for the server side (which redirects when the source port matches). See Section 4.10.1 for more details.
Policies MUST exist for a WCCP-configured port; otherwise BeSecure will not accept the WCCP connection request.
enable
disable
debug enable
debug disable
md5 disable
Set the IP address to use for the remote end point of the GRE tunnel. This should be the Router ID, which the WCCP device should generate. Perform 'show ip wccp' on the device to find this address. The server number indicates which WCCP server this address corresponds to. The default server number is 1.
version set { 1 | 2 }
redirect port clear
redirect port add <number>,..<number>
redirect port remove <number>,..<number>
HA mode: the device will enter a failover condition and send notifications that it is offline, so that one of the HA Stand-By devices can go into Active mode and handle traffic. Scanning will continue to occur, as long as there is a stand-by device to take over.
Non-HA mode: the device will enter a software bypass mode, with all traffic allowed through the device without any scans occurring.
WCCP enabled: WCCP is disabled, causing the WCCP router or switch to cease forwarding traffic for scanning. No scanning will occur until the failure condition is rectified and WCCP is re-enabled.
Alteon load balancing: If in an Alteon load balancing situation and the network icmp block CLI configuration option is set to auto (see the network CLI command), ICMP (ping) will be blocked on both INGRESS and EGRESS.
Offline Recovery
Should a critical failure cause the device to go offline, these steps should be taken immediately to rectify the situation:
1. Identify the failing component by examining the System > Status page or the Diagnostics > Health Monitor screen.
2. On the Diagnostics > Health Monitor page, re-enable the test by selecting the checkbox and clicking Apply Changes.
3. If the test passes, click Go Online. The device will return to normal operation. If the test continues to fail, go on to Step 3.
5. If that fails, System > Shutdown > Reboot should be attempted. Success will be indicated by a green status indicator on the System > Status page for all components, as well as for all the system health checks on the Diagnostics > Health Monitor page.
The Health Monitor sends out notifications listing the component first, such as Anti-Spam or Anti-Virus, the result of a
For CPU Usage, Memory Usage, Disk Usage, and Protocol Scanner Usage notifications, an example failure
message is
FAILED, Memory Usage has been greater than 90% for 12m49s.
This indicates that the specified test has failed for the specified number of minutes and seconds. In these
cases, the threshold varies per platform, and is selected based on platform CPU, memory and disk size.
The failure must exist for a minimum of 5 minutes before any notification is sent, and a notification will
only be sent every 2 hours, unless the failure mode has been resolved.
If the memory, disk and proxy thread pool usage thresholds are frequently exceeded, it may indicate that
the scanning load on the appliance is too high. Product support personnel can assist with this
determination.
At that point, a success notification message will be sent, in the following format:
PASSED, Memory Usage is within normal operating range.
Each of the notifications will identify which of the components listed above that it relates to. Other
messages will be formatted as follows:
[2010-05-13 17:17:57-0600]
BeSecure (3.1.8-394); IP Address: 192.168.100.67
Line 1 shows the time of the event, line 2 shows the BeSecure version number and IP address, and line 4
indicates the component name (in the above case, the protocol scanners), which event occurred
(recovery) and the result of the event (successful).
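Added example (not from the manual): a small Python parser for the FAILED/PASSED notification lines shown above, so that the component, threshold and duration can be handed to a monitoring system instead of being read by eye; accepting an hours field in the duration (the manual only shows 12m49s) and the sample lines in the main block are my own constructions.

```python
import re

# "FAILED, Memory Usage has been greater than 90% for 12m49s."
# "PASSED, Memory Usage is within normal operating range."
_LINE_RE = re.compile(
    r"^(?P<state>FAILED|PASSED), (?P<component>.+?)"
    r"(?: has been greater than (?P<pct>\d+)% for (?P<dur>[0-9hms]+)"
    r"| is within normal operating range)\.$"
)
# Assumption: durations are [Nh][Nm][Ns]; the manual only shows minutes and seconds.
_DUR_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_duration(text: str):
    """'12m49s' -> 769 seconds; None when the text is not a duration."""
    m = _DUR_RE.match(text)
    if m is None or not any(m.groups()):
        return None
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s


def parse_health_notification(line: str):
    """Return a dict for a FAILED/PASSED line, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "state": m.group("state"),
        "component": m.group("component"),
        "threshold_pct": int(m.group("pct")) if m.group("pct") else None,
        "duration_s": parse_duration(m.group("dur")) if m.group("dur") else None,
    }


def unresolved_failures(lines):
    """Components whose most recent notification is still FAILED.

    A later PASSED line for the same component clears the failure.
    """
    latest = {}
    for line in lines:
        n = parse_health_notification(line)
        if n is not None:
            latest[n["component"]] = n["state"]
    return sorted(c for c, s in latest.items() if s == "FAILED")


if __name__ == "__main__":
    # Constructed sample lines in the manual's format.
    sample = [
        "FAILED, Memory Usage has been greater than 90% for 12m49s.",
        "FAILED, CPU Usage has been greater than 95% for 5m0s.",
        "PASSED, Memory Usage is within normal operating range.",
    ]
    for line in sample:
        print(parse_health_notification(line))
    print("still failing:", unresolved_failures(sample))
```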
system offline
system online
158
4.0.4
3.
4.
At this time, the actions that cause the problematic behaviour should be taken. For example,
accessing of a web page with a client, triggering the scanning of HTTP traffic.
When complete, press the Enter key at the BeSecure CLI. A message such as the following will be
displayed:
Traffic capture created.
'/files/20081105162214.Capture.tar.gz'
2. Run setup.exe.
5. Select a different installation directory, or leave the default and click Next >.
6. Select a different local package directory, or leave the default and click Next >.
7. Select your Internet Connection. If you don't know which type of connection you have, just click Next >.
9. Select Packages for installation. For our purposes, just ensure that the Bin? box is selected for the All > Net > openssh package. Click Next >.
Typically, the closer the site is to your location, the faster the download.
Start the Cygwin Bash Shell using the shortcut placed on the desktop or in the Start menu.
Under the section stating Disable legacy (protocol version 1) support, make sure that the line
reads Protocol 2 and is not commented out with #.
9. You may now use your Windows XP client as the SSH server mentioned in the previous section, Generating the Files. Replace <username>@<sshserver> with <Your Windows User>@<IP address of your Windows machine>. When prompted for a password by the scp command, use your Windows account password.
4.13 RAID
Certain models are equipped with dual hard disk/solid state drive slots, which are configured in a RAID
(Redundant Array of Inexpensive Disks). RAID enhances data safety and reliability through redundancy.
If a drive fails, the system will remain operational because the same data exists on the mirror drive. In
this situation, the failed drive should immediately be replaced by a new drive with the same technical
specifications. If the device operates in single drive mode, and that drive fails, the system will fail to
operate. Please contact Wedge Product Support for assistance in this situation.
The status of the RAID devices is displayed on the System > Status page (Section 3.1.1), as shown in Figure
112. Also, notification emails (Section 3.1.7) can be configured to be sent upon state changes of the RAID.
RAID Status
raid show
If RAID is configured and operational on the system, the following will be displayed:
HDD-1 online
HDD-2 online
NOTE: If either device has failed, the status will display offline instead of online.
If a drive is rebuilding, the status will display:
updating XX%
Here, XX represents the update completion percentage.
RAID Recover
If a hard disk drive fails during normal operation of the system, there will be no degradation in service or
performance. The mirror drive will continue working as a single drive. To recover the RAID, obtain a
new hard disk drive according to the specifications given to you by Wedge Product Support.
To recover the RAID:
1. Identify which hard disk drive has failed. This can be found on the System > Status page (Section 3.1.1) or indicated by an email notification (Section 3.1.7).
2. Shut down the system. See Section 2.8 or 4.1.2.
3. Remove the failed drive.
4. If the failed drive is installed in HDD-1, move the functioning drive from HDD-2 into HDD-1. If the failed drive is installed in HDD-2, leave the functioning drive in HDD-1.
5. Insert the new drive into HDD-2.
6. Power on the system.
7. Log in to the CLI. See Section 4.1.1.
8. Enter the following command at the prompt:
raid recover
If RAID is configured and operational on the system, the following will be displayed:
RAID Recovery started on HDD-2. This may take some time.
9. To check the status of the recovery, hover over the HDD-2 status icon on the System > Status page to display the rebuilding progress of the drive. Also, you can use the raid show command at the CLI to display the updating status.
NOTE: A functioning drive should always be inserted in HDD-1 as the system can only boot from HDD-1.
HDD-2 acts as a secondary drive used only for mirroring the data on HDD-1.
The current version of the detailed MIB structure can be obtained on the General tab of the System > SNMP page of the management console, by clicking the MIB Definitions link. To use the WECAN-MIB with SNMP management software, this WECAN-MIB.txt file will need to be imported into the software's collection of SNMP MIB definition files.
timestamp: the date and time of the event, according to the system clock
hostname: the host name assigned to BeSecure on the System > Settings console page
The possible events and their associated data fields are as follows:
1. APPSCAN - Event generated by an application scanning operation. Data fields for this event are:
Field Name               Description   Possible Values   Applicable to Policies
protocol                                                 All
user ID                                                  All
source IP address                                        All
destination IP address                                   All
destination info                                         HTTP, Mail
source info                                              Mail
2. APPACTION - Action taken by a BeSecure scanning event. Data fields for this event are:
Field Name
Description
Possible Values
protocol
user ID
Empty if there is no
matching user ID for the
IP address
source IP address
destination IP address
action
DETECTED, BLOCKED
content type
VIRUS, SPAM,
KEYWORD, URL,
WEBFILTER, OVERSIZE
Any MIME type
destination info
source info
subject
detail
All
All
reason
Applicable to
Policies
All
All
All
All
HTTP
All
HTTP, Mail
Virus name,
keyword/URL matched,
spam score, WebFilter
category etc.
Mail
All
3. APPEVENT - Event generated by a BeSecure application's normal operation, such as system and process status
4. APPERROR - Error caused by a BeSecure application level exception
5. APPCHANGE - Configuration changes done through the web console or the CLI
Field Name   Description   Possible Values   Applicable to Policies
log level                                    All
Message                                      All
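The APPACTION field table above, as an added example in Python (not Wedge Networks code) of what a collector should do with these events: validate the enumerated fields against the documented value sets, refuse records whose IP fields do not parse, and aggregate BLOCKED events per source. The event type names, the action values (DETECTED, BLOCKED) and the content type values (VIRUS, SPAM, KEYWORD, URL, WEBFILTER, OVERSIZE) are taken from the tables; the record layout (one dict per event, as produced by whatever syslog collector is already in place) and the key names user_id, source_ip, destination_ip, content_type and reason are assumptions, and the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Set

# Value sets documented in the manual's log event tables.
EVENT_TYPES = {"APPSCAN", "APPACTION", "APPEVENT", "APPERROR", "APPCHANGE"}
ACTIONS = {"DETECTED", "BLOCKED"}
CONTENT_TYPES = {"VIRUS", "SPAM", "KEYWORD", "URL", "WEBFILTER", "OVERSIZE"}


@dataclass(frozen=True)
class AppAction:
    timestamp: str
    hostname: str
    protocol: str
    user_id: str          # empty when no user ID maps to the source IP address
    source_ip: str
    destination_ip: str
    action: str           # DETECTED or BLOCKED
    content_type: str     # VIRUS, SPAM, KEYWORD, URL, WEBFILTER or OVERSIZE
    reason: str           # virus name, matched keyword/URL, spam score, WebFilter category ...


def validate_appaction(rec: Dict[str, str]) -> AppAction:
    """Build a typed record; raise ValueError/KeyError on anything outside the documented shape."""
    if rec.get("event") != "APPACTION":
        raise ValueError(f"not an APPACTION event: {rec.get('event')!r}")
    if rec["action"] not in ACTIONS:
        raise ValueError(f"unknown action {rec['action']!r}")
    if rec["content_type"] not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {rec['content_type']!r}")
    for key in ("source_ip", "destination_ip"):
        ip_address(rec[key])  # raises ValueError on anything that is not an IP address
    return AppAction(
        timestamp=rec["timestamp"], hostname=rec["hostname"], protocol=rec["protocol"],
        user_id=rec.get("user_id", ""), source_ip=rec["source_ip"],
        destination_ip=rec["destination_ip"], action=rec["action"],
        content_type=rec["content_type"], reason=rec.get("reason", ""),
    )


def triage(records: Iterable[Dict[str, str]], min_blocked: int = 2) -> dict:
    """Per-content-type counts, sources with >= min_blocked BLOCKED events, sources with
    no user mapping, and the records that failed validation (reported, never dropped silently)."""
    by_content: Counter = Counter()
    blocked_by_source: Counter = Counter()
    unmapped: Set[str] = set()
    rejected: List[str] = []
    for raw in records:
        try:
            ev = validate_appaction(raw)
        except (KeyError, ValueError) as exc:
            rejected.append(f"{raw.get('timestamp', '?')}: {exc}")
            continue
        by_content[ev.content_type] += 1
        if ev.action == "BLOCKED":
            blocked_by_source[ev.source_ip] += 1
        if not ev.user_id:
            unmapped.add(ev.source_ip)
    return {
        "by_content_type": dict(by_content),
        "repeat_offenders": sorted(ip for ip, n in blocked_by_source.items() if n >= min_blocked),
        "unmapped_sources": sorted(unmapped),
        "rejected": rejected,
    }


SAMPLE_EVENTS = [  # constructed records, not captured from an appliance
    {"event": "APPACTION", "timestamp": "2010-05-13 17:20:01-0600", "hostname": "besecure-1",
     "protocol": "HTTP", "user_id": "alice", "source_ip": "192.168.100.20",
     "destination_ip": "203.0.113.10", "action": "BLOCKED", "content_type": "VIRUS",
     "reason": "EICAR-Test-File"},
    {"event": "APPACTION", "timestamp": "2010-05-13 17:21:14-0600", "hostname": "besecure-1",
     "protocol": "HTTP", "user_id": "alice", "source_ip": "192.168.100.20",
     "destination_ip": "203.0.113.11", "action": "BLOCKED", "content_type": "URL",
     "reason": "URL matched denied list"},
    {"event": "APPACTION", "timestamp": "2010-05-13 17:22:30-0600", "hostname": "besecure-1",
     "protocol": "SMTP", "user_id": "", "source_ip": "192.168.100.21",
     "destination_ip": "192.168.100.5", "action": "DETECTED", "content_type": "SPAM",
     "reason": "spam score 8.5"},
    # Malformed: action outside the documented set, so it must be reported.
    {"event": "APPACTION", "timestamp": "2010-05-13 17:23:02-0600", "hostname": "besecure-1",
     "protocol": "HTTP", "user_id": "bob", "source_ip": "192.168.100.22",
     "destination_ip": "203.0.113.12", "action": "QUARANTINED", "content_type": "VIRUS",
     "reason": "unknown"},
    # A different event type that does not belong in this pipeline.
    {"event": "APPEVENT", "timestamp": "2010-05-13 17:24:00-0600", "hostname": "besecure-1",
     "log level": "INFO", "Message": "HTTP scanner started"},
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_EVENTS))
```

Keeping the rejected records visible matters more than the counts: a sudden rise in rejections usually means the log format changed after an upgrade, and a detection that silently drops them would stop seeing BLOCKED events without anyone noticing.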
(not enabled in
router mode)
CONTROL
21
21
22
22
23
23
25
25
80
80
110
110
143
143
443
443
2121
2121
FTP scanner*
8180
8180
HTTP scanner*
443
9012
9013
9025
9025
SMTP scanner*
9110
9110
POP scanner*
9143
9143
IMAP scanner*
Purpose
Code   Description
211
214    Help message [Information on how to use the receiver or the meaning of a particular nonstandard command; this reply is useful only to the human user]
220
221
250
251
421    <domain> Service not available, closing transmission channel [This may be a reply to any command if the service knows it must shut down]
450    Requested mail action not taken: mailbox unavailable [E.g., mailbox busy]
451
452
500    Syntax error, command unrecognized [This may include errors such as command line too long]
501
502
503
504
550    Requested action not taken: mailbox unavailable [E.g., mailbox not found, no access]
551
552
553    Requested action not taken: mailbox name not allowed [E.g., mailbox syntax incorrect]
554    Transaction failed
Obtain, modify, and test the logon and logoff scripts for your organization.
Install the logon and logoff scripts to your Domain Controller.
Enable TLS.
Add an Administrator user for this device to the Active Directory server.
Configure this device with the following items:
a. The name or IP of the Active Directory (AD) server
b. An AD account that has permission to query the AD server
c. The organizational unit (OU) that contains all the users
d. The items within the schema that contain the user name and IP address
9.1.1
The scripts logon.vbs and logoff.vbs are available from your device reseller or from Customer Support
(see contact information at the end of this document), who can provide you with the scripts via email or
direct you to a web address to download them from.
9.1.2
The logon.vbs and logoff.vbs scripts need to be modified in the following ways:
1. The name of the Domain Controller (DC) must be changed from dc=bstest,dc=com to your DC value.
2. The organizational unit (OU) must be changed from OU=Calgary to your OU value.
To edit the scripts, do the following for each of logon.vbs and logoff.vbs:
Change the
dc
DC value.
9.1.3 Test the Scripts
The logon and logoff scripts should be tested before they are installed, as follows:
1.
Copy logon.vbs and logoff.vbs to a workstation with a domain user logged in using domain
credentials.
2.
Using Windows Explorer, navigate to the folder containing logon.vbs on the workstation, and
double-click to run the script.
3.
Check the Active Directory entry for that user. The url field should be filled in with the IP address
of the workstation.
5. Verify that the IP address is removed from the Active Directory entry.
2. On the Domain Controller, open Windows Explorer and navigate to the folder containing the scripts.
4. Logon and logoff scripts run with the credentials of the user. It is recommended that the Domain Users group be given permission to any resources used by either of these scripts.
5. You do NOT assign the GPO to a user or users, but to an Organizational Unit (OU), to an Active Directory Site, or to the entire Active Directory Domain. So, you must now decide if you want the script to apply to ALL THE DOMAIN USERS, or just to a specific set of users located within one or more OUs (Organizational Units) in Active Directory Users and Computers. If you choose to apply it to all the users in the domain, you must create a Group Policy Object (or GPO) and link it to the ENTIRE domain. If you choose to apply the script ONLY to a SPECIFIC SET of users, you must place all the users in one OU (Organizational Unit) in Active Directory Users and Computers, and link the GPO to that OU.
6. In order to assign the GPO and edit it, we'll use a tool called the Group Policy Management console, or GPMC for short. See if the Administrative Tools folder has a tool called Group Policy Management Console. If it does, skip to Step 8.
7. If the GPMC is not installed, you will need to install it. It is not installed by default in Windows Server 2003 or 2008.
b. Windows Server 2008: GPMC is already a part of the operating system installation; you simply need to add it. If the Windows Server 2008 server is also a Domain Controller, GPMC will be automatically installed as part of the DCPROMO procedure.
For more details, see the System requirements and installation steps section at http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx
8. Open Group Policy Management from the Administrative Tools folder. Alternatively, Start > Run to open the Run window, then type
gpmc.msc
9.
a. If, as described in the above paragraph, you decided to apply the script to ALL THE DOMAIN USERS, expand the domain tree and locate the domain name. Right-click the domain name and select Create a GPO in this domain, and Link it here.
b. If, as described in the above paragraph, you decided to apply the script to ONLY a SPECIFIC SET of users, expand the domain tree and locate the OU where the users are located. Right-click the OU and select Create a GPO in this domain, and Link it here.
Note: Of course, it might be possible that a GPO already exists and is linked to the object level you need. In that case, you don't need to create a new GPO; you can use the existing one.
10. In the New GPO window, give the new GPO a descriptive name, such as "Logon Script GPO". Click
OK.
11. If you don't see it already, refresh the GPMC view and find the new GPO you've just created
under either the domain name, or the OU, depending on your previous choice.
12. When you click on the new GPO you might be prompted with a message window. Click OK.
13. Right-click the new GPO and select Edit.
14. In the Group Policy Management Editor window, expand User Configuration > Windows Settings
in the left column, and select Scripts.
17. The Logon window will open. The path will be a folder similar to the following:
\\bstest.com\SysVol\bstest.com\Policies\{070ACF10-4233-4B8C-9CC4925A010197DA}\User\Scripts\Logon
Right-click and Paste the logon script you copied in the previous part of this instruction.
20. In the Add a Script window, click Browse and you will see the script that you just added. DO NOT
manually browse for the file, as it should be clearly visible after clicking the Add button. If it's not
there, check that you have properly completed the previous steps.
24. Click OK to apply the changes and close the Logon Properties window.
25. Close the Group Policy Management Editor window.
26. Click the Refresh button in the Group Policy Management window.
30. Type:
gpupdate /force
2. In the left column, right-click on Roles and select Add Roles. This will start the Add Roles Wizard.
3. Read the Before You Begin screen, and ensure that you meet all the prerequisites. Click Next.
4. On the Select Server Roles screen, select Active Directory Certificate Services and click Next.
5. Read the Introduction to Active Directory Certificate Services, especially Things to Note (stating that changing the computer name, joining a domain, etc. should be done BEFORE this certificate process) and click Next.
6. At Select Role Services, select both Certification Authority and Certification Authority Web Enrollment. Click Next.
9. At Set Up Private Key, select Create a new private key, and click Next.
10. At Configure Cryptography for CA, select RSA#Microsoft Software Key Storage Provider with a
key character length of 2048. Select sha1 as the hash algorithm. Click Next.
11. At Configure CA Name, enter a Common Name for this CA, and the appropriate Distinguished
name suffix for your domain. Click Next.
14. At Confirm Installation Selections, review the information. You should see a page similar to the
following screenshot. If everything is satisfactory, click Next.
15. At this point, installation will occur. When complete, you should see the following screen
indicating success.
18. Click on Issued Certificates. You should see the details of your newly issued certificate.
From the Start menu on the AD Server, select Administrative Tools > Active Directory Users and
Computers.
2. Create a new user by right-clicking on Users in the left pane, selecting New > User.
3. Select a User logon name. For simplicity, you can make the First name the same. Click Next.
4. Enter a Password and Confirm password. Unselect User must change password at next logon. Select User cannot change password, and Password never expires. Click Next.
6. The new user should now be in the list. Right-click on the new user, and select Properties.
8. Type administrators into the Enter the object names to select field, and click Check Names. Administrators should be found, and underlined.
9. Click OK.
Login to the management interface using a web browser and navigate to the System > AD/LDAP
page.
If correct, click Save for these settings to become active on the scanning device.
Obtain, modify and test the logon and logoff scripts for your organization.
2. Install the logon and logoff scripts on each workstation in your network.
To edit the scripts, do the following for each of logon.sh and logoff.sh:
LDAP_SERVER_ADDRESS=
Put the name or IP address of your LDAP server after the '='. Do not put any spaces between the
'=' and the name or IP.
Copy logon.sh and logoff.sh to a workstation with a user logged in using LDAP
credentials. Copy them to the directory /usr/local/bin and make sure they are executable.
You may need to create the directory /usr/local/bin with the command
mkdir -p /usr/local/bin
To give the scripts execute permissions, use the command
chmod 755 /usr/local/bin/logo*.sh
Open a Terminal window on the workstation, or use ssh to access the workstation.
Find the user id, or "short name" of the logged in user (you can use the who or whoami
commands).
/usr/local/bin/logon.sh <userid>
3. If there is any output from the script, an error has occurred. You may need to alter the script for your environment and network. If the script produces no output, it has run successfully.
4. Run the logoff script in the same fashion. If the script produces no output, it has run successfully.
2. The logon and logoff scripts will run whenever a user logs on or off the workstation.
The scripts can be installed in any directory on the workstation. Another common location is under the
/opt directory. Be sure that the LoginHook and LogoutHook are set to the location where the
scripts are.
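The installation and test steps above, as an added pre-flight check in Python (not Wedge Networks code, and not the logon.sh/logoff.sh scripts themselves, whose contents the manual does not show). It assumes only what the manual states: the scripts are executable, they contain a line of the form LDAP_SERVER_ADDRESS=<host-or-ip> with no spaces around the '=', they take the user's short name as their single argument, and a successful run prints nothing. The world-writable check and the non-zero exit status check are added here beyond the manual's own criteria, and the sample scripts in the usage are constructed.

```python
import re
import stat
import subprocess
from pathlib import Path
from typing import List, Optional

# The manual's required form: NAME=value, nothing else on the line.
ADDRESS_RE = re.compile(r"^LDAP_SERVER_ADDRESS=(?P<value>\S+)$")


def check_ldap_address_line(script_text: str) -> Optional[str]:
    """Return None when the LDAP_SERVER_ADDRESS line is well formed, else a problem message."""
    for line in script_text.splitlines():
        if not line.startswith("LDAP_SERVER_ADDRESS"):
            continue
        if line.strip() == "LDAP_SERVER_ADDRESS=":
            return "LDAP_SERVER_ADDRESS has no value"
        if " " in line or "\t" in line:
            return "LDAP_SERVER_ADDRESS line contains whitespace; write it as NAME=value with no spaces"
        if not ADDRESS_RE.match(line):
            return f"malformed line: {line!r}"
        return None
    return "LDAP_SERVER_ADDRESS line not found"


def check_installed(script: Path) -> List[str]:
    """Static problems with how the script is installed; an empty list means it passed."""
    if not script.is_file():
        return [f"{script}: not found (the manual installs to /usr/local/bin)"]
    problems: List[str] = []
    mode = stat.S_IMODE(script.stat().st_mode)
    if not mode & stat.S_IXUSR:
        problems.append(f"{script}: not executable; run chmod 755 {script}")
    if mode & stat.S_IWOTH:
        # Added check: a hook that runs at every logon must not be editable by every local user.
        problems.append(f"{script}: world-writable; chmod 755 clears the group/other write bits")
    err = check_ldap_address_line(script.read_text())
    if err:
        problems.append(f"{script}: {err}")
    return problems


def run_logon_test(script: Path, userid: str) -> Optional[str]:
    """Run the script as the manual's test step does (script <userid>). The manual's
    success criterion is that nothing is printed; a non-zero exit status is reported too."""
    proc = subprocess.run([str(script), userid], capture_output=True, text=True)
    output = (proc.stdout + proc.stderr).strip()
    if output:
        return f"{script.name} printed output, which the manual treats as an error: {output}"
    if proc.returncode != 0:
        return f"{script.name} exited with status {proc.returncode}"
    return None


def preflight(script: Path, userid: str) -> List[str]:
    """Static checks first; only a script that passes them is executed."""
    problems = check_installed(script)
    if not problems:
        err = run_logon_test(script, userid)
        if err:
            problems.append(err)
    return problems


if __name__ == "__main__":
    import getpass
    # Checks the install location the manual uses; adjust the path if the hooks point elsewhere.
    for name in ("logon.sh", "logoff.sh"):
        for problem in preflight(Path("/usr/local/bin") / name, getpass.getuser()):
            print(problem)
```

The static checks run before the script is executed on purpose: a script with a misconfigured server address would otherwise produce an LDAP error that looks like a network problem, and an unexpectedly writable hook should be fixed before anyone runs it at all.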
Login to the management interface using a web browser and navigate to the System > AD/LDAP
page.
3. Select the appropriate server type from the Server Type list.
Login User or DN: A valid DN (distinguished name) that specifies the location of a user with
permission to query the LDAP server.
Login Password: The password for the login user.
Search DN for Users/Groups: The base search DN of your Open Directory. For example:
dc=bstest,dc=com
If a server type with a known configuration is used, the User Object Class, Name Attribute, and
Group Object Class fields will be auto-populated with the appropriate values. If these do not
match the existing LDAP schema, the Custom LDAP Server setting needs to be used. In this case,
the above three fields require values to be entered.
6. If correct, click Save for these settings to become active on the scanning device.
11.1 Archive
Document Format
Event List ID
7-Zip
7-ZipArchive
.7Z
ACE
ACE
.ACE
DiskImage
.DMG
ARJ
ARJ
.ARJ
BZIP2
bzip2
.BZ2, TBZ2
ISO
.ISO
Java Archive
Zip
.JAR
LZH
LZH
.LZH
Microsoft Cabinet
MSCabinet
.CAB
MSBinder
.OBD
RPM
.RPM
RAR
.RAR
Self-extracting .exe
SelfExtracting
.EXE
SelfExtracting
.SEA, .EXE
StuffIt X
StuffItXArchive
.SITX
StuffIt
StuffItArchive
.SIT
GNU Zip
GZIP
UNIX cpio
cpioArchive
.CPIO
UNIX Tar
TAR
.TAR
Zip
Zip
PKZip, WinZip
Document Format
Event List ID
Version
Extension
dBase file
dBASE
3,4
.DBF
dBASE
3,4
.DB, .DB3
MSAccess
01/01/10
.MDB
ParadoxDB
Version
0.1, 1.0
Extension
.GZ
.ZIP
11.2 Database
.DB
Appendix G: Supported File Formats for DLP Text Extraction | Wedge Networks
Event List ID
Version
Extension
EmailMessage
MHT
.MHT
EmailMessage
Multipart Alternative
EmailMessage
Multipart Digest
EmailMessage
Multipart Mixed
EmailMessage
EmailMessage
Multipart Signed
EmailMessage
TNEF
Eudora Classic
Microsoft Outlook
MSOutlook
MSOutlook
(1-7), OSE
.MBX
97-2007
.MSG
.EML
.OFT
Microsoft Outlook
MSPST/OST
Sendmail "mbox"
SendmailMBOX
Thunderbird
SendmailMBOX
97-2007
.PST
.MBOX
.MBOX
11.4 Multimedia
Document Format
Event List ID
Adobe Flash
Flash
.SWF
AVI
.AVI
DVDVideoObject
.VOB
MPEG Video2
MPEGVideo
.MPG
MP3
ID3v1, ID3v2
.MP3
MP3
ID3v1, ID3v2
.MP3
Version
Extension
MPEG-4 Video2
MP4
.MP4
OGGFLAC
.FLAC
OGGVorbis
.OGG
Real Media
RealMedia
.RM
WAVE
.WAV, .AIFF
MSWindowsMedia
.WMA
MSWindowsMedia
WMV 7, 9
.WMV
Document Format
Event List ID
Version
Extension
Log File
LogFile
Microsoft Project
MSProject
98-2003
.MPP
Microsoft Project
MSProject
2007
.MPP, .MPX
OAII
01/02/11
vCard
vCard
2.1
.VCF
Uniplex
Uniplex
11.5 Other
.LOG
11.6 Presentation
Document Format
Event List ID
Version
Extension
OpenDocFormat
1.x, 3.x
.SXI, .ODP
LibreOffice Presentation
OpenDocFormat
Beta 3
.ODS
MSPowerPoint
3.0-2007, 2010
.PPT, .PPTX
MSPowerPoint
.PPT, .PPTX
OpenDocFormat
.ODP
StarOffice Impress
OpenDocFormat
8, 9
.SXI, .SDI,
.SDP
Event List ID
JPEGImage
Version
Extension
.JPEG, .JPG,
(JPEG)
.JPE, .JIF
Progressive JPEG
JPEGImage
.JPEG, .JPG
MSDocImaging
.MDI
PCX1
PCXImage
.PCX
TIFImage
Revision 3.0-5.0
.TIF, .TIFF
Document Format
Event List ID
Version
Extension
Text
Framework Spreadsheet
FW3
III
.FW3
OpenDocFormat
1.x, 3.x
.SXS, .SX,
11.8 Spreadsheet
.CSV
.ODS
LibreOffice Spreadsheet
OpenDocFormat
Lotus 1-2-3
Beta 3
.ODS
Through Millennium
.WK, .WKS,
9.6
.WK3, .WK4
MSExcel
2.0 - 2010
.XLS, .XLSX
MSExcel
.XLSB
MSExcel
.XLS, .XLSX
8.0-14.0
Microsoft Works SS for DOS
MSWorks
.WPS
OpenOffice Calc
OpenDocFormat
1.1-2.0
.ODS
StarOffice Calc
OpenDocFormat
8, 9
.SXC, .SXS,
.ODS
Event List ID
Version
Extension
ASCII Text
Text
7-bit, 8-bit
.TXT
ANSI Text
Text
7-bit, 8-bit
.TXT
HTML
.HTM,
.HTML
HTML
.HTM,
.HTML
HTML
.HTM,
.HTML
IBM DCA
.RFT, .TXT,
RFT, Text
.DCA
Microsoft HTML Help
MSHelp
.CHM
1.33MAML
Microsoft OneNote
MSOneNote
2007, 2010
.ONE
RichTextFormat
.RTF
SGML Text
SGML
Source
SourceCode
Transcript
Transcript
Unicode UTF8
TextUTF
TextUTF
TextUTF
XML
XML(document)
Document File
.XML
XML
XML
Record View
.XML
.SGML
11.10 Vector Image
Document Format
Event List ID
Adobe Illustrator
Illustrator
Adobe InDesign
InDesign
Adobe Photoshop
PhotoshopImage
Version
Extension
.AI
1.x-7.x
.INDD
.PSD
1-3)
AutoCAD Drawing
AutoCAD
.DWG
2009, 2010
AutoCAD Drawing Exchange Format
AutoCADDXF
.DXF
IntergraphCAD
.DGN
MSOpenXML
.XPS, .OXPS
Microsoft Visio
MSVisio
.VSD
11.11
Document Format
Event List ID
Version
Extension
Adobe PDF
1.0 1.7
(Extension 3, 5)
(Acrobat 1 - 9)
Ami Pro for Windows
AmiPro
.AMI, .SAM
Apple iWork
iWork
.PAGES,
.NUMBERS, .KEY
Framework WP
FW3
.FW3
Hangul (>v3)
Hangul
.HWP
IBM DCA/FFT
DCA
.RFT, .FFT
IBM DisplayWrite
DisplayWrite4
.RFT, .DCA,
.DW4, .DOC
IBM DisplayWrite 5
DisplayWrite5
.RFT, .DCA,
.DW5, .DOC
OpenDocFormat
1.x, 3.x
JustSystems Ichitaro
.ODT
.JTD, .JBW, .JTT
LibreOffice Document
OpenDocFormat
Beta 3
.ODT
Lotus Manuscript
Manuscript
1.0, 2.x
.MANU, .MNU,
.MAN
Mass 11
Mass11
.M11
Microsoft Publisher
MSPublisher
MSWordDOS
4.0 - 6.0
.DOC
MSWordWIN
1.0 - 2010
.DOC, .DOCX
MSWordWIN
.DOC, .DOCX
MultiMate
MultiMate
Through 4.0
.DOX
MultiMate Advantage
MultiMate
OpenOffice Writer
OpenDocFormat
1.1 - 3.0
.ODT
ProWrite
1, 2
.PW, .PW1,
.PUB
.DOX
.PW2
Professional Write Plus for Windows
ProWrite
.PW
Q&A Write
QA3
3, 4 (Classic), 5
.QA, .QA3
8, 9
.SXW, .SDW
StarOffice Writer
Wang WP
WangWP
.IWP
Wang WP Plus
WangWPPlus
.IWP
Windows Write
MSWrite
.WRI
WordPerfect42
4.2
.WPD
WordPerfect
.WPD
WordPerfect
WordStar2000
5.1-12.0, X3, X4
.WPD
.WS2, .DOC
WordStar
3.x-7
.WS, .WSx
WordStar5
.WSD
XYwrite
XYWrite
I-III+, 4.0,
.XY
Windows
INDEX
802.1Q. See VLAN support
Active Directory configuration, 11, 170
Active Directory integration
AD user for device, 186
device configuration, 189
Active Directory integration, 170, See Directory
Agent
enable TLS, 181
logon and logoff scripts, 170
Active Directory integration, 194
AD/LDAP
Active Directory configuration, 170
and scanning policies, 76, 97
administrators
access rights, 119
list all, 119
Administrators, 28, 119
Alteon
load-balancing and ICMP, 143
Anti-Phishing. See Cloudmark Anti-Phishing
anti-spam
advanced settings, 86
blocking spam, 85, 86
blocking spam by policy, 80
custom header, 91
headers, 89
message headers, 89
Message Subject Marker, 89
signatures update, 85
SMTP reply for blocked spam, 86, 141
status, 28
subject line marker, 89
whitelist, 88
Anti-Spam Policies, 20, 80
adding, 80
editing and deleting, 81
exclusions, 81
Anti-Spam Setup, 85
anti-virus
block or detect by policy, 77
GreenStreaming. See anti-virus setup
link bonding, 37
localization. See language
logging
default file location, 165
download logs, 54
format, 165
log level, 53
setup, 54
summary, 115
Logging Setup, 53
Logs, 115
Manage Licenses, 65
management information base module, 61
McAfee SmartFilter, 109
memory usage, 122
Memory usage
threshold notification format, 157
MIB. See management information base module
MIM Portal
configuration, 70
module status, 28
multi-language. See language
multiple instance management. See MIM Portal
nested VLANs. See VLAN support
Network, 29
Updates Via, 29
Network Graphs, 120
network redundancy. See link bonding
Network Time Protocol, 39
configuration sync, 61
Next-Gen Firewall, 112
notifications
CPU/memory/disk/proxy usage warnings, 54
e-mail, 54
failed service updates, 54
Health Monitor, 54
license expiration, 54
RAID status change, 55
SNMP, 63
Nslookup, 134
NTP. See Network Time Protocol
OCSP. See SSL/TLS
See
Health
pattern matching
keyword and URL, 106
Ping, 134
ping tool, 134
platform type, 25
policies, 11
exclusions, 11
IP address format, 11
list all by IP address, 118
list all by service, 116
resetting, 41
Type column, 76, 97
username or group name based, 76, 97
Policy Details, 118
Port Setup, 42
port status, 26, 29
Function, 27
Updates Via, 27
port usage policies, 168, 169
prevent SMTP server blacklisting, 141
problem report
generate from CLI, 159
generate using management console, 130
submitting to product support, 132
processes graph, 122
Protection menu, 76
protocol
changing scanned ports, 43
protocol scanners
status display, 27
protocols
anti-virus policies, 77, 78, 92
scanned ports, 42
Q-in-Q. See VLAN support
RAID, 161
notification on status change, 55
recovery, 162
SSL/TLS, 43
certificate generation, 48
certificate revocation, 46
Certificate Status, 51
CRL (certificate revocation list), 46
dynamic certificates, 43
enabling, 44
existing certificate upload, 50
HTTPS domain whitelist, 45
OCSP, 46
overview. See SSL/TLS
scanning. See SSL/TLS
static certificate, 43
Use Dynamic Certificates, 45
static route
control port, 36
statistics
by protocol, 116
resetting, 41
Statistics, 116
Status, 25
Updates Via, 29
stealth routing. See auto-route
SubSonic, 69
enabling, 69
example, 70
graphs, 123
selective using file size and MIME, 144
statistics, 70
sync
configuration. See Configuration Sync
HA. See Configuration Sync
syslog. See logging
system date and time, 39
system events
types of, 54
System Graphs, 120
system log entries. See logging
System menu, 25
system temperature, 122
System Update, 73
tarpitting. See SMTP tarpitting
TCP Stream, 11, 12, 42
technical support, 14
template
mail variables, 94
templates
e-mail message, 93
HTTP message, 95, 96
Templates, 93
Text Extraction, 103
time. See system date and time
display, 25
TLS. See SSL/TLS
Traceroute, 134
traffic blocking, 112
adding, 112
deleting, 113
modifying, 113
Traffic Blocking, 112
traffic bypassing on high CPU, 130
traffic capture, 159
submitting to product support, 132
using CLI, 159
using management console, 131
transparency
auto-route, 33
IP address, 32
MAC/VLAN, 33
transparent mode, 32
trap sink, 63
traps (SNMP), 63
troubleshooting
problem report, 159
traffic capture, 159
Updates Via. See port status
URL blocking. See URL Policies
modifying, 101
syntax, 106
URL deleting, 102
URL Policies, 97
Action, 99
Action decision flow, 100
adding, 98
Allowed URLs, 100
Block access, 98
Denied URLs, 100
Detect only, 98
HTTPS, 97
URL list file upload, 101
user or group name, 98
URL whitelist
Anti-Virus Policies, 79
DLP Policies, 105
WebFilter, 110
user manual
through console, 25
version number, 73
viruses. See anti-virus
graph, blocked, 122
VLAN support, 33
multiple VLANs, 33
WCCP, 149
add ports, 152
benefits, 150
CLI commands, 153
configure, 151
method overriding, 151
protocol support, 150
router/switch configuration, 153
service groups, 153
See
Wedge Networks
www.wedgenetworks.com
+1.403.276.5356
+1.403.276.5568
support@wedgenetworks.com