
BESECURE USER MANUAL

2/18/2014

4.0.4
BESECURE-UM-v4.0.4

Wedge Networks
Suite 238, 3553 31st Street N.W.
Calgary, Alberta T2L 2K7, Canada
Tel. +1.403.276.5356. Fax. +1.403.276.5568

www.wedgenetworks.com
Copyright 2013 Wedge Networks. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Wedge Networks Inc.
BeSecure User Manual
Version BESECURE-UM-v4.0.4
February 18, 2014
Trademarks
BeSecure is a pending Trademark of Wedge Networks. Other product and company names used in this
document are used for identification purposes only, may be trademarks of other companies, and are the
property of their respective owners.
BeSecure and associated software are protected by, or for use under, one or more of the following:
U.S. Patent 7,630,379, and Provisional Patents 60/521,551 and 60/522,513

Regulatory Compliance
FCC Class A Part 15 CSA/CUS, VCCI, PSE, CE, RoHS
For technical support, please visit http://www.wedgenetworks.com/
Send information about errors or omissions in this document or any Wedge Networks technical
documentation to techdoc@wedgenetworks.com


TABLE OF CONTENTS
TABLE OF CONTENTS ..... iii
LIST OF FIGURES AND TABLES ..... vii
1 INTRODUCTION ..... 10
1.1 PLATFORMS ..... 10
1.2 KEY FEATURES ..... 10
1.3 MAIN CONCEPTS ..... 11
1.3.1 Services ..... 11
1.3.2 Policies ..... 11
1.3.3 Exclusions ..... 11
1.3.4 Deep Content Inspection (DCI) ..... 12
1.4 NETWORK MODES ..... 12
1.4.1 Bridge Mode ..... 12
1.4.2 Router Mode ..... 12
1.5 COMMENTS AND TECHNICAL SUPPORT ..... 14
1.6 ABOUT THIS USER MANUAL ..... 14
2 QUICK START ..... 15
2.1 DEFAULT SETTINGS ..... 15
2.2 SYSTEM CONFIGURATION ..... 15
2.3 ASSIGNING A DEVICE ADDRESS ..... 17
2.4 CONNECTING THE DEVICE IN BRIDGE MODE ..... 17
2.5 CHANGING THE DEFAULT ADMINISTRATOR PASSWORD ..... 18
2.6 ANTI-VIRUS AND ANTI-SPAM FOR THE ENTIRE NETWORK ..... 18
2.7 VALIDATING THE INSTALLATION ..... 22
2.7.1 Web Applications (HTTP) ..... 22
2.7.2 Send Email (SMTP) ..... 22
2.7.3 Retrieve Email (POP3) ..... 23
2.8 SYSTEM STARTUP / SHUTDOWN / RESTART ..... 23
3 MANAGEMENT CONSOLE ..... 24
3.1 SYSTEM ..... 25
3.1.1 Status ..... 25
3.1.2 Administrators ..... 28
3.1.3 Network ..... 29
3.1.4 Settings ..... 38
3.1.5 Protocol Setup ..... 42
3.1.6 Logging Setup ..... 53
3.1.7 Notification ..... 54
3.1.8 High Availability (HA) Mode ..... 56
3.1.9 SNMP ..... 61
3.1.10 Manage Licenses ..... 65

3.1.11 Backup/Restore ..... 67
3.1.12 Event Reporting ..... 68
3.1.13 SubSonic ..... 69
3.1.14 Multiple Instance Management (MIM) Portal ..... 70
3.1.15 System Update ..... 73
3.1.16 Shut Down ..... 74
3.2 PROTECTION ..... 76
3.2.1 Anti-Virus Policies ..... 76
3.2.2 Anti-Spam Policies ..... 80
3.2.3 AV Setup (Kaspersky or Bitdefender) ..... 82
3.2.4 Anti-Spam Setup ..... 85
3.2.5 File Size Limits ..... 91
3.2.6 Global Exclusions ..... 92
3.2.7 Templates ..... 93
3.3 CONTENT CONTROL ..... 97
3.3.1 URL Policies ..... 97
3.3.2 DLP Policies ..... 102
3.3.3 Pattern Matching Syntax for Keywords and URLs ..... 106
3.3.4 WebFilter ..... 107
3.4 NEXT-GEN FIREWALL ..... 112
3.4.1 Traffic Blocking ..... 112
3.4.2 Application Control ..... 113
3.4.3 Server Security ..... 114
3.5 REPORTS ..... 115
3.5.1 Logs ..... 115
3.5.2 Statistics ..... 116
3.5.3 Serviced Clients ..... 116
3.5.4 Policy Details ..... 118
3.5.5 Administrators ..... 119
3.5.6 System, Service, SubSonic, and Network Graphs ..... 120
3.5.7 Event List and Event Summary ..... 124
3.6 DIAGNOSTICS ..... 127
3.6.1 Configuration Check ..... 127
3.6.2 Health Monitor ..... 128
3.6.3 Problem Report ..... 130
3.6.4 Traffic Capture ..... 131
3.6.5 Submitting a Problem Report or Traffic Capture for Analysis ..... 132
3.6.6 Ping, Nslookup, Traceroute ..... 134
4 ADVANCED TOPICS ..... 135
4.1 COMMAND LINE INTERFACE (CLI) ..... 135
4.1.1 Accessing the CLI ..... 135
4.1.2 Commands and Usage ..... 136
4.1.3 Reset of Administrator Password ..... 138
4.2 ADVANCED SCANNER CONFIGURATION USING THE CLI ..... 139

4.3 ADVANCED NETWORK CONFIGURATION WITH THE CLI ..... 142
4.3.1 network icmp ..... 142
4.4 ADVANCED CONFIGURATION MANAGEMENT WITH CLI ..... 143
4.5 SELECTIVE SUBSONIC CONTENT RECOGNITION ..... 144
4.6 FIBER DATA PORTS ..... 145
4.7 SPAM FEEDBACK NETWORK ..... 146
4.8 WEBFILTER URL CATEGORIZATION FEEDBACK ..... 147
4.9 INTERNET CONTENT ADAPTATION PROTOCOL (ICAP) ..... 148
4.9.1 HTTP Policies and IP Addresses ..... 148
4.9.2 Traffic Blocking with ICAP ..... 149
4.9.3 Configuring the ICAP Client to Work with the BeSecure ICAP Server ..... 149
4.10 WEB CACHE COMMUNICATIONS PROTOCOL (WCCP) ..... 149
4.10.1 Service Groups ..... 153
4.10.2 Configuring the Router or Switch ..... 153
4.10.3 WCCP CLI Commands ..... 153
4.11 HEALTH MONITOR ..... 155
4.12 PROBLEM REPORT AND TRAFFIC CAPTURE USING THE CLI ..... 159
4.13 RAID ..... 161
4.13.1 RAID CLI Commands ..... 161
5 APPENDIX A: SNMP WECAN-MIB MODULE ..... 164
6 APPENDIX B: SYSTEM LOG ENTRIES ..... 165
6.1 LOGGING FORMAT ..... 165
7 APPENDIX C: OPEN PORTS ..... 168
8 APPENDIX D: SMTP REPLY CODES ..... 169
9 APPENDIX E: ACTIVE DIRECTORY INTEGRATION ..... 170
9.1 THE LOG ON AND LOG OFF SCRIPTS ..... 170
9.1.1 Obtain the Scripts ..... 170
9.1.2 Modify the Scripts ..... 171
9.1.3 Test the Scripts ..... 171
9.2 INSTALLING THE SCRIPTS USING GROUP POLICY OBJECT (GPO) ..... 171
9.3 ENABLE TLS ..... 181
9.4 ADD AN ACTIVE DIRECTORY USER FOR THE DEVICE ..... 186
9.5 CONFIGURE THE DEVICE ..... 189
10 APPENDIX F: LDAP SERVER INTEGRATION ..... 190
10.1 THE LOG ON AND LOG OFF SCRIPTS ..... 190
10.1.1 Obtain the Scripts ..... 190
10.1.2 Modify the Scripts ..... 190
10.1.3 Test the Scripts ..... 191
10.2 INSTALL THE SCRIPTS ..... 192
10.3 CONFIGURE THE DEVICE ..... 192
11 APPENDIX G: SUPPORTED FILE FORMATS FOR DLP TEXT EXTRACTION ..... 194

11.1 ARCHIVE ..... 194
11.2 DATABASE ..... 194
11.3 EMAIL AND MESSAGING ..... 195
11.4 MULTIMEDIA ..... 195
11.5 OTHER ..... 196
11.6 PRESENTATION ..... 196
11.7 RASTER IMAGE ..... 197
11.8 SPREADSHEET ..... 197
11.9 TEXT AND MARKUP ..... 198
11.10 VECTOR IMAGE ..... 199
11.11 WORD PROCESSING AND GENERAL OFFICE ..... 199
INDEX ..... 202


LIST OF FIGURES AND TABLES


FIGURE 1: BESECURE IN BRIDGE MODE ..... 12
FIGURE 2: BESECURE IN ROUTER MODE ..... 13
FIGURE 3: WEB MANAGEMENT CONSOLE LOGIN SCREEN ..... 15
FIGURE 4: WEB MANAGEMENT CONSOLE MAIN SCREEN ..... 16
FIGURE 5: NETWORK SETUP SCREEN QUICK START ..... 17
FIGURE 6: PORT STATUS DISPLAY ..... 18
FIGURE 7: ADMINISTRATORS SCREEN ..... 18
FIGURE 8: ANTI-VIRUS POLICIES SCREEN ..... 19
FIGURE 9: ANTI-VIRUS POLICIES SCREEN (ADDITION SUCCESSFUL) ..... 20
FIGURE 10: ANTI-SPAM POLICIES SCREEN ..... 21
FIGURE 11: ANTI-SPAM POLICIES SCREEN (ADDITION SUCCESSFUL) ..... 21
FIGURE 12: SYSTEM SHUTDOWN SCREEN ..... 23
FIGURE 13: MANAGEMENT CONSOLE LOGIN SCREEN ..... 25
FIGURE 14: SYSTEM STATUS SCREEN ..... 26
FIGURE 15: CURSOR TRIGGERED STATUS MESSAGE ..... 27
FIGURE 16: ADMINISTRATOR SETUP SCREEN ..... 28
FIGURE 17: NETWORK SETUP SCREEN ..... 30
FIGURE 18: MULTIPLE VLANS ..... 34
FIGURE 19: MORE NETWORK SETTINGS ..... 35
FIGURE 20: LINK BONDING IN ROUTER MODE ..... 37
FIGURE 21: SETTINGS SCREEN ..... 39
FIGURE 22: PROTOCOL SETUP, PORTS TAB ..... 42
FIGURE 23: PROTOCOL SETUP, SSL/TLS TAB ..... 44
FIGURE 24: HTTPS DOMAIN WHITELIST ..... 45
FIGURE 25: WHITELIST UPLOAD COMPLETE ..... 46
FIGURE 26: CERTIFICATE REVOCATION CONFIGURATION ..... 47
FIGURE 27: SIGNING (CA) CERTIFICATE GENERATION FIELDS ..... 48
FIGURE 28: IDENTITY (STATIC) CERTIFICATE GENERATION FIELDS ..... 49
FIGURE 29: CERTIFICATE GENERATED ..... 50
FIGURE 30: CERTIFICATE SAVED ..... 50
FIGURE 31: PROTOCOL SETUP, HTTP TAB ..... 51
FIGURE 32: PROTOCOL SETUP, FTP TAB ..... 52
FIGURE 33: LOGGING SETUP SCREEN ..... 53
FIGURE 34: NOTIFICATION SCREEN ..... 55
FIGURE 35: BRIDGE MODE HA NETWORK ..... 57
FIGURE 36: BRIDGE MODE HA SCREEN ..... 58
FIGURE 37: ROUTER MODE HA SCREEN ..... 60
FIGURE 38: GO TO STANDBY MODE BUTTON ..... 60
FIGURE 39: SNMP GENERAL CONFIGURATION ..... 62
FIGURE 40: SNMP COMMUNITIES SCREEN ..... 63
FIGURE 41: SNMP TRAP SINKS SCREEN ..... 64
FIGURE 42: MANAGE LICENSES SCREEN ..... 65
FIGURE 43: BACKUP/RESTORE CONFIGURATION ..... 68

FIGURE 44: EVENT REPORTING ..... 69
FIGURE 45: ENABLING SUBSONIC ..... 69
FIGURE 46: SUBSONIC STATISTICS ..... 70
FIGURE 47: MIM (MULTIPLE INSTANCE MANAGEMENT) PORTAL ..... 71
FIGURE 48: ADD NEW MIM INSTANCE ..... 71
FIGURE 49: ENABLING THE MIM PORTAL ..... 72
FIGURE 50: MIM PORTAL SELECTION LIST ..... 72
FIGURE 51: MIM INSTANCE WITH DESCRIPTION AND LINK ..... 72
FIGURE 52: SYSTEM UPDATE SCREEN ..... 74
FIGURE 53: VERSION NUMBER ..... 74
FIGURE 54: SYSTEM SHUTDOWN SCREEN ..... 75
FIGURE 55: ANTI-VIRUS POLICIES ..... 77
FIGURE 56: ANTI-VIRUS POLICIES (ADDITION SUCCESSFUL) ..... 78
FIGURE 57: URL WHITELIST FOR ANTI-VIRUS POLICIES ..... 79
FIGURE 58: ANTI-SPAM GLOBAL SETTING ON MESSAGE ..... 80
FIGURE 59: ANTI-SPAM POLICIES ..... 81
FIGURE 60: ANTI-SPAM POLICIES (ADDITION SUCCESSFUL) ..... 82
FIGURE 61: ANTI-VIRUS SETUP SCREENS, KASPERSKY ON LEFT, BITDEFENDER ON RIGHT ..... 84
FIGURE 62: ANTI-SPAM SETUP CONFIGURATION ..... 85
FIGURE 63: ANTI-SPAM SETUP ADVANCED SETTINGS ..... 87
FIGURE 64: ANTI-SPAM SETUP WHITELIST EDITING ..... 88
FIGURE 65: ANTI-SPAM SETUP HEADERS ..... 90
FIGURE 66: FILE SIZE LIMITS CONFIGURATION SCREEN ..... 92
FIGURE 67: GLOBAL EXCLUSIONS ..... 93
FIGURE 68: TEMPLATE EDITING FOR REPLACED E-MAIL ..... 94
FIGURE 69: TEMPLATE FOR HTTP RESPONSE REPLACEMENT ..... 95
FIGURE 70: SHARED TEMPLATE MESSAGES ..... 96
FIGURE 71: URL POLICIES ..... 98
FIGURE 72: SAFE SEARCH ..... 99
FIGURE 73: URL POLICIES EXPANDED PANELS ..... 100
FIGURE 74: URL POLICIES ACTION DECISION ..... 100
FIGURE 75: URL UPLOAD POPUP DIALOG ..... 101
FIGURE 76: UPLOADED URL LIST FILE ..... 101
FIGURE 77: DLP POLICIES ..... 102
FIGURE 78: KEYWORD CATEGORIES PANEL ..... 103
FIGURE 79: TEXT EXTRACTION MODULE STATUS ..... 103
FIGURE 80: URL WHITELIST FOR KEYWORD POLICIES ..... 106
FIGURE 81: WEBFILTER POLICIES ..... 108
FIGURE 82: ANTI-PHISHING PANEL ..... 109
FIGURE 83: MCAFEE SMARTFILTER PANEL ..... 110
FIGURE 84: CHECKING URL CATEGORY MATCHES ..... 110
FIGURE 85: URL WHITELIST FOR WEBFILTER ..... 111
FIGURE 86: TIME-BASED TRAFFIC BLOCKING SETUP SCREEN ..... 112
FIGURE 87: APPLICATION CONTROL ..... 114
FIGURE 88: SERVER SECURITY ..... 114

FIGURE 89: LOGS SCREEN ..... 115
FIGURE 90: STATISTICS SCREEN ..... 116
FIGURE 91: SERVICED CLIENTS QUERY SCREEN ..... 117
FIGURE 92: SERVICED CLIENTS RESULTS SCREEN ..... 118
FIGURE 93: POLICY DETAILS QUERY SCREEN ..... 119
FIGURE 94: POLICY DETAILS RESULTS SCREEN ..... 119
FIGURE 95: ADMINISTRATORS REPORT SCREEN ..... 120
FIGURE 96: GRAPHS SCREEN ..... 121
FIGURE 97: GRAPH WITH Y-AXIS RANGE INCREASED ..... 121
FIGURE 98: EVENT LIST FIELDS ..... 124
FIGURE 99: EVENT LIST FILTER ..... 125
FIGURE 100: EVENT LIST ..... 125
FIGURE 101: EVENT SUMMARY ..... 126
FIGURE 102: EVENT SUMMARY RESULTS (TOP DETAIL INFORMATION) ..... 127
FIGURE 103: CONFIGURATION CHECK ..... 128
FIGURE 104: HEALTH MONITOR ..... 129
FIGURE 105: SYSTEM OFFLINE ..... 130
FIGURE 106: PROBLEM REPORT ..... 131
F IGURE 107: TRAFFIC CA PTU RE ...........................................................................................................132
F IGURE 108: S UBMITT ING A P ROBLEM REP ORT .........................................................................................132
F IGURE 109: PIN G TOOL ...................................................................................................................134
F IGURE 110: S ELECTIVE S U BS ON IC IN A CTION ..........................................................................................144
F IGURE 111: F IBER S U PP ORT CHECKBOX .................................................................................................145
F IGURE 112: RAID S TATUS ON S TATUS PAGE ...........................................................................................161
F IGURE 113: WECA N-MIB M ODU LE TREE .............................................................................................164
TABLE 3-1: TRANSPA RENCY BEHAVIOUR .................................................................................................. 32
TABLE 4-1: WCCP M OD ES DEFAULT S ETTI NGS .........................................................................................150
TABLE 4-2: WCCP EXAM PLE M ODE AND M ETHOD CONFIGU RATIONS FOR NETW ORK DEVICES ..................................151
TABLE 4-3: WCCP CLI COMMANDS .....................................................................................................154


1 INTRODUCTION
BeSecure is a content inspection and filtering network appliance that offers a complete solution for
protecting network endpoints from spyware, Trojan horses, worms, and viruses. Situated on the edge of
the core network, it also provides a spam detection engine and keyword/URL based content filtering
engine that enables administrators to customize and control the quality and quantity of data originating
at and destined for the endpoints on their network.
BeSecure uses Deep Content Inspection (DCI) to scan reassembled application layer (OSI layer 7) data
objects, rather than just concerning itself with patterns associated with individual or multiple packets. In
this way, the actual content and intent of the data can be determined and action taken on it.

1.1 Platforms
This product comes in various form factors, ranging from desktop devices targeting small to medium sized
businesses with a modest number of users to very large and powerful 2U appliances for telecom providers
servicing thousands of customers. It is also available as a virtual appliance, for companies wishing to
save on hardware costs and power usage.
Information on each of these platforms is available at www.wedgenetworks.com.

1.2 Key Features

Some of the features of the core inspection and filtering services:

• Scanning and inspection of the most commonly used protocols, including SMTP, POP3, IMAP, HTTP, and FTP (and straight TCP optionally using TCP Stream), using policies based on IP address and directory service (such as Active Directory) user and group name
• Scanning of SSL/TLS traffic over SMTP and HTTP ports
• Field-proven anti-virus engine that provides:
  o Rapid response to new viruses with automatic signature updates (up to 1 hour frequency)
  o The most extensive virus database, including viruses for mobile devices
  o Support for most common file types and media formats
• Field-proven anti-spam mechanism that provides:
  o Intelligent detection with very high accuracy
  o Signature database updated by a global, collaborative spam network
• Control of network access: no web surfing, no email, no online games, etc., for time of day and day of week or day of month.
• Web page blocking by URL and keyword, for time of day and day of week or day of month.
• Works with both wired and wireless (WLAN and cellular) networks.
• An XML based interface for supporting differentiated IP data services. This interface has been used to build value added data services that can be self managed by the subscribers.
• Easy to use browser-based management console.
• Comprehensive command line interface (CLI)
• Robust, high performance.

1.3 Main Concepts

1.3.1 Services
These are the scanning operations that BeSecure can perform on data traffic, such as web and e-mail anti-virus, URL blocking, etc. There are two types of BeSecure services:
Protection services include Anti-Virus and Anti-Spam.
Content Control services include URL Policies, Keyword Policies, WebFilter (Anti-Phishing and SmartFilter
categories), and Traffic Blocking.
Each service is able to scan a specific set of supported protocols. These protocols are available for
selection via the policy creation interface for each service.

1.3.2 Policies
A policy is an application of a service to traffic destined for or originating from an entity or group of
network entities. These entities are normally identified by source (and optionally, destination) IP
addresses. These IP addresses can be either individual IP addresses or network addresses. Any
network address specified in a policy must be in CIDR (Classless Inter-Domain Routing) format.
To assist in calculating the network mask in CIDR format, use a subnet calculator such as
http://www.subnet-calculator.com/cidr.php.

If a deployment includes a directory server such as Microsoft Active Directory (AD) Server, a policy source
can include a user or group name. Appendix E: Active Directory Integration and Appendix F: LDAP
Server Integration contain the necessary information on integrating BeSecure into a network using
directory servers, with the configuration process using the management console. See the policy
configuration documentation for details on entering policies for the various services using a username or
group.
Each policy includes a specification of the protocols that will be scanned by the service. The OSI Layer 7
protocols (SMTP, POP3, IMAP, HTTP, and FTP) are scanned using deep content inspection (DCI). TCP
(when the license includes the TCP Stream module), as OSI Layer 4, is scanned using a multi-packet
stream-based method.

1.3.3 Exclusions
An exclusion, or exclusion policy, is a type of policy that indicates that a particular service should never be
applied to the specified IP address or IP address pair. This overrides any regular policies that may be
specified. The format of an exclusion IP address is the same as that of a regular policy. See the previous
section.
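The policy and exclusion matching described in Sections 1.3.2 and 1.3.3, as an added example that is not part of this manual and not BeSecure's own code: a small Python model that validates policy addresses as CIDR, matches a flow (service, source, destination, protocol) against a policy list, and lets an exclusion override any regular policy. The policy entries, client addresses and server addresses below are constructed for illustration (IPv4 only).

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# OSI layer 7 protocols the manual lists as DCI-scannable. TCP Stream is
# licence-dependent, so it is not in the default set.
DEFAULT_PROTOCOLS = frozenset({"SMTP", "POP3", "IMAP", "HTTP", "FTP"})


def parse_policy_address(text: str) -> ipaddress.IPv4Network:
    """Parse a policy address: a single IPv4 address or an IPv4 network in CIDR form.

    A single address is treated as a /32 host. A prefix with host bits set
    (e.g. 192.168.0.1/24) and dotted-mask notation (192.168.0.0/255.255.255.0)
    are rejected: the manual requires CIDR, and silently masking the entry
    would protect a different range than the administrator typed.
    """
    text = text.strip()
    if "/" not in text:
        return ipaddress.IPv4Network(f"{text}/32")
    prefix = text.rsplit("/", 1)[1]
    if not prefix.isdigit():
        raise ValueError(f"{text!r}: prefix length must be a CIDR number, not a dotted mask")
    return ipaddress.IPv4Network(text, strict=True)  # ValueError if host bits are set


class Policy:
    """One service policy (or exclusion) keyed on source, optional destination and protocols."""

    def __init__(self, service: str, source: str, destination: Optional[str] = None,
                 protocols: Iterable[str] = DEFAULT_PROTOCOLS, exclusion: bool = False):
        self.service = service
        self.source = parse_policy_address(source)      # 0.0.0.0/0 = "Entire Data Network"
        self.destination = parse_policy_address(destination) if destination else None
        self.protocols = frozenset(p.upper() for p in protocols)
        self.exclusion = exclusion                       # True: never apply this service

    def matches(self, service: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, protocol: str) -> bool:
        if self.service != service or protocol.upper() not in self.protocols:
            return False
        if src not in self.source:
            return False
        return self.destination is None or dst in self.destination


def decide(policies: Iterable[Policy], service: str, src_ip: str, dst_ip: str,
           protocol: str) -> Tuple[str, Optional[Policy]]:
    """Return ("scan", policy), ("skip", exclusion) or ("skip", None) for one flow.

    Exclusions win over regular policies regardless of list order or of how
    specific the regular policy is, which is the behaviour Section 1.3.3 describes.
    """
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    matched = [p for p in policies if p.matches(service, src, dst, protocol)]
    exclusions = [p for p in matched if p.exclusion]
    if exclusions:
        return "skip", exclusions[0]
    regular = [p for p in matched if not p.exclusion]
    if regular:
        return "scan", regular[0]
    return "skip", None


# Constructed sample configuration (hypothetical, not from the manual):
# anti-virus for the entire data network on all DCI protocols, anti-spam on the
# mail protocols only, and an anti-virus exclusion for one test client, as the
# validation steps in Section 2.7.2 suggest for the machine that sends the EICAR file.
SAMPLE_POLICIES = [
    Policy("anti-virus", "0.0.0.0/0"),
    Policy("anti-spam", "192.168.0.0/24", protocols={"SMTP", "POP3", "IMAP"}),
    Policy("anti-virus", "192.168.0.50", exclusion=True),
]

if __name__ == "__main__":
    for svc, src, dst, proto in [
        ("anti-virus", "192.168.0.51", "203.0.113.10", "HTTP"),   # scan
        ("anti-virus", "192.168.0.50", "203.0.113.10", "HTTP"),   # skip (exclusion)
        ("anti-spam", "192.168.0.51", "203.0.113.25", "SMTP"),    # scan
        ("anti-spam", "192.168.0.51", "203.0.113.10", "HTTP"),    # skip (no policy)
    ]:
        action, pol = decide(SAMPLE_POLICIES, svc, src, dst, proto)
        print(f"{svc:10} {src:>14} -> {dst:<14} {proto:5} {action}")
```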

1.3.4 Deep Content Inspection (DCI)

DCI, the evolution of deep packet inspection (DPI), reassembles the data found in multiple traffic packets
and is able to view the data as complete application layer (OSI layer 7) objects. Requested websites can
be classified by category, the response content can be scanned for viruses or keywords and blocked or
logged; email messages can be scanned for spam or viruses and blocked or flagged in the subject header.
Each policy allows a selection of which protocols to scan using the specific service type. Most of the
supported protocols (SMTP, POP3, IMAP, HTTP, and FTP) are application layer protocols, and DCI is used
in the scanning of these. Stream-based scanning is available for any currently unsupported application
layer TCP-based protocol.
The stream-based scanning of TCP (TCP Stream) inspects the headers and data protocol structures of
packet data streams, and looks for known patterns. This is not as thorough as the DCI for an application
layer protocol, but still provides more than a limited DPI approach.
When licensed, each of these protocols, when supported by the service, is available for selection on the
various service policy editing pages.

1.4 Network Modes

BeSecure supports two network operational modes: Bridge mode and Router mode.

FIGURE 1: BESECURE IN BRIDGE MODE (diagram: Internet, Gateway, BeSecure, Switch, Computer)

1.4.1 Bridge Mode

In bridge mode, BeSecure is connected in line with the data traffic, as shown in Figure 1. BeSecure
forwards all packets except those needing to be scanned. The forwarded traffic will keep the original MAC
address. Tools such as traceroute cannot detect the existence of the BeSecure appliance. For scanned
data traffic, BeSecure looks like a transparent proxy to the client (source). Several additional levels of
transparency, including IP address and MAC address transparency for source and destination, are
available and configurable via the System > Network page of the management console. See Section 3.1.3
for more details. Bridge mode is easy to set up and can be used to protect an entire network.

1.4.2 Router Mode

If you need to provide selected BeSecure services without putting it in-line with the data traffic, or you
require the INGRESS (protected network) and the EGRESS (external network) interfaces on different
networks, then you can configure BeSecure to use router mode with either one or two interfaces enabled.

The client machines that require protection should be configured to have their gateway address to be that
of the BeSecure appliance. In this mode, the pass-through traffic keeps the original IP address. However,
traceroute will show the existence of the BeSecure host. For scanned data traffic, BeSecure behaves
like a transparent proxy to the client (source). Several additional levels of transparency, including IP
address and MAC address transparency for source and destination, are available and configurable via the
System > Network page of the management console. See Section 3.1.3 for more details. Figure 2 shows
the topology of router mode.

FIGURE 2: BESECURE IN ROUTER MODE (diagram: Internet, Gateway, Switch, Computer, and BeSecure with interfaces 1 and 2)

By default, BeSecure supports one interface in router mode (1 in the diagram). A second interface (2) can
be enabled using the System > Network page of the web management console or the command line
interface, if the deployment warrants it.


1.5 Comments and Technical Support

If you have any comments or technical issues with any Wedge Networks products or services please send
an email to support@wedgenetworks.com.
When requesting technical support, please provide the following information:
• Name
• Phone number
• Product model
• Company
• Product name
• Description of issue
• Email
• Product version

1.6 About This User Manual


Monospace font marks command line text, or text to be typed as is. Bold is used for emphasis, e.g.
labels of on-screen components.

Sections such as this will mention issues or features that an administrator should be
aware of.

Sections such as this MUST be strictly adhered to, or serious problems may result.

Information or examples of usage.


2 QUICK START
This section describes how to rapidly deploy BeSecure to protect an entire network using bridge mode.

2.1 Default Settings

The default settings of a new BeSecure appliance are as follows:
• Bridge mode
• Bridge IP address: 192.168.0.88
• Administrator account: Name=admin, Password=admin
• No policies in place for services

2.2 System Configuration


The system is configured via the integrated web management console. The console was designed for
modern web browsers, such as Microsoft Internet Explorer 8+, Mozilla Firefox 3.5+, Safari 4+ and
Chrome 11+.
JavaScript must be enabled. Microsoft Internet Explorer 8+, Mozilla Firefox 3.5+, Safari
4+ and Chrome 11+ are supported.

FIGURE 3: WEB MANAGEMENT CONSOLE LOGIN SCREEN


To access the management console:

1. Ensure the BeSecure appliance is powered on.
2. Connect a machine with an IP address on the 192.168.0.0/24 network to the INGRESS port of BeSecure, either with a cross-over cable (for direct connection) or a regular Ethernet cable through a switch. Avoid the address 192.168.0.88 since this is the default initial IP address of the BeSecure appliance.
3. Using the web browser on the client machine, navigate to https://192.168.0.88 to display the login screen shown in Figure 3.
4. To log in, for the Name field, type admin and for the Password field, type admin. This is the default, and the password can be changed. Additional administrators with different access privileges can also be added.

It is strongly recommended that for security reasons you change the system's default password.

Once logged in, the BeSecure main screen will be displayed, as shown in Figure 4. The Port status display
indicates that the INGRESS port is configured, and is connected, and that the EGRESS port is configured,
but is disconnected. The Status screen also shows various graphs and icons displaying the current system
status.

FIGURE 4: WEB MANAGEMENT CONSOLE MAIN SCREEN


2.3 Assigning a Device Address

The default device IP address is 192.168.0.88. Use the following steps to assign the proper device IP
address:
1. Access the management console as in Section 2.1.
2. Select Network from the System menu as shown in Figure 5.
3. In the Device Configuration panel, fill in the following fields appropriately:
  o IP Address and Subnet Mask: the bridge (INGRESS/EGRESS) IP address, an address that is on the network that contains the clients to be protected
  o Default Gateway: the protected network's gateway to the outside world
  o Primary DNS: the domain name server
  o Secondary DNS: optional second domain name server
4. Click the Save button.

FIGURE 5: NETWORK SETUP SCREEN QUICK START

2.4 Connecting the Device in Bridge Mode


The easiest way to set up BeSecure is to deploy it in bridge mode (the default), with the control port
disabled, and the management console accessible using the INGRESS/EGRESS (bridge) IP address and
interface. With this deployment architecture, the INGRESS port is connected to the protected network
and the EGRESS port is connected to the firewall/gateway. The Platform Guide for each device platform
shows the front connectors for that particular platform.
All that remains is to connect the EGRESS port to the firewall/gateway. Once this is done, the Port status
display (on either the Status screen or the Network screen) will reflect the change by displaying a green
icon. Hold the cursor over the icon to show a Connected status.


FIGURE 6: PORT STATUS DISPLAY

2.5 Changing the Default Administrator Password

For security reasons, you should change the default administrator password as soon as possible, as
follows:
1. Access the management console as in Section 2.1, using the IP address configured in Section 2.3.
2. Select Administrators from the System menu to display the screen shown in Figure 7.

FIGURE 7: ADMINISTRATORS SCREEN

3. Press the (edit) button for the "admin" user in the table. The information for that user appears in the upper part of the screen.
4. Edit the Password and Confirm Password fields.
5. Click the Update button.

2.6 Anti-Virus and Anti-Spam for the Entire Network


In most cases, you will want to protect your whole network against virus and malware attacks. This can be
accomplished by simply setting up policies that provide anti-virus and anti-spam protection for all
possible IP addresses. We will do this in this section.


Add an anti-virus policy for the entire network:

1. Access the management console as in Section 2.1, using the new IP address configured in Section 2.3.
2. Select Anti-Virus Policies from the Protection menu, to display the screen shown in Figure 8.
3. Select the Entire Data Network checkbox to the right of the Source IP Address field. The Source field will be populated with 0.0.0.0/0.
4. Click the Add button.
FIGURE 8: ANTI-VIRUS POLICIES SCREEN

The screen will indicate the successful registration of the policy as shown in Figure 9. The new policy will
show up in the list of existing policies at the bottom of the screen.
The policy can take up to 30 seconds to take effect on scanned traffic after the Add
button is clicked.

FIGURE 9: ANTI-VIRUS POLICIES SCREEN (ADDITION SUCCESSFUL)

Add an anti-spam policy for the entire network:

1. Select Anti-Spam Policies from the Protection menu, to display the screen shown in Figure 10.
2. Select the Entire Data Network checkbox to the right of the Source IP Address field.
3. Click the Add button.

The screen will indicate the successful registration of the policy as shown in Figure 11. The new policy will
show up in the list of existing policies at the bottom of the screen.
The policy will take up to 30 seconds to take effect on scanned traffic after the Add
button is clicked.


FIGURE 10: ANTI-SPAM POLICIES SCREEN

FIGURE 11: ANTI-SPAM POLICIES SCREEN (ADDITION SUCCESSFUL)


2.7 Validating the Installation

After the quick setup steps, your network is now protected against virus and malware attacks for the
following application layer protocols: SMTP, POP3, IMAP, HTTP, and FTP.
The following describes how you can verify that the protection policies are enabled for each protocol.

2.7.1 Web Applications (HTTP)

To validate that your network is protected against malicious web pages and downloadable files:
1. Open a web browser on a protected client. This can be any computer or device connected to the same network as the INGRESS port on BeSecure.
2. Visit http://www.eicar.org/download/eicar.com.txt.

This will attempt to download a harmless, standard test virus text file. You will get a message in your
browser informing you that BeSecure has detected and blocked a virus (the EICAR-Test-File).

2.7.2 Send Email (SMTP)

To validate that your network can prevent any protected clients from sending out virus-infected emails
using the SMTP protocol:
1. Open up an email client such as Microsoft Outlook or Mozilla Thunderbird on a client that is protected by BeSecure. This can be any computer or device connected to the same network as the INGRESS port on BeSecure.
2. Compose an email with a body containing the content of the test virus file from http://www.eicar.org/download/eicar.com.txt.
   In order to accomplish this, you may need to temporarily disable your existing BeSecure policies for the testing client (or add an exclusion policy on the Anti-Virus Policies page) and any native anti-virus software on your testing client.
3. Send the email.

You will get a server error message that contains the statement:
Message contains the following virus: EICAR-Test-File

2.7.3 Retrieve Email (POP3)

To validate that your network is protected against receiving malicious emails via the POP3 protocol:
1. From an unprotected client (or disable AV policies and AV software as described in the previous section for your testing client), compose an email with the test virus signature retrieved in Section 2.7.2 in the body of the message.
2. Send the email to any account.
3. From a protected client, retrieve the email.

You will receive an email telling you that the original email body contained the EICAR-Test-File virus,
and it was deleted.

2.8 System Start Up / Shutdown / Restart

The BeSecure system is available within seconds at system power up.
To shut down the system, the Shut Down link under the System menu must be used. The content of this
screen is shown in Figure 12.

FIGURE 12: SYSTEM SHUTDOWN SCREEN

On Shutdown, the system will power itself down. On Restart, the system will restart, and the
management console will return to the Login screen when it is available. Restart Services will perform a
soft restart of the scanning engines only.


3 MANAGEMENT CONSOLE
The BeSecure appliance is configured using an integrated web browser-based management console. With
this management console, you can:
• Check the status of the appliance
• Configure system parameters
• Monitor scanners and modules
• Manage client policies

This section is an overview of the different console functions available to configure BeSecure. A more in-depth discussion of the advanced setup of BeSecure will be covered in Section 4: Advanced Topics.
The console is supported on Microsoft Internet Explorer 8+, Mozilla Firefox 3.5+, Safari 4+ and Chrome
11+.
JavaScript must be enabled for the management console to function. Microsoft Internet
Explorer 8+, Mozilla Firefox 3.5+, Safari 4+ and Chrome 11+ are supported.
The management console can always be accessed using a web browser by any machine on the same
network, using the bridge IP address (in bridge mode) or the INGRESS IP address (in router mode). If the
control port (AUX) is enabled, access to the console is restricted to clients on the same network as the
configured control port (see Section 3.1.3). With default settings, the bridge IP address is:
https://192.168.0.88
This allows access to the management console via the INGRESS and EGRESS ports, the two bridged
network interfaces. Of course, if the system has already been configured for use with a new IP address
(as the procedure in Section 2.3 instructs) replace the IP address above with the configured one.
To access the management console (default settings assumed, replace IP addresses with the configured
ones if necessary):
1. Ensure the device is powered on.
2. Connect a machine with an IP address on the configured INGRESS/EGRESS (bridge) network to the INGRESS/EGRESS port, either with a cross-over cable (for direct connection) or a regular Ethernet cable through a switch.
3. Using the web browser on the client machine, navigate to https://192.168.0.88 to display the login screen shown in Figure 3.
By default, log in using admin for the Name field and admin for the Password field. The password for this default account can be changed. Additional administrators with different access privileges can also be added.


FIGURE 13: MANAGEMENT CONSOLE LOGIN SCREEN

The top of the management console always displays several items:
• Platform: the platform type
• Language Selector: the selected ISO 639-1 language code for console display
• Contact Info: a hyperlink to Wedge Networks contact information
• User Manual: a hyperlink to this document in PDF format
• About: Displays information about the running system, including firmware revision
• Current Time and Time Zone: the current time and offset from UTC (Coordinated Universal Time)

3.1 System
3.1.1 Status
After login, the first screen displayed is the Status screen. It can always be found by selecting Status
under the System menu. It is shown in Figure 14. It includes the following elements.


Port Status
The port status at the top of the Status screen displays the current status of the various ports on the front
panel. These will vary according to the specific platform, but the status images mean the same in all
cases.
Along the top is the front panel label for a particular port. The second row displays one of the following
status images.

FIGURE 14: SYSTEM STATUS SCREEN

• Connected: Configured and a cable is connected.
• Disconnected: Configured, but no cable is connected.
• Warning: Configured and a cable is connected but there is a potential problem such as:
  o Reduced throughput (10 Mb/s when the interface should be 100 Mb/s or greater)
  o Half duplex instead of full duplex
  o A cable is connected but the port is unused
  Hold the cursor over the icon in the web browser to get more information (see Figure 15).
• Unused: The interface is unused.

FIGURE 15: CURSOR TRIGGERED STATUS MESSAGE

Beneath the Port images is the Function row. This row displays the current function of the port listed
above it. This may be, but is not necessarily, the same as the front panel label, which sits above the port
status images. This is because the INGRESS and EGRESS ports can change (due to LAN bypass feature and
HA mode, as well as enabling the FIBER ports) on the NDP-1005D/G, 1020, 1038, and 2040 platforms.
Watch this row as well when making changes to network settings and enabling/disabling high availability
modes.
Below the Function row is the Updates Via row. A green checkmark indicates which of the ports can be
used for system firmware updates, as well as virus, spam, and WebFilter signature updates. See Section
3.1.3 for more details on the behaviour of this indicator.

Protocol Scanners
The protocol scanners are the engines used to scan each individual protocol. These include the mail
protocols SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol v3), and IMAP (Internet Mail
Access Protocol), the web protocol HTTP (Hypertext Transfer Protocol), the file protocol FTP (File Transfer
Protocol), and ICAP (Internet Content Adaptation Protocol). Icons display the status of each of these.
ONLINE: Component is operating normally.
OFFLINE: Component is not running.


WARNING: Possible issue. More information may be available by holding the cursor over
the icon as in Figure 15.
DISABLED: The component is disabled, due to current configuration.

Module Status
In Figure 14, we see the licensable modules that are installed on the device and providing services for the
protocol scanners. These typically include the Anti-Virus and Anti-Spam scanning engines. Other modules,
such as WebFilter (Anti-Phishing and SmartFilter) and DLP Text Extraction are also available, depending on
the installed license. The status of each of these modules is indicated by the same icons as the protocol
scanners, as previously discussed.

3.1.2 Administrators

Select Administrators under the System menu. The screen shown in Figure 16 allows the creation,
modification, and removal of administrator accounts. These accounts, provided that the access rights are
set to readwrite, can also be used to access the command line interface (see Section 4.1).
To create an administrator account:
1. Enter the User ID. No spaces are allowed.
2. Type in a Password.

FIGURE 16: ADMINISTRATOR SETUP SCREEN

3. Assign the proper Access Rights to this administrator. The Access Rights field can contain one of two values:
  o readwrite: Full access to view and change settings, including CLI access.
  o readonly: View the current settings and status of BeSecure, with no ability to change settings.
4. Click the Add button.

No spaces are allowed in the user name of an administrator account.

It is not possible to delete the admin administrator. Therefore, it is highly recommended
that the password for this account be changed upon deployment.

To modify an existing administrator account:
1. Click the (edit) link next to the listing of the administrator account you wish to modify in the table on the lower part of the screen. The information for that user appears in the upper part of the screen.
2. Edit the appropriate fields.
3. Click the Update button.

To remove an administrator account:
1. Click the (delete) link next to the listing of the administrator account you wish to delete.

3.1.3 Network
Select Network under the System menu to configure the network settings. The interface port status is
displayed here (as shown in Figure 17), as on the System > Status page.

Device Configuration
This section includes IP address settings for BeSecure, as well as the desired network Mode. It needs to
be determined whether BeSecure will be configured in bridge mode or router mode (See Section 1.4 for
network architecture diagrams).
Port Status
At the top of the screen is the Port Status panel. It behaves the same as the one on the Status screen, as
discussed in Section 3.1.1.
The Updates Via checkmark indicator is displayed under interfaces that, considering the current network
configuration, are able to be used to receive system firmware updates and signature updates for the anti-spam, anti-virus, and WebFilter scanning modules. The indicator takes into account the IP Address and
Subnet Mask of both the Device Configuration and the Control Network (if enabled), as well as whether
auto-route is enabled. For updates to work, at least one interface with the green checkmark indicator
must have network access to the update servers. This usually means Internet access, as the update
servers normally used are hosted by Wedge Networks and its anti-spam, anti-virus, and WebFilter
partners.


FIGURE 17: NETWORK SETUP SCREEN

Bridge Mode
This mode is used for the inline protection of traffic on the same subnet, as has been already shown in
Figure 1.
By default, BeSecure is configured to operate in this mode. INGRESS and EGRESS are the bridge interfaces
through which all scanned traffic passes. In this mode, the management console is accessed via the
bridge interfaces. If you want to ensure that BeSecure can only be controlled by a machine from a trusted
subnet, you can configure the AUX or AUX1 (depending on platform) as the control port (discussed
below). To configure bridge mode:
1. Under Device Configuration, select bridge as the Mode. See Figure 17.
2. Enter values for the IP Address, Subnet Mask, and Default Gateway.
3. Under DNS Settings, enter values for Primary DNS, and optionally, the Secondary DNS and DNS Suffix.
4. Click the Save button.
5. Connect the INGRESS port to the protected network and the EGRESS port to the unprotected network, in line with the data traffic.


Router Mode
This mode allows handling of traffic for multiple subnets in an out-of-line configuration, or as a router
between two different networks.
If you need to provide selective services without putting the device in line with the data traffic, then
router mode with a single enabled interface should be used. In this mode, only the INGRESS port needs to
be configured, and EGRESS is disabled. INGRESS is used for both the data traffic and management console
access.
To enable the EGRESS port for a different network, select the Enable router mode egress port checkbox
and assign the interface an IP address and network mask.
If you want to ensure that the device can only be configured by a client from a trusted subnet, you can
configure AUX or AUX1 (depending on platform) as the control port (discussed below).
To configure router mode:
1. Under Device Configuration, select router as the Mode. See Figure 17.
2. Enter values for the IP Address, Subnet Mask, and Default Gateway.
3. If required, enable the egress port by selecting Enable router mode egress port and supplying values for the IP Address and Subnet Mask fields. This address needs to be different from the ingress address and the control interface address (if enabled).
4. Under DNS Settings, enter values for Primary DNS, and optionally, the Secondary DNS and DNS Suffix.
5. Click the Save button.
6. Connect the INGRESS port as you would a regular machine on the protected network.
7. Add any required routing rules to any clients that wish to use BeSecure to scan their traffic, setting BeSecure as the gateway.
   Only BeSecure uses the original network gateway as its gateway. This configuration can be done either by manually configuring each client machine, or indirectly through the DHCP server.


IP Address Transparency
By default, the device operates in a non-transparent proxy mode, and it will use its own IP address,
configured using the Network page, when making requests and receiving responses on behalf of any
protected clients to any server on an external network. See Table 3-1 for more details.
                          Source (Client) Sees          Destination (Server) Sees
IP Address   MAC/VLAN     MAC           IP              MAC           IP
OFF          OFF          BeSecure      Destination     BeSecure      BeSecure
ON           OFF          BeSecure      Destination     BeSecure      Source
ON           ON           Destination   Destination     Source        Source

TABLE 3-1: TRANSPARENCY BEHAVIOUR

BeSecure is also able to operate in transparent mode. This will cause it to use the client's IP address
when connecting to the server.

To enable transparent mode:
1. Under Device Configuration, select the Enable IP address transparency checkbox.
2. Click the Save button.

Transparency is useful to allow installation into a network without reworking firewall policies or
interfering with downstream policies and accounting. Ordinarily, if protecting an office LAN, firewall rules
will be needed to allow BeSecure traffic to leave the LAN. By enabling IP address transparency, rules do
not need to be added to the firewall to allow BeSecure traffic to leave on the scanned ports. However,
rules may still need to be added to allow device access to virus and spam signature updates, as well as
system updates.
Downstream policies and accounting are not possible when BeSecure is deployed without enabling IP
address transparency because all client connections would be logged with BeSecure's IP address. By
enabling transparency, the client IP addresses are preserved and downstream policies and accounting can
be performed.
Another situation where transparency is useful is when BeSecure is protecting a web server or mail
server. Without transparency enabled, the Internet server will see all connections as originating from
BeSecure. The web server logs will only contain BeSecure's IP address, and mail server IP based relaying
policies are not possible. By enabling IP address transparency, BeSecure can be deployed in front of
internet facing servers without affecting the server's logging and IP address based policies.
Despite the advantages of transparent mode, whether it is appropriate depends on the specific deployment,
and so by default it is disabled.


MAC/VLAN Transparency
MAC/VLAN transparency allows this device to be transparent at the MAC / Data Link Layer (OSI Layer 2).
When this option is disabled, as it is by default, this device will use its own MAC address when
communicating with clients and servers on the network, and no VLAN information will be preserved
between the client and server. See Table 3-1 for more details.

MAC/VLAN transparency is not available in router mode.

To enable MAC/VLAN transparency:
1. Under Device Configuration, select the Enable MAC/VLAN Transparency checkbox.
2. Click the Save button.

Enabling the MAC/VLAN transparency option allows this device to use the client MAC address and VLAN
tags when connecting to the server. Conversely, this device will use the server MAC address and VLAN
tags when connecting back to the client.
MAC/VLAN transparency allows administrators to deploy into an environment where switch or gateway
MAC address filtering policies are used for access control. Without this option, the scanning operations
will modify the MAC addresses presented to switches or gateways, and the MAC address based policies
cannot be enforced.
MAC/VLAN transparency also allows participation in VLAN (IEEE 802.1Q) networks. 802.1Q tags will be
preserved when requests are made to the server on behalf of the client, and to the client on behalf of the
server.
Currently, "Q in Q" or nested VLANs are not supported.
To allow scanning of VLAN traffic that may be outside of the IP range the system has been configured
for, see the next section, Auto-Route.
Auto-Route
In the event that scanned traffic is destined for an IP address that resides in a network address range that
is unknown to this device, as would be the case when multiple VLANs reside behind a switch attached to
the INGRESS port, special routing rules would ordinarily be required to ensure that the response traffic is
directed to its appropriate IP address endpoint. See Figure 18.
In this case, auto-route, otherwise known as stealth routing, can be used. This enables complete Layer 2
route transparency, allowing the scan and proper routing of traffic that is destined for a network not
directly known to this device.


With auto-route enabled, it is possible to use the Control Network as the Updates Via
path by setting the Default Gateway to a value in the Control Network.

Auto-Route is not available in router mode.

To enable auto-route:
1. Under Device Configuration, select the Enable Auto-Route checkbox.
2. Click the Save button.

In this case, it is important to remember that any configured static routes will NOT be
effective, as the destination routing information (determined for the traffic prior to it
encountering BeSecure) will be used.

[Figure 18 diagram labels: Switch, VLAN1, VLAN2, VLAN3, Computer, BeSecure, Gateway, Internet]

FIGURE 18: MULTIPLE VLANS

Explicit Proxy
It is possible to configure this device to act as an explicit proxy for HTTP clients, such as web browsers. It
must be running in router mode, and each browser must be configured with this device's IP address as its
HTTP proxy. To enable this mode:
1. Configure this device on the network in router mode.
2. Under Device Configuration, select the Enable explicit proxy mode check box.
3. Click the Save button.

Control Network
By default, INGRESS and EGRESS provide authenticated clients access to the device management
functions in bridge mode, and INGRESS in router mode.

FIGURE 19: MORE NETWORK SETTINGS

Optionally, AUX or AUX1 (depending on platform) can be configured as the control port. Access to the
management console is then restricted to clients connected to the network that the control port interface
is on. Ideally, to take full advantage of the security that this configuration provides, this network should
not be visible to clients residing on the INGRESS or EGRESS networks. This can be done in two ways:
1. Complete isolation of the AUX network. No traffic to anywhere but amongst management machines would be allowed. This is the most secure option. For maximum security, the control subnet should be a trusted network, not accessible from the internet. Any clients on the control network will not have access to external networks.
2. Specifying an IP address for the AUX/AUX1 interface on a different network, but connecting it to the regular LAN. A less secure option, this would allow any machine with an IP address on the control network access to the management console as well as external networks, but prevent any other clients with IP addresses on different networks from accessing the management functionality.

Enabling the control port disables any ability to configure the device via the INGRESS or EGRESS ports.
ICMP and SSH, previously usable via INGRESS or EGRESS, are now only available via the configured
control subnet.
To configure AUX/AUX1 as the control port:
1. Expand the Control Network panel and select Enable Control Network. The fields below it will be enabled.
2. Specify an IP Address and Subnet Mask for the control network.
3. Click the Save button.


The control port IP address MUST be on a different network/subnet than the BeSecure
bridge/router IP address.

Static Route for Control Ports


When the control port is active, notification and logging traffic, such as e-mail notification and syslog
information can only be sent out using the control port. If a mail or syslog server resides in a different
subnet from the control port (accessible via the control port), the BeSecure default gateway (on the data
ports INGRESS and/or EGRESS) will be used to send the notification/logging traffic. This is a problem
because there is no guarantee that the default gateway has any knowledge of the network on which the
notification/logging target sits.
In this situation, a specific gateway must be configured using a static route to allow a connection to the
specific network address or individual IP address via the control interface. To do this, the command-line
interface (CLI) must be used. For details, see Section 4.1.2.

HTTP Proxy Settings


If external HTTP access is via an HTTP proxy, the proxy is configured here. These proxy settings
will allow the following updates to work through the proxy:
- Anti-Virus signature updates
- Anti-Spam signature updates
- BeSecure system updates

To configure the HTTP proxy settings:
1. Expand the HTTP Proxy Settings panel.
2. Specify the IP Address and Port for the HTTP proxy.
3. Specify the User and Password if required. These fields are optional.
4. Click the Save button.

Port Speed Settings


The settings shown in Figure 19 allow fixing the BeSecure network port speeds to avoid auto-negotiation
of network port speeds and potential failures that may be seen as a result.
For example, if problems occur in auto-negotiation of port speed settings between BeSecure and a switch,
the BeSecure port speed may operate at a different speed than the switch port that it is connected to.
This would result in performance degradation. Setting the port speeds here eliminates this potential
problem.
To configure the port speed settings:
1. Expand the Port Speed Settings panel.
2. For each interface, specify the desired port speed, or use auto to allow auto-negotiation.
3. Click the Save button.

Fiber Support (only on select platforms)


If the platform includes optical fiber ports, these can be configured here. See Section 4.3 for more details.

Link Bonding for Redundancy


In router mode, link redundancy for INGRESS and EGRESS can be achieved using link bonding. This is not
available in bridge mode. See Figure 20.

FIGURE 20: LINK BONDING IN ROUTER MODE

In this example, we see two ports bonded as INGRESS (shown by the FUNCTION row) and two ports
bonded as EGRESS. There is no control port in this example. The active ingress and egress port are
indicated by the blue highlight.
On both the Bond to INGRESS and Bond to EGRESS rows, all selected interfaces will share the ingress or
egress address configured on the page below. The active interface in a bond will be highlighted in blue.
Should the active interface in a bond fail, one of the others will become active. When the original
interface is repaired or has recovered, it will once again become the active interface.
Because of the inherent complexities in interface management when bonding is enabled, if an interface
for either the ingress or egress bond is selected, an interface MUST be selected for the other bond.
If all checkboxes are deselected for all the ingress and egress bonds, bonding will be disabled, and the
ingress and egress will be assigned their original default interfaces.
Single interface router mode is the default setting once router mode is selected, and link bonding is
immediately available for the single (ingress) interface. The availability of bonding for the egress network
depends on whether the router mode egress port has been enabled (see the Router Mode section
above). If the egress port is not enabled using the checkbox, the link bond checkboxes associated with
egress will be disabled and not configurable.


To enable link bonding in single interface router mode:
1. Navigate to the System > Network page.
2. Next to Mode, select router.
3. Click the Save button.
4. When the page returns, select the interfaces that you wish to Bond to INGRESS.
5. Click Save.
6. Adjust your interface cables as appropriate.
To enable link bonding in dual interface router mode (i.e. with the egress port enabled):
1. Navigate to the System > Network page.
2. Next to Mode, select router.
3. Click the Enable router mode egress port checkbox.
4. Assign appropriate values to the IP Address and Subnet Mask of the egress port.
5. Click the Save button.
6. When the page returns, select the interfaces that you wish to Bond to INGRESS.
7. Select the interfaces that you wish to Bond to EGRESS.
8. Click Save.
9. Adjust your interface cables as appropriate.

3.1.4 Settings
The Settings section allows several system-wide tasks to be performed. See Figure 21.

Host
To change the Host Name:
1. Select Settings under the System menu.
2. Enter the new host name into the Host Name field.
3. Click the Save Host Name button.

ICAP Configuration
BeSecure can operate as an ICAP server providing scanning services for encapsulated HTTP traffic. For
more information, see Section 4.9.
To enable support for the Internet Content Adaptation Protocol (ICAP):
1. Select the Enable ICAP Proxy checkbox.
2. Click Save ICAP Configuration.


FIGURE 21: SETTINGS SCREEN

System Time
To set the system date and time:
1. Ensure that Use Network Time Protocol (NTP) Server is unchecked.
2. Enter the date into the first field of System Date and Time (dd/MM/yyyy format). Optionally, the icon can be used to select the date in a calendar popup window.
3. Enter the time of day into the second field of System Date and Time (24-hour hh:mm:ss format). Optionally, the Now link will synchronize the field contents with the current time of the system clock on the client machine being used to access the management console.
4. Select the Time Zone in the drop down box.
5. Click the Save System Time button.

Optionally, the Network Time Protocol (NTP) can be used to track and adjust the date and time. To
enable NTP clock management:
1. Select the Use Network Time Protocol (NTP) Server checkbox.
2. Enter the NTP server location (as URL or IP address) into the field or leave the default value (pool.ntp.org).
   The pool.ntp.org load balances requests using time servers all over the world. You will get more consistent results if you use a regional time server pool. The continental server pools are:
   europe.pool.ntp.org
   north-america.pool.ntp.org
   oceania.pool.ntp.org
   asia.pool.ntp.org
   There are also many country-based time server pools. These use the following naming convention: xx.pool.ntp.org where xx is the 2-character country code. See http://www.pool.ntp.org for details.
3. Select the Time Zone in the drop down box.
4. Click the Save and Sync button. This will set the current time and save the settings.

At any time, the Save and Sync button can be used to validate the operation of the NTP server. Should an
error message be displayed upon clicking, a new NTP server needs to be specified to keep the time
correctly synchronized. See the information above.

Directory Agent
Source and destination endpoints can be defined as usernames or user group names (instead of IP
addresses) for most Protection and Content Control policies, if a Microsoft Active Directory (AD) server or
LDAP Directory server (such as OpenLDAP or Apple Open Directory) is available. The network clients must
be configured as in Section 9 (Appendix E) and Section 10 (Appendix F), and a configured Wedge Directory
Agent (the component used to communicate with the AD/LDAP server) needs to be installed on a network
visible to BeSecure.
This section outlines the options used to configure the access to the configured user and group name / IP
address mappings that exist on the directory server.
To configure use of a directory server for username/user group name policy support:
1. Select Enable Directory Agent.
2. Specify the Agent URL. A host name (known by a configured DNS server) or an IP address is necessary to locate the directory agent.
3. Click Test Settings (No Save) to validate the connection to the server and determine if the configured Agent URL is visible and contains the required user and group information.
4. When the settings are confirmed, click Save to enable the directory agent integration.


You may now enter the user or group name in any policy page that supports it. The policies will match
only if the source IP address and user or group name match the client making the request.

Reset Policy
This clears all of the following policies and rules from the system:
- Protection policies for all subscribers
- Application Control rules
- Content Control policies for all subscribers
- Server Security rules
- Next-Gen Firewall policies for all subscribers

To reset all system policies and rules, under Reset Policy, click the Submit button.

Reset Statistics
This button resets the scanning statistics displayed on the Reports > Statistics page (see Section 3.5.2),
the contents of the graphs related to scanning on the System > Status page (Viruses Blocked), as well as
the content of the scanning and service graphs on System > Service Graphs and SubSonic Graphs pages.
If Also clear system statistics is selected, the contents of the system graphs (CPU Usage, Memory Usage,
and Flash Usage) on the System > Status page, as well as the contents of all the graphs on the Reports >
System Graphs and Network Graphs page are cleared as well.
To reset the statistics, under Reset Statistics, click the Submit button.
If problems are ever encountered with the system or scanning graph display on any page,
Reset Statistics can be used to reset all the graph databases and fix any issues. Of
course, past data will be lost, but future data gathering functionality will be restored.


3.1.5 Protocol Setup

This page allows configuration of the port numbers that are monitored for specific protocol types, as well
as configuration of SSL/TLS scanning for protocols that support it.

Ports
Any incoming port can only be monitored for one type of protocol. By default, BeSecure scans the
following ports for each of the following protocols:

Protocol       Default port
SMTP           25
POP3           110
IMAP           143
HTTP           80
FTP            21*
TCP Stream**   23

* Dynamically selected FTP data ports also scanned
** TCP Stream does not use DCI
Note that TCP Stream scanning does not use DCI (deep content inspection). TCP is a generic (OSI layer 4)
protocol, so only a generic stream scanning for known malicious patterns is possible. The default telnet
port 23 is assigned to be scanned by TCP Stream by default.
The ports and ranges assigned to a protocol can be changed, and additional ports can be selected. To
change these port settings, select Protocol Setup from the System menu. The screen in Figure 22 will be
displayed.

FIGURE 22: PROTOCOL SETUP, PORTS TAB


To add an additional scanned port number or range for a protocol:
1. Click on the drop down Protocol menu and select a protocol.
2. Enter the port number or range into the Port / Port Range field, e.g. 34 or 34-37.
3. Click the Add button.

To modify an existing scanned port number or range for a protocol:
1. Click the button next to the existing protocol port number to edit it.
2. Enter the new port value in the Port / Port Range field.
3. Click the Update button.

To delete an existing scanned port number or range for a protocol:
1. Click the button of the entry in the list to delete it.

It is not possible to delete all the ports for a specific protocol. The last remaining
configured port for any protocol in the list cannot be deleted.
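As an added example (not BeSecure's own code), the following Python models the rules stated for the Ports tab: port specs of the form 34 or 34-37, one protocol per incoming port, and no deletion of a protocol's last remaining port. The default assignments are taken from the table above; the class and method names are assumptions for illustration.

```python
"""Protocol port assignment checker (added example, not BeSecure's own code).

Models the rules the Ports tab enforces: a port or a port range such as
"34" or "34-37" is assigned to one protocol, any one incoming port may be
monitored for only one protocol, and the last remaining configured port of a
protocol cannot be deleted. The default assignments come from the manual's table.
"""
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)

# Default static assignments from the manual. FTP data ports are selected
# dynamically at run time and are not part of this static configuration.
DEFAULT_PORTS: Dict[str, List[str]] = {
    "SMTP": ["25"], "POP3": ["110"], "IMAP": ["143"],
    "HTTP": ["80"], "FTP": ["21"], "TCP Stream": ["23"],
}


def parse_port_spec(spec: str) -> PortRange:
    """Parse "34" or "34-37" into an inclusive (low, high) tuple."""
    spec = spec.strip()
    low, sep, high = spec.partition("-")
    if not low.isdigit() or (sep and not high.isdigit()):
        raise ValueError(f"invalid port or port range: {spec!r}")
    lo, hi = int(low), (int(high) if sep else int(low))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port or port range: {spec!r}")
    return lo, hi


class PortAssignments:
    """The per-protocol port list shown on the Ports tab (hypothetical model)."""

    def __init__(self, defaults: Dict[str, List[str]] = DEFAULT_PORTS):
        self._entries: Dict[str, List[PortRange]] = {}
        for proto, specs in defaults.items():
            for spec in specs:
                self.add(proto, spec)

    def owner(self, port: int) -> Optional[str]:
        """Return the protocol currently monitoring this port, if any."""
        for proto, ranges in self._entries.items():
            if any(lo <= port <= hi for lo, hi in ranges):
                return proto
        return None

    def ports(self, proto: str) -> List[PortRange]:
        return sorted(self._entries.get(proto, []))

    def add(self, proto: str, spec: str) -> PortRange:
        """Assign a port or range to a protocol (the Add button)."""
        lo, hi = parse_port_spec(spec)
        # A port can be monitored for one protocol only, so every port in the
        # new range must be free (a duplicate of proto's own ports is also rejected).
        for port in range(lo, hi + 1):
            other = self.owner(port)
            if other is not None:
                raise ValueError(f"port {port} is already monitored for {other}")
        self._entries.setdefault(proto, []).append((lo, hi))
        return lo, hi

    def delete(self, proto: str, spec: str) -> None:
        """Remove an entry, refusing to remove a protocol's last port."""
        rng = parse_port_spec(spec)
        ranges = self._entries.get(proto, [])
        if rng not in ranges:
            raise KeyError(f"{spec!r} is not configured for {proto}")
        if len(ranges) == 1:
            raise ValueError(
                f"the last remaining configured port for {proto} cannot be deleted")
        ranges.remove(rng)

    def update(self, proto: str, old_spec: str, new_spec: str) -> PortRange:
        """Replace an entry with a new value (the Update button)."""
        old = parse_port_spec(old_spec)
        ranges = self._entries.get(proto, [])
        if old not in ranges:
            raise KeyError(f"{old_spec!r} is not configured for {proto}")
        ranges.remove(old)          # free the old ports first, then re-check
        try:
            return self.add(proto, new_spec)
        except ValueError:
            ranges.append(old)      # conflict: restore the previous entry
            raise


if __name__ == "__main__":
    cfg = PortAssignments()
    # HTTPS on 443 is scanned only once 443 is listed as an HTTP port
    # (see the SSL/TLS section of this chapter).
    cfg.add("HTTP", "443")
    print(cfg.ports("HTTP"))              # [(80, 80), (443, 443)]
    try:
        cfg.add("SMTP", "440-445")        # overlaps the HTTP entry on 443
    except ValueError as err:
        print(err)
```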

SSL/TLS
BeSecure can scan SSL/TLS encrypted traffic.
To do so, it must act as the server to the requesting client and as the client to the destination server, in
effect creating two separate, secure connections. The encrypted traffic must be decrypted and scanned
prior to re-encryption for the second leg of its journey to its final destination.
The request from the client is intercepted, and BeSecure makes the request to the destination server on
behalf of the client. Upon receipt of the server certificate, BeSecure determines whether the server is
trusted based upon its own internal CA (certification authority) trust certificate store.
If the server can be trusted, BeSecure completes the connection to the remote server, and presents its
own signed certificate to the client, creating a second secure connection between the client and
BeSecure.
Upon first exposure to this certificate provided by BeSecure, a warning will typically appear in the client
(such as a web browser), indicating that the certificate is self-signed (not signed by a CA that is trusted by
default by the client). To prevent this message from appearing again, the CA information from the
BeSecure certificate must be imported into the client's CA certificate store. The way to do this varies by
browser.
BeSecure can be configured to provide two types of certificates to the client for SSL/TLS scanning: static
and dynamic.
A static certificate is one signed certificate that will be presented to all clients that are attempting to make
secure connections to remote servers. A dynamic certificate will be created on the fly, with certain
information from the original server certificate copied into the new certificate, to ensure that the client
accepts it. This emulated information includes all server DN (distinguished name) information, as well as
alternate subjects (names of other servers that this certificate may be used by). This information is
required in certain situations to be the same, to prevent client software from complaining that the server
that is responding to it (in this case, BeSecure) does not present the same name as the server that the
client made the request to.
Either type of certificate method can be selected for use while scanning a specific protocol. For static
certificates, a certificate suitable for presentation to any client and an associated private key must be
generated or uploaded for use. For dynamic certificates, a CA certificate and private key that will be used
to sign the newly generated dynamic certificates for each destination server must be uploaded.
To configure SSL/TLS scanning:
1. Select Protocol Setup from the System menu.
2. Select the SSL/TLS tab. The screen in Figure 23 will be shown.

FIGURE 23: PROTOCOL SETUP, SSL/TLS TAB

3. Select the Enable SSL/TLS checkbox for any protocol to enable SSL/TLS scanning on that protocol's configured ports. Be sure to add any ports to be scanned to the Ports tab (other than the default port already included there).
   SSL/TLS traffic is automatically detected on any of the configured protocol ports. For SSL/TLS scanning to occur, the port MUST be specified on the Ports tab. For example, to scan HTTP and HTTPS traffic on port 443 (the default HTTP SSL port), port 443 must be added as an HTTP port on the Ports tab.

4. Select Use Dynamic Certificates for any protocol to use dynamic (emulated server) certificates when scanning SSL/TLS data over that protocol. For each selected protocol, the Signing (CA) Certificate (configured below) will be used. For unselected protocols, the Identity Certificate (configured below) will be used.
5. Select Use Dynamic Untrusted Certificates for any protocol to generate an untrusted self-signed certificate to provide to the client when the destination server it has requested supplies BeSecure with a certificate that is not trusted (i.e. self-signed, not signed by any known CA). In this way, the client can elect to accept the untrusted content using its client (i.e. browser) warning dialog in the same way as it would when BeSecure is not present. If this option is not selected, on encountering an untrusted certificate a blocking page will be displayed with an SSL error message, and the connection will be terminated.
6. Select Enable public download of CA certificate at: to enable public download of the uploaded CA (signing certificate) by anyone on an accessible network. This certificate file can be imported into the client system or browser certificate store, to enable the acceptance of the generated dynamic certificates without a warning message being displayed. The download is accessible at the URL listed to the right of this label, and also by clicking the link directly, once the Save button has been pressed.
7. Click the Save button to save the settings.

The HTTPS Domain Whitelist allows configuration of specific domains NOT to be intercepted and scanned
by BeSecure. This may include especially sensitive sites, such as those providing access to banking or
health information, whose content an administrator may not want BeSecure to decrypt. The whitelist of
domain patterns will be compared to the Subject Common Name of the server certificate, as well as any
Alternative Names that may be listed. These are easily viewed in the certificate information provided by
the browser on connection to the remote server.

FIGURE 24: HTTPS DOMAIN WHITELIST

A file formatted with one domain pattern per line is used to specify the whitelist. The domains must be of
the form
prefix.mydomain.suffix
Example domains are www.mybank.com or mail.mymail.org. A wildcard can be used in place of the
prefix in order to handle multiple hostnames. For example, to include both mail.mymail.org and
www.mymail.org, specify
*.mymail.org
as an entry in the whitelist file.
It should be noted that if mybank.com is specified, an exact domain match is searched for. This will NOT
match www.mybank.com.
Comments are allowed in the uploaded file. These lines must begin with #. Blank lines are also allowed.
The file contents will be displayed in a text area on successful upload.
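As an added example (not BeSecure's own code), the following Python models the whitelist rules just described: it parses a whitelist file, rejecting the first malformed entry by line number as the upload dialog does, and compares each pattern against a server certificate's Subject Common Name and Alternative Names. The label syntax and the reading of the wildcard as exactly one host label are assumptions; the sample whitelist is constructed from the manual's own examples.

```python
"""HTTPS domain whitelist matcher (added example, not BeSecure's own code).

Models the whitelist rules described in the manual: one domain pattern per
line, comments starting with '#', blank lines allowed, a bare domain is an
exact match only, and a leading '*.' wildcard stands in for the host prefix.
Patterns are compared with the certificate's Subject Common Name and with its
Subject Alternative Names.
"""
import re
from typing import Iterable, List, Optional

# A label is letters, digits or hyphens; a pattern is two or more labels,
# optionally led by a single "*." wildcard. (Assumed syntax, based on the
# manual's prefix.mydomain.suffix description.)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_PATTERN_RE = re.compile(rf"^(\*\.)?{_LABEL}(?:\.{_LABEL})+$")


class WhitelistFormatError(ValueError):
    """Raised with the 1-based line number of the first invalid entry."""

    def __init__(self, lineno: int, entry: str):
        super().__init__(f"line {lineno}: invalid domain pattern {entry!r}")
        self.lineno = lineno
        self.entry = entry


def parse_whitelist(text: str) -> List[str]:
    """Parse whitelist file contents into a list of lower-case patterns.

    Rejects the first malformed entry the way the upload dialog does, by
    reporting which line is not valid.
    """
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        if not _PATTERN_RE.match(line):
            raise WhitelistFormatError(lineno, line)
        patterns.append(line.lower())
    return patterns


def _matches(pattern: str, name: str) -> bool:
    """Apply one pattern to one certificate name (case-insensitive)."""
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        # Assumption: the wildcard replaces exactly one host label, so
        # *.mymail.org matches www.mymail.org but not mymail.org itself.
        suffix = pattern[1:]          # ".mymail.org"
        host = name[: -len(suffix)] if name.endswith(suffix) else ""
        return bool(host) and "." not in host
    return name == pattern            # bare domain is an exact match only


def is_whitelisted(patterns: Iterable[str], common_name: str,
                   alt_names: Iterable[str] = ()) -> Optional[str]:
    """Return the matching pattern if the server certificate is whitelisted.

    The Subject CN and every Subject Alternative Name are checked, since the
    manual compares patterns against both. None means: intercept and scan.
    """
    names = [common_name, *alt_names]
    for pattern in patterns:
        if any(_matches(pattern, n) for n in names):
            return pattern
    return None


# Constructed sample whitelist, following the manual's examples.
SAMPLE_WHITELIST = """\
# Sites whose TLS traffic must not be decrypted
www.mybank.com
*.mymail.org

mybank.com
"""

if __name__ == "__main__":
    pats = parse_whitelist(SAMPLE_WHITELIST)
    print(pats)
    # The wildcard entry matches the mail host...
    print(is_whitelisted(pats, "mail.mymail.org"))
    # ...a bare entry does not match a subdomain...
    print(is_whitelisted(pats, "login.mybank.com"))
    # ...but a SAN can still whitelist the connection.
    print(is_whitelisted(pats, "login.mybank.com", ["www.mybank.com"]))
```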
To upload an HTTPS domain whitelist:
1. Prepare a file with one domain name pattern per line, as specified above.
2. Navigate to System > Protocol Setup.
3. Select the SSL/TLS tab.
4. Expand the HTTPS Domain Whitelist panel, as shown in Figure 24.
5. Click Upload Domain Whitelist File. The Upload Domain Whitelist File dialog window will be displayed.
6. Click the Select button, and choose the prepared list file. The file will automatically upload. If there is a format issue, the error message will specify which entry in the file is not valid. Otherwise, the message shown in Figure 25 will be displayed.
7. Click Done. The page will refresh and the panel will contain the file contents in a text area, as well as the upload time and date.

FIGURE 25: WHITELIST UPLOAD COMPLETE

Certificate Revocation is an important consideration when dealing with SSL/TLS certificates and security.
Should a destination website or mail server present a certificate that is no longer valid (according to the
original CA), the connection can no longer be deemed secure, as the certificate and associated key may
have been compromised in some way. In these situations, the connection should be terminated.
BeSecure supports two methods of checking certificate revocation: certificate revocation lists (CRL), and
the Online Certificate Status Protocol (OCSP). Either or both of these can be used. Both are triggered by
information contained within a certificate.
If a CRL location is provided in a certificate, a list is downloaded and the certificate status is verified.
If OCSP responder information is provided in a certificate, a single request using this protocol is sent to
the responder (typically managed by the CA itself), and the response will indicate whether the certificate
is valid.
OCSP will be checked first, as less work is necessary. A single small request is used to determine the
status of one certificate. CRL downloads an entire list of certificate information and looks up the
necessary information in the list for the one certificate.
If OCSP is able to make a determination, then CRL checking is skipped. So it is up to the system
administrator to determine the tradeoff between added security and greater data processing overhead.
BeSecure also includes support for specifying an OCSP responder directly. Third parties may provide OCSP
services, or an organization can deploy its own OCSP responder server. In this case, BeSecure needs to be
configured to search only this custom responder. This is also done in this section.
To enable certificate revocation checking:
1. Select Protocol Setup from the System menu.
2. Expand the Certificate Revocation panel. This is shown in Figure 26.

FIGURE 26: CERTIFICATE REVOCATION CONFIGURATION

3. Select Enable CRL, if desired.
4. Select Enable OCSP, if desired.
5. If there is a custom OCSP Responder available, fill in the fields:
   a. Location (URL): the location of the responder
   b. Certificate Subject Name: the subject name field from the certificate information
   c. Certificate Issuer Name: the issuer name field from the certificate information
   d. Certificate Serial Number: the certificate serial number
6. Click the Save button.

For the static or dynamic certificate methods to work, certificate and key information must be generated
or pasted into the appropriate fields, and uploaded into the system key store.
For dynamic certificates, a CA certificate and private key must be provided. For the static certificate
mode, a non-CA certificate and private key must be provided. The certificate must be X.509 and base64
encoded. This can be generated using the Generate button in the appropriate panel. If providing an
existing certificate, paste it into the appropriate field with the -----BEGIN CERTIFICATE----- and -----END
CERTIFICATE----- lines included.
The associated private key must be non-encrypted RSA, PKCS#8 and base64 encoded. This will also be
generated at the same time as the certificate if the Generate button is pressed, because the private key
needs to correspond to the public key included in the certificate. If providing an existing key, paste it into
the appropriate field with the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines
included.
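Before pasting material into the Certificate and Private Key fields, a quick format check avoids a failed Save. The following added example (not Wedge Networks code; standard library only) checks the PEM envelope, the base64 body and the outer DER structure, rejects passphrase-protected keys, and tells apart the PKCS#1 form that the -----BEGIN RSA PRIVATE KEY----- lines denote from a PKCS#8 -----BEGIN PRIVATE KEY----- key; the sample blobs are constructed DER skeletons, not real keys or certificates, and the function names are this example's own.

```python
"""Pre-flight check for certificate and private-key PEM before pasting it into
the BeSecure Certificate and Private Key fields.  Added example, standard library
only; it checks envelope and outer DER structure, not signatures or key pairing."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)


def _pem_block(text):
    """Return (label, der_bytes) for the first PEM block, or raise ValueError."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block with matching BEGIN/END lines")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return m.group("label"), der


def _der_len(der, pos):
    """Decode the DER length field at der[pos]; return (length, next position)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def check_certificate(pem):
    """Return the certificate's DER size if the envelope is BEGIN/END CERTIFICATE."""
    label, der = _pem_block(pem)
    if label != "CERTIFICATE":
        raise ValueError(f"expected BEGIN CERTIFICATE, got BEGIN {label}")
    return len(der)


def check_private_key(pem):
    """Return 'pkcs1' or 'pkcs8' for a non-encrypted RSA key; raise ValueError otherwise."""
    if "Proc-Type: 4,ENCRYPTED" in pem:
        raise ValueError("key is passphrase-protected; BeSecure needs a non-encrypted key")
    label, der = _pem_block(pem)
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("PKCS#8 key is encrypted; BeSecure needs a non-encrypted key")
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        raise ValueError(f"unexpected key envelope BEGIN {label}")
    # Both forms start SEQUENCE { INTEGER version, ... }.  What follows the version
    # tells them apart: AlgorithmIdentifier SEQUENCE (PKCS#8) or modulus INTEGER (PKCS#1).
    _, pos = _der_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER version as first element")
    vlen, pos = _der_len(der, pos + 1)
    following = der[pos + vlen]
    if following == 0x30:
        return "pkcs8"
    if following == 0x02:
        return "pkcs1"
    raise ValueError("unrecognised private key structure")


def upload_ready(cert_pem, key_pem):
    """Summarise whether the pair is in the form the Save step expects: (ok, message)."""
    try:
        size = check_certificate(cert_pem)
        form = check_private_key(key_pem)
    except ValueError as exc:
        return False, str(exc)
    return True, f"certificate {size} DER bytes, {form} private key"


# Constructed samples: minimal DER skeletons with the right outer shape, not real
# certificates or keys.
def _der(tag, content):
    n = len(content)
    nbytes = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def _pem(label, der):
    body = base64.encodebytes(der).decode()  # wrapped at 76 columns, ends with newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
SAMPLE_CERT = _pem("CERTIFICATE", _der(0x30, _der(0x30, b"") + _der(0x30, b"") + _der(0x03, b"\x00")))
SAMPLE_PKCS1_KEY = _pem("RSA PRIVATE KEY", _der(
    0x30, _der(0x02, b"\x00") + _der(0x02, b"\x01\x00\x01") + _der(0x02, b"\x03")))
SAMPLE_PKCS8_KEY = _pem("PRIVATE KEY", _der(
    0x30, _der(0x02, b"\x00") + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b"")) + _der(0x04, b"\x00")))
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
                        "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, key in (("pkcs1", SAMPLE_PKCS1_KEY), ("pkcs8", SAMPLE_PKCS8_KEY),
                      ("encrypted", SAMPLE_ENCRYPTED_KEY)):
        print(name, upload_ready(SAMPLE_CERT, key))
```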
To generate a certificate and key:
1. Select Protocol Setup from the System menu.
2. Expand the Signing (CA) Certificate (Dynamic Server Certificates) or Identity Certificate (Static
   Server Certificate) panel. This is shown in Figure 27 or Figure 28.

FIGURE 27: SIGNING (CA) CERTIFICATE GENERATION FIELDS

FIGURE 28: IDENTITY (STATIC) CERTIFICATE GENERATION FIELDS

3. Enter information into any or all of Common Name, Organization, Locality, and Province/State.
   This information will be provided to the end user in the form of a CA certificate through client
   software such as a web browser, when attempting to access secure URLs. The fields are
   optional, but recommended.
4. Select a two-character Country Code.
5. Specify a Validity Period. Using a CA or server certificate beyond this period will result in an SSL
   warning message in a user's browser. Management (i.e. certificate re-generation) will be
   periodically required, depending on the validity period selected.
6. Click Generate. This will populate the certificate fields, as shown in Figure 29.
7. Click Save to upload and install the certificate and key information.

FIGURE 29: CERTIFICATE GENERATED

To upload an existing certificate and key:
1. Paste the X.509 certificate (base64 encoded) into the Certificate field.

FIGURE 30: CERTIFICATE SAVED

2. Paste the associated non-encrypted RSA PKCS#8 (base64 encoded) private key into the Private
   Key field.
3. If it is desirable to view the plain text version of the Private Key in the UI after upload, uncheck
   Do not allow future access to private key. Otherwise, after saving, the key value will be
   replaced with *****NOT AVAILABLE FOR VIEWING*****, in the interest of increased security.
   Warning: the key will not be accessible for copy and paste in the future should this be selected.
   If the key is needed later, the certificate and key will need to be regenerated.
4. Click Save to upload and install the certificate and key information.

Once saved, the Certificate Status should show Active, indicating that the certificate has been added to
the key store and is ready for use. SSL/TLS scanning is now enabled for the configured protocols on their
configured ports.

HTTP

FIGURE 31: PROTOCOL SETUP, HTTP TAB

This section contains HTTP configuration that may apply to various HTTP policy types, depending on
licensed modules.
GreenStreaming applies to all AV policies. It permits the scan and forwarding of traffic prior to receipt of
the complete payload. Every GreenStreaming Threshold number of seconds, a malware scan occurs on
the data retrieved so far, even if it is only a portion of the requested data. Scanned data can then be sent
on to the requesting client sooner. This has several advantages. First, with large files, this prevents the
large latency that would be introduced as BeSecure downloads the entire file and scans it prior to
forwarding it on to the requesting client. Second, should a malware signature be present at the beginning
of a requested file, the download can be terminated immediately, without complete retrieval being
necessary.
To enable GreenStreaming for HTTP anti-virus scanning:
1. Select Protocol Setup from the System menu.
2. Select the HTTP tab.
3. Select the Enable GreenStreaming checkbox.
4. Specify the GreenStreaming Threshold. This is the length of time before the next scan and
   forward action occurs. A value that is too high will cause the client to wait a longer period for the
   next portion of its requested data. A value that is too low will consume more CPU cycles due to
   frequent scanning. Proper selection of a value will depend on the network speed. The slower
   the network, the smaller the threshold value should be.

A lower value for GreenStreaming Threshold will result in smoother delivery of large
content on low-bandwidth networks, but will increase BeSecure resource usage which
could impact overall performance.
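To make the threshold tradeoff concrete, here is an added simulation (not BeSecure code) of the scan-and-forward loop described above: bytes arrive at a constant rate, every threshold second the data retrieved so far is scanned for a constructed signature, the clean prefix is released, and a hit stops the transfer. The signature, transfer sizes, link rate and function names are constructed for this example; holding back the last signature-length bytes is a detail added here so a signature split across two scans is never forwarded.

```python
"""Model of the GreenStreaming scan-and-forward loop: bytes arrive at a fixed
rate, and every threshold_s seconds everything retrieved so far is scanned;
the clean part is released to the client, or the transfer is dropped as soon as
the signature is seen.  Added example; it is a simulation, not BeSecure code."""

SIGNATURE = b"EICAR-TEST-MARKER"  # constructed stand-in for a malware signature


def stream_scan(payload, rate_bps, threshold_s, signature=SIGNATURE):
    """Simulate one download and return a dict of what the client and scanner saw."""
    total = len(payload)
    received = forwarded = scans = 0
    elapsed = 0.0
    first_forward_s = None
    holdback = len(signature) - 1  # a signature may straddle the next chunk boundary

    while received < total:
        elapsed += threshold_s
        received = min(total, int(rate_bps * elapsed))
        scans += 1
        if payload.find(signature, 0, received) != -1:
            # Malware seen in the prefix: stop the download without full retrieval.
            return {"blocked": True, "scans": scans, "elapsed_s": elapsed,
                    "bytes_downloaded": received, "bytes_forwarded": forwarded,
                    "first_forward_s": first_forward_s}
        # Release everything scanned so far except a tail that could complete a
        # signature together with bytes not yet received.
        safe = received if received == total else max(forwarded, received - holdback)
        if safe > forwarded and first_forward_s is None:
            first_forward_s = elapsed
        forwarded = safe

    return {"blocked": False, "scans": scans, "elapsed_s": elapsed,
            "bytes_downloaded": received, "bytes_forwarded": forwarded,
            "first_forward_s": first_forward_s}


def compare_thresholds(size, rate_bps, thresholds):
    """For a clean file, show how the threshold trades client wait time against scan count."""
    clean = b"A" * size
    rows = []
    for t in thresholds:
        r = stream_scan(clean, rate_bps, t)
        rows.append((t, r["first_forward_s"], r["scans"]))
    return rows


if __name__ == "__main__":
    # 100 kB over a 10 kB/s link: without streaming the client waits 10 s for the first byte.
    for t, first, scans in compare_thresholds(100_000, 10_000, (1, 2, 5, 20)):
        print(f"threshold {t:>2}s: first bytes at {first:>4}s, {scans} scans")
    infected = b"B" * 5_000 + SIGNATURE + b"B" * 95_000
    print(stream_scan(infected, 10_000, 1))
```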

YouTube for Schools is associated with the licensable Safe Search module. By setting up an account at
http://www.youtube.com/schools, configuring it, and creating a URL policy that enforces it, any scanned
traffic with YouTube as a destination will be restricted to the settings in the account for the specified
school ID. The setting of the school ID here is required for the use of the associated Compliance
Enforcement policy setting on the Content Control > URL Policies page. If this is not configured, selecting
the option for a particular URL policy will have no effect. See Section 3.3.1 for more details.

FTP

FIGURE 32: PROTOCOL SETUP, FTP TAB

The FTP tab contains configuration for GreenStreaming for FTP. This works in exactly the same manner as
GreenStreaming for HTTP. See HTTP above for the details.


3.1.6 Logging Setup


System log and incident information (e.g. virus detection) will be stored locally in all cases. It can also be
sent to a remote logging server like, for example, the Wedge Reporter product. The Application Log
Level (DEBUG is the most verbose) can be specified to control the amount of information output in these
logs. The locally stored logs can be downloaded using the Download Log Messages section. See Figure
33.

FIGURE 33: LOGGING SETUP SCREEN

Syslog Configuration
To configure the storage location(s) for the event and system logs:
1. Select Logging Setup from the System menu.
2. Enter the IP address or domain name of the server in the Syslog Host field. Optionally, a custom
   port can be specified. Otherwise, the default syslog port is assumed. The information will be
   stored locally if the field is left blank.
3. Click the Add hyperlink, or press the Enter key.
4. Repeat steps 2 and 3 for any additional servers that are required.
5. Click the Save Syslog Host button.

Application Log Level


The system-wide log level that applies to all BeSecure built-in applications can be assigned a
severity/verbosity level. The log levels available are (least severe/most verbose to most severe/least
verbose): DEBUG, DETAIL, INFO, WARN, ERROR, and FATAL. Selection of a particular level displays all
messages for that level, as well as more severe messages. For example, if WARN is selected, all WARN,
ERROR, and FATAL messages will be logged. If FATAL is selected, only FATAL messages are logged.
To set the system-wide log level:
1. Select the desired Application Log Level.
2. Click the Save Log Level button.

Download Log Messages

To download BeSecure log files:
1. Select the desired file (BeSecure or System) under Download Log Messages.
2. Click Download.

Logging Setup and the Control Port


Configuring the control port (See Section 3.1.3) enhances security by limiting the number of clients who
are able to access the BeSecure configuration mechanism. However, this has some effect on the use of
the logging and notification mechanisms, and requires some attention from the network administrator.
When the control port is enabled, the syslog logging mechanism will send its traffic out via the control
port only. Any Syslog Host that receives the logging data must be in the subnet scope of the configured
control port interface, otherwise the traffic will be lost.
The SMTP Host used for incident notification does not need to be in the subnet scope of the control port,
because notification (e-mail) traffic is not blocked at the INGRESS and EGRESS like the syslog traffic is. If
the SMTP host is visible to the control port, the notifications will be sent there. If the SMTP host resides
on a subnet visible to the INGRESS or EGRESS, the notification traffic will be sent there instead.

3.1.7 Notification
E-mail notifications can be sent to any e-mail address via any SMTP e-mail server visible to BeSecure.
Notifications on the following selectable Incidents are available:
Virus detected
URL blocked/detected
Oversize file blocked
Keyword blocked/detected
WebFilter blocked/detected
Spam detected

Notifications are available for certain System Events as well. When selected, these events also send
SNMP notifications to configured trap sinks, assuming that the BeSecure SNMP agent is configured (see
Section 3.1.9). These system events are:
Failed Service Updates: If the Anti-Virus, Anti-Spam, or WebFilter signatures download fails.
License Expiration: If the system license is near expiry or expired. A warning notification is sent 14 days
prior to the expiration date, every day within 7 days of license expiry, and every day after expiry has
occurred.
Health Monitor: System health monitor events. This includes the Protocol Scanners, the AV, AS, and
WebFilter engines, and CPU/memory/disk/proxy usage warnings. See Section 4.11 for more details on the
Health Monitor.
RAID Status Change: If the device model has a RAID configured, an e-mail will be sent if a RAID drive fails.
Bypassed Traffic: If the device goes into bypass mode (due to exceeding safe CPU or connection count
limits).
Home Server Status: If communication with the home server fails (the home server provides periodic
updates to the device, such as remote support server and update server locations).

To enable e-mail notification of the system events and logs:
1. Select Notifications from the System menu. The screen shown in Figure 34 will be displayed.
2. Under the Enable E-mail Notification heading, select the checkbox next to the incidents to
   trigger e-mail notifications. This includes Virus, Keyword, URL, Oversize, and Spam detection and
   blocking incidents.

FIGURE 34: NOTIFICATION SCREEN

3. Under the Enable E-mail Notification heading, select the checkbox next to the System Events to
   trigger e-mail notifications. Failed Service Updates represents the failure of any service that
   downloads periodic updates. This includes Anti-Virus, Anti-Spam, and WebFilter.
4. Edit the values for the SMTP Host and SMTP Port. This is the SMTP server that BeSecure will use
   to send its e-mail notification messages.
5. Edit the values for From Address, To Address and E-mail Subject. The From address will be
   the return address placed in the e-mail From field. The To address will be the address to which
   the message is sent.
6. Edit the values for Subject, Body Title Line, and Incident Line. These control the notification
   message format.
7. Click the Save button.

Be sure to save the new settings, using the Save button, before the Send Test E-mail Message
button (shown in Figure 34) is clicked. Otherwise, the new settings will be lost.

8. Optional: Test the new settings using the Send Test E-mail Message button.

3.1.8 High Availability (HA) Mode

BeSecure can be deployed in high availability (HA) mode for failover and redundancy purposes in both
router mode and bridge mode.

Bridge Mode HA
BeSecure bridge mode HA uses the Rapid Spanning Tree Protocol (RSTP). The network architecture is
typically as shown in Figure 35.
With RSTP, a cluster of BeSecure systems can be deployed in a redundant parallel bridging scenario with
one BeSecure system handling traffic management (in Active mode), with the others waiting to take over
in case of a failure in the active machine (in Stand By mode). The priority of the standby machines can be
specified separately, determining the order in which machines take over traffic responsibility.
Failover (system failure where handoff to another BeSecure appliance is necessary) is defined as when
either the INGRESS or EGRESS network interface on the active appliance goes down, or ceases handling
traffic. Failover from the current active machine to a standby system typically takes less than 2 seconds.
Note that the status displayed on the HA Mode screen is only updated every 5 seconds via HTTP request,
so it doesn't reflect the instantaneous HA status.
By default, BeSecure is configured with HA off in bridge mode. In this mode RSTP data
packets are forwarded over the bridge. If two BeSecure appliances are connected in
parallel to the network in the default configuration a network loop will be created. To
avoid a network loop when configuring two or more BeSecure appliances in HA mode, connect one
BeSecure at a time. Before connecting a second BeSecure to the network, ensure that
the first BeSecure has HA enabled.


FIGURE 35: BRIDGE MODE HA NETWORK

All platforms except the older NDP-1005 platform bridge the INGRESS and EGRESS ports when in
powered-off state (known as hardware or LAN bypass), so that in case of power failure traffic is not
blocked by BeSecure. However, in the case of HA, a network bypass would be introduced if one BeSecure
in the configuration bridged INGRESS/EGRESS, which would defeat the purpose of having a backup
BeSecure available. To account for this, the AUX2 port on the BeSecure must be used for EGRESS
functionality when HA is enabled. When enabling HA, the cable must be physically switched from EGRESS
to AUX2.

Bridge Mode HA Set Up

To configure bridge mode HA:
1. Insert one of the BeSecure appliances into the network as shown in Figure 35 and configure the
   network settings under System > Network.
2. Select HA Mode from the System menu. The screen in Figure 36 will be displayed.
3. Select the Enable High Availability Mode check box.
4. Select a value for the Bridge Priority. The priority value can be between 0 and 8, with 0 being
   the highest priority. This determines which appliance in a HA group will be active, and in which
   order the other appliances will take over on a failover occurrence.
5. Click the Update button to activate the changes.
6. Connect the next BeSecure into the network as shown in Figure 35, and repeat the above steps
   for that appliance. Set the Bridge Priority appropriately in relation to the other BeSecure
   appliance already in the HA configuration.
7. All platforms except NDP-1005: Move the cable from the EGRESS port to the AUX2 port. The Port
   Status display will show the updated interface status.


FIGURE 36: BRIDGE MODE HA SCREEN

Router Mode HA
In this mode, a cluster of BeSecure devices can be deployed in a redundant router scenario with one
device handling traffic management (Active mode), with the others waiting to take over in case of a
failure in the active machine (Stand By mode). The current release only supports a cluster with two
nodes. One is a master host which is the active node. The other host remains in standby. These two nodes
communicate with each other using heartbeats. The heartbeat signals are carried via a crossover Ethernet
cable or a switch that connects the control ports of the two devices.

Since the two nodes refer to each other with host names, it is mandatory that they each
have unique host names.
System failure (failover) is defined as when the heartbeat stops and the device cannot ping a group of
network entities, referred to as the Ping Group, in the network. Failover from the current active device to
a standby device typically takes around 2 to 5 seconds.
Router mode HA is a heartbeat-based solution similar to the Virtual Router Redundancy Protocol (VRRP).
It works by assigning a Virtual IP Address to the active device, and if that device becomes unavailable, the
Virtual IP Address is assigned to another device, ensuring continuous service. In a cluster with 2 devices,
3 IP addresses are required: one for each device, and a Virtual IP Address, which is the service address
that clients of the device will use.


High Availability is only provided on the Virtual IP Address. All equipment sending traffic
to the device should send it to the Virtual IP Address of the HA cluster.

Router Mode HA Set Up

To configure HA mode, perform the following for each machine in the HA configuration:
1. Ensure the Control Port has been configured on the Network Settings page.
2. Select HA Mode from the System menu. The screen in Figure 37 will be displayed.
3. Select the Enable High Availability Mode check box.
4. Specify the Virtual IP Address. This address should not correspond to any address in use on the
   INGRESS network, and should be the same on both BeSecure devices operating in HA mode. This
   must be in CIDR format (xx.xx.xx.xx/xx) specifying both the virtual IP address and the netmask of
   the virtual network. This is the address that should be used to access the BeSecure services.
5. If the EGRESS port is enabled and servicing a second network, specify the second Virtual IP
   Address and netmask. This address should be different than the INGRESS address and should not
   correspond to any address in use in the EGRESS network.
6. Add in a set of network entities, usually including a router, into the Ping Group. This group is
   used by BeSecure to decide if a failover should happen. The Ping Group should be on the same
   subnet as the INGRESS IP address (not on the Control Port network).
7. If the router mode EGRESS port is enabled, specify the second Ping Group. Network entities in
   this ping group should be on the same subnet as the EGRESS network.
8. Specify the host name of the peer device in the Peer Host field. It should be the Host Name as
   specified by the Host Name field under System > Settings on the peer appliance.
9. Select the Use peer as master to indicate that this device will allow its peer to be the master
   host. Only one of the two devices operating in HA mode should have this box checked.
10. Specify a Shared Secret (i.e. a password) for the nodes to communicate with each other.
11. Click the Update button to activate the changes.
When HA is in operation for router mode, the HA Status can be controlled using the buttons appearing
next to the HA Status at the top of the HA Mode page.


FIGURE 37: ROUTER MODE HA SCREEN

When in Stand By mode, Go to Active Mode will force the current device into Active mode, and its peer
into Stand By mode. See Figure 37. When in Active mode, Go to Stand By Mode will force the current
device into Stand By mode, and its peer into Active mode. See Figure 38.

FIGURE 38: GO TO STAND BY MODE BUTTON

Configuration Sync
BeSecure can be configured to automatically synchronize changed settings, ensuring that no difference in
service is visible and no additional configuration changes are required should failover occur.
Configuration sync, when enabled, automatically occurs on most configuration changes, when another
sync-enabled device is added to a control network with existing sync-enabled devices, or when the device
returns to normal operation after a failover has occurred.

Virtually all settings accessible via the management console are automatically synchronized, with the
exception of the Configuration Sync configuration parameters, visible in Figure 36 and Figure 37. Sync
can be enabled only if certain requirements are met:
1. The control (AUX/AUX1) port must be configured. See Section 3.1.3. The devices must have
   their control port interfaces connected to the same control network.
2. NTP must be enabled. See Section 3.1.3.
If any of these requirements are not satisfied, a message will appear above the Sync settings, and the
checkbox and text fields will be disabled. If the requirements are satisfied, to enable sync:
1. Under HA Mode in the System menu, select the Enable Configuration Sync checkbox.
2. Enter an appropriate Broadcast Port, or use the default. This port is used for broadcast of
   synchronization change events.
3. Enter an appropriate Sync Port, or use the default value. This port will be used to communicate
   the updated configuration data to synchronize.
4. Connect the control port interfaces on each device in HA mode to the same control network.
5. Click the Update button.

The devices synchronizing with one another must be of the same firmware revision, otherwise
synchronization will fail. They must all use the same sync settings, as shown on the screen in
Figure 36 and Figure 37. These settings are NOT synchronized, and must be entered and changed
separately on each machine.
HA Sync settings (the bottom half of System > HA Mode) are NOT synchronized when
Configuration Sync is enabled. These settings must be entered separately on each
machine, and they must be the same for Configuration Sync to work as expected.

3.1.9 SNMP
The current release supports the Simple Network Management Protocol (SNMP) v2, a protocol allowing
mass management and configuration of network appliances using various network management server
(NMS) software packages. The SNMP agent provides data from the following management information
base modules (MIBs):
iso.org.dod.internet.management.mib-2
   o Standard SNMPv2 object identifiers (OIDs)
   o Network Interfaces, IP data, system information, etc.
iso.org.dod.internet.private.enterprises.wecan (See Appendix A: SNMP WECAN-MIB Module)
   o Wedge Networks enterprise specific OIDs and traps
   o MIB Definition downloadable from General tab of System > SNMP


General Configuration
The General tab includes configuration that pertains to the SNMP agent identity, and also allows the
administrator to enable or disable the SNMP agent, as necessary. See Figure 39.
To configure the SNMP agent:
1. Select SNMP from the System menu. Select the General tab if it is not currently selected. The
   screen in Figure 39 will be displayed.
2. Check the Enable SNMP Agent check box to enable the agent that responds to remote queries,
   and sends traps upon certain system events. Unless this is selected, no SNMP support is
   available.

FIGURE 39: SNMP GENERAL CONFIGURATION

3. Fill in the values for the Name, Location, and Contact fields. These are strictly for administration
   purposes.
4. Under Enable SNMP Trap, select all events upon which an SNMP notification (or trap) will be
   sent out.
5. Click the Save button.

SNMP Communities
Communities are the SNMP method of managing and classifying client requests for SNMP information.
Select SNMP from the System menu and select the Communities tab. The screen in Figure 40 will be
displayed.
To add a new community:
1. Enter the community Name.
2. Enter the IP Address (check the Entire Data Network if the community is the whole network)
   from which client requests using this community are allowed.
3. Click the Add button.
To delete an existing community:
Click the icon next to the community to delete it from the community list.

FIGURE 40: SNMP COMMUNITIES SCREEN

Trap Sinks
Trap sinks are server applications, such as a network management server (NMS), waiting on remote
machines to receive notifications from the BeSecure SNMP agent (SNMP traps).
Select SNMP from the System menu and select the Trap Sinks tab. The screen in Figure 41 will be
displayed.


FIGURE 41: SNMP TRAP SINKS SCREEN

To add a new trap sink:
1. Fill in the values for the Host and Port fields. Host must be the IP address of the listening NMS.
   The default port for SNMP traps is 162, but can be changed if desired.
2. Select an existing community name from the Community dropdown list.
3. Click the Add button.
To delete an existing trap sink:
1. Click the icon next to the trap sink to delete it from the trap sink list.

SNMP and the Control Port


The use of the control port has no effect on the behaviour of SNMP queries or traps. As with the SMTP
Host in System > Logging Setup, no SNMP traffic is explicitly blocked by BeSecure via the INGRESS,
EGRESS, or AUX/AUX1 control port.
The BeSecure system will determine which interface, based on routing rules, to use to send traps to
configured trap sinks. Likewise, SNMP GET or WALK commands can be sent by clients to any of the
configured interfaces.


3.1.10 Manage Licenses

BeSecure use is governed by a component-based licensing scheme. The licensable components are as
follows:
BeSecure System
Anti-Virus Kaspersky
Anti-Virus Bitdefender
Anti-Virus Streamdefender
Anti-Spam
Each individual protocol scanner: SMTP, POP3, IMAP, HTTP, FTP, and TCP Stream
DLP Text Extraction
Safe Search
WebFilter Anti-Phishing
WebFilter SmartFilter
DLP Keyword

The operation of BeSecure and the appearance of the management console are tightly coupled with the
status of the currently installed license. For example, certain pages and statistics associated with
components such as WebFilter will not be displayed in the management console if the WebFilter license
has expired, and previously entered policies requiring the operation of a WebFilter will not be enforced.
For this reason, it is very important to monitor the status of the license. Should any unexpected
behaviour occur, examine the license page first.
The current license information for each component is displayed under System > Manage Licenses
(Figure 42).

FIGURE 42: MANAGE LICENSES SCREEN

The License Status table includes the maximum number of users allowed (Max. Users) to use each
licensed component, the number of licensed Days Remaining for each component, the Expiry Date, and
an Effective Date, if an installed license will enable a component at some future time (see Effective Date
below).
The BeSecure System (the System entry in the table) represents the license state of the entire BeSecure
appliance. Each component below it is a sub-component of System. When the System license expires, all
other components expire.
Icons in the left column graphically indicate the status of each component:
   License is valid
   License has expired
   License will expire within 14 days
   A future license exists (see Effective Date below), component currently disabled
By default, BeSecure is installed with a limited-usage trial license valid for 45 days, beginning on activation
of the appliance. Wedge Networks or a qualified reseller can provide a long term production license
appropriate for specific needs.
On a newly installed BeSecure appliance, there is a pre-installed trial license valid for 45
days, with no WebFilter license included. This 45 day period begins on power up of the
BeSecure appliance.

To install a provided production license, follow these steps:
1. Select Manage Licenses from the System menu, to display the screen shown in Figure 42.
2. Under Install License, click the Browse button to browse to the license file or enter the file
   location into the License File field.
3. Click the Upload button.

Effective Date
A new license, such as a renewal license, may be installed prior to the end of the previous licensing
period. Such a license may contain newly licensed components, previously not enabled, that will be
enabled on a future date. The Effective Date column will display the date when these components'
features will be available. See the Anti-Spam service in Figure 42.
At other times, if a component will expire on a specific date but a license has been installed that will
re-enable it on a future date beyond the expiry date (i.e. a gap exists in the component's license), the
Expiry Date column will show the date of expiry, and the Effective Date column will show the date upon
which the component will be available again.
If the Effective Date is empty for a licensed component (the usual state), this means that the component
is currently licensed until the indicated Expiry Date, and not available beyond that date with the current
licenses available on BeSecure.

3.1.11 Backup/Restore
BeSecure provides a means to save all user configured settings and policies on the system to a remote
computer for later restoration. It is useful for transferring settings to another BeSecure appliance of the
same version, and is also a recommended precaution before any System Update is attempted (see Section
3.1.12). This console page also includes the ability to reset BeSecure to its default settings.
Select Backup/Restore under the System menu, to display the screen in Figure 43.
Backup/Restore is only possible across the same BeSecure version build level. The
version format is major.minor.patch-build. For example, in 3.1.4-123, 123 is the build
number. A backup file created in 3.1.4-222 or 3.1.6-123 will NOT work with 3.1.6-336.
However, a backup file should still be created when updating to a later version, in case a
downgrade is necessary.

On a Restore, the bridge/router IP address will be set to the IP address stored in the file
used to restore the settings. If this IP address is not known, access to the console could
be lost, and connection via serial port or direct access to the appliance with a keyboard
and monitor may be required to determine the IP address needed to connect to the
console.
Remember that the new IP address from the backup is required to access the console
once a restore or reset is completed.

Backup
To back up the system configuration:
1. Under Backup, click on the Download button.
2. Save the file as prompted to the client machine. Please save this file in an area you can access
   for system recovery purposes.

Restore
To restore your system to a saved configuration:
1. Under Restore, enter the configuration filename saved as in the above section into the Get
   Configuration File field, or click on the Browse button. This will allow you to browse the
   directories that are accessible from the machine on which your browser is running. Select the
   appropriate file.
2. Click the Upload button.



FIGURE 43: BACKUP/RESTORE CONFIGURATION

Reset to Default Settings

This allows a reset of the system to factory default settings.
On Reset to Default Settings, the bridge/router IP address of BeSecure will be reset to
192.168.0.88. The control port will be disabled. The admin user account password will
be reset to the default value admin.

To reset the system to factory default settings:
1. Under Reset to Default Settings, click the Reset button.

3.1.12 Event Reporting

This is where the configuration is done for Event Reporting, the data collected for use by the Reports > Event List and Event Summary pages. See Section 3.5.7.
Enabling the event reporting can result in as much as a 5% reduction in BeSecure performance, and for this reason it is disabled by default.


FIGURE 44: EVENT REPORTING

Two operations are possible here, enabling/disabling the data collection, and clearing the collected data
from the database.
The database size is determined by the specific BeSecure platform. All newer platforms with 4GB of flash
storage will be limited to 500MB of event data in the database. Once this limit is reached, the oldest
events will be replaced with new events. The NDP-1038, equipped with a hard drive, is allowed to retain
50GB of event data. Platforms with only 2GB of flash storage are limited to only 40MB of stored events
before the oldest events are overwritten.

3.1.13 SubSonic
In many situations, the same data traffic is transferred many times over the same network path, between various source and destination endpoints. Fully scanning repeat traffic that we know is identical is a waste of system resources. With SubSonic Content Recognition enabled, this redundant scanning is eliminated, with no reduction in security, and BeSecure performance and throughput is enhanced as a result by freeing up CPU cycles for other scanning tasks.
To enable SubSonic:
1. Select SubSonic from the System menu to access the screen displayed in Figure 45.
2. Select the Enable SubSonic check box.
3. Select the protocols that SubSonic should be enabled for.
4. Click the Save button.


FIGURE 45: ENABLING SUBSONIC


The Reports > Statistics page (see Figure 90) contains various statistics for SubSonic activity, shown in
detail in Figure 46:
SubSonic Cache Hit/Miss: A cache miss indicates a scan occurred on data that has not been seen before.
A cache hit indicates that a previous scan result was used for data that has already been seen and
scanned (perhaps a response for a request from a different client or a previous request by the current
client), and the result of this previous scan on the same data was deemed still valid, and re-used.
SubSonic Scan Savings: This shows the number of bytes of data that didn't require a re-scan, due to the SubSonic mechanism. This number illustrates more clearly the BeSecure scanning effort savings and increase in performance. It can be compared to the Scanned Traffic values, the number of actual scanned bytes.

FIGURE 46: SUBSONIC STATISTICS

Figure 46 shows a simple example of SubSonic in action. A 4.5 KB file was downloaded three times. We see the Scanned Traffic for HTTP (the fourth stat column) shows a total of 13.5KB scanned (4.5KB x 3). The SubSonic Cache Hit/Miss is at 2 / 1 (two cache hits, one cache miss). The cache miss occurs when the content is new, and a full scan of that content occurred. Two cache hits indicate that the second and third downloads of the same file did not require a full scan, only a cursory SubSonic scan. BeSecure recognized the content, and the previous scan results for that same file were taken into account.
The SubSonic Scan Savings value displays the amount of data that only underwent a SubSonic scan, out of the total traffic scanned by BeSecure (the Scanned Traffic value).
Fully Scanned Traffic Amount = Scanned Traffic - SubSonic Scan Savings

A graphical display of the SubSonic statistics is available by navigating to Reports > SubSonic Graphs. See
Section 3.5.6 for details.

3.1.14 Multiple Instance Management (MIM) Portal

Any individual BeSecure appliance (or instance) can be configured to allow its management console to act as a portal to the management console of any number of other instances. This allows an administrator to only remember (or bookmark) one IP address or hostname to access all deployed instances of BeSecure in their network.
Each instance is added to the list of available instances through the primary instance management console, along with each instance's IP address (or hostname, if it is known by the network DNS) and a brief description.


FIGURE 47: MIM (MULTIPLE INSTANCE MANAGEMENT) PORTAL

When the MIM portal is enabled on the primary instance, access to the management interface will display
a list of hyperlinks to all configured instances.
Access to each of the instances will require separate login. The description entered for the instance
during configuration on the primary instance will be displayed in the upper part of the screen, along with
a SELECT link allowing return to the instance selection list. Logout, System > Shut Down (Restart Services
and Restart), and System Update actions will also trigger a return to the instance selection list.
To configure the MIM portal:
1. Select MIM Portal from the System menu.
2. Click the add icon. The Add New Instance dialog will appear.

FIGURE 48: ADD NEW MIM INSTANCE

3. Enter the IP Address/Hostname. This value will be used to construct the hyperlink in the instance select list. There is no validation that this address or host exists before it is added, so be sure that it is accessible.


4. Enter a Description of the instance. This value will be used at the top of the page of the instance management console, when it is accessed via the instance selection list. Its purpose is to help determine which instance is currently being configured.
5. Click Save. The instance will be displayed in the list.
6. Add any additional instances required in the same manner.
7. To enable the portal, click Enable multi-instance portal.

FIGURE 49: ENABLING THE MIM PORTAL

8. Click Yes to enable.

To access the list of instances, click the logo in the upper left or the SELECT hyperlink next to Portal Instance (the description of this primary instance).

FIGURE 50: MIM PORTAL SELECTION LIST

From this list, any instance can be selected, logged into, and configured. Any instance will always show
the configured description along with a SELECT link to return to the instance select list (as long as the
instance was accessed via the portal).

FIGURE 51: MIM INSTANCE WITH DESCRIPTION AND LINK

The behaviour allowing the return to the selection list from any instance, as well as the display of the instance description, requires that all instances are at a firmware version that supports the MIM Portal.


To disable the MIM Portal:
1. Log out of any accessed instances to clear the session on those instances.
2. Access the System > MIM Portal screen of the Primary Instance.
3. Uncheck the Enable multi-instance portal check box.
4. Click Yes to disable.

Once this is done, all instances will need to be accessed by their individual addresses or hostnames.

3.1.15 System Update

The firmware of the BeSecure appliance can be easily updated using the management console and the Wedge Networks update server. See Figure 52.
IT IS STRONGLY RECOMMENDED THAT YOU BACK UP YOUR SYSTEM CONFIGURATION BEFORE ANY UPDATE, should a rollback to the previous version be required for any reason. For further information, please refer to Section 3.1.11.
To update BeSecure, you need to do the following:
1. Select System Update from the System menu.
2. Provide the User ID and Password for the Wedge Networks update server provided to you by Wedge Networks or a qualified reseller. Note that this is NOT the BeSecure administrator password.
3. Select a version from the Available upgrades list, or specify the desired BeSecure Version. The format is major.minor.patch-build. For example, 4.0.0-200 or 3.1.6-228.
By default, only versions of the same major.minor.patch number are shown. Select the Include higher major.minor.patch releases checkbox if you wish to see new versions beyond these. For example, if you are running 3.1.6, only newer 3.1.6 builds will be shown. If a 3.1.8 version existed, it would be hidden until the checkbox is selected.
To update to the latest build of your current major.minor.patch, leave the BeSecure Version field blank (for example, if you are at 3.1.6-200, it will select the latest 3.1.6-XXX build).
4. If your customer service representative has instructed you to specify a different update server, select the radio button by the blank field and enter the location of the custom update server. Otherwise, leave Default selected.
5. Click the Run Update button and follow the instructions.
6. When the system has restarted, verify that the version number on the About page (using the hyperlink in the upper right of the console window) is correct. See Figure 53.


FIGURE 52: SYSTEM UPDATE SCREEN

FIGURE 53: VERSION NUMBER
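The version rules stated for Backup/Restore (Section 3.1.11) and for the System Update version list above, worked through in code. This is an added example, not Wedge Networks' code: the list of offered versions is constructed, and the parsing and filtering logic is an assumption about how the console applies the rules the manual states.

```python
"""Version rules for BeSecure Backup/Restore and System Update (added example).

Not Wedge Networks' code. Versions have the form major.minor.patch-build,
e.g. 3.1.6-228. A backup restores only onto the identical build; the update
list shows newer builds of the current major.minor.patch only, unless higher
releases are explicitly included; a blank version request picks the latest
build of the current major.minor.patch.
"""
import re
from typing import List, NamedTuple, Optional

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int

    @property
    def release(self):
        """The major.minor.patch part, without the build number."""
        return (self.major, self.minor, self.patch)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}-{self.build}"


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch-build'; reject anything else rather than guess."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a major.minor.patch-build version: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def backup_is_restorable(backup_version: str, appliance_version: str) -> bool:
    """A backup file restores only onto the same build: all four components must match.
    3.1.4-222 and 3.1.6-123 are therefore both rejected by a 3.1.6-336 appliance."""
    return parse_version(backup_version) == parse_version(appliance_version)


def available_upgrades(current: str, offered: List[str],
                       include_higher: bool = False) -> List[str]:
    """Filter the update server's list the way the console's default view does.

    Only builds newer than the running one are offered. Without include_higher,
    they must also share the current major.minor.patch (the "Include higher
    major.minor.patch releases" checkbox lifts that restriction).
    """
    cur = parse_version(current)
    candidates = []
    for text in offered:
        v = parse_version(text)
        if v <= cur:
            continue  # tuple comparison: never offer the running build or a downgrade
        if include_higher or v.release == cur.release:
            candidates.append(v)
    return [str(v) for v in sorted(candidates)]


def select_target(current: str, offered: List[str],
                  requested: Optional[str] = None) -> Optional[str]:
    """Resolve what Run Update would install, or None if nothing qualifies.

    An explicit BeSecure Version is used only if the server offers it. A blank
    field selects the latest build of the current major.minor.patch (3.1.6-200
    with 3.1.6-210 and 3.1.6-228 offered resolves to 3.1.6-228).
    """
    if requested:
        want = parse_version(requested)
        return str(want) if any(parse_version(o) == want for o in offered) else None
    same_release = available_upgrades(current, offered, include_higher=False)
    return same_release[-1] if same_release else None
```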

3.1.16 Shut Down

The System > Shut Down menu item provides several options that can be used to control the current status of BeSecure. These options include:
Restart Services: A soft restart or re-initialization of the scanning services. This can be used if there are any perceived irregularities in scanning operation or appearance of the module status icons on the System > Status page.
Reboot: A hard restart of the system, that will power down and then power up the system.
Shut Down: Power down completely and remain off.
To restart the services, reboot, or shut down:
1. Select Shut Down from the System menu, to display the screen shown in Figure 54.
2. From the drop down menu, select Restart Services, Reboot, or Shut Down.
3. Click Go!.

FIGURE 54: SYSTEM SHUTDOWN SCREEN


3.2 Protection
BeSecure provides the machines on your network with comprehensive protection from viruses, malware, and spam.
This section outlines the creation and maintenance of protection policies and the configuration of the engines responsible for the signature databases.
Policies are (typically) IP address-based rules that determine which services apply to the different protected clients, as well as how these rules should be applied. These services can be applied to a whole network, a certain address range or a specific client IP address, for both the source and the destination of the scanned traffic. Any added policy will apply to any data traffic if the IP address requesting the data matches the specified Source address and the IP address sending the response matches the specified Destination IP address.
A matched policy indicates that the data scanning associated with the appropriate service will occur for this address pair.
The Source endpoint can also be associated with a user or group name, if System > Settings > Directory Agent (see Section 3.1.4) and a Wedge Directory Agent have been configured to communicate with an AD/LDAP server configured as described in Appendix E. This enables more useful logging of client traffic scanning activity and results, as well as more criteria for policy matching. IP address-based rules with dynamically assigned addresses will spread the activity of one user over several addresses, with no indication of a connection between them. Only the IP address will be logged with the scanning events that occur. However, a user or group name policy will allow association of the activity of the various IP addresses, as the user and group name will also be logged in these cases when available. This allows for more extensive reporting.
On supporting policy configuration pages, the Group? checkbox (when entering a new policy) and the Is Group? column (in the list of existing policies) indicate whether the name associated with the policy specifies a user or a group.
Exclusion Policies can be specified in the same manner as regular policies for both anti-virus and anti-spam, by selecting the Exclude this policy from the specified protocol scans checkbox. Exclusion policies indicate that any data traffic matching the policy's criteria is to be excluded from any of this type of scanning. Exclusion policies override any regular policy matches that would indicate scanning is required. Exclusion policies are displayed in the Exclusions tab at the bottom of the Anti-Virus and Anti-Spam screens, and can be manipulated in the same manner as regular policies.

3.2.1 Anti-Virus Policies

From the Protection menu, select Anti-Virus Policies. The screen shown in Figure 55 will be displayed. This is where policy endpoints are specified to be included in an anti-virus scan for specific protocols. Both the Source and Destination IP addresses of the network traffic can be specified. Additionally, a user or group name can be specified for the Source endpoint, if a Directory Agent is configured (see Section 3.1.4 and Appendix E). The Entire Data Network checkbox sets the value of its associated IP Address field to 0.0.0.0/0, representing all possible IP addresses. If both IP Address fields are set using Entire Data Network, the policy will apply to traffic with any source and destination (all traffic).
To add an anti-virus policy:


1. Enter the specific IP address or address range into the Source field. An address range must be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all source IP addresses.
2. If AD/LDAP is configured, enter the user or group name into the Name field. If the name represents a group, select the Group? checkbox.
3. Enter the Destination IP address or network address. A network address needs to be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all IP address destinations.
4. If desired, de-select Block Viruses. If it remains selected, any detected virus for the corresponding source and destination and selected protocols will be blocked; otherwise they will only be logged as detected events.
5. Choose the protocols to be scanned. All are selected by default.
6. Click the Add button.

The new policy will show up in the list of existing policies. The screen should change to indicate the successful registration of the policy as shown in Figure 56. In this figure, a policy for the entire network, with an IP address for the source endpoint, has been added.

FIGURE 55: ANTI-VIRUS POLICIES


FIGURE 56: ANTI-VIRUS POLICIES (ADDITION SUCCESSFUL)

The policy may take up to 30 seconds to take effect on scanned traffic after the Add or Update button is clicked.
To edit/delete an anti-virus policy:
1. Select or deselect the desired protocols next to the policy in the list in the lower half of the page. Deselect all protocols to remove the policy completely. The Select All column contains checkboxes that can be used to select all/deselect all of the protocol checkboxes rapidly.
2. Click the Update button.

To add an exclusion policy for anti-virus:
1. Enter the specific IP address or address range into both of the Source and Destination fields.
2. Enter a user or group Name if desired, and AD/LDAP is configured. Select Group? if the Name represents a group name.
3. Select the Exclude this policy from the specified protocol scans checkbox.
4. Choose the e-mail protocols to be excluded from scanning. All are selected by default.
5. Click the Add button.

Data requested by this source from this destination for the selected protocols will now not be scanned for viruses, even if they are included in a regular anti-virus policy.
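The matching rules described in Section 3.2 and above (Source and Destination CIDR, Entire Data Network as 0.0.0.0/0, per-protocol selection, exclusions overriding regular policies, Block versus log-only), worked through as an added example. This is not Wedge Networks' code: the policy set and addresses are constructed, and treating the user/group Name as an additional match criterion and combining overlapping regular policies as "block if any blocks" are assumptions the manual does not spell out.

```python
"""Policy matching for BeSecure anti-virus/anti-spam policies (added example).

Not Wedge Networks' code. Models the rules stated in Section 3.2: a policy
matches a flow when the requesting (Source) IP lies in the Source CIDR and
the responding (Destination) IP lies in the Destination CIDR, for a protocol
the policy has selected; 0.0.0.0/0 is the Entire Data Network; an exclusion
policy overrides any regular match; Block decides block versus log-only.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

ENTIRE_DATA_NETWORK = "0.0.0.0/0"
ALL_PROTOCOLS = frozenset({"HTTP", "FTP", "SMTP", "POP3", "IMAP"})  # constructed list


@dataclass(frozen=True)
class Policy:
    source: str                      # CIDR, e.g. "10.0.5.0/24", or ENTIRE_DATA_NETWORK
    destination: str                 # CIDR
    protocols: FrozenSet[str]        # deselecting every protocol removes the policy
    exclude: bool = False            # "Exclude this policy from the specified protocol scans"
    block: bool = True               # "Block Viruses" / "Block SMTP Spam Messages"
    name: Optional[str] = None       # AD/LDAP user or group name for the Source endpoint
    is_group: bool = False           # the "Group?" checkbox

    def matches(self, src_ip: str, dst_ip: str, protocol: str,
                user: Optional[str] = None, groups: Iterable[str] = ()) -> bool:
        if protocol not in self.protocols:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination, strict=False):
            return False
        if self.name is not None:    # assumption: a Name narrows the Source match further
            return self.name in set(groups) if self.is_group else self.name == user
        return True


@dataclass(frozen=True)
class Decision:
    scan: bool      # does the scanning for this service run on the flow?
    block: bool     # if a detection occurs, is the content blocked (else logged only)?
    reason: str


def evaluate(policies: List[Policy], src_ip: str, dst_ip: str, protocol: str,
             user: Optional[str] = None, groups: Iterable[str] = ()) -> Decision:
    """Decide scanning for one source/destination pair and protocol.

    Exclusions win outright, as Section 3.2 states. Otherwise the flow is
    scanned if any regular policy matches, and blocked if any of those has
    Block set (constructed tie-break for overlapping policies).
    """
    groups = tuple(groups)
    matched = [p for p in policies if p.matches(src_ip, dst_ip, protocol, user, groups)]
    exclusions = [p for p in matched if p.exclude]
    if exclusions:
        e = exclusions[0]
        return Decision(False, False, f"excluded by {e.source} -> {e.destination} ({protocol})")
    regular = [p for p in matched if not p.exclude]
    if not regular:
        return Decision(False, False, "no matching policy")
    return Decision(True, any(p.block for p in regular),
                    f"{len(regular)} matching regular policy(ies)")
```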

URL Whitelist Tab

The URL Whitelist provides a means to specify URLs that should never be scanned for viruses, even if the source and destination IP addresses or user/group name match on an existing policy. See Figure 57.
To add a URL to the URL whitelist:
1. Select Protection > Anti-Virus Policies.
2. Select the URL Whitelist tab.
3. Enter the URL to whitelist into the URL field.
4. Click the Add button.

To modify an existing URL in the URL whitelist:
1. The list of existing URLs is shown in the lower half of the screen. Clicking the edit icon next to the policy will bring up the details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

FIGURE 57: URL WHITELIST FOR ANTI-VIRUS POLICIES

To delete an existing URL in the URL whitelist:
1. A list of existing URLs is shown in the lower half of the screen. Click on the delete icon next to the policy to delete the URL from the whitelist.


3.2.2 Anti-Spam Policies

From the Protection menu, select the Anti-Spam Policies. The screen shown in Figure 59 will be displayed. This is where policy endpoints are specified to be included in an anti-spam scan for specific e-mail protocols. Both the Source and Destination IP addresses of the network traffic can be specified. Additionally, a user or group name can be specified for the Source endpoint, if a Directory Agent is configured (see Section 3.1.4 and Appendix E). The Entire Data Network checkbox sets the value of its associated IP Address field to 0.0.0.0/0, representing all possible IP addresses. If both IP Address fields are set using Entire Data Network, the policy will apply to traffic with any source and destination (all traffic).
To add an anti-spam policy:
1. Enter the specific IP address or address range into the Source field. An address range must be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all source IP addresses.
2. If AD/LDAP is configured, enter the user or group name into the Name field. If the name represents a group, select the Group? checkbox.
3. Enter the Destination IP address or network address. A network address needs to be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all IP address destinations.
4. If desired, select Block SMTP Spam Messages. If selected, the SMTP spam messages for the corresponding source and destination will be blocked; otherwise they will only be marked as spam and reported as detected. If the SMTP protocol checkbox is not selected, this setting is not relevant.
5. Choose the e-mail protocols to be scanned. All are selected by default.

If the global setting for Block SMTP Spam Messages on the Anti-Spam Setup page (see Section 3.2.4) is selected, the individual policy block settings are ignored and all the SMTP spam messages will be blocked. The per policy block settings are taken into consideration when the global block setting is disabled. See Figure 58.

FIGURE 58: ANTI-SPAM GLOBAL SETTING ON MESSAGE

6. Click the Add button.

The new policy will show up in the list of existing policies. The screen should change to indicate the successful registration of the policy as shown in Figure 60. In this figure, a policy for the entire network, with an IP address as the source endpoint, has been added.

Policy changes will take up to 30 seconds to take effect on scanned traffic after the Add
or Update button is clicked.

FIGURE 59: ANTI-SPAM POLICIES

To edit/delete an anti-spam policy:
1. Select or deselect the desired protocols next to the policy in the list in the lower half of the page. Deselect all protocols to remove the policy completely. The Select All column contains checkboxes that can be used to select all/deselect all of the protocol checkboxes rapidly.
2. Click the Update button.

To add an exclusion policy for anti-spam:
1. Enter the specific IP address or address range into both of the Source and Destination fields.
2. Enter a user or group Name if desired, and AD/LDAP is configured. Select Group? if the Name represents a group name.
3. Select the Exclude this policy from the specified protocol scans checkbox.
4. Choose the e-mail protocols to be excluded from scanning. All are selected by default.
5. Click the Add button.

Data requested by this source from this destination for the selected protocols will now not be scanned for spam, even if they are included in a regular anti-spam policy.


FIGURE 60: ANTI-SPAM POLICIES (ADDITION SUCCESSFUL)

3.2.3 AV Setup (Kaspersky or Bitdefender)


The anti-virus engine provides access to an extensive virus and malware signature database. This
database is updated with hourly signature releases, with additional urgent signature releases as needed.
BeSecure includes an automatic update function controlled by the Virus Update Interval field, to allow
updates from this database to occur as frequently as every hour.
Currently, two anti-virus engines are available to be licensed on this device, Kaspersky and Bitdefender.
To change the setup of the anti-virus engine, select Kaspersky AV Setup or Bitdefender AV Setup from
the Protection menu to display the screen in Figure 61. This figure displays the Kaspersky configuration
on the left, and the Bitdefender configuration on the right.

Virus Definitions Updates


The Last Update Time states the last time the database of virus signatures was updated.
To force an immediate update of the virus signature database, click the Update Virus Definitions button.


Manual Virus Definitions Upload

If no internet access is available for automatic virus signature updates, the signatures can be manually uploaded to BeSecure. This is not recommended as a practical solution to signature updating, and should only be done under special circumstances. To configure this, the automatic signature updates must be disabled by selecting --never-- for the Virus Update Interval. See below.
Wedge Networks provides the latest complete virus database for manual updating. This file is packaged as a ZIP archive and is downloadable from Wedge Networks Product Support. Please contact Wedge Networks Product Support or the reseller you purchased BeSecure from for more details.
To manually update your virus signatures:
1. Contact Wedge Networks Product Support and download the signatures file.
2. Open the management console and go to Protection > Anti-Virus Setup. See Figure 61.
3. If necessary, select --never-- for the Virus Update Interval, and click the Save button. This disables the automatic signature update mechanism.
4. The upload order is important. For each of the files downloaded in Step 1, in the same order as listed in Step 1, Browse to the file location and Upload the file.

Configuration
To configure the anti-virus engine settings:
1. Select the Virus Update Interval. This changes the virus signature database update frequency. The first update of any day will occur at this number of hours after midnight, and at every interval of this number of hours thereafter.
2. Select the number of minutes after the hour to Start Updating at. The virus signature update will occur at this number of minutes past each hour calculated using the Virus Update Interval value entered in Step 1.
If Virus Update Interval is set to 3, and the Start Updating at minutes set to 28 (as in Figure 61), each day the signatures will update at 03:28, 06:28, 09:28, etc. For a setting of 8 hours and 45 minutes, the signatures will update at 08:45, 16:45, and 00:45.
3. Select the Region for Signature Update (Kaspersky only). This allows the closest update server to the region selected to be used for virus signature updates.
4. Set the Max. Scanned File Size (Bitdefender only). This allows setting an upper limit to increase performance.
5. Set the Max. Archive Scan Depth (Bitdefender only). This allows limiting the depth of scanning in recursive compressed archive files. The deeper specified, the more memory is needed for scanning, and performance is impacted.


6. Set the Max. Extracted File Size (Bitdefender only). This sets a maximum size for files extracted from archives to be scanned. Larger files use more disk space and impact performance to a greater degree.
7. Set the Max. Archive File Size (Bitdefender only). Archive files larger than this will not be extracted and scanned.
8. Select the Enable Heuristics checkbox to allow the engine to use heuristics to detect possible mutations and permutations of existing signatures in the virus database, in effect detecting more types of viruses than there are exact signatures for in the database.
9. Click the Save button.

FIGURE 61: ANTI-VIRUS SETUP SCREENS, KASPERSKY ON LEFT, BITDEFENDER ON RIGHT


3.2.4 Anti-Spam Setup

The anti-spam engine in BeSecure is powered by Cloudmark. Cloudmark uses a global anti-spam signature feedback network to maintain its spam signature database.
To change the configuration of the anti-spam service, select Anti-Spam Setup from the Protection menu to display the screen in Figure 62.

FIGURE 62: ANTI-SPAM SETUP CONFIGURATION

Configuration
The Last Update Time states the last time the database of spam signatures was updated.
To configure the anti-spam engine settings:
1. Set the Required Score. This is the threshold at which the message is classified as spam, expressed as a percentage confidence level; the lower the number, the higher the sensitivity.
2. Select Enable IP Address Reputation Scoring, if desired. This enables the use of an algorithm that adjusts the spam score of a message based on its origin information. This can increase the identification rate of spam messages, but can potentially increase the false positive rate as well. This is enabled by default.
3. If desired, select Block SMTP Spam Messages. If selected, any detected SMTP spam is blocked. By default, the messages are marked with a customizable string placed in the subject line (see next section, Headers) and allowed into the user's inbox. If a global setting is not desired, there is an option of enabling the blocking on a per policy basis on the Protection > Anti-Spam Policies page (see Section 3.2.2).
POP3 and IMAP spam e-mail messages cannot be blocked. They can only be marked. Rules based on the Message Subject Marker and the X-Spam headers (see next section, Headers) placed in scanned messages must be used in an e-mail client to manage marked spam messages, such as moving them to a special folder or deleting them.
4. If desired, select Disable Anti-Spam when no policies exist. If selected, the anti-spam engine will not run if no anti-spam policies exist. This prevents unnecessary bandwidth usage for regularly scheduled spam signature updates.
5. If desired, select Enable SMTP tarpitting. If selected, the scanning engine will actively delay SMTP server greeting messages at the beginning of a transaction and server responses during a transaction every five recipients. The delay in each of these cases defaults to 20 seconds. This discourages large-scale spamming.
6. Select Log Spam Analysis String to log additional information about why a message is classified as spam. This analysis string can be used by Product Support to determine causes for false positives, etc., and prevent them from happening again.
7. Click on the Save button to save any new settings.

The Advanced Settings section can be expanded to display settings that may be used in certain specialized network deployments to customize the anti-spam scanning behaviour. See Figure 63.
The SMTP Error Reply for Spam Messages allows customization of the reply code and message that is sent to an SMTP MTA when a message from that source is classified as spam (and Block SMTP Spam Messages is selected) by the anti-spam engine. This reply code is only used when the SMTP spam is configured as being blocked. By default, the code is 554, the subcode is 5.6.0, and the message text is "Message contains spam". In some deployment environments, it may be desirable for the code to be adjusted to induce different MTA behaviour or reduce its knowledge of BeSecure's actions.
To further combat spam, several options exist to prevent suspicious SMTP behaviour, without actually detecting the message as spam. This can prevent spam messages from getting sent before they are added to the spam signature database. These include limiting the number of recipients and the number of sessions per IP address.
Limit SMTP Recipients Per Message will block any message with a number of recipients that exceeds the specified Maximum Recipients Per Message. This can help prevent mass spamming of large mailing lists.
Limit SMTP Sessions Per IP Address will prevent a single SMTP client from using many separate SMTP sessions to avoid the restrictions placed on it by tarpitting (see above) or the limitation of recipients per message. The maximum number of simultaneous sessions is specified as Maximum Sessions Per IP Address. Sending will be blocked for this client should this maximum be exceeded.


FIGURE 63: ANTI-SPAM SETUP ADVANCED SETTINGS

Both of the above limits have a customizable reply code and message, just as the regular blocking of detected SMTP spam messages does.
See Appendix D: SMTP Reply Codes for a list of standard SMTP reply codes and their meanings. There are three ranges of error codes allowed:
5xx Permanent Failure: This is a range of codes indicating that an error has occurred with sending, and the error is not likely to be resolved by resending the message in the current form. The sending MTA should not retry to deliver the message. By default, BeSecure uses 554, indicating a permanent failure. The sending MTA will not resend its message, as it has been informed that its message has been denied. Any false positive spam e-mail can be judged as such if this type of feedback is sent back to the sender. However, this behaviour can also inform a spammer that a security device is in place, and they can attempt to adjust their own behaviour or strategy to compensate.
4xx Persistent Transient Failure: This is a range of codes indicating that the message as sent is valid, but some temporary event is preventing the successful sending of the message. In this case, the sending MTA may try to automatically resend the message later. Using a 4xx series code is allowed, but is not recommended, as it may cause the MTA to retry an undetermined number of times, increasing network traffic for no good purpose.
2xx Success: This range of codes indicates acceptance of the message for delivery. This will cause the sending MTA to believe the spam message has been accepted for delivery. No failure feedback is given.

Blocked false positives will appear to be delivered. However, a spammer will be no wiser that his or her
spam message has been blocked and swallowed by BeSecure.
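The Advanced Settings controls described above (tarpitting, the recipient and session limits, and the reply-code ranges), simulated on a constructed SMTP session as an added example. This is not Wedge Networks' code: the 554 5.6.0 "Message contains spam" default is the documented one, while the reply codes attached to the two limits, the client addresses and the session trace are constructed placeholders.

```python
"""SMTP abuse controls from Anti-Spam Setup > Advanced Settings (added example).

Not Wedge Networks' code: a simulation of how the settings described above
would act on an SMTP session. With tarpitting on, the server greeting and
every fifth recipient's response are delayed (20 s default); a message whose
recipient count exceeds Maximum Recipients Per Message is rejected; a new
session from a client IP already at Maximum Sessions Per IP Address is
rejected. Reply codes for the two limits are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Reply = Tuple[int, str, str]                  # (code, enhanced status subcode, text)
SPAM_REPLY: Reply = (554, "5.6.0", "Message contains spam")   # documented default


@dataclass
class AdvancedSettings:
    tarpit: bool = True
    tarpit_delay_s: int = 20                      # documented default delay
    tarpit_every_n_recipients: int = 5            # "every five recipients"
    max_recipients: Optional[int] = None          # None: Limit SMTP Recipients Per Message off
    max_sessions_per_ip: Optional[int] = None     # None: Limit SMTP Sessions Per IP Address off
    recipient_reply: Reply = (554, "5.5.3", "Too many recipients")           # constructed
    session_reply: Reply = (421, "4.7.0", "Too many sessions from your IP")  # constructed


@dataclass
class Session:
    client_ip: str
    recipients: int = 0
    rejected: Optional[Reply] = None


def reply_class(code: int) -> str:
    """Classify a reply code into the three ranges the manual discusses."""
    if 200 <= code < 300:
        return "success"                          # MTA believes the message was accepted
    if 400 <= code < 500:
        return "persistent transient failure"     # MTA may retry an undetermined number of times
    if 500 <= code < 600:
        return "permanent failure"                # MTA should not retry
    raise ValueError(f"not a usable SMTP reply code: {code}")


def reply_line(reply: Reply) -> str:
    """Render the reply as the sending MTA sees it, e.g. '554 5.6.0 Message contains spam'."""
    code, subcode, text = reply
    return f"{code} {subcode} {text}"


class SmtpGuard:
    """Tracks concurrent sessions per client IP and applies the configured limits."""

    def __init__(self, cfg: AdvancedSettings):
        self.cfg = cfg
        self.open_sessions: Dict[str, int] = {}

    def connect(self, client_ip: str) -> Tuple[Optional[Session], int, Optional[Reply]]:
        """Return (session or None, greeting delay in seconds, reject reply or None)."""
        n = self.open_sessions.get(client_ip, 0)
        if self.cfg.max_sessions_per_ip is not None and n >= self.cfg.max_sessions_per_ip:
            return None, 0, self.cfg.session_reply
        self.open_sessions[client_ip] = n + 1
        return Session(client_ip), (self.cfg.tarpit_delay_s if self.cfg.tarpit else 0), None

    def rcpt(self, session: Session) -> Tuple[int, Optional[Reply]]:
        """One RCPT TO command. Return (response delay in seconds, reject reply or None)."""
        session.recipients += 1
        if self.cfg.max_recipients is not None and session.recipients > self.cfg.max_recipients:
            session.rejected = self.cfg.recipient_reply
            return 0, self.cfg.recipient_reply
        delay = 0
        if self.cfg.tarpit and session.recipients % self.cfg.tarpit_every_n_recipients == 0:
            delay = self.cfg.tarpit_delay_s
        return delay, None

    def quit(self, session: Session) -> None:
        """Session closed: free its slot so the client can connect again."""
        n = self.open_sessions.get(session.client_ip, 0)
        self.open_sessions[session.client_ip] = max(0, n - 1)
```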

Whitelist Editing
The spam whitelist allows regular expression matching against the headers and body of e-mail messages. If a match is found, a message that ordinarily would be marked as spam will not be classified as spam.
It is also possible, on this page, to whitelist IP addresses that should not be scored using the IP reputation scoring algorithm (see above).
To add a spam whitelist entry:
1. Select the Whitelist Editing tab under Protection > Anti-Spam Setup.
2. Select a Whitelist Type: body, header, or IP reputation.
3. If header was selected, select an E-mail Header for Matching.
4. Specify the regular expression, or for IP reputation a CIDR-formatted IP address, that should be used for this whitelist match.
5. Click the Add button.

FIGURE 64: ANTI-SPAM SETUP WHITELIST EDITING

To modify an existing entry:
1. The list of existing entries is shown in the lower half of the screen. Clicking the icon next to the entry will bring up the details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

To delete an existing entry:
1. A list of existing entries is shown in the lower half of the screen. Clicking on the icon next to the entry will delete it.

To delete all the whitelist entries:
1. Click the icon at the top right of the list to get a confirmation prompt.
2. Click OK to delete all entries from the list.

Headers
When a message is scanned for spam, BeSecure inserts several default headers that contain details of the
scan results. The character string that is pre-pended to the subject line of the message (if the message is
classified as spam) can be customized, as well as the contents of several of the default headers written to
the scanned message by BeSecure. See Figure 65.
These default headers are:
- X-Spam-Status
- X-Spam-Flag
- X-Spam-Checker-IP
- X-Spam-Level
- X-Spam-Checker-Version

Each of the value fields for these headers includes variables specified using %% symbols (see Figure 65). These are replaced at scan time by the actual results of the scanning of the message whose headers are being rewritten. The available variables are:
- SPAMSTATUS: A Yes or No value, indicating whether the given message has been classified as spam.
- SPAMINFO: More information, in the format Score=<calculated score>, <extra spam signature info>.
- SPAMLEVEL: Between 0 and 10 * symbols, each representing a 10% confidence level in the spam classification of this message. Messages that are not spam have 0 * symbols. Messages with a score of 100 (that is, a 100% confidence level) have 10 * symbols.
- SPAMFLAG: A YES or NO value, with the same meaning as the SPAMSTATUS variable.
- PROGNAME: By default, this value is BeSecure.
- VERSION: By default, this value is BESECURE_<major>_<minor>_<release>, where <major>, <minor>, and <release> are the current major, minor, and release numbers.
- CLIENTIP: The IP address of the client machine initiating the request (sender of SMTP, receiver of POP or IMAP).

If no value is inserted into any of the fields, the associated header will not be added to the e-mail message.

It is possible to customize the spam-classified message subject line (Message Subject Marker) and the default header contents of spam-scanned messages. To do this:
1. Select the Headers tab under Protection > Anti-Spam Setup.
2. Specify the Message Subject Marker. This value is pre-pended to the original subject line of a spam message before it is delivered to the client inbox.
3. Edit the Status header, if desired. This is the value written for X-Spam-Status in the message headers. By default this value states whether the message is spam, and includes the score.
4. Edit the Level header, if desired. This is the value written for X-Spam-Level in the message headers.
5. Edit the Flag header, if desired. This is the value written for X-Spam-Flag in the message headers.
6. Edit the Checker Version header, if desired. This is the value written for X-Spam-Checker-Version in the message headers.
7. Edit the Checker Original IP header, if desired. This is the value written for X-Spam-Checker-IP in the message headers.
8. Click the Save button to save the settings.

FIGURE 65: ANTI-SPAM SETUP HEADERS

It is important to note, however, that should it be desirable to use Unicode characters, or multi-byte characters from any other character set, the encoding and character set used by BeSecure for the message subject marker must match the character set and encoding used by the e-mail clients that are used to view the e-mails that will be marked as spam. Otherwise, the client will attempt to interpret the subject line characters using a different encoding, and gibberish will result.
To set the anti-spam encoding and character set, the CLI (command-line interface) must be used (see Section 4.1):
1. Log in to the CLI.
2. Set the MIME content transfer encoding using
   antispam subject marker encoding set <encoding>
   where <encoding> can be b (Base64) or q (quoted-printable). For multi-byte character sets, b is typically the correct choice.
3. Set the character set:
   antispam subject marker charset set <charset>
   where <charset> is the character set name, e.g. UTF-8, ISO-2022-JP, etc.
   A list of character sets can be found at http://www.iana.org/assignments/character-sets.
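The following added example (not BeSecure code) models what the Headers tab and the CLI subject-marker settings above produce: it expands the %% variables in header templates, drops headers whose field is empty, computes the X-Spam-Level stars, and encodes the subject marker as an RFC 2047 encoded-word with the chosen charset and b/q encoding. The %%NAME%% delimiter form, the default templates and the sample scan values are assumptions.

```python
import re
import email.charset
from email.header import Header, decode_header

# Constructed templates modelled on the five default headers; the exact
# %%NAME%% delimiter form and these defaults are assumptions.
DEFAULT_HEADER_TEMPLATES = {
    "X-Spam-Status": "%%SPAMSTATUS%%, %%SPAMINFO%%",
    "X-Spam-Flag": "%%SPAMFLAG%%",
    "X-Spam-Checker-IP": "%%CLIENTIP%%",
    "X-Spam-Level": "%%SPAMLEVEL%%",
    "X-Spam-Checker-Version": "%%PROGNAME%% %%VERSION%%",
}

VARIABLE_RE = re.compile(r"%%([A-Z]+)%%")


def spam_level(score, is_spam):
    """One '*' per 10% confidence; non-spam always gets no stars."""
    if not is_spam:
        return ""
    score = max(0, min(100, int(score)))
    return "*" * (score // 10)


def scan_variables(score, is_spam, client_ip, signature_info="", version=(4, 0, 4)):
    """Values substituted for the %% variables after a scan (sample inputs)."""
    major, minor, release = version
    info = "Score=%d" % score + (", " + signature_info if signature_info else "")
    return {
        "SPAMSTATUS": "Yes" if is_spam else "No",
        "SPAMINFO": info,
        "SPAMLEVEL": spam_level(score, is_spam),
        "SPAMFLAG": "YES" if is_spam else "NO",
        "PROGNAME": "BeSecure",
        "VERSION": "BESECURE_%d_%d_%d" % (major, minor, release),
        "CLIENTIP": client_ip,
    }


def render_headers(templates, variables):
    """Expand %%VAR%% in each template; an empty field means the header is not added.
    Unknown variable names are left untouched (an assumption)."""
    rendered = {}
    for name, template in templates.items():
        if not template:
            continue
        rendered[name] = VARIABLE_RE.sub(
            lambda m: str(variables.get(m.group(1), m.group(0))), template)
    return rendered


def encode_subject_marker(marker, charset="utf-8", encoding="b"):
    """RFC 2047 encoded-word for the marker: 'b' = Base64, 'q' = quoted-printable."""
    cs = email.charset.Charset(charset)
    cs.header_encoding = email.charset.BASE64 if encoding == "b" else email.charset.QP
    return Header(marker, charset=cs).encode()


def mark_subject(subject, marker, is_spam, charset="utf-8", encoding="b"):
    """Pre-pend the encoded marker to the subject of a spam-classified message."""
    if not is_spam:
        return subject
    return encode_subject_marker(marker, charset, encoding) + " " + subject


def decode_subject(encoded):
    """What a client whose charset matches the marker's would display."""
    return "".join(
        part.decode(cs or "ascii") if isinstance(part, bytes) else part
        for part, cs in decode_header(encoded))


if __name__ == "__main__":
    vars_ = scan_variables(87, True, "192.0.2.10", "sig=constructed")
    for name, value in render_headers(DEFAULT_HEADER_TEMPLATES, vars_).items():
        print("%s: %s" % (name, value))
    print(mark_subject("Meeting notes", "【迷惑】", True, "utf-8", "b"))
```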

One Custom Spam Header (name and value) can be specified, should the situation require it, for example, if an e-mail server or client is preconfigured to use a mail header with a custom name and value.
To add the custom e-mail header to scanned messages:
1. Select the Headers tab under Protection > Anti-Spam Setup.
2. Under Custom Spam Header, enter the Name and Value of the custom header to be added to any e-mail message scanned by BeSecure.
3. De-select the Insert only when messages are classified as spam checkbox if the header should be added to all messages scanned. Otherwise, only those actually marked as spam will contain the header.
4. Click the Save button to save the settings.

3.2.5 File Size Limits

BeSecure allows you to configure the maximum size of files scanned for each of the different protocols, and whether the file is blocked completely if it exceeds this limit.

FIGURE 66: FILE SIZE LIMITS CONFIGURATION SCREEN

To configure the file size limits:
1. Select File Size Limits under the Protection menu (Figure 66).
2. Specify the maximum size of files (or in the case of e-mail, messages) scanned, in megabytes (MB), for each of the scanned protocols SMTP, POP3, IMAP, FTP, and HTTP.
3. Specify whether to set Block oversize files for each of the scanned protocols, using the provided checkbox. If selected, a message will be returned to any client requesting an oversize file, stating that the threshold has been exceeded. The file download will not proceed. If not selected, the file or message will be allowed to pass through without being scanned for viruses or spam.
4. Click the Save button to save any new settings.

3.2.6 Global Exclusions

If there are any source and destination endpoint pairs that should not be scanned, even if there is a policy that indicates otherwise, the Global Exclusions page provides the means to exclude these particular endpoint pairs by service. See Figure 67.
To add a global exclusion:
1. Select Global Exclusions under the Protection menu.
2. Enter the specific IP address or address range into the Source field. An IP address range needs to be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all source IP addresses.
3. Enter the Destination IP address or network address. A network address needs to be in CIDR format, i.e. x.x.x.x/xx. Alternatively, select the field's associated Entire Data Network checkbox to use the value 0.0.0.0/0, representing all IP address destinations.
4. Choose the services to be excluded. All are selected by default.
5. Click Add.

To edit/delete a global exclusion:
1. Select or deselect the desired services next to the policy in the list in the lower half of the page. Deselect all services to remove the policy completely. The Select All column contains checkboxes that can be used to select all/deselect all of the protocol checkboxes rapidly.
2. Click the Update button.

FIGURE 67: GLOBAL EXCLUSIONS

3.2.7 Templates
Any protected client requesting content that is blocked by the device due to an existing policy is given feedback that the content was blocked, and the reason why it was blocked. In several cases, the feedback takes the form of error messages whose display is handled by the e-mail client or FTP client. In other cases, such as POP3 downloaded e-mail that is determined to contain a virus, the infected message will be replaced. In the case of infected HTTP downloaded files, or web pages containing forbidden keywords or located at a forbidden URL, the error message is displayed in a replacement web page in the client browser. For some policy types, a means of rejecting the block and proceeding anyway can be enabled on the replacement page.
The Protection > Templates console page allows the customization of the replacement e-mail messages and web page content shown when content is blocked.
Figure 68 shows the template for the replacement message given when a scanned e-mail is blocked due to virus content.
The template contains several markers for variable values that are replaced when a specific message is created, based on the message header information and virus information in that particular instance. Each of these values can be placed in the template message, between % symbols (as in the default message shown in Figure 68):
- USERNAME: the mail account username
- PROGNAME: the BeSecure name and version information
- HOSTNAME: the host name of the BeSecure appliance
- DOMAINNAME: the domain name of the BeSecure appliance
- VIRUSNAME: the name of the virus detected
- MAILFROM: the infected e-mail From field
- MAILSUBJECT: the original subject of the infected e-mail
- CLIENTIP: the IP address of the protected client accessing the mail server
- CLIENTPORT: the port number of the connection on the client side
- SERVERIP: the mail server IP address
- SERVERPORT: the port number of the connection on the mail server side

FIGURE 68: TEMPLATE EDITING FOR REPLACED E-MAIL

To edit the e-mail template:
1. Select the E-mail Template tab.
2. Edit the template as desired, using the variables listed above.
3. Click the Save button.

To reset the e-mail template to its default:
1. Select the E-mail Template tab.
2. Click the Reset to Default Settings button.

The HTTP Template tab contains the templates for the replacement web pages served by BeSecure when
HTTP content is blocked due to an existing policy. This page is formatted with the first part of the HTML
page in the HTML Header field. The HTML Footer field allows customization of the HTML page after the
message content. The message content for each of the possible content blocking situations can be edited
using the fields in between. See Figure 69.
To edit the HTTP template:
1. In the HTML Header field, edit the HTML content as necessary.
2. Edit the Common Title, if desired. This is the message displayed at the top of the HTML page.
3. Edit the HTML Footer, if desired.
4. Click the Save button.

FIGURE 69: TEMPLATE FOR HTTP RESPONSE REPLACEMENT

To reset the HTTP template to its default:
1. Select the HTTP Template tab.
2. Click the Reset to Default Settings button.

The Shared Template Messages tab contains common messages used in both the e-mail and HTTP
template. See Figure 70.
To edit the shared template messages:
1. Edit the Blocked Virus, if desired. This is the message displayed when the content is blocked due to a detected virus. See Section 3.2.1.
2. Edit the Blocked URL, if desired. This is the message displayed when the content is blocked due to a URL blocking policy. See Section 3.3.1.
3. If available, edit the Blocked WebFilter value, if desired. This is the message displayed when the content is blocked due to a WebFilter blocking policy. See Section 3.3.4.
4. Edit the Warning WebFilter, if desired. This is the message displayed when the content is potentially malicious, is blocked by a WebFilter policy, and a warning message is displayed.
5. Edit the Warning WebFilter Proceed Link, if desired. This is the message displayed as a link to allow the rejection of a block page (i.e. proceed at own risk).
6. Edit the Blocked Keyword, if desired. This is the message displayed when the content is blocked due to a keyword blocking policy. See Section 3.3.2.
7. Edit the Blocked Oversize, if desired. This is the message displayed when the content is blocked due to a file whose size exceeds the allowed limit. See Section 3.2.5.
8. Edit the Engine Error, if desired. This is the message displayed on an internal scanning engine error.
9. Click the Save button.

FIGURE 70: SHARED TEMPLATE MESSAGES

3.3 Content Control

This product provides the machines on the network with comprehensive content control services, providing the ability to block specific websites by URL or content category, web content that contains certain keywords or belongs to specified keyword categories, or all access to Internet services for an IP address during any particular time of the day. Patterns for both keywords and URLs can be specified using standard POSIX-style wildcard syntax. See Section 3.3.3 for details.
As with Protection policies, Content Control policies are (typically) IP address-based rules that determine which services apply to the different protected clients, as well as how these rules should be applied. These services can be applied to a whole network, a certain address range or a specific client IP address, for both the source and the destination of the scanned traffic. Any added policy will apply to any data traffic if the IP address requesting the data matches the specified Source address and the IP address sending the response matches the specified Destination IP address. A matched policy indicates that the data scanning associated with the appropriate service will occur for this address pair.
For any of these policies (except Traffic Blocking), the Source endpoint can also include a user or group name, if System > Settings > Directory Agent (see Section 3.1.4) and a Wedge Directory Agent have been configured to communicate with an AD/LDAP server configured as described in Appendix E. This enables more useful logging of client traffic scanning activity, and more criteria for policy matching. IP address-based rules with dynamically assigned addresses will spread the activity of one user over several addresses, with no indication of a connection between them. Only the IP address will be logged with the scanning events that occur. However, a user or group name policy will allow association of the activity of the various IP addresses, as the username will also be logged in these cases. This allows for more extensive reporting.
On supporting policy configuration pages, the Group? checkbox (when entering a new policy) and the Is Group? column (in the list of existing policies) indicate whether the name associated with the policy specifies a user or a group.

3.3.1 URL Policies

These policies allow directly specifying sets of URLs that cannot be accessed, or restricting access to only a specified set of URLs. These policies only have an effect on URLs that are accessed using the HTTP protocol. HTTPS is an encrypted protocol, and is not scanned by BeSecure, so no traffic using an https:// URL will be affected by URL policies.

URL policies only apply to HTTP traffic.

To add a new URL policy:
1. Select URL Policies from the Content Control menu. The screen in Figure 71 will be displayed.
2. Specify the Source endpoint of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
3. If AD/LDAP has been configured, a user or group Name can be used here. If the Name represents a group name, select the Group? checkbox.
4. Select the Action to take on policy match from the drop-down list:
   a. Detect only: access to the specified URLs will be detected and logged.
   b. Block access: access to the specified URLs will be detected, logged and BLOCKED.
   This selection is displayed in the Action column in the policy list as an icon for Detect only (with logging) and an icon for Block access.
5. If a specific time period or repeat type is desired, expand the Time Period panel and edit the following:
   a. Select the Time Zone. This is the time zone that the following time period values are relative to.
   b. Select the Repeat Type. This indicates how the rule will be applied. Allowed values are EveryDay, DayOfWeek or DayOfMonth.
   c. Select the Start Day and End Day. This specifies the start and end days of the interval during which the rule will be enforced. The interval can be specified using days of the week, Monday to Sunday, or a day of the month between 1 and 31. NOTE: If the EveryDay repeat type is selected, the Start Day and End Day fields are disabled.
   d. Select the Start Time and End Time. This specifies the start and end time of the interval during which the rule will be enforced. 24 hour format must be used for these fields.
   If the time period is not specified, then the policy will apply all the time.

FIGURE 71: URL POLICIES
6. Select any Safe Search types (these are only available if the Safe Search module is licensed), if desired. See Figure 72. Examples are YouTube for Schools and Google SafeSearch. See Section 3.1.5 for any configuration related to these options. By selecting these, headers may be added, or request URLs rewritten, to enforce these safe search types. YouTube for Schools allows filtering of requested YouTube videos. Enforcing strict Google, Bing, or Yahoo SafeSearch will prevent inappropriate links and images from showing up in web page and image search results. The filtering criteria for these are managed by the search engines.

FIGURE 72: SAFE SEARCH

7. Expand the URLs panel. See Figure 73. Add URLs to the URL list by entering the values into the text fields and clicking the Add links or pressing the Enter key. These are the criteria that will be used to determine whether the selected action will take place. Any URL access attempt will be checked against any URL specified here. Based on the Action to take on policy match drop-down list, the list will be labeled differently.
   - Do Not Detect/Block: all URLs EXCEPT those in this list will match this policy, and will be blocked or detected based on the action selected. These URLs will display in green in the policy list at the bottom of the screen.
   - Detect/Block: URLs matching the patterns in this list will match this policy, and will be blocked or detected based on the action selected. These URLs will display in red in the policy list at the bottom of the screen.
   The Do Not Detect/Block list is checked first and the entries in the Detect/Block list are checked next. It is redundant to enter URLs into the Detect/Block list already excluded by the Do Not Detect/Block list selections. See Figure 54 for details.
   The Do Not Detect/Block list will impact all traffic that flows through BeSecure, including traffic from other BeSecure appliances that are downstream. This includes spam and virus signature update traffic. This should be taken into consideration during policy construction, and care taken to avoid this side effect.

FIGURE 73: URL POLICIES EXPANDED PANELS

If both Do Not Detect/Block and Detect/Block entries are specified, the decision whether to take action on a URL access attempt proceeds as shown in Figure 74.

FIGURE 74: URL POLICIES ACTION DECISION (flowchart: a URL access attempt is first checked against the Do Not Detect/Block list, if that list is not empty, and then against the Detect/Block list; the outcome is either that the URL is detected/blocked or that the URL is NOT detected or blocked)

8. Expand the URL List File panel. Here you can upload a .txt list of URLs in the format
   http://www.mywebsite.com/moreurl/evenmoreurl
   Each URL must be on its own line, and each line separated by a CR (carriage return). An invalid file will trigger an error message, and the upload will fail.
   Only one file can be uploaded and saved at any given time. If a new file is uploaded, it will replace the current file, and all existing policies that referenced the original file will then reference the new file instead. Figure 75 shows the dialog box used to upload the URL list file. The Select button allows selection of the file, Upload uploads it. Cancel will close the dialog without uploading. CANCEL next to the file name will remove the file from the window and allow file reselection. The Done button will be enabled after the upload is successful. When clicked, it will close the window and show the newly updated file name and policies on the URL Policies page, along with the date that the file was last uploaded (see Figure 76).
   To use the URL list file in the current policy, select the checkbox shown in Figure 76.

FIGURE 75: URL UPLOAD POPUP DIALOG

FIGURE 76: UPLOADED URL LIST FILE

9. Click on the Add button to save the new policy.

To modify an existing URL policy:
1. The list of existing policies is shown in the lower half of the screen. Clicking the icon next to the policy will bring up the policy details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

Policy changes will take up to 30 seconds to take effect on scanned traffic after the Add or Update button is clicked.

To delete an existing URL policy:
1. A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the policy.

3.3.2 DLP Policies
DLP (Data Leakage Prevention) policies include the ability to specify various keywords and keyword categories to search for in scanned data. Typically, the intention is to prevent outbound leakage of sensitive data matching specified patterns. However, because the policy configuration allows the selection of scan direction, these policies can also be used to prevent receipt or download of this type of data. See Figure 77.

FIGURE 77: DLP POLICIES


The BeSecure base license includes the ability to specify Individual Keywords using the wildcard patterns described in Section 3.3.3. It also includes Keyword Categories, as shown in Figure 78. Keyword categories are more advanced regular expressions that can be used to detect several types of data with advanced alphanumeric patterns.
The available categories are those seen in Figure 78. Any additional information available regarding a match on any of these categories will be reported in the BeSecure log, for example, the type of PCI card matched.

FIGURE 78: KEYWORD CATEGORIES PANEL

The limitation of these features is that only the readily available plain text portion of downloaded data
can be scanned for these keywords and categories. Binary, formatted, and compressed file types cannot
be scanned with a base license.
If obtained with an extra license, Text Extraction is used to extract plain text from hundreds of proprietary
binary, formatted, and compressed file types (such as Microsoft Word and Excel, and ZIP and RAR
archives, see appendix in Section 11), which can then be scanned for the specified keywords and
categories. The presence and status of this module can be seen in the Text Extraction panel. See Figure
79. If the module license is installed and the text extraction is active, it will display an ENABLED status. If
not, it will be DISABLED. To enable it, a license must be obtained.

FIGURE 79: TEXT EXTRACTION MODULE STATUS

Policies Tab
To add a new DLP policy:
1. Select DLP Policies from the Content Control menu. The screen illustrated in Figure 77 and Figure 78 will be displayed.
2. Specify the Source endpoint of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
3. If AD/LDAP has been configured, a user or group Name can be used here. If the Name represents a group name, select the Group? checkbox.
4. Specify the Destination IP address endpoint to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
5. Select the Scan Direction. Source -> Destination will scan only the request. Destination -> Source will scan only the response. Both will scan in both directions.
6. Choose the protocols to be scanned. All are selected by default.
7. Select the Action to take on policy match from the drop-down list:
   a. Detect only: access to documents with matching keywords will be detected and logged.
   b. Block access: access to documents with matching keywords will be detected, logged and BLOCKED.
   This selection is displayed in the Action column in the policy list as an icon representing Detect only (and log), and an icon representing Block access.
8. If a specific time period or repeat type is desired, expand the Time Period panel and edit the following:
   a. Select the Time Zone. This is the time zone that the policy times are relative to.
   b. Select the Repeat Type. This indicates how the rule will be applied. Allowed values are EveryDay, DayOfWeek or DayOfMonth.
   c. Select the Start Day and End Day. This specifies the start and end days of the interval during which the rule will be enforced. The interval can be specified using days of the week, Monday to Sunday, or a day of the month between 1 and 31.
   d. Select the Start Time and End Time. This specifies the start and end time of the interval during which the rule will be enforced. 24 hour format must be used for these fields.
   If the time period is not specified, then the policy will apply all the time.
9. If category matching is desired, expand the Keyword Categories panel. See Figure 78. Select the desired category checkboxes.
10. Expand the Individual Keywords panel. Add keywords to the keyword list by entering the value into the text field and clicking the Add link or pressing the Enter key. These are the blocking criteria that will be used. Any web page access will be checked for any keyword specified here.
11. Click on the Add button to save the new policy.

Hold the cursor over either IP address value in the Source or Destination column of the existing policy list, and a tooltip will be displayed showing the keywords and names of the selected categories that apply to this policy.


To modify an existing keyword policy:
1. The list of existing policies is shown in the lower half of the screen. Clicking the icon next to the policy will bring up the policy details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

Policy changes may take up to 30 seconds to take effect on scanned traffic after the Add or Update button is clicked.

To delete an existing keyword policy:
1. A list of existing policies is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the policy.

URL Whitelist Tab

The URL Whitelist provides a means to specify URLs that should never be scanned for keyword patterns, even if the URL contains a keyword matching a pattern in an existing policy. See Figure 80.
To add a URL to the URL whitelist:
1. Select Protection > DLP Policies.
2. Select the URL Whitelist tab.
3. Enter the URL to whitelist into the URL field.
4. Click the Add button.

To modify an existing URL in the URL whitelist:
1. The list of existing URLs is shown in the lower half of the screen. Clicking the icon next to the policy will bring up the details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

FIGURE 80: URL WHITELIST FOR KEYWORD POLICIES

To delete an existing URL in the URL whitelist:
1. A list of existing URLs is shown in the lower half of the screen. Clicking on the icon next to the policy will delete the URL from the whitelist.

3.3.3 Pattern Matching Syntax for Keywords and URLs

BeSecure allows pattern matching using simple POSIX-style wildcard syntax. This includes the following characters:
- ? - any single character. If you specified a keyword paint?, the words painty and paints would match. The words paint, painted, or painterly would not match, because the ? in this case cannot represent zero characters, or more than one character.
- * - zero or more characters. If you specified "paint*", the words paint, paints, painted, and painting would match. If you specify *word*, the words word, wordy, sword, crossword, and crosswords would match.
- + - one or more characters. As with * above, if you specify paint+, the words paints, painted, and painting would match. There would be no match on paint, however, because the + does not match on zero characters.

Pattern matching will automatically use space and punctuation to delimit the words on a scanned page. This presents some difficulty for languages such as Chinese and Japanese, where sentences typically do not have spaces between symbols. For these situations, it is best practice to always add a wildcard before and after a keyword phrase if we want it to be found in a larger string of characters.
For example, the characters can be found as a part of the following two phrases:

If is entered as a keyword, it is necessary to enter it as ** to ensure that it is caught when an instance occurs in one of the above larger phrases. Literally, we are searching for any number of any characters followed by , followed by any number of any characters.

3.3.4 WebFilter
The WebFilter module uses a combination of technologies to provide blocking and detection of websites (the action taken) that are either malicious or belong to specified categories. Based on the user license, Cloudmark's Anti-Phishing and/or McAfee's SmartFilter are used for scanning and detection.
These engines are used by a WebFilter policy that specifies IP address and time period based rules for matching on HTTP URL requests, at which time the action selected in the policy is taken.
To add a new WebFilter policy:
1. Select WebFilter from the Content Control menu. The screen shown in Figure 81 will be displayed.
2. Specify the Source endpoint of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network, if desired.
3. If AD/LDAP has been configured, a user or group Name can be used here. If the Name represents a group name, select the Group? checkbox.
4. Specify the Destination IP address to which the policy shall apply. Check the box Entire Data Network to apply the policy to the entire network visible to the INGRESS interface, if desired.
5. Select the Action to take on policy match from the drop-down list:
   a. Detect only: access to URLs belonging to selected categories will be detected and logged.
   b. Block access: access to URLs belonging to selected categories will be detected, logged and BLOCKED.
   c. Warn access: access to URLs belonging to selected categories will be detected, logged, and BLOCKED. This behaves similarly to Block access; however, in this case a choice to ignore the warning and reject the block is offered as a link on the replacement page. In this case, subsequent access to this page will be allowed for a period of time.
   This selection is displayed in the Action column in the policy list as an icon representing Detect only (and log), an icon representing Block access, and an icon representing Warn access.

Wedge Networks | Management Console

107

4.0.4

BESECURE USER MANUAL

FIGURE 81: WEBFILTER POLICIES

6. If a specific time period or repeat type is desired, click on and expand the Time Period panel and edit the following:
   a. Select the Time Zone. This is the time zone that the policy times are relative to.
   b. Select the Repeat Type. This indicates how the rule will be applied. Allowed values are EveryDay, DayOfWeek or DayOfMonth.
   c. Select the Start Day and End Day. This specifies the start and end days of the interval during which the rule will be enforced. The interval can be specified using days of the week, Monday to Sunday, or a day of the month between 1 and 31.
   d. Select the Start Time and End Time. This specifies the start and end time of the interval during which the rule will be enforced. 24 hour format must be used for these fields.
   If the time period is not specified, then the policy will apply all the time.
7. Click on and expand the Anti-Phishing panel, as shown in Figure 82. Selecting this checkbox enables the Cloudmark Anti-Phishing engine to check the requested URL against a database of malicious URLs, which is constantly updated along with the anti-spam signatures.

FIGURE 82: ANTI-PHISHING PANEL

8. Click on and expand the SmartFilter panel, as shown in Figure 83. Here, available URL categories are shown on the left and selected categories are shown on the right. Specify categories for this policy by highlighting them and using the buttons in the center to move them from the left list box to the right list box.
9. Click the Add button to save the new policy. The new policy will appear in the list below.

The McAfee SmartFilter column in the existing policy list shows the number of categories selected / total number of categories. Hold the cursor over this value, and a tooltip will be displayed showing the names of the selected categories.

To modify an existing WebFilter policy:
1. A list of existing policies is shown in the lower half of the screen. Clicking on the edit icon next to the policy will bring up the policy details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

To delete an existing WebFilter policy:
1. A list of existing policies is shown in the lower half of the screen. Clicking on the delete icon next to the policy will delete the policy.

To find out which categories match a given URL:
1. Enter the URL into the field next to the Show Me button. See Figure 84.
2. Click the Show Me button. The matching categories will be moved to the top of each list and highlighted.

FIGURE 83: MCAFEE SMARTFILTER PANEL

FIGURE 84: CHECKING URL CATEGORY MATCHES

URL Whitelist Tab

As with Keyword Policies, the URL Whitelist for WebFilter provides a means to specify URLs that should never be scanned for WebFilter category matches. See Figure 85.
To add a URL to the URL whitelist:
1. Select Protection > WebFilter.
2. Select the URL Whitelist tab.
3. Enter the URL to whitelist into the URL field.
4. Click the Add button.

To modify an existing URL in the URL whitelist:
1. The list of existing URLs is shown in the lower half of the screen. Clicking the edit icon next to the entry will bring up the details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

To delete an existing URL in the URL whitelist:
1. A list of existing URLs is shown in the lower half of the screen. Clicking on the delete icon next to the entry will delete the URL from the whitelist.


FIGURE 85: URL WHITELIST FOR WEBFILTER

3.4 Next-Gen Firewall


All traffic flowing through this device can be subject to blocking based on a given source IP address or
identified behaviour. This type of traffic inspection is classified as next generation firewall (NGFW), as
unlike conventional, stateful firewalls, it is application-aware. It uses an IDS/IPS type of pattern matching
based on a comprehensive set of rule categories that examines the traffic for specific traffic
characteristics indicating interesting or undesirable behaviour.

3.4.1 Traffic Blocking

Traffic to and from individual IP addresses or network addresses can be blocked for specified periods of time.
Traffic Blocking policies are not supported when the ICAP protocol is used, due to the nature of the ICAP protocol traffic encapsulation. See Enable ICAP Proxy, in Section 3.1.4.
To add a new traffic blocking policy:
1. Select Traffic Blocking from the Next-Gen Firewall menu. The screen shown in Figure 86 will be displayed.
2. Specify the IP Address of the machine to which the rule shall apply. Check the box Entire Data Network to apply the policy to the entire visible network.
3. Select the Time Zone. This is the time zone that the policy times are relative to.
4. Specify the Start Day and End Day. This specifies the start and end days of the interval in which the rule will be enforced. The interval can be specified using only days of the week, Monday to Sunday.
5. Specify the Start Time and End Time. This specifies the start and end time of the interval in which the rule will be enforced. 24 hour format must be used for these fields.
6. Click the Add button.

FIGURE 86: TIME-BASED TRAFFIC BLOCKING SETUP SCREEN
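The time period semantics of the Traffic Blocking steps above, and of the Time Period panel of a WebFilter policy (step 6 in Section 3.3.4, which adds the DayOfMonth repeat type), as an added Python model that is not BeSecure code: it decides whether a client request at a given instant falls under a policy. Representing the Time Zone as a fixed UTC offset, treating a reversed range as wrapping, and the sample networks and instants are all assumptions constructed for this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Optional, Union

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

@dataclass(frozen=True)
class TimePeriod:
    """The Time Period panel: repeat type, day range, time range and the zone they are relative to."""
    utc_offset_hours: float                  # Time Zone, modelled as a fixed UTC offset (assumption)
    repeat_type: str                         # "EveryDay", "DayOfWeek" or "DayOfMonth"
    start_day: Union[str, int] = "Monday"    # Monday..Sunday for DayOfWeek, 1..31 for DayOfMonth
    end_day: Union[str, int] = "Sunday"
    start_time: str = "00:00"                # 24 hour format, as the console requires
    end_time: str = "23:59"

def parse_hhmm(value: str) -> time:
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))

def in_range(value, start, end) -> bool:
    """Inclusive range check. A reversed range (Friday..Monday, 22:00..06:00) is treated as wrapping
    around; the manual does not say how the appliance treats that case, so this is an assumption."""
    if start <= end:
        return start <= value <= end
    return value >= start or value <= end

def period_matches(period: Optional[TimePeriod], when: datetime) -> bool:
    """True if the timezone-aware instant `when` falls inside the policy's time period."""
    if period is None:
        return True   # no time period specified: the policy applies all the time
    local = when.astimezone(timezone(timedelta(hours=period.utc_offset_hours)))
    if period.repeat_type == "EveryDay":
        day_ok = True
    elif period.repeat_type == "DayOfWeek":   # datetime.weekday(): Monday == 0, matching DAYS
        day_ok = in_range(local.weekday(), DAYS.index(period.start_day), DAYS.index(period.end_day))
    elif period.repeat_type == "DayOfMonth":
        day_ok = in_range(local.day, int(period.start_day), int(period.end_day))
    else:
        raise ValueError(f"unknown Repeat Type: {period.repeat_type}")
    return day_ok and in_range(local.time(), parse_hhmm(period.start_time), parse_hhmm(period.end_time))

@dataclass(frozen=True)
class BlockingPolicy:
    """A Traffic Blocking policy: an IP Address (host or network), or None for Entire Data Network."""
    network: Optional[str]                   # e.g. "10.0.5.7" or "10.0.5.0/24"
    period: Optional[TimePeriod]

def policy_applies(policy: BlockingPolicy, client_ip: str, when: datetime) -> bool:
    if policy.network is not None:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(policy.network, strict=False):
            return False
    return period_matches(policy.period, when)

def at_utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample policies; UTC-7 stands in for a Mountain Standard Time selection.
OFFICE_HOURS = TimePeriod(-7, "DayOfWeek", "Monday", "Friday", "09:00", "17:00")
FIRST_HALF = TimePeriod(-7, "DayOfMonth", 1, 15)
NIGHTLY = TimePeriod(0, "EveryDay", start_time="22:00", end_time="06:00")
LAB_BLOCK = BlockingPolicy("10.0.5.0/24", OFFICE_HOURS)

if __name__ == "__main__":
    # 2014-02-18 16:30 UTC is Tuesday 09:30 at UTC-7, inside office hours.
    print(policy_applies(LAB_BLOCK, "10.0.5.7", at_utc(2014, 2, 18, 16, 30)))   # True
    print(policy_applies(LAB_BLOCK, "10.0.6.7", at_utc(2014, 2, 18, 16, 30)))   # False: other subnet
    print(period_matches(NIGHTLY, at_utc(2014, 2, 18, 23, 0)))                  # True: wraps midnight
```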

To modify an existing traffic blocking policy:
1. A list of existing policies is shown in the lower half of the screen. Clicking on the edit icon next to the policy will bring up the policy details in the upper half of the screen for editing.
2. Change any of the fields as defined above.
3. Click the Update button to commit the changes.

To delete an existing traffic blocking policy:
1. A list of existing policies is shown in the lower half of the screen. Clicking on the delete icon next to the policy will delete the policy.

3.4.2 Application Control

Monitoring or blocking various Internet-enabled applications can be useful to prevent bandwidth wastage (as is the case with peer-to-peer uploads and downloads), especially when network bandwidth is limited or expensive. It is also useful in preventing possible time wasting activities (such as online video gaming and personal messaging software) from occurring on a network that is devoted to more productive pursuits.
The available categories and their descriptions are listed on the Next-Gen Firewall > Application Control screen, as shown in Figure 87. Selection of any of these categories will apply to all traffic source and destination endpoints.
To protect the network from unauthorized use by undesirable application software:
1. Select Application Control from the Next-Gen Firewall menu.
2. Select either Detect or Block for any desired categories. Detect will only log any rule matches. Block will prevent passage of the traffic.
3. Click Save. A green icon next to the category indicates that the category is active.

FIGURE 87: APPLICATION CONTROL

3.4.3 Server Security

A wide variety of attacks are regularly made on servers that listen for connections from the Internet. Many of these attacks involve patterns that can be recognized by examining request and response behaviour and the source and destination endpoints of the traffic.

FIGURE 88: SERVER SECURITY

Recognized attack behaviour can be detected or blocked, based on the perceived risk and experienced frequency.
The available categories and their descriptions are listed on the Next-Gen Firewall > Server Security screen, as shown in Figure 88. Selection of any of these categories will apply to all traffic source and destination endpoints.

To protect the network from available known attack types:
1. Select Server Security from the Next-Gen Firewall menu.
2. Select either Detect or Block for any desired categories. Detect will only log any rule matches. Block will prevent passage of the traffic.
3. Click Save. A green icon next to the category indicates that the category is active.

3.5 Reports
BeSecure provides you with comprehensive reporting features, allowing you to review the system log
information, statistics, serviced clients, policy details, and administrator accounts.

3.5.1 Logs
To access the logs summary information:
1. Select Logs from the Reports menu. The screen shown in Figure 89 will be displayed.

These Logs are a short summary of what is visible using System > Logging Setup, and show:
System Start Time: the last time BeSecure was powered on or restarted
Last Clean Shutdown Time: the last time BeSecure was shut down
Last Configuration Modification Time: the last time the configuration was changed
Last Modification Admin Name: the last administrator to modify the configuration
Last Anti-Virus Signature Update: the last time the virus database was updated
Last Anti-Spam Signature Update: the last time the spam database was updated
Last WebFilter Signature Update: the last time the WebFilter database was updated

FIGURE 89: LOGS SCREEN

3.5.2 Statistics
To view specific scanner statistics, select Statistics from the Reports menu. The screen in Figure 90 will be displayed. Statistics grouped by protocol are shown.

3.5.3 Serviced Clients

To access a list of all the currently active policies for a particular service:
1. Select Serviced Clients from the Reports menu. The screen in Figure 91 will be displayed.
2. Select the services for which a list of current policies is desired.
3. Click the Display button. The screen shown in Figure 92 will appear, providing a complete listing of the policies that are active for the selected services.

FIGURE 90: STATISTICS SCREEN

FIGURE 91: SERVICED CLIENTS QUERY SCREEN

FIGURE 92: SERVICED CLIENTS RESULTS SCREEN

3.5.4 Policy Details

The management console can provide you a report of all the policies that are currently active for a specific source and destination IP address (individual or network) pair.
To generate a list of all active policies for a particular IP address source and destination pair:
1. Select Policy Details from the Reports menu. The screen in Figure 93 will be displayed.
2. Enter the Source and Destination endpoints for which a list of active policies is desired.
3. Enter a Name and select Group? if desired.
4. Click the Show Policies button. The screen shown in Figure 94 will appear, providing a complete listing of the policies applicable to the specified addresses.

FIGURE 93: POLICY DETAILS QUERY SCREEN

FIGURE 94: POLICY DETAILS RESULTS SCREEN

3.5.5 Administrators

To access a complete report of all the administrator accounts currently configured, select Administrators from the Reports menu. The screen in Figure 95 will appear.
This provides:
Name: The administrator user name.
Status: On if the user is logged in, or off if not.
Access Rights: Read / write or read only.

FIGURE 95: ADMINISTRATORS REPORT SCREEN

3.5.6 System, Service, SubSonic, and Network Graphs

The System Graphs, Service Graphs, and Network Graphs pages provide a visualization of various time-sequenced system statistics, and a means to adjust the viewing windows. Figure 96 shows System Graphs.
To adjust the time period that any graph page displays, select Past Hour, Past Day, Past Week, or Past Month using the radio buttons at the top or bottom of any graph screen.
The y-axis range can be adjusted as well. Along the right side of any graph are several icons:
   Reduce the y-axis range
   Automatically size the y-axis range
   Increase the y-axis range
To adjust the y-axis range of a graph, click the appropriate icon as outlined above, as many times as necessary to achieve the desired view.
Figure 97 shows the results of reducing the y-axis range twice for the CPU Usage graph.

FIGURE 96: GRAPHS SCREEN

FIGURE 97: GRAPH WITH Y-AXIS RANGE INCREASED

System Graphs
The following graphs are currently available:
CPU Usage: Shows the percentage of CPU time spent in
   user: The percentage of CPU spent on processes running in User Mode. For advanced diagnostic purposes.
   sys: The percentage of CPU spent on processes running in System Mode. For advanced diagnostic purposes.
   nice: The percentage of CPU spent on handling niced tasks. For advanced diagnostic purposes.
   idle: The idleness of the CPU. This is the indicator of how much stress the system is under in handling standard tasks.
   iowait: The percentage of CPU spent on handling I/O wait for the processes. For advanced diagnostic purposes.
Memory Usage:
   used: Actual memory in use by BeSecure.
   buffers: Buffers in use by the BeSecure kernel.
   cached: Memory in the page cache (disk cache) minus the swap cache.
   free: Free system memory.
System Temperature: Both CPU and system temperature over time, measured in Celsius.
Fan Speed: The speed of the various system fans in revolutions per minute (RPM).
Processes: Event/sec tracking of new processes, process forks, and process blocking.
File System Usage: Percentage measurement of file system usage for
   Flash memory: The primary BeSecure mode of persistent storage. Log files are stored here periodically when localhost is specified as the syslog host (see Section 0).
   RAM disk for scanning: Temporary RAM-based file system for storage of files and messages while scanning.
   RAM disk for logging: Log messages are stored here, until the size exceeds a pre-defined limit. At that point, the older logs are backed up onto the flash memory.


Service Graphs
Service Graphs contains graphs relating to the BeSecure services and policies. As the time scale is adjusted, the values in the legend show the total number of viruses blocked, spam detected, or traffic scanned for that range of time. The following graphs are currently available:
Viruses Blocked: The number of viruses detected and blocked, colour coded by protocol.
Spam Detected: The number of spam messages detected and marked/blocked, colour coded by protocol.
Scanned Traffic for Each Protocol: The bytes/sec measurement of scanned traffic for each protocol. This is only traffic that is scanned as a result of an active policy. Larger values indicate greater volumes of traffic for that protocol at that point in time.


SubSonic Graphs
SubSonic Graphs displays statistics related to the performance of the SubSonic Content Recognition
mechanism of BeSecure. These provide a more graphic representation of the numbers available on the
Reports > Statistics page. The following graphs are available:

SubSonic Cache Hit Percentage: The percentage of request/response scanning accelerated by the
SubSonic mechanism. The gray area represents ALL protocols, and the value for each separate
protocol is displayed as a different coloured line. The legend displays the current cache hit
percentage for each protocol.

SubSonic Cache Hit Rate: The number of requests/responses accelerated by the SubSonic mechanism per unit of time. Larger values indicate greater volumes of traffic accelerated by SubSonic for that protocol at that point in time. As the time scale is adjusted, the values in the legend show the total number of cache hits during that range of time.

SubSonic Scan Savings: The bytes/sec measurement of traffic accelerated by SubSonic for each
protocol. This can be compared to the total Scanned Traffic for each protocol on the Reports >
Service Graphs screen. As the time scale is adjusted, the values in the legend show the total number
of bytes accelerated by SubSonic during that range of time.

Network Graphs
Network Graphs contains graphs relating to the traffic throughput of each of the active network
interfaces. Each graph shows incoming and outgoing data rates in bytes/sec. The positive y-axis shows
the incoming data rate and the negative y-axis shows the outgoing data rate. The following graphs are
currently available:

Ingress Interface: Traffic passing through the INGRESS interface.

Egress Interface: Traffic passing through the EGRESS interface.

Control Interface: Traffic passing through the control port (when configured).


3.5.7 Event List and Event Summary

The Event List and Event Summary allow an easy means of viewing the APPACTION system log entries outlined in Appendix B: System Log Entries. These events detail the results of BeSecure scanning activities as a result of configured policies.
The APPACTION event fields visible in the event list are as follows:

Field Name | Description | Possible Values
Time Stamp | The time and date of the event. | YYYY-MM-DD hh:mm:ss
Protocol | Protocol scanner that generated this event. | HTTP, POP3, SMTP, IMAP, FTP, UNDEFINED
Action | Action taken on event. | DETECTED, BLOCKED
Reason | Reason that action was taken. Typically corresponds to a specific policy type. | VIRUS, SPAM, KEYWORD, URL, WEBFILTER, OVERSIZE
Source IP Address | IP address of the client making the request. | A valid IP address.
Destination IP Address | IP address of the requested host. | A valid IP address.
User Name | The directory service user name that maps to the source IP address, if configured. | A user name character string.
Source Info | E-mail from address. | A valid e-mail address.
Destination Info | The requested URL or e-mail recipients. |
Detail | Policy-specific data. | Virus name, keyword/URL matched, spam score, WebFilter category etc.

FIGURE 98: EVENT LIST FIELDS

To generate an Event List:
1. Navigate to Reports > Event List. The event list filter will be displayed, as in Figure 99.
2. Provide any desired filtering criteria, or if all events are desired, leave the fields blank.
3. Click Generate Report. Figure 100 shows the results.

The Clear Filter button can be used to reset the filter parameters and the content of the generated list.
The top of the Event List page displays whether Event Reporting is enabled. Clicking the ENABLED/DISABLED link (see Figure 99) will take you to the System > Event Reporting page, where reporting configuration (including enabling/disabling) can be done. See Section 3.1.12.

FIGURE 99: EVENT LIST FILTER

FIGURE 100: EVENT LIST


The Reports > Event Summary page presents an overview of the events from the event list in a visual manner. See Figure 101 and Figure 102 for details.
Each section of the summary is a pie chart and table of data displaying:
Event Distribution by Reason: see Figure 98 for the list of reasons
Top Destinations: most common servers providing data to clients, as IP addresses
Top Source IP Addresses: most common client IP addresses making requests
Top Detail Information: virus names, keywords blocked, WebFilter categories matched, etc.

FIGURE 101: EVENT SUMMARY

To display a summary of events:
1. Navigate to Reports > Event Summary.
2. Enter a Start Date and/or an End Date. Leave the fields blank if all events are desired.
3. Click Generate Report.

Each panel of the event summary will appear similar to the one shown in Figure 102. The details that each panel displays can be limited by selecting a Protocol or Reason from the drop down lists. The chart and table will be updated appropriately.
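An added Python example, not BeSecure code, that loads constructed Event List records carrying the fields and possible values of Figure 98, applies the Protocol, Reason and Start/End Date filters, and computes the four Event Summary panels as counts. The tab-separated record layout and the sample addresses are constructed for this example; the real APPACTION syslog syntax is the one given in Appendix B.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, fields
from typing import List, Optional

# Possible values, as listed in the Event List field table (Figure 98).
PROTOCOLS = {"HTTP", "POP3", "SMTP", "IMAP", "FTP", "UNDEFINED"}
ACTIONS = {"DETECTED", "BLOCKED"}
REASONS = {"VIRUS", "SPAM", "KEYWORD", "URL", "WEBFILTER", "OVERSIZE"}

@dataclass(frozen=True)
class AppActionEvent:
    """One APPACTION event, in the column order of the Event List."""
    time_stamp: str           # YYYY-MM-DD hh:mm:ss
    protocol: str
    action: str
    reason: str
    source_ip: str
    destination_ip: str
    user_name: str
    source_info: str          # e-mail from address
    destination_info: str     # requested URL or e-mail recipients
    detail: str               # virus name, keyword/URL matched, spam score, WebFilter category etc.

def parse_event(line: str) -> AppActionEvent:
    """Parse one tab-separated record. The tab layout is constructed for this example; the real
    APPACTION syslog syntax is defined in Appendix B of the manual and is not reproduced here."""
    values = line.rstrip("\n").split("\t")
    expected = len(fields(AppActionEvent))
    if len(values) != expected:
        raise ValueError(f"expected {expected} fields, got {len(values)}: {line!r}")
    event = AppActionEvent(*values)
    if event.protocol not in PROTOCOLS or event.action not in ACTIONS or event.reason not in REASONS:
        raise ValueError(f"value outside the documented set: {line!r}")
    return event

def load_events(text: str) -> List[AppActionEvent]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]

def filter_events(events: List[AppActionEvent], protocol: Optional[str] = None,
                  reason: Optional[str] = None, start_date: Optional[str] = None,
                  end_date: Optional[str] = None) -> List[AppActionEvent]:
    """The Event List / Event Summary filters: Protocol, Reason and an inclusive Start/End Date.
    Dates are YYYY-MM-DD, so the ISO strings compare correctly without parsing."""
    kept = []
    for event in events:
        day = event.time_stamp[:10]
        if protocol is not None and event.protocol != protocol:
            continue
        if reason is not None and event.reason != reason:
            continue
        if start_date is not None and day < start_date:
            continue
        if end_date is not None and day > end_date:
            continue
        kept.append(event)
    return kept

def summarize(events: List[AppActionEvent], top_n: int = 3) -> dict:
    """The four Event Summary panels: distribution by Reason, Top Destinations, Top Source IP
    Addresses and Top Detail Information. Top lists are (value, count) pairs, highest count first."""
    return {
        "by_reason": dict(Counter(e.reason for e in events)),
        "top_destinations": Counter(e.destination_ip for e in events).most_common(top_n),
        "top_sources": Counter(e.source_ip for e in events).most_common(top_n),
        "top_detail": Counter(e.detail for e in events).most_common(top_n),
    }

# Constructed sample events using documentation address ranges; none of these are real indicators.
SAMPLE_ROWS = [
    ("2014-02-18 09:01:12", "HTTP", "BLOCKED", "WEBFILTER", "10.0.5.7", "198.51.100.20",
     "jdoe", "", "http://www.example.com/games/", "Games"),
    ("2014-02-18 09:02:40", "HTTP", "DETECTED", "WEBFILTER", "10.0.5.8", "198.51.100.20",
     "asmith", "", "http://www.example.com/chat/", "Chat"),
    ("2014-02-18 09:05:03", "SMTP", "BLOCKED", "VIRUS", "10.0.5.7", "203.0.113.9",
     "jdoe", "jdoe@example.com", "bob@example.net", "EICAR-Test-File"),
    ("2014-02-18 09:07:55", "POP3", "DETECTED", "SPAM", "10.0.5.9", "203.0.113.10",
     "", "sender@example.org", "kim@example.com", "spam score 97"),
    ("2014-02-18 10:15:00", "HTTP", "BLOCKED", "KEYWORD", "10.0.5.7", "198.51.100.21",
     "jdoe", "", "http://www.example.com/docs/plan.html", "confidential"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print(summarize(events)["by_reason"])        # {'WEBFILTER': 2, 'VIRUS': 1, 'SPAM': 1, 'KEYWORD': 1}
    print(summarize(events)["top_sources"][0])   # ('10.0.5.7', 3)
    print(len(filter_events(events, protocol="HTTP", reason="WEBFILTER")))   # 2
```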


FIGURE 102: EVENT SUMMARY RESULTS (TOP DETAIL INFORMATION)

3.6 Diagnostics
The Diagnostics menu contains several tools that can be used to test configurations and troubleshoot
network issues.

3.6.1 Configuration Check

The Configuration Check tool allows an administrator to quickly validate the basic configuration.
To run the configuration check:
1. Select Configuration Check from the Diagnostics menu. See Figure 103.
2. Click the Go button.

FIGURE 103: CONFIGURATION CHECK

3.6.2 Health Monitor

The Health Monitor (see Section 4.11 for more information) ensures that the various system components are in working order, and that the device is ready to accept connections and scan traffic. Figure 104 shows the Health Monitor user interface. This screen displays each periodically run system check, along with its current status (passing, failing, disabled, etc.), organized alphabetically and grouped by family. Health checks are grouped into families if they monitor the health of system components that provide the same or similar services. For example, simultaneously licensed anti-virus engines will be displayed under the Anti-Virus family. This provides service redundancy, in case one of the engines fails to operate as expected (for example, if one AV engine does not detect a virus due to a delay in the provider adding a signature to the database).
It is possible, using this page, to disable a specific system health check, though this is strongly NOT recommended.
To disable or enable a Health Monitor system health check:
1. Change the state of the particular checkbox(es).
2. Click Apply Changes.

Any changes made here will only apply until the next Restart Services, Reboot, or Shutdown.


Any changes made to the Diagnostics > Health Monitor configuration will only last until the next Restart Services, Reboot, or Shutdown, found on the System > Shutdown screen.

The various states that can be displayed as an icon to the left of the test names are as follows. The bold labels are visible as tooltips when the cursor is held over the icon:
   Passing, initial (no check has occurred yet), or recovered (passing again after failure).
   Disabled, but was passing before it was disabled.
   Failing.
   Disabled, and was failing prior to being disabled.

FIGURE 104: HEALTH MONITOR

This screen also allows direct control over the online/offline state triggered by the Health Monitor. If the Health Monitor puts the system into OFFLINE mode (shown in the header of any web management console page, as in Figure 105), the Go Online button can be used once the failure condition has been rectified.
Normally, if extremely high CPU usage is consistently experienced over a period of time, the CPU Usage Health Monitor system check can put the system into OFFLINE mode to prevent network performance degradation. If high stress situations are typical, such as heavy traffic with a large number of sessions with small payloads, rather than allowing the Health Monitor to take the system offline it can be desirable to instead bypass a percentage of the traffic. The Enable traffic bypassing on high CPU usage option allows the bypass of a percentage of traffic based on how consistently high the CPU load is. Note that this bypass will not begin until the CPU is consistently at a very high value (above 95%), and this will occur very rarely. The longer that the CPU usage is above this threshold level, the greater the percentage of traffic bypassed. The system will return to its regular scanning levels when it is determined that the network performance or stability will not be adversely affected.

FIGURE 105: SYSTEM OFFLINE

Should a critical failure cause the device to go offline, steps should be immediately taken to rectify the
situation. Usually, the failure mode is temporary, and the test can be re-enabled and the device brought
back online. See Section 4.11.

3.6.3 Problem Report

To assist with troubleshooting persistent problems, a problem report can be generated. This report includes a variety of files describing the current state of the device, as well as recent log information. This report can be submitted to Wedge Networks or a qualified re-seller for analysis. The problem report can also be generated from the command-line interface (see Section 4.1).
Once generated, the problem report can be uploaded to Wedge Networks for analysis.
To generate a problem report using the management console:
1. Select Problem Report from the Diagnostics menu. See Figure 103.
2. Click the Generate new problem report button to generate a new problem report. Note that this will overwrite any previously generated problem report available as a link below this button.

To download a generated problem report:
1. Click the link below the Generate new problem report button to download the most recently generated problem report.


FIGURE 106: PROBLEM REPORT

3.6.4 Traffic Capture

Data traffic passing through BeSecure can be captured and logged for diagnostic purposes. This report
can be submitted to Wedge Networks or a qualified re-seller for analysis. This traffic capture can also be
done using the command-line interface (see Section 0).
Due to storage constraints, the size of the traffic capture is limited to two 10 MB rotating files, using a
similar technique to the BeSecure log files. Once 10 MB of data is captured in the first file, it is archived,
and a second file is used for the data. When the second file reaches 10 MB in size, the first file is
removed, the second file is archived (now the earlier data), and a new file is used to capture the current
data. In this manner, a reasonable amount of capture data is retained without filling up storage space.
Depending on the amount of traffic passing through BeSecure as well as the IP Address and Port settings,
the traffic capture can contain a maximum of as little as 30 seconds to as much as several minutes of
capture data.
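The two-file rotation just described, modelled in Python as an added example (not the appliance's own code), with the file limit parameterised so the bound on retained data can be checked with small constructed records. Whether the appliance rotates just before or just after the limit is reached is not stated, so rotating before is an assumption of this example, as is the steady traffic rate used to illustrate the retention window.

```python
import os
import tempfile

class RotatingCapture:
    """Two-file rotating capture: at most one archived file (<name>.1) is kept beside the current one.
      - when the current file would exceed the limit it is archived and a new current file is started;
      - when that happens again, the existing archive (the earliest data) is removed first.
    Retained data therefore always lies between one and two file limits."""

    def __init__(self, directory: str, limit_bytes: int, name: str = "capture.pcap"):
        self.current = os.path.join(directory, name)
        self.archive = self.current + ".1"
        self.limit = limit_bytes
        self.rotations = 0
        open(self.current, "wb").close()

    def size(self, path: str) -> int:
        return os.path.getsize(path) if os.path.exists(path) else 0

    def rotate(self) -> None:
        if os.path.exists(self.archive):
            os.remove(self.archive)              # the earlier data is discarded
        os.replace(self.current, self.archive)   # the current file becomes the archive
        open(self.current, "wb").close()         # a new file receives the current data
        self.rotations += 1

    def write(self, chunk: bytes) -> None:
        """Append one captured record, rotating first if it would push the file over the limit
        (assumption: the appliance's exact rotation point is not stated in the manual)."""
        current_size = self.size(self.current)
        if current_size > 0 and current_size + len(chunk) > self.limit:
            self.rotate()
        with open(self.current, "ab") as fh:
            fh.write(chunk)

    def retained_bytes(self) -> int:
        return self.size(self.current) + self.size(self.archive)

def retention_window_seconds(limit_bytes: int, bytes_per_second: float) -> tuple:
    """How much capture time the two files hold at a steady rate: a minimum of one file's worth
    right after a rotation, a maximum of two files' worth just before the next one."""
    return (limit_bytes / bytes_per_second, 2 * limit_bytes / bytes_per_second)

def simulate(limit_bytes: int, chunk_bytes: int, chunks: int) -> RotatingCapture:
    """Feed fixed-size records (constructed filler bytes, not real packets) through a capture."""
    capture = RotatingCapture(tempfile.mkdtemp(), limit_bytes)
    for i in range(chunks):
        capture.write(bytes([i % 256]) * chunk_bytes)
    return capture

if __name__ == "__main__":
    cap = simulate(limit_bytes=100, chunk_bytes=30, chunks=10)
    print(cap.rotations, cap.size(cap.archive), cap.size(cap.current), cap.retained_bytes())  # 3 90 30 120
    # Two 10 MB files at a constructed 350 kB/s hold roughly 30 to 60 seconds of traffic.
    print(retention_window_seconds(10 * 1024 * 1024, 350_000))
```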
To generate a traffic capture report using the management console:
1. Select Traffic Capture from the Diagnostics menu. See Figure 107.
2. Optionally, enter values for Port and/or IP Address to limit the capture data to that port number and/or host IP address. This will apply to requests and responses.
3. Click the Start button to generate a new traffic capture report. Note that this will overwrite any previously generated traffic capture report available as a link below this button.

4. At this time, generate the traffic to be captured and analyzed. For example, make the HTTP request, or check the e-mail account that is experiencing unusual behaviour.
5. Click the Stop button when finished to complete the generation of the traffic capture report. The report download will be available via the hyperlink below the buttons.

To download a generated traffic capture report:
1. Click the link below the Start button to download the most recently generated traffic capture report.

FIGURE 107: TRAFFIC CAPTURE

3.6.5 Submitting a Problem Report or Traffic Capture for Analysis

The generated problem report and traffic capture (diagnostic) files can be uploaded to Wedge Networks for analysis. These reports can optionally be linked to a problem ticket previously opened by sending an e-mail to support@wedgenetworks.com. File uploading is accomplished using the contents of the Submit to Product Support toggle panel at the base of the Problem Report and Traffic Capture pages.

FIGURE 108: SUBMITTING A PROBLEM REPORT

To submit a problem report or traffic capture file for analysis:
1. Select Problem Report or Traffic Capture from the Diagnostics menu.
2. Generate the diagnostic file using the steps outlined in Section 3.6.3 or 3.6.4.
3. At the base of the page, expand the Submit to Product Support panel.
4. Enter the Ticket No., if you have one. If not, leave it blank and a new ticket will be opened.
5. Enter a Contact E-mail. This is only required if an existing ticket number is not entered in Step 4.
6. Enter a Description of the problem. This is important for Wedge Networks personnel to understand the nature of the problem.
7. Click Upload. The upload will proceed as shown in Figure 108.

If a new ticket is issued (that is, if an existing Ticket No. isn't entered), an automated e-mail will be sent to the Contact E-mail specified. Otherwise, the upload is associated with the existing ticket number. Regardless, Wedge Networks support staff will contact you as soon as possible.

3.6.6 Ping, Nslookup, Traceroute

The Diagnostics > Ping tool sends an ICMP echo request packet to an IP address or host name. The Diagnostics > Nslookup tool queries the configured name server (DNS, see Section 3.1.3) for a specific host name. Diagnostics > Traceroute is a tool used to determine the route taken by packets across an IP network. To use any of these tools:
1. Enter the IP address or host name into the Host field. See Figure 109 for the Ping tool.
2. Click the Go button.

The results will be similar to those shown in Figure 109 for Ping.
Several of the Diagnostics console pages wait until the system command is complete before returning a command result. Please allow several seconds for the command to complete and the result to be returned.

FIGURE 109: PING TOOL

4 ADVANCED TOPICS
This section provides you with more in-depth discussion of advanced BeSecure configuration.

4.1 Command Line Interface (CLI)

All versions of BeSecure have a command line interface accessible through a direct serial port connection, or an SSH connection over the network. The default login username and password are the same as for the management console, and the System > Administrators screen can be used to change the password, or add additional readwrite administrator accounts to access both the management console and the CLI (Section 4.1). Only readwrite administrator accounts created using the management console can access the CLI. Accounts that have readonly access cannot access the CLI. The CLI admin command can also be used to create administrator accounts. See Section 4.1.2.

4.1.1 Accessing the CLI

To access the CLI via the serial port:
1. Connect your client machine's serial port to the BeSecure console port. This is the 9-pin serial port or the RJ-45 jack labeled or CON.
2. Using a terminal client such as HyperTerminal, create a new connection that uses your client's serial port (example: COM1) and the following settings:
   9600 bps
   8 data bits
   No parity
   1 stop bit
At the prompt, log in using the default administrator username admin and password admin.
To access the CLI via SSH:
1. Using an SSH client on a network connected to a BeSecure interface, connect to the BeSecure machine using:
   ssh admin@<your BeSecure IP address>
   Log in using the default password admin.
Administrator accounts can be added and edited using System > Administrators in the management console, or using the admin CLI command (see below). Only readwrite administrators can access the CLI. CLI accounts created using the admin command are readwrite users of the management console as well.

When finished, use the quit command to exit.


4.1.2 Commands and Usage

Command          Description
admin            Change admin accounts and allowed IP addresses.
backup           Back up configuration settings to a backup file. Can be restored using
                 system restore. Use with the system command.
bdav             Configure Bitdefender anti-virus service. Use with the service command.
bitdefender      Configure Bitdefender anti-virus service. Use with the service command.
cd               Change working directory.
cloudmark        Configure Cloudmark anti-spam service. Use with the service command.
cm               Configure Cloudmark anti-spam service. Use with the service command.
cwd              Display current working directory.
exit             Exit CLI.
gen              Generate a traffic capture or problem report.
generate         Generate a traffic capture or problem report.
healthmonitor    Configure Health Monitor settings.
help             Display command help.
kaspersky        Configure Kaspersky anti-virus service. Use with the service command.
kav              Configure Kaspersky anti-virus service. Use with the service command.
license          Manage system and component licenses.
log              Edit logging settings, such as log level and remote syslog host.
ls               List contents of current working directory.
net              Manage network settings.
network          Manage network settings.
pwd              Display current working directory.
quit             Exit CLI.
quota            Control quota service.
raid             Configure the RAID (if available). Use with the system command.
reboot           Reboot the system.
reporting        Configure event reporting.
restore          Restore configuration settings from a backup file generated with system
                 backup. Use with the system command.
reset            Reset to factory default settings.
route            Configure static routes.
scanner          Configure the scanning engine.
scp              Secure copy (scp) a local file to a remote host.
scr              Configure SubSonic Content Recognition.
sdav             Configure StreamDefender stream scanning service.
service          Configure system services. The subcommands kaspersky, kav,
                 bitdefender, bdav, cloudmark, webfilter, and quota are
                 used with this.
shutdown         Shut down the system.
snmp             Change or view SNMP settings.
statistics       Manage the statistics database.
status           Show current system status.
streamdefender   Configure StreamDefender stream scanning service.
subsonic         Configure SubSonic Content Recognition.
system           Configure raid, backup, or update settings. Using the command system
                 raid is the same as using raid, etc.
tcp              Change or view TCP settings.
traffic          Configure running traffic profile.
usage            Displays a command's usage message.
webfilter        Configure the WebFilter service. Use with the service command.
wf               Configure the WebFilter service. Use with the service command.

Help Usage
The help command will get you the above list of commands. Using help <command> will get you
detailed help on usage of the specified command. Some standards used in the usage messages:
[ ] - the item is optional
{ | } - select one of the items within '{}' and between '|'. For example: { control | device }
means the user needs to type 'control' or 'device'
<string> - a value/string is required. 'string' is replaced with a useful identifier to remind users
what is required. For example, <ip> means an IP address is required.
token - A character sequence with no whitespace and none of the following characters: []{}|<> .
This represents a string that needs to be entered as it is shown. Examples: host, add.

Here is an example usage message:

Usage: route show
       route host add <ip> [ gateway <ip> ] via { control | device }
       route host { rm | remove } <ip> [ gateway <ip> ] via { control | device }
       route net add <ip> netmask <netmask> [ gateway <ip> ] via { control | device }
       route net { rm | remove } <ip> netmask <netmask> [ gateway <ip> ] via { control | device }


All commands can end with an optional ';'. Therefore, either of these are valid:
route show
route show;
This also allows multiple ;-separated commands to be typed in and executed on the same line.
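The usage notation is regular enough to be checked mechanically, which is useful when commands are generated by scripts or screened before they reach the appliance. The following Python script is an added example and is not part of BeSecure or this manual: it parses a usage line into optional groups, alternatives, placeholders and literal tokens, then checks a typed command against it and returns the placeholder values. The route usage lines are the ones shown above; the commands fed to it, and the function names, are this example's own.

```python
"""Matcher for the BeSecure CLI usage notation: [ ] optional, { a | b } alternatives,
<name> required value, anything else a literal token. Added example, not Wedge Networks
code; the commands fed to it below are constructed."""


def parse_usage(tokens, i=0, stop=()):
    """Recursive-descent parse of whitespace-split usage tokens into a node list.
    Returns (nodes, index of the first unconsumed token)."""
    nodes = []
    while i < len(tokens) and tokens[i] not in stop:
        tok = tokens[i]
        if tok == "[":                              # optional group
            inner, i = parse_usage(tokens, i + 1, ("]",))
            if i >= len(tokens):
                raise ValueError("unterminated '['")
            nodes.append(("opt", inner))
            i += 1                                  # consume ']'
        elif tok == "{":                            # alternatives
            alts = []
            while True:
                inner, i = parse_usage(tokens, i + 1, ("|", "}"))
                if i >= len(tokens):
                    raise ValueError("unterminated '{'")
                alts.append(inner)
                if tokens[i] == "}":
                    break
            nodes.append(("alt", alts))
            i += 1                                  # consume '}'
        elif len(tok) > 2 and tok[0] == "<" and tok[-1] == ">":
            nodes.append(("var", tok[1:-1]))        # required value
            i += 1
        else:
            nodes.append(("lit", tok))              # literal keyword
            i += 1
    return nodes, i


def _match(nodes, args, j, bound):
    """Backtracking matcher: yield (next arg index, bindings) for every way `nodes`
    can consume args[j:]. Bindings are (name, value) pairs in command order."""
    if not nodes:
        yield j, bound
        return
    (kind, payload), rest = nodes[0], nodes[1:]
    if kind == "lit":
        if j < len(args) and args[j] == payload:
            yield from _match(rest, args, j + 1, bound)
    elif kind == "var":
        if j < len(args):
            yield from _match(rest, args, j + 1, bound + ((payload, args[j]),))
    elif kind == "opt":
        yield from _match(payload + rest, args, j, bound)   # with the group
        yield from _match(rest, args, j, bound)             # without it
    else:                                                   # "alt"
        for alt in payload:
            yield from _match(alt + rest, args, j, bound)


def match_usage(usage, command):
    """Return the list of (name, value) bindings if `command` is an instance of `usage`,
    or None if it is not. A trailing ';' is accepted, as the CLI allows."""
    nodes, _ = parse_usage(usage.split())
    args = command.strip().rstrip(";").split()
    for j, bound in _match(nodes, args, 0, ()):
        if j == len(args):          # every argument consumed
            return list(bound)
    return None


# Usage lines as shown by `help route` in the manual.
ROUTE_USAGE = (
    "route show",
    "route host add <ip> [ gateway <ip> ] via { control | device }",
    "route host { rm | remove } <ip> [ gateway <ip> ] via { control | device }",
    "route net add <ip> netmask <netmask> [ gateway <ip> ] via { control | device }",
    "route net { rm | remove } <ip> netmask <netmask> [ gateway <ip> ] via { control | device }",
)


def classify(command, usages=ROUTE_USAGE):
    """Return (matching usage line, bindings), or (None, None) if no usage line matches."""
    for usage in usages:
        bound = match_usage(usage, command)
        if bound is not None:
            return usage, bound
    return None, None
```

Because the matcher backtracks, a placeholder never swallows a keyword that a later literal needs; "route host add 10.0.0.5 via wan" is rejected by the { control | device } alternative, and "route host add 10.0.0.5 gateway 10.0.0.1 via control;" yields both <ip> values in order.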

CLI History
The CLI has a built-in history. It can be accessed with:
1. The Up/Down arrow keys.
2. The Ctrl-p/Ctrl-n key combinations.
Either method allows access to the previous or the next command in the history list. The history is NOT
saved between login sessions.

Command Line Editing
Left/Right arrow keys - move cursor left or right one character
Home/End keys - position cursor at the beginning or end of line
It also supports emacs style key bindings:
Ctrl-a - position cursor at the beginning of line
Ctrl-e - position cursor at the end of line
Ctrl-f - move cursor forward/right one character
Ctrl-b - move cursor back/left one character
Ctrl-d - delete character at current cursor position

4.1.3 Reset of Administrator Password


Should it become necessary to restore the admin account's password to the default value, there is an
account available only via connection to the serial port that will allow this action. Because that
account uses fixed, published credentials (see below), anyone with physical access to the console port
can reset the admin password; keep the appliance and its console port physically secured, and change
the admin password again immediately after a reset.


Upgrading from 3.1.2: Because there is no way of knowing the current value of the admin
password when a System Update occurs, the CLI password will need to be manually reset
in order to synchronize it with the current management console admin account
password. To do this:
1. Go to System > Administrators.
2. Edit the admin user account.
3. Re-enter a password.
4. Click Save.
The management console and CLI admin user account passwords will now be
synchronized.

To reset the admin password to its default value:
a. Connect a client machine's serial port to the BeSecure console port. This is the 9-pin serial port
   or the RJ-45 jack labeled CON.
b. Using a terminal client such as HyperTerminal, create a new connection that uses your client's
   serial port (example: COM1) and the following settings:
   9600 bps
   8 data bits
   No parity
   1 stop bit
c. At the prompt, use the username resetpassword and the password default! to log in. The
   following will be displayed:
   Reset password for admin (y/n)?
d. Press y to reset the admin password to admin and exit. Press n to exit without resetting the
   password.

4.2 Advanced Scanner Configuration Using the CLI


The BeSecure CLI contains a variety of advanced commands that can be used to tweak the scanning
behaviour. Many of these do not have an equivalent in the web user interface, and they are outlined in
this section.
The scanner command controls several functions and customization options for the following
situations:
1. Scanner bypass when the scanner is too busy.
   scanner bypass all { enable | disable }

Normally, when scanning resources are fully utilized, new connections wait until scanning resources
are available (scanner bypass is disabled). By enabling scanner bypass, any new connections arriving
while the scanner is saturated bypass the scanning engine. This eliminates the queuing latency that
occurs when the device is under constant heavy load. However, it also means that some traffic is not
scanned, increasing the chance of malware entering the network.
2. Scanner bypass when an IP address has too many concurrent scans occurring.
   scanner bypass ip { enable | disable }
   scanner bypass ip set max <number>
Enabling the scanner bypass by IP address limits a particular IP address to the set number of concurrent
scans; connections from that address beyond the limit bypass the scanning engine and are not scanned.
3. HTTP partial content requests.
   scanner http { partial-content | part } { block | pass }
Certain browsers allow a previously canceled download of compressed or archived content to be resumed
with the client browser requesting only the remainder of the content that wasn't previously downloaded
(because the initial part of the file already exists in the browser cache). In these cases, BeSecure does not
have access to the beginning portion of the file content, so it cannot decompress it to perform an effective
scan on this compressed partial content.
To handle these cases, BeSecure can be configured to pass (allow through without scanning) or
block the remaining bytes of these partial archives.
With block, the user whose browser requests the remainder of compressed partial content will see an
error when attempting this type of download. They are required to clear their browser cache to eliminate
this error. This ensures that the file is downloaded again in its entirety, and a proper decompression and
scan will occur.
With pass, the end user will receive their content without any error, but neither portion of the
compressed content will have been scanned for malware.
4. Exclusion of specific MIME content types from HTTP anti-virus scanning.
   scanner http content-type exclude show
   scanner http content-type exclude { add | rm } <type>
If it is known that a particular type of file has a very low chance of containing malware, the HTTP AV
scanning can be configured to not scan that MIME type. This can increase performance by lowering the
number of scans taking place, especially if that MIME type is normally scanned very frequently. Keep in
mind that the MIME type is taken from the Content-Type header supplied by the origin server, which a
malicious server chooses freely, so an excluded type is a way to deliver a file unscanned; keep the
exclusion list short. To return the list of MIME type exclusions to the default, use
   scanner http content-type exclude default

5. Collect statistics about content types that are getting scanned.
   scanner http content-type statistics { enable | disable }
   scanner http content-type statistics { clear | show }
Enable collection of statistics on scanned HTTP AV content types, check current counts, and clear any
accumulated content type statistics.
6. SMTP spam blocking reply code and message need customization.
By default, when SMTP spam is blocked, a 554 5.6.0 reply code with the message Message contains spam
is returned to the sending MTA. This can be customized here should circumstances require it to change.
This can also be changed using the web user interface, on the Protection > Anti-Spam Setup page. See
Section 3.2.4 for more details. The commands to do this with the CLI are:
   scanner smtp block show
   scanner smtp block set code <number> text <text>
The number is the reply code in the format XXX X.X.X (example: 554 5.6.0) and the text is the
message desired. Following RFC 2821 (reply codes) and RFC 3463 (enhanced status codes), this means:
a. The reply code is a number between 200 and 554 and must start with 2, 4, or 5.
b. The reply code can be followed by an optional enhanced status code.
   This status is composed of three numbers separated by dots (example: 5.6.0). The first number
   must match the first digit of the reply code. The other two can be any number between 0 and 999.
c. The text message can only contain ASCII characters and is limited to 500 characters. Quotes are
   not required when specifying the message using the CLI.
A list of SMTP reply codes can be found in Appendix D: SMTP Reply Codes.
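The rules in a, b and c are easy to get wrong by hand, and a malformed reply is what the remote MTA will see on every blocked message. The following Python script is an added example, not BeSecure code: it checks a reply code, optional enhanced status code and message text against those rules and renders the reply line the sending MTA receives. The sample values are constructed; the one check that goes beyond the manual (rejecting CR or LF inside the text) is marked in the code.

```python
"""Check a reply code, optional enhanced status code and message against the rules the
manual states for `scanner smtp block set code <number> text <text>`. Added example, not
BeSecure code; the sample values are constructed."""
import re

# 'NNN' or 'NNN X.Y.Z': reply code starting with 2, 4 or 5, then an optional enhanced
# status code whose subject and detail fields are 1 to 3 digits (0..999).
_CODE_FIELD = re.compile(r"^([245]\d{2})(?:\s+(\d)\.(\d{1,3})\.(\d{1,3}))?$")


def check_block_reply(code_field, text):
    """Return a list of rule violations; an empty list means the values are acceptable."""
    problems = []
    m = _CODE_FIELD.match(code_field.strip())
    if m is None:
        problems.append("reply code must be 'NNN' or 'NNN X.Y.Z' and start with 2, 4 or 5")
    else:
        code, status_class = int(m.group(1)), m.group(2)
        if not 200 <= code <= 554:
            problems.append(f"reply code {code} is outside 200..554")
        if status_class is not None and status_class != m.group(1)[0]:
            problems.append(f"status class {status_class} does not match reply code {m.group(1)}")
    if len(text) > 500:
        problems.append(f"text is {len(text)} characters; limit is 500")
    if any(ord(ch) > 127 for ch in text):
        problems.append("text must be ASCII only")
    # Not stated in the manual, but a CR or LF inside the text would split the reply
    # into two lines on the wire, so this example rejects it as well.
    if "\r" in text or "\n" in text:
        problems.append("text must not contain CR or LF")
    return problems


def smtp_reply_line(code_field, text):
    """Render the reply the sending MTA receives, e.g. '554 5.6.0 Message contains spam',
    refusing values that break the rules above."""
    problems = check_block_reply(code_field, text)
    if problems:
        raise ValueError("; ".join(problems))
    return " ".join(code_field.split()) + " " + text
```

Run check_block_reply on the values before typing them into the CLI; the default "554 5.6.0" / "Message contains spam" passes, while "554 4.6.0" is rejected because the status class 4 does not match a 5xx reply code.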
7. SMTP CHUNKING capability is used by a mail server.
The SMTP protocol RFC outlines a means of sending e-mail message content using a technique known as
CHUNKING. BeSecure does not support the scanning of messages using this capability, so it must be
configured to either pass through or block the use of CHUNKING to transfer data.
   scanner smtp chunking { block | pass }
By default, this is set to pass. This means that message content transferred with CHUNKING will NOT be
scanned. If set to block, BeSecure will prevent the CHUNKING from occurring. The SMTP server will send
the data in another manner, and the content will be scanned normally. If scanning coverage of mail
matters more than compatibility with the sending server, set this to block.
8. Prevent unwarranted spam blacklisting of NATed SMTP servers.
   scanner rewrite ehlo { on | off }
   scanner rewrite show
   scanner rewrite value <text>
This command allows specifying a fixed value to be sent as the parameter of any SMTP EHLO command
sent by a server on the protected network, regardless of what the server has already specified as the
parameter.


This prevents situations where multiple SMTP servers behind a NAT gateway, each of which may be
sending different parameters with their EHLO, from causing the NAT external address to be blacklisted by
reputation authorities. Random EHLO parameters from the same address are seen as suspicious
behaviour. The result is regular email from behind that NAT address getting classified as spam.
9. Longer socket timeouts required for scanning of any of the supported protocols.
The default timeout settings for all protocols are 60000 ms for read and 30000 ms for write. It may be
found in some deployments that BeSecure's default protocol socket timeout values are not adequate,
resulting in incomplete downloads or terminations of server connections with errors. This usually occurs
during downloads of larger files.
Adjusting the read and write timeout values can be helpful in these cases. The write timeout determines
how long BeSecure will wait to send data. The read timeout determines the length of time BeSecure will
wait to receive data. The read and write socket timeouts can be set on a per-protocol basis using:
   scanner <protocol> timeout show
   scanner <protocol> timeout { read | write } set <milliseconds>
The <protocol> is one of ftp, http, icap, imap, pop3, or smtp. The timeout value must be
between 2000 and 1800000 milliseconds. It can be difficult to determine which of the read or write
timeouts should be adjusted, so experimentation may be required. Please contact Wedge Product
Support for assistance if required, as this is an advanced feature and can impact performance if set
incorrectly.
Changing the timeout settings will cause a brief interruption in the traffic that is being
scanned. This command should only be run if you are prepared for the network traffic
interruption.

4.3 Advanced Network Configuration with the CLI


There are some commands available via the CLI that have no analog in the management console web
interface.

4.3.1 network icmp


network icmp block { always | auto }
network icmp block is only applicable to 2-interface router mode, with HA turned off.
Normally, the BeSecure will respond to ICMP requests on the INGRESS and EGRESS ports unless the
control interface is active. In that case, ICMP requests are blocked on the INGRESS and EGRESS ports.
The behavior changes in 2-interface router mode with HA off, and this command controls this new
behavior.
By default, this is set to always. ICMP (ping) is blocked on the INGRESS and EGRESS ports in 2-interface
router mode with HA off. It doesn't matter if the control interface is configured or not, ICMP (ping) will be
blocked.
In certain situations, it is desirable to allow ICMP requests, such as when deploying BeSecure into an
Alteon load-balancing environment, which requires ICMP for regular operation. In these situations, the
command
network icmp block auto
should be used to allow ICMP requests on the INGRESS and EGRESS ports, until the Health Monitor (see
Section 4.11) determines that a failure mode has occurred, at which point ICMP will be blocked until the
failure is resolved.

4.4 Advanced Configuration Management with CLI


Backup and restore are easily done using the management console System > Backup/Restore page. This
backup file can be downloaded and restored using a client computer.
However, the CLI has the ability to archive and upload the backup file to a web server, FTP server, or SSH
(scp) host. It can also restore from the file's remote location.
   system backup <url>
Where url is of the format
   <protocol>://[user:password@]hostname/[path]
Examples:
   http://server/path/to/share
   ftp://user:password@server/path/to/dir
   scp://user:pass@host/home/path/mybackup.tar.gz
If the <url> value ends with / (no filename specified), then a default filename of <product>.<time>.tar.gz
will be created.
To restore from this backup, use
   system restore <url>
specifying <url> as above, with the path including the filename of the backup file.
The backup archive contains the appliance's configuration, and the http and ftp schemes send both the
archive and any user:password in the URL in cleartext; prefer scp, and store the archive where only
administrators can read it.


4.5 Selective SubSonic Content Recognition


Certain enterprises can find that there is an abundance of one or more types of traffic that enter their
network on a regular basis, composed of very large files obtained by many clients on the network. An
example of this is Microsoft Update. The SubSonic mechanism yields the greatest impact when restricted
to larger, more complex file types. The caching mechanism has limitations that impact its effectiveness,
one of which is the size of the SubSonic cache. If the use of the cache is limited to only those file types
that are the most common, large and complex, the load on the device will be significantly less.
The CLI includes a set of commands that can be used to customize the MIME types that the SubSonic
mechanism acts upon.
subsonic { show | enable | disable }

This enables and disables the SubSonic mechanism, just as the System > SubSonic page does using the
management console.

[Figure 110 is a flowchart. When a file is accessed: if the include list is non-empty and does not match the
file's content type, a regular scan is performed; otherwise, if the exclude list matches the content type, a
regular scan is performed; otherwise a SubSonic scan is performed.]

FIGURE 110: SELECTIVE SUBSONIC IN ACTION

subsonic mime { include | exclude } show
subsonic mime { include | exclude } clear
subsonic mime { include | exclude } add <mime-type>
subsonic mime { include | exclude } { remove | rm } <mime-type>

This set allows the specification of a content (MIME) type include and exclude list. The list of include
entries is checked first, and then the exclude list is checked. By default, all types are included. Specifying
include entries allows SubSonic to be applied to only a subset of content types. Specifying exclude entries
further refines the list by listing types that should not be SubSonic scanned, of the types that are included.
See Figure 110 for a graphical explanation.
subsonic filesize max set <integer>
subsonic filesize max set default
subsonic filesize max show
subsonic filesize mime exclude show
subsonic filesize mime exclude clear
subsonic filesize mime exclude add <mime-type>
subsonic filesize mime exclude { remove | rm } <mime-type>

This set of commands allows a maximum file size to be used to determine whether data with a particular
content type should be SubSonic scanned. As stated above, the performance increase enabled by
SubSonic is greater when used with larger data sizes.
As with keywords and URLs specified in Keyword and URL Policies, the syntax used when specifying the
MIME type is:
? - matches any single character
* - matches zero or more characters
+ - matches one or more characters
For example, text/* will match text/html and text/plain. See Section 3.3.3 for further details.
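To check an include/exclude configuration before applying it, the include-then-exclude decision of Figure 110 and the ?, *, + wildcard syntax can be reproduced outside the appliance. The following Python script is an added example, not BeSecure code: it translates a MIME pattern into a regular expression, matches a content type against a list of patterns, and returns whether the data would be SubSonic scanned or go to a regular scan. The lists and content types are constructed; case-insensitive matching and the stripping of Content-Type parameters (such as "; charset=utf-8") are this example's choices, as the manual does not specify either.

```python
"""Decide whether a content type gets a SubSonic scan or a regular scan, following the
include-then-exclude logic of Figure 110 and the ?, *, + wildcard syntax of Section 3.3.3.
Added example, not BeSecure code; the lists and content types are constructed."""
import re


def mime_pattern_to_regex(pattern):
    """Translate the manual's wildcards: ? any single character, * zero or more, + one
    or more. Everything else is matched literally. MIME types are case-insensitive, so
    the comparison ignores case (this example's choice)."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        elif ch == "+":
            parts.append(".+")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def normalize_content_type(value):
    """Drop parameters such as '; charset=utf-8' and surrounding whitespace before
    matching (assumed; the manual does not say whether parameters are considered)."""
    return value.split(";", 1)[0].strip()


def matches_any(patterns, content_type):
    """True if any pattern in the list matches the whole (normalized) content type."""
    ct = normalize_content_type(content_type)
    return any(mime_pattern_to_regex(p).fullmatch(ct) is not None for p in patterns)


def subsonic_applies(content_type, include=(), exclude=()):
    """Figure 110: the include list is checked first (an empty include list means every
    type is included), then the exclude list. True means SubSonic scan, False means the
    file goes to a regular scan."""
    if include and not matches_any(include, content_type):
        return False            # not on a non-empty include list: regular scan
    if matches_any(exclude, content_type):
        return False            # explicitly excluded: regular scan
    return True                 # SubSonic scan
```

With include set to application/* and exclude to application/json, an application/x-msdownload response is SubSonic scanned, application/json and text/plain are not; with an empty include list and text/* excluded, everything except text types is SubSonic scanned.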

4.6 Fiber Data Ports


Certain BeSecure models are equipped with optical fiber data ports, which can be used instead of the
default cat5 data ports for INGRESS and EGRESS, providing a substantial increase in scanning throughput.
To enable the fiber ports for INGRESS and EGRESS:
1. Select Network under the System menu.
2. Under Fiber Support (near the bottom of the screen), select Use fiber ports as data ports. See
   Figure 111.
3. Click the Save button.
The port status displayed on the System > Status page will update the Function to show that the fiber
ports are now INGRESS and EGRESS.

FIGURE 111: FIBER SUPPORT CHECKBOX


4.7 Spam Feedback Network


Wedge Networks has partnered with Cloudmark to provide a proven spam signature database anti-spam
solution. This highly accurate solution is based on a trusted evaluation network. Cloudmark has over 100
million reporters in 163 countries who collaboratively vote on messages. Feedback is automatically
incorporated into Cloudmark's fingerprinting database as each message arrives; a list of fingerprints for
the message is generated and each fingerprint is run through Cloudmark's six fingerprinting algorithms,
building a database of spam fingerprints.
The Cloudmark anti-spam functionality provided by BeSecure is improved through feedback from its
users. Since the BeSecure spam signature database is updated continuously, your feedback to the system
will have an immediate impact on the spam accuracy of your BeSecure appliance. Here is how to provide
this feedback.

Spam and Phishing Messages


If a message gets through to you that is obviously spam but is not tagged by BeSecure as such, then you
are likely one of the first people in the BeSecure community to receive that type of spam message. You
can report such spam messages by sending us the complete, original e-mail message. Instructions on how
to send this message in a format that can be used by the feedback system are provided below for your
specific e-mail client. The address for reporting spam messages is:
spam@wedgenetworks.com
Further, if you receive a message that is not only spam but also fraudulently tries to get you to click
through to a dangerous web site (by hiding the true destination of a hyper-link), then this type of message
is called phishing and requires different reporting. To report phishing messages, please send it
as an attachment to:
phishing@wedgenetworks.com
Please do not simply forward spam or phishing e-mails, as the critical header information will be lost and
we will be unable to process the report. Please see the sections below for instructions on how to do this
with your e-mail client.

Wrongfully Classified as Spam


Occasionally, wide-spread e-mail messages such as mailing list postings or newsletters may be tagged as
Spam. If you find an e-mail that has been incorrectly categorized as Spam or Phishing, please send it as an
attachment to:
notspam@wedgenetworks.com

How to Submit E-mail Messages with Outlook/Outlook Express or Thunderbird
1. Go to the File menu and select New > Mail Message to compose a new, empty e-mail message.
2. In the To: field type in the e-mail address. For
   spam messages, use spam@wedgenetworks.com
   phishing messages, use phishing@wedgenetworks.com
   wrongfully classified messages, use notspam@wedgenetworks.com
3. From the message list in Outlook/Outlook Express, grab the e-mail icon for the misclassified
   e-mail and drag it into the new e-mail created in step 1. You may drag and drop as many e-mails as
   you like into the report, up to the size limit of your outgoing e-mail.
4. Click the Send button to send the message.

How to Submit E-mail Messages with Mac OS X Mail
1. Select the misclassified message in the message list.
2. Go to the File->Save As option in the top menu.
3. Select Format: Raw Message Source in the save window.
4. Save the file in a location of your choice (e.g. Desktop).
5. Go to File->New Message.
6. Type the e-mail address as appropriate into the To: field.
7. Go to File->Attach File, and select the file saved above.
8. Click Send.

How to Submit E-mail Messages with Eudora
1. Select the misclassified message in the message list.
2. Go to the File->Save As option at the top menu.
3. Select Include Headers in the save window.
4. Save the file in a location of your choice (e.g. Desktop).
5. Go to File->New Message.
6. Type the e-mail address as appropriate into the To: field.
7. Go to Message > Attach File, and select the file saved above.
8. Click Send.

4.8 WebFilter URL Categorization Feedback


The WebFilter component of BeSecure uses the Secure Computing SmartFilter database of categorized
URLs. If a newer URL is missing a categorization, or an existing URL is not categorized to a user's
satisfaction, a suggested update can be submitted through the Secure Computing website.
1. Navigate to http://www.trustedsource.org/.
2. Create an Account, using the link in the upper right corner, and activate the account using the
   e-mail message sent to you.
3. Log in to your user account.
4. Under the Feedback menu, select Check Single URL.
5. From the pull down menu, select SmartFilter v4.
6. Type in the URL you want to check, and then click on Check URL.
7. On the results page, suggest any category changes that you feel are appropriate. Add a detailed
   note explaining your reasoning, if desired.
8. Click Submit URL for Review.
9. On the E-mail Notification page, enter an e-mail address to which status updates will be sent.
   Click Submit.
10. Click Track URL Ticket Status under the Feedback menu. Your request will be displayed along
    with its ticket ID and status.
At any time, the status can be checked under Track URL Ticket Status. E-mail messages will be sent to the
e-mail address specified in Step 9, as the status of the request changes. If approved, the URL category
changes will be included in the next signature update.

4.9 Internet Content Adaptation Protocol (ICAP)


ICAP is a lightweight protocol for executing a "remote procedure call" on HTTP messages. It allows clients
to pass HTTP messages to servers intended to apply a sort of transformation or other processing
("adaptation") to the forwarded content. The server executes its transformation service on messages and
sends back responses to the client, usually with modified messages. Typically, the adapted messages are
either HTTP requests or HTTP responses.
BeSecure implements the server side of ICAP described in RFC 3507, with support for all three methods
described in RFC 3507 (OPTIONS, REQMOD, and RESPMOD). The BeSecure ICAP server applies the HTTP
policies to the encapsulated HTTP content.
To enable BeSecure ICAP support, see Section 3.1.4.

4.9.1 HTTP Policies and IP Addresses


It is important to know how your ICAP client works to successfully set up the HTTP policies on BeSecure.
This is because RFC 3507 does not allow for identifying the original client and server IP addresses in the
encapsulated HTTP request. However, the ICAP extension headers X-Client-IP and X-Server-IP do provide
this functionality. The headers are described here:
http://www.icap-forum.org/documents/specification/draft-stecher-icap-subid-00.txt
When setting up the HTTP policies it is important to know whether your ICAP client supports these
extension headers, so the policies work as expected. The algorithm used by BeSecure to determine the
source and destination IP addresses when applying the HTTP policies to ICAP traffic is as follows.
For the Source IP address of the HTTP policy:
   if X-Client-IP header exists
      Source address is X-Client-IP value
   else
      Source address is IP address of ICAP client
For the Destination IP address of the HTTP policy:
   if X-Server-IP header exists
      Destination address is X-Server-IP value
   else
      Destination address is 0.0.0.0/0 (to match any IP address)
Note that the values of these headers are taken as sent: any host that can reach the ICAP port can choose
the source and destination addresses that its requests are matched against, so allow only trusted ICAP
clients (the proxies you configure) to connect to the BeSecure ICAP server.
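The address selection above can be reproduced on a captured ICAP request to confirm which policy a given proxy's traffic will hit. The following Python script is an added example, not BeSecure code: it parses the ICAP header block and applies the two rules, returning the source and destination the policy lookup would use. The two REQMOD requests, the host name besecure.example.net and all addresses are constructed; treating a header whose value is not a valid IP address as absent is this example's choice, since the manual only distinguishes present from absent.

```python
"""Resolve the source and destination addresses used for HTTP policy matching on ICAP
traffic, as described above: X-Client-IP if present, else the ICAP client's address;
X-Server-IP if present, else 0.0.0.0/0. Added example, not BeSecure code; the ICAP
requests below are constructed."""
import ipaddress

ANY_ADDRESS = "0.0.0.0/0"


def parse_icap_headers(raw):
    """Split an ICAP message into (request line, {lower-case header name: value}).
    Only the ICAP header block is read; the encapsulated HTTP message after the first
    blank line is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _as_ip(value):
    """Normalized address string, or None when the header value is not an IP address.
    (Treating an unparsable header as absent is this example's choice; the manual only
    distinguishes present from absent.)"""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def policy_addresses(icap_peer_ip, raw):
    """Return (source, destination) as used for the HTTP policy lookup."""
    _, headers = parse_icap_headers(raw)
    source = _as_ip(headers.get("x-client-ip", "")) or str(ipaddress.ip_address(icap_peer_ip))
    destination = _as_ip(headers.get("x-server-ip", "")) or ANY_ADDRESS
    return source, destination


# Constructed encapsulated HTTP request (63 bytes) shared by both samples below.
_HTTP_PART = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# REQMOD request from a proxy that sends the extension headers.
REQ_WITH_HEADERS = (
    b"REQMOD icap://besecure.example.net:1344/reqmod-scan ICAP/1.0\r\n"
    b"Host: besecure.example.net\r\n"
    b"X-Client-IP: 10.1.2.3\r\n"
    b"X-Server-IP: 203.0.113.10\r\n"
    b"Encapsulated: req-hdr=0, null-body=63\r\n"
    b"\r\n" + _HTTP_PART
)
# The same request from a proxy that does not send them.
REQ_WITHOUT_HEADERS = (
    b"REQMOD icap://besecure.example.net:1344/reqmod-scan ICAP/1.0\r\n"
    b"Host: besecure.example.net\r\n"
    b"Encapsulated: req-hdr=0, null-body=63\r\n"
    b"\r\n" + _HTTP_PART
)
```

For a proxy at 192.168.5.20, the first request resolves to (10.1.2.3, 203.0.113.10) and is matched against policies for that client and server; the second resolves to (192.168.5.20, 0.0.0.0/0), so every user behind a proxy that omits the headers is matched as the proxy itself, against destination-agnostic policies only.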

4.9.2 Traffic Blocking with ICAP

Traffic blocking rules do not work with ICAP. Configure the ICAP client instead to send only the traffic
you wish to be scanned.

4.9.3 Configuring the ICAP Client to Work with the BeSecure ICAP Server
BeSecure has three services:
reqmod-scan: For the ICAP REQMOD method, use this service.
respmod-scan: For the ICAP RESPMOD method, use this service.
scan: This service can be used with both the ICAP REQMOD and RESPMOD methods. It is intended for
those devices or applications in which only one ICAP URI can be specified (ex. Websense).
Each service can be configured in the ICAP client with the following URI structure:
   icap://<BeSecure IP Address>:1344/<service name as in list above>
The port number is the default ICAP port of 1344. It may or may not need to be specified directly in the
URI. This depends on the ICAP client being configured.
Here are sample entries for a Squid 3.0 ICAP client configuration (the 0 is Squid's bypass flag: with
bypass off, Squid fails the transaction rather than passing it through unscanned when BeSecure is
unreachable):
   icap_service service_1 reqmod_precache 0 \
       icap://<BeSecure IP address>:1344/reqmod-scan
   icap_service service_2 respmod_precache 0 \
       icap://<BeSecure IP address>:1344/respmod-scan

4.10 Web Cache Communications Protocol (WCCP)


The Web Cache Communications Protocol (WCCP) is a protocol that is used to redirect traffic (usually
HTTP web page requests) to another device in real time. This device can provide any sort of service or
perform any operation on the data, such as web caching or filtering.
BeSecure can receive traffic as a WCCP device in order to perform any scanning operation on this data.
The WCCP settings only work with a correctly configured WCCP-capable router or switch. BeSecure can
support up to 2 WCCP-capable devices.
WCCP version 2 is supported by default, with version 1-only support selectable via the version
command. Also by default, BeSecure supports HTTP port 80 only, but additional ports can be added.
BeSecure WCCP supports scanning of SMTP, POP3, IMAP, and HTTP. FTP scanning is not supported by
BeSecure via WCCP.

This is how it works:
1. A client makes a request, which goes to a WCCP-capable router or switch.
2. The router or switch encapsulates the request (to prevent any modifications to the original
   packet) using WCCP and redirects it to the BeSecure appliance.
3. The BeSecure appliance then makes the request to the destination server on behalf of the client,
   scanning the request, and provides the response supplied by the destination server, scanning it if
   necessary.
Some benefits of WCCP include:
- Selective real-time routing of traffic
- BeSecure services provided without being in-line with the data traffic
- Manage BeSecure failover without HA, with the router deciding on the fly what to do on failure
  detection
- Router can manage multi-BeSecure load balancing

There are two basic modes of BeSecure WCCP operation, router and switch. The router mode is the
default, and is meant to operate with various routers that use GRE tunneling for forwarding and return of
data. The switch mode is for switches that use L2/MAC redirection for its forwarding and return
methods. Table 4-1 outlines the default method settings for these two modes.
The WCCP version is set to 2 by default. Version 1 can be selected using the version
command. Only router mode is available under version 1. If the version is changed to 1, the mode will
automatically be set to router, and the defaults set as in Table 4-1.
As well, when router or switch mode is selected using the CLI command, all the methods are changed
back to the default settings as listed in Table 4-1.
TABLE 4-1: WCCP MODES DEFAULT SETTINGS

Mode      Forwarding method     Return method         Assignment method
Router    GRE tunneling         GRE tunneling         hash
Switch    L2/MAC redirection    L2/MAC redirection    mask


For some WCCP-enabled network appliances that behave differently from the default, the forwarding and
return methods of BeSecure can be overridden using the forwarding and return commands, and the
assignment method using the assignment command. See Table 5-3. The documentation for any WCCP
router or switch should be consulted to determine the correct settings for each of these BeSecure WCCP
methods. When a command is used to change a WCCP method type, the mode shown using the net
wccp show command will display custom, as opposed to router or switch, indicating a method
override has taken place.
TABLE 4-2: WCCP EXAMPLE MODE AND METHOD CONFIGURATIONS FOR NETWORK DEVICES

Device              Mode     Forwarding   Return    Assignment
Cisco 2800 series   router   GRE          GRE       hash
Cisco 3550          switch   L2/MAC       GRE*      hash*
Cisco 3750          switch   L2/MAC       L2/MAC    mask
Cisco 4506          switch   L2/MAC       L2/MAC    mask
Cisco 6509          switch   L2/MAC       GRE*      mask

* Indicates override is necessary (the method differs from the mode default in Table 4-1)

To initially configure basic BeSecure WCCP support:
1. Configure the router or switch that will be used to forward the request to BeSecure via WCCP (vendor specific).
2. Log in to the CLI (see Section 4.1) and set the BeSecure WCCP mode to the one appropriate to the WCCP-enabled router or switch in use on the network:
   network wccp device mode { router | switch }
3. Set the IP address of the WCCP-capable router or switch:
   network wccp device set <IP address>
4. If router mode was selected in Step 2, set the IP address of the remote end-point of the GRE tunnel. This is usually the same as the address set in Step 3. If the redirection mode is switch, skip this step.
   network wccp remote set <IP address>
5. Enable WCCP.
   network wccp enable
6. Connect ONE of the INGRESS or EGRESS ports to the network. Only one connection is required.
To configure a second WCCP device:
1. Configure the router or switch that will be used to forward the request to BeSecure via WCCP (vendor specific). This device should be configured with different address settings than the first router or switch.
2. Set the IP address of the second WCCP-capable router or switch:
   network wccp device set <IP address> server 2
3. Set the remote end-point of the second GRE tunnel:
   network wccp remote set <IP address> server 2

To add additional ports:
1. Configure BeSecure for basic WCCP support, shown above.
2. Add support for SMTP (port 25), POP3 (port 110), IMAP (port 143):
   net wccp redirect port add 25,110,143
3. Configure the WCCP-capable router or switch with the appropriate service group numbers. In this case, add service groups 60 (for outgoing traffic) and 160 (for return traffic).
   BeSecure assigns 7 ports to each service group. Service groups start at group number 60 for the client side (which redirects when the destination port matches the port in the list configured in Step 2), and 160 for the server side (which redirects when the source port matches). See Section 4.10.1 for more details.
   Policies MUST exist for a WCCP-configured port; otherwise BeSecure will not accept the WCCP connection request.

To remove any additionally configured ports, use the command
   net wccp redirect port remove <port, port, ...>
To remove the ports added in the above steps,
   net wccp redirect port remove 25,110,143

4.10.1 Service Groups

Service groups are a means through which a WCCP-capable router or switch identifies the port traffic that should be redirected to BeSecure for scanning. Currently, BeSecure systematically assigns each set of seven ports added to successive service group numbers, starting with group numbers 60 and 160. The group numbers are incremented for each additional group of seven ports.
The order of the ports listed under wccp redirect ports in the output of the CLI command
network wccp show
will be the order in which the ports are assigned to the service group numbers. For example, the output of this command may contain:
wccp redirect ports:25,110,143,8080,8787,88,60000,60001
In this case, ports 25, 110, 143, 8080, 8787, 88, and 60000 will be assigned to service group numbers 60 and 160, and 60001 will be assigned to service group numbers 61 and 161. Therefore, any WCCP-enabled router or switch configured to send its traffic on any of these additional ports to BeSecure must specify service group numbers 60, 61, 160, and 161.
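The assignment rule above can be reproduced to derive, from the network wccp show output, the full set of service group numbers a router or switch must be configured with. The following Python is an added example, not part of BeSecure or this manual; the function names, and the limit of 100 groups per side (an assumption made here so that client-side group numbers never reach the server-side base of 160), are this example's own.

```python
# Added example, not BeSecure code: reproduces the service-group assignment
# rule of Section 4.10.1 so an operator can derive the group numbers a WCCP
# router or switch must be configured with from "network wccp show" output.

CLIENT_BASE = 60      # client-side groups: redirect when the destination port matches
SERVER_BASE = 160     # server-side groups: redirect when the source port matches
PORTS_PER_GROUP = 7   # BeSecure assigns seven ports to each service group
# Assumption (not stated in the manual): the client-side numbering must not run
# into the server-side base, so at most 100 groups per side are allowed here.
MAX_GROUPS = SERVER_BASE - CLIENT_BASE


def parse_redirect_ports(show_line):
    """Parse the 'wccp redirect ports:...' line of 'network wccp show' output.

    Returns the ports as ints in the listed order, which is the order in which
    BeSecure assigns them to service groups. Duplicates are dropped because the
    CLI removes them on 'redirect port add'.
    """
    prefix = "wccp redirect ports:"
    if not show_line.startswith(prefix):
        raise ValueError("unexpected line: %r" % show_line)
    ports = []
    for token in show_line[len(prefix):].split(","):
        token = token.strip()
        if not token:
            continue
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        if port not in ports:
            ports.append(port)
    return ports


def service_groups(ports):
    """Map each service group number to the ports it carries.

    Ports are taken seven at a time; chunk i goes to client group 60+i and to
    server group 160+i, so both directions of the same ports share an index.
    """
    groups = {}
    for index, start in enumerate(range(0, len(ports), PORTS_PER_GROUP)):
        if index >= MAX_GROUPS:
            raise ValueError("too many redirect ports for the WCCP service ID space")
        chunk = ports[start:start + PORTS_PER_GROUP]
        groups[CLIENT_BASE + index] = chunk
        groups[SERVER_BASE + index] = chunk
    return groups


def required_group_numbers(ports):
    """All service group numbers the router/switch must be configured with."""
    return sorted(service_groups(ports))


def redirect_statements(ports):
    """The 'ip wccp <group> redirect in' lines of Section 4.10.2, one per group."""
    return ["ip wccp %d redirect in" % g for g in required_group_numbers(ports)]


if __name__ == "__main__":
    # The example output line from Section 4.10.1.
    line = "wccp redirect ports:25,110,143,8080,8787,88,60000,60001"
    ports = parse_redirect_ports(line)
    for group, members in sorted(service_groups(ports).items()):
        print("service group %d: %s" % (group, members))
    print("\n".join(redirect_statements(ports)))
```

Because the groups are derived from the port order, re-ordering the redirect port list (for example by removing and re-adding a port) can move a port into a different group, so the router or switch configuration should be re-checked against this output after any change to the list.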

4.10.2 Configuring the Router or Switch

The BeSecure service groups starting at 60 are configured to match on the destination port of the request. The ones starting at 160 match on the source port of the response. Both of these sets of service groups need to be added to the WCCP-enabled router/switch for full IP transparency capability.
For example, using a Cisco 3550 switch with eth0 attached to the client network and eth1 leading to the internet, the following commands need to be used for both eth0 and eth1 to allow the switch to forward traffic at the appropriate time to BeSecure, which will be acting as a WCCP content engine:
ip wccp 60 redirect in
ip wccp 160 redirect in
Of course, to enable full IP address transparency, the option must be selected on the System > Network page. See Section 3.1.3.

4.10.3 WCCP CLI Commands

Table 4-3 shows the full set of available WCCP CLI commands and their usage, obtained using the CLI command:
network wccp help
Each of the commands is used as follows:
network wccp <command below>
TABLE 4-3: WCCP CLI COMMANDS

show
    Display the current WCCP settings.
enable
    Start the WCCP service. WCCP can only be started if the router and remote IP addresses have been set.
disable
    Stop the WCCP service.
debug enable
    Enable verbose logging of WCCP events to the WCCP log file.
debug disable
    Disable verbose logging of WCCP events to the WCCP log file.
md5 enable password <password>
    Enable md5 authentication for the WCCP service by setting the password.
md5 disable
    Disable md5 authentication for the WCCP service. This also clears the current password.
remote set <address> [ server <number> ]
    Set the IP address to use for the remote end point of the GRE tunnel. This should be the Router ID, which the WCCP device should generate. Perform 'show ip wccp' on the device to find this address. The server number indicates which WCCP server this address corresponds to. The default server number is 1.
device set <address> [ server <number> ]
    Set the IP address of the connected WCCP device interface. The server number indicates which WCCP server this address corresponds to. The default server number is 1.
version set { 1 | 2 }
    Set the WCCP protocol version the WCCP capable router is using. The default version is 2.
virtual set <address> netmask <netmask> [ server <number> ]
    Set the virtual IP address and network mask. The configured defaults only need to be changed if they conflict with your current network settings. The server number indicates which WCCP server this address corresponds to. The default server number is 1.
device mode { router | switch }
    Sets the WCCP V2 redirection method. Default mode is router, which uses GRE tunneling for forwarding and return methods. Mode switch enables L2/MAC redirection, intended for most switches.
forwarding method { gre | mac }
    Sets the WCCP v2 forwarding method, overriding the default setting determined by the selected WCCP mode. Note: only effective when WCCP version 2 is used (the default). Choose between GRE tunneling (gre) and L2/MAC redirection (mac).
return method { gre | mac }
    Sets the WCCP v2 return method. Same rules apply as to the forwarding command.
assignment method { hash | mask }
    Sets the WCCP v2 assignment method, overriding the default setting determined by the selected WCCP mode. Note: only effective when WCCP version 2 is used (default). Choose between hash and mask assignment.
redirect port
    Enables WCCP to redirect TCP ports other than HTTP (default). Port values in lists are separated by commas.
    clear
        Removes all of the redirection ports and disables WCCP V2 redirection to these ports.
    add <number>,..<number>
        Adds new ports to the existing list. Duplicate ports are removed automatically.
    remove <number>,..<number>
        Removes the specified ports from the existing list of ports.
4.11 Health Monitor

The Health Monitor periodically checks many aspects of the device to ensure smooth, uninterrupted scanning of traffic. Should critical issues be encountered with any system component, recovery actions are attempted to rectify the situation.
The Health Monitor manages two types of system health checks: critical and non-critical.

Critical Health Checks

Critical health checks monitor the health of the most important modules and characteristics of the running system. Currently, these include:
- Anti-Virus
- Anti-Spam
- WebFilter
- Protocol Scanner Watchdog
Each of the critical system health checks has the ability to take the device into offline mode. This will occur if the health check experiences a failure with no successful automatic recovery actions. If one of the Health Monitor tests fails for one of the above components, the status indicator (System > Status) for that component will display in red. Automatic recovery actions are attempted several times before the system gives up and remains in offline mode. Notifications are sent via e-mail (if configured on the System > Notification page, Section 3.1.7), and a prominent OFFLINE message will be displayed in the header of the web management console. This is displayed regardless of the interface screen the user is currently on. See Figure 105 for an example. Section 3.6.2 contains more information on the web management console user interface behaviour. See later in this section for CLI commands to show the current Health Monitor status and configure the Health Monitor tests.
Regardless of which critical system check failed, all scanning will cease on the device. Offline mode has different behaviour in different device configurations:
- HA mode: the device will enter a failover condition and send notifications that it is offline, so that one of the HA Stand-By devices can go into Active mode and handle traffic. Scanning will continue to occur, as long as there is a stand-by device to take over.
- Non-HA mode: the device will enter a software bypass mode, with all traffic allowed through the device without any scans occurring.
- WCCP enabled: WCCP is disabled, causing the WCCP router or switch to cease forwarding traffic for scanning. No scanning will occur until the failure condition is rectified and WCCP is re-enabled.
- Alteon load balancing: If in an Alteon load balancing situation and the network icmp block CLI configuration option is set to auto (see the network CLI command), ICMP (ping) will be blocked on both INGRESS and EGRESS.

Offline Recovery
Should a critical failure cause the device to go offline, these steps should be taken immediately to rectify the situation:
1. Identify the failing component by examining the System > Status page or the Diagnostics > Health Monitor screen.
2. On the Diagnostics > Health Monitor page, re-enable the test by selecting the checkbox and clicking Apply Changes.
3. If the test passes, click Go Online. The device will return to normal operation. If the test continues to fail, go on to Step 4.
4. Use the System > Shut Down page to Restart Services.
5. If that fails, System > Shutdown > Reboot should be attempted. Success will be indicated by a green status indicator on the System > Status page for all components, as well as for all the system health checks on the Diagnostics > Health Monitor page.

If the problem cannot be resolved, please contact product support immediately.

Non-critical Health Checks

The non-critical health checks monitor aspects of the system that may impact performance, but failure of these does not require taking the device offline. A failure may indicate that the device is over-utilized, or that the device could be better configured or optimized for its current network environment. Sometimes, a product upgrade (whether firmware or hardware) may be required to bring the system parameters back into a more reasonable range. These system checks are:
- Protocol Scanner Usage
- CPU Usage
- Disk Usage
- Memory Usage
Notification and Logging

As already stated, important Health Monitor notifications can be received using e-mail notification, configured under System > Notification using the appropriate checkbox and e-mail configuration. Details about irregular system health check behaviour are included in the notification e-mail. See Section 3.1.7.
More verbose messages are sent to the system logging mechanism, available when the system logs are sent to any remote syslog host using Syslog Configuration on the System > Logging Setup page. See Section 0.
The Wedge Reporter product is also available to provide this service for one or many BeSecure products simultaneously, as well as providing log file reporting facilities.

The Health Monitor sends out notifications listing the component first, such as Anti-Spam or Anti-Virus, then the applicable message, typically one of the following:
- FAILED, attempting recovery, scanning device is off-line: indicates that a test for a component has failed
- RECOVERY SUCCESSFUL (or FAILED), scanning device is on-line (or off-line): the result of a recovery attempt after a test fails
- on-line action FAILED: cannot bring the specified component back on-line

For CPU Usage, Memory Usage, Disk Usage, and Protocol Scanner Usage notifications, an example failure message is
FAILED, Memory Usage has been greater than 90% for 12m49s.
This indicates that the specified test has failed for the specified number of minutes and seconds. In these cases, the threshold varies per platform, and is selected based on platform CPU, memory and disk size. The failure must exist for a minimum of 5 minutes before any notification is sent, and a notification will only be sent every 2 hours, unless the failure mode has been resolved. At that point, a success notification message will be sent, in the following format:
PASSED, Memory Usage is within normal operating range.
If the memory, disk and proxy thread pool usage thresholds are frequently exceeded, it may indicate that the scanning load on the appliance is too high. Product support personnel can assist with this determination.

Each of the notifications will identify which of the components listed above it relates to. Other messages will be formatted as follows:
[2010-05-13 17:17:57-0600]
BeSecure (3.1.8-394); IP Address: 192.168.100.67
This mail was generated automatically by BeSecure from Wedge Networks.
HealthMonitor notification for test: Protocol-Scanners, RECOVERY SUCCESSFUL

Line 1 shows the time of the event, line 2 shows the BeSecure version number and IP address, and line 4 indicates the component name (in the above case, the protocol scanners), which event occurred (recovery) and the result of the event (successful).
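As an added example, not code from the BeSecure product or this manual, the following Python turns the notification messages described above and the e-mail layout into structured records that a syslog or e-mail consumer can alert on. The component names, message patterns and e-mail line positions are taken from this section; the event kinds, the HealthEvent fields and the parse_message and parse_email names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not BeSecure code: turn the Health Monitor notification text
# of Section 4.11 into structured events, so that e-mail or syslog consumers
# can alert on the off-line transitions and usage thresholds it reports.

# Component names as listed in Section 4.11 (critical vs non-critical checks).
CRITICAL_CHECKS = {"Anti-Virus", "Anti-Spam", "WebFilter", "Protocol Scanner Watchdog"}
USAGE_CHECKS = {"CPU Usage", "Memory Usage", "Disk Usage", "Protocol Scanner Usage"}

_FAILED = re.compile(r"^FAILED, attempting recovery, scanning device is (?P<state>on-line|off-line)\.?$")
_RECOVERY = re.compile(r"^RECOVERY (?P<result>SUCCESSFUL|FAILED)"
                       r"(?:, scanning device is (?P<state>on-line|off-line))?\.?$")
_ONLINE_ACTION = re.compile(r"^on-line action FAILED\b")
_USAGE_FAILED = re.compile(r"^FAILED, (?P<test>.+?) has been greater than (?P<pct>\d+)% "
                           r"for (?P<dur>[0-9hms]+)\.?$")
_USAGE_PASSED = re.compile(r"^PASSED, (?P<test>.+?) is within normal operating range\.?$")
_DURATION = re.compile(r"^(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?$")


@dataclass
class HealthEvent:
    component: str
    kind: str                      # failed, recovery_successful, recovery_failed,
                                   # online_action_failed, usage_failed, usage_passed, unknown
    device_online: Optional[bool]  # None when the message does not say
    critical: bool                 # True for the checks that can take the device offline
    threshold_pct: Optional[int] = None
    duration_s: Optional[int] = None


def parse_duration(text):
    """'12m49s' -> 769 seconds; accepts optional h, m and s parts."""
    m = _DURATION.match(text)
    if not text or not m:
        raise ValueError("bad duration: %r" % text)
    h, mi, s = (int(m.group(k) or 0) for k in ("h", "m", "s"))
    return h * 3600 + mi * 60 + s


def parse_message(component, message):
    """Classify one '<component>, <message>' notification."""
    crit = component in CRITICAL_CHECKS
    message = message.strip()
    m = _USAGE_FAILED.match(message)
    if m:
        return HealthEvent(m.group("test"), "usage_failed", None, crit,
                           int(m.group("pct")), parse_duration(m.group("dur")))
    m = _USAGE_PASSED.match(message)
    if m:
        return HealthEvent(m.group("test"), "usage_passed", None, crit)
    m = _FAILED.match(message)
    if m:
        return HealthEvent(component, "failed", m.group("state") == "on-line", crit)
    m = _RECOVERY.match(message)
    if m:
        state = m.group("state")
        return HealthEvent(component, "recovery_" + m.group("result").lower(),
                           None if state is None else state == "on-line", crit)
    if _ONLINE_ACTION.match(message):
        return HealthEvent(component, "online_action_failed", False, crit)
    return HealthEvent(component, "unknown", None, crit)


def parse_email(body):
    """Parse the e-mail layout of Section 4.11: line 1 is the bracketed timestamp,
    line 2 the version and IP address, and the 'HealthMonitor notification for
    test:' line carries '<component>, <message>'. Returns (timestamp, ip, event)."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    if not lines or not (lines[0].startswith("[") and lines[0].endswith("]")):
        raise ValueError("missing timestamp line")
    timestamp = lines[0][1:-1]
    version_ip = lines[1] if len(lines) > 1 else ""
    ip = version_ip.partition("IP Address:")[2].strip() or None
    prefix = "HealthMonitor notification for test:"
    for line in lines:
        if line.startswith(prefix):
            component, _, message = line[len(prefix):].strip().partition(", ")
            return timestamp, ip, parse_message(component, message)
    raise ValueError("no HealthMonitor notification line in body")


# The example e-mail from Section 4.11.
SAMPLE_EMAIL = """[2010-05-13 17:17:57-0600]
BeSecure (3.1.8-394); IP Address: 192.168.100.67
This mail was generated automatically by BeSecure from Wedge Networks.
HealthMonitor notification for test: Protocol-Scanners, RECOVERY SUCCESSFUL
"""

if __name__ == "__main__":
    print(parse_email(SAMPLE_EMAIL))
    print(parse_message("Memory Usage", "FAILED, Memory Usage has been greater than 90% for 12m49s."))
```

A consumer that pages on every e-mail will, for a usage check, receive at most one message every 2 hours per the throttling described above, so the duration_s field is the better indicator of how long the condition has persisted; the critical flag separates the events that mean scanning has stopped from the non-critical usage warnings.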

Health Monitor CLI Commands

The following commands can be used to show the current status of, and change the configuration of, the Health Monitor using the CLI.
Each of the commands is used as follows:
healthmonitor <command below>

TABLE 4-4: HEALTH MONITOR CLI COMMANDS

show
    Display the current Health Monitor status.
enable { <test-name> | all }
    Enable the specified test, or all the tests. The available test names can be obtained from the show command output.
disable { <test-name> | all }
    Disable the specified test, or all the tests. The available test names can be obtained from the show command output.
system offline
    Force the scanning engines OFFLINE.
system online
    Force the scanning engines online. This can be used in recovery operations.
4.12 Problem Report and Traffic Capture Using the CLI

In addition to the Diagnostics > Problem Report and Traffic Capture pages (Sections 3.6.3 and 3.6.4) available through the web-based management console, the BeSecure command line interface (CLI) includes commands to generate the same files, which can be used to facilitate the troubleshooting and diagnosis of problems that may be experienced during the regular operation of BeSecure. The files generated using these commands should be submitted to Wedge Networks or a qualified reseller.
NOTE: To access the generated files, an SSH server must be running on a remote device.

Generating the Files

To generate a traffic capture using the CLI:
1. Log in to the CLI. See Section 4.1.
2. Enter the following command at the prompt:
   generate traffic-capture
   To limit the data captured, use the port and/or host parameter of the command, specifying a port number or remote host IP address, such as:
   generate traffic-capture port <number>
   or
   generate traffic-capture host <IP address>
   The following will be displayed:
   Traffic capture started.
   Hit the enter key to stop the capture.
3. At this time, the actions that cause the problematic behaviour should be taken. For example, accessing a web page with a client, triggering the scanning of HTTP traffic.
4. When complete, press the Enter key at the BeSecure CLI. A message such as the following will be displayed:
   Traffic capture created.
   '/files/20081105162214.Capture.tar.gz'
5. Move the generated file to the remote SSH server:
   scp /files/Capture200807082534.tar.gz \
   <username>@<sshserver>:/<remotedirectory>
6. Send the file to Wedge Networks or a qualified reseller for analysis.

To generate a problem report using the CLI:
1. Log in to the CLI. See Section 4.1.
2. Enter the following command at the prompt:
   gen problem-report
   A message such as the following will be displayed:
   Problem report created.
   '/files/20080708172649.problemReport_<hostname>_state.tar.bz'
3. Move the generated file to the remote SSH server:
   scp /files/20080708172649.problemReport_<hostname>_state.tar.bz \
   <username>@<sshserver>:/<remotedirectory>
4. Send the file to Wedge Networks or a qualified reseller for analysis.
Installing an SSH Server in Windows XP

The Cygwin shell (a Linux-like environment for Windows) includes sshd, an SSH server that can be used to retrieve the traffic capture and problem report files from BeSecure.
Install cygwin:
1. Download http://www.cygwin.com/setup.exe.
2. Run setup.exe.
3. Click Next >.
4. Select Install from Internet. Click Next >.
5. Select a different installation directory, or leave the default and click Next >.
6. Select a different local package directory, or leave the default and click Next >.
7. Select your Internet Connection. If you don't know which type of connection you have, just click Next >.
8. Select a download site. Typically, the closer the site to your location, the faster the download and installation will be.
9. Select Packages for installation. For our purposes, just ensure that the Bin? box is selected for the All > Net > openssh package. Click Next >.

Set up sshd and the Windows ssh service:
1. Start the Cygwin Bash Shell using the shortcut placed on the desktop or in the Start menu.
2. Enter the following command:
   ssh-host-config
3. If asked, enter yes to overwrite the existing /etc/ssh_config file.
4. Answer yes to Should privilege separation be used?
5. Answer yes to create a local user 'sshd' on this machine.
6. Answer yes to install sshd as a service.
7. Use CYGWIN=ntsec tty as the environment variable when prompted.
8. Ensure SSH Protocol 1 is disabled by editing the configuration file:
   vi /etc/defaults/etc/sshd_config
   Under the section stating Disable legacy (protocol version 1) support, make sure that the line reads Protocol 2 and is not commented out with #.
9. Start the sshd service:
   net start sshd
   You should see:
   The CYGWIN sshd service is starting.
   The CYGWIN sshd service was started successfully.

You may now use your Windows XP client as the SSH server mentioned in the previous section, Generating the Files. Replace <username>@<sshserver> with <Your Windows User>@<IP address of your Windows machine>. When prompted for the password when using the scp command, use your Windows account password.
4.13 RAID
Certain models are equipped with dual hard disk/solid state drive slots, which are configured in a RAID
(Redundant Array of Inexpensive Disks). RAID enhances data safety and reliability through redundancy.
If a drive fails, the system will remain operational because the same data exists on the mirror drive. In
this situation, the failed drive should immediately be replaced by a new drive with the same technical
specifications. If the device operates in single drive mode, and that drive fails, the system will fail to
operate. Please contact Wedge Product Support for assistance in this situation.
The status of the RAID devices is displayed on the System > Status page (Section 3.1.1), as shown in Figure
112. Also, notification emails (Section 3.1.7) can be configured to be sent upon state changes of the RAID.

FIGURE 112: RAID STATUS ON STATUS PAGE

4.13.1 RAID CLI Commands

1. RAID Status

To view the status of the RAID on the CLI:
1. Log in to the CLI. See Section 4.1.
2. Enter the following command at the prompt:
   raid show
   If RAID is configured and operational on the system, the following will be displayed:
   HDD-1 online
   HDD-2 online
   NOTE: If either device has failed, the status will display offline instead of online.
   If a drive is rebuilding, the status will display:
   updating XX%
   Here, XX represents the update completion percentage.

2. RAID Recover

If a hard disk drive fails during normal operation of the system, there will be no degradation in service or performance. The mirror drive will continue working as a single drive. To recover the RAID, obtain a new hard disk drive according to the specifications given to you by Wedge Product Support.
To recover the RAID:
1. Identify which hard disk drive has failed. This can be found on the System > Status page (Section 3.1.1) or indicated by an email notification (Section 3.1.7).
2. Shut down the system. See Section 2.8 or 4.1.2.
3. Remove the failed drive.
4. If the failed drive is installed in HDD-1, move the functioning drive from HDD-2 into HDD-1. If the failed drive is installed in HDD-2, leave the functioning drive in HDD-1.
5. Insert the new drive into HDD-2.
6. Power on the system.
7. Log in to the CLI. See Section 4.1.1.
8. Enter the following command at the prompt:
   raid recover
   If RAID is configured and operational on the system, the following will be displayed:
   RAID Recovery started on HDD-2. This may take some time.
   To check the status of the recovery, hover over the HDD-2 status icon on the System > Status page to display the rebuilding progress of the drive. Also, you can use the RAID CLI status command to display the updating status.
9. Once the command finishes, the following message will be displayed:
   RAID device successfully recovered.
   Check the System > Status page to ensure that the statuses of both drives are online.

NOTE: A functioning drive should always be inserted in HDD-1 as the system can only boot from HDD-1. HDD-2 acts as a secondary drive used only for mirroring the data on HDD-1.
5 APPENDIX A: SNMP WECAN-MIB MODULE

The WECAN-MIB module contains enterprise-specific object identifiers (OIDs) that allow access to runtime statistics and status of the device. Figure 113 shows the WECAN-MIB tree.

FIGURE 113: WECAN-MIB MODULE TREE

Briefly, the main branches of the tree cover the following:
- wecanSystem: Process, system, and scanner information
- wecanCpu: CPU load statistics
- wecanDisk: Disk usage statistics
- wecanMemory: System memory statistics
- wecanNetwork: Network device information, such as bridgeStatus
- antiVirus: Anti-Virus service data and statistics
- antiSpam: Anti-Spam service data and statistics
- wecanNotifications: Notifications and traps
- wecanNotificationObjects: Data objects encapsulated by notifications and traps

The current version of the detailed MIB structure can be obtained on the General tab of the System > SNMP page of the management console, by clicking the MIB Definitions link. To use the WECAN-MIB with SNMP management software, this WECAN-MIB.txt file will need to be imported into the software's collection of SNMP MIB definition files.

6 APPENDIX B: SYSTEM LOG ENTRIES

With the addition of the Wedge Reporter to a BeSecure deployment, direct access to BeSecure system log entries is available. The main logging mechanism of BeSecure can be configured as shown in Section 0.
The following information is logged:
- Application scanning events and resulting actions
- System and process status changes
- Configuration changes

6.1 Logging Format

When set to store log information locally, the BeSecure log is saved to
/usr/local/guardian/log/besecure.log
The standard BeSecure logging format is as follows:
timestamp hostname BeSecure event data
- timestamp: the date and time of the event, according to the system clock
- hostname: the host name assigned to BeSecure on the System > Settings console page
- event: the BeSecure event that generated this log message
- data: the event-specific message fields
The possible events and their associated data fields are as follows:

1. APPSCAN: Event generated by an application scanning operation. Data fields for this event are:

   protocol
       Description: Protocol scanner that generated this event
       Possible values: HTTP, POP3, SMTP, IMAP, FTP, UNDEFINED
       Applicable to policies: All
   user ID
       Description: An ID from a directory service mapped to the requesting client's IP address
       Possible values: Empty if there is no matching user ID for the IP address
       Applicable to policies: All
   source IP address
       Description: IP address of the requesting client
       Applicable to policies: All
   destination IP address
       Description: IP address of the requested host
       Applicable to policies: All
   destination info
       Description: The requested URL, or email recipients
       Applicable to policies: HTTP, Mail
   source info
       Description: Email from address
       Applicable to policies: Mail

2. APPACTION: Action taken by a BeSecure scanning event. Data fields for this event are:

   protocol
       Description: Protocol scanner that generated this event
       Possible values: HTTP, POP3, SMTP, IMAP, FTP, UNDEFINED
       Applicable to policies: All
   user ID
       Description: An ID from a directory service mapped to the requesting client's IP address
       Possible values: Empty if there is no matching user ID for the IP address
       Applicable to policies: All
   source IP address
       Description: IP address of the requesting client
       Applicable to policies: All
   destination IP address
       Description: IP address of the requested host
       Applicable to policies: All
   action
       Description: Action taken on event
       Possible values: DETECTED, BLOCKED
       Applicable to policies: All
   reason
       Possible values: VIRUS, SPAM, KEYWORD, URL, WEBFILTER, OVERSIZE
       Applicable to policies: All
   content type
       Description: The content type of the data
       Possible values: Any MIME type
       Applicable to policies: HTTP
   destination info
       Description: The requested URL, POP account name, or email recipients
       Applicable to policies: All
   source info
       Description: Email from address
       Applicable to policies: HTTP, Mail
   subject
       Description: Subject line from the email
       Applicable to policies: Mail
   detail
       Description: Policy-specific data
       Possible values: Virus name, keyword/URL matched, spam score, WebFilter category etc.
       Applicable to policies: All

3. APPEVENT: Event generated by a BeSecure application's normal operation, such as system and process status
4. APPERROR: Error caused by a BeSecure application level exception
5. APPCHANGE: Configuration changes done through the web console or the CLI

These last three event types have the same fields:

   log level
       Description: Message log level as listed on System > Logging Setup
       Possible values: DEBUG, DETAIL, INFO, WARN, ERROR, FATAL
       Applicable to policies: All
   Message
       Description: Description of the event or error
       Applicable to policies: All
Example of log messages for a BLOCKED URL:

Dec 20 14:15:26 warsaw BeSecure APPSCAN HTTP "" 192.168.0.133 74.125.19.104 "www.google.ca/" ""
Dec 20 14:27:27 warsaw BeSecure APPACTION HTTP "" 192.168.0.133 64.236.16.20 BLOCKED URL "" "www.cnn.com/" "" "" "www.cnn.com/"

Example of log message for a blocked virus:

Dec 20 14:28:46 warsaw BeSecure APPACTION HTTP 192.168.0.133 203.70.84.28 BLOCKED VIRUS "" "dl2.vx.netlux.org/dl/vir/Virus.ASP.Silly.a.zip" "" "" "Virus.ASP.Silly.a"

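As an added example, not code from BeSecure or the Wedge Reporter, the following Python parses lines in the format of Section 6.1 into the fields of the tables above and summarizes BLOCKED actions per client IP and reason; it also tolerates the blocked-virus example above, in which the user ID field is absent from the line. The function names, the field keys and the summary are this example's own; the sample lines are the three examples from this appendix.

```python
import shlex
from collections import Counter

# Added example, not BeSecure code: a parser for the besecure.log format of
# Appendix B ("timestamp hostname BeSecure event data"), with the data fields
# mapped per event type, plus a small summary of BLOCKED actions per client.

# Field order per event type, taken from the tables in Section 6.1.
FIELDS = {
    "APPSCAN": ["protocol", "user_id", "source_ip", "destination_ip",
                "destination_info", "source_info"],
    "APPACTION": ["protocol", "user_id", "source_ip", "destination_ip", "action",
                  "reason", "content_type", "destination_info", "source_info",
                  "subject", "detail"],
    "APPEVENT": ["log_level", "message"],
    "APPERROR": ["log_level", "message"],
    "APPCHANGE": ["log_level", "message"],
}


def _is_ipv4(token):
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on anything malformed."""
    # syslog-style prefix: "Mon DD HH:MM:SS hostname BeSecure EVENT data..."
    parts = line.strip().split(None, 6)
    if len(parts) < 6 or parts[4] != "BeSecure":
        raise ValueError("not a BeSecure log line: %r" % line)
    timestamp = " ".join(parts[:3])   # the syslog timestamp carries no year
    host, event = parts[3], parts[5]
    data = parts[6] if len(parts) > 6 else ""
    if event not in FIELDS:
        raise ValueError("unknown event %r" % event)
    names = FIELDS[event]
    if names == ["log_level", "message"]:
        # free-text message: split only the log level off the front
        level, _, message = data.partition(" ")
        values = [level, message]
    else:
        # quoted fields ("") become empty strings; posix shlex keeps them
        values = shlex.split(data, posix=True)
        # Tolerate the appendix's blocked-virus example, where the user ID
        # field is absent and the source IP sits in its place.
        if len(values) == len(names) - 1 and _is_ipv4(values[1]):
            values.insert(1, "")
        if len(values) != len(names):
            raise ValueError("expected %d fields for %s, got %d"
                             % (len(names), event, len(values)))
    record = {"timestamp": timestamp, "host": host, "event": event}
    record.update(zip(names, values))
    return record


def blocked_summary(lines):
    """Count BLOCKED actions by (client IP, reason); lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            continue
        if rec["event"] == "APPACTION" and rec["action"] == "BLOCKED":
            counts[(rec["source_ip"], rec["reason"])] += 1
    return counts


# The three example lines from Appendix B (wrapped lines rejoined).
SAMPLE_LOG = [
    'Dec 20 14:15:26 warsaw BeSecure APPSCAN HTTP "" 192.168.0.133 74.125.19.104 "www.google.ca/" ""',
    'Dec 20 14:27:27 warsaw BeSecure APPACTION HTTP "" 192.168.0.133 64.236.16.20 BLOCKED URL "" '
    '"www.cnn.com/" "" "" "www.cnn.com/"',
    'Dec 20 14:28:46 warsaw BeSecure APPACTION HTTP 192.168.0.133 203.70.84.28 BLOCKED VIRUS "" '
    '"dl2.vx.netlux.org/dl/vir/Virus.ASP.Silly.a.zip" "" "" "Virus.ASP.Silly.a"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(blocked_summary(SAMPLE_LOG))
```

The strict field count is deliberate: a line with an unexpected number of fields is rejected rather than mapped to the wrong columns, which is what would otherwise happen silently when a value such as a URL or subject contains spaces and the quoting is lost upstream.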
7 APPENDIX C: OPEN PORTS

The following are the open ports for each of the BeSecure network interfaces.
In addition to those ports listed below, any additional protocol ports to scan added using the System > Port Setup page (see Section 3.1.5) will also appear as open. The HA broadcast and sync ports are configurable as well.

Port   EGRESS   INGRESS   CONTROL   Purpose
21     x        x                   Default FTP traffic scanning
22     x        x         x         SSH access to CLI
23     x        x                   Default TCP Stream scanning**
25     x        x                   Default SMTP traffic scanning
80     x        x                   Default HTTP traffic scanning
110    x        x                   Default POP traffic scanning
143    x        x                   Default IMAP traffic scanning
443    x        x         x         HTTPS access to web console
2121   x        x                   FTP scanner*
8180   x        x                   HTTP scanner*
9012                                Default HA sync port
9013                                Default HA broadcast port
9025   x        x                   SMTP scanner*
9110   x        x                   POP scanner*
9143   x        x                   IMAP scanner*

INGRESS: not enabled in router mode
Black: active when control network enabled/disabled
Blue: active only when control network disabled
Red: active only when control network enabled
*open, but not accessible (connection attempts will be terminated)
**only if TCP Stream is licensed

8 APPENDIX D: SMTP REPLY CODES

The following are the existing numeric SMTP reply codes available in the 2xx, 4xx, and 5xx ranges listed by RFC 821. Source: http://www.faqs.org/rfcs/rfc821.html.

Code   Description
211    System status, or system help reply
214    Help message [Information on how to use the receiver or the meaning of a particular non-standard command; this reply is useful only to the human user]
220    <domain> Service ready
221    <domain> Service closing transmission channel
250    Requested mail action okay, completed
251    User not local; will forward to <forward-path>
421    <domain> Service not available, closing transmission channel [This may be a reply to any command if the service knows it must shut down]
450    Requested mail action not taken: mailbox unavailable [E.g., mailbox busy]
451    Requested action aborted: local error in processing
452    Requested action not taken: insufficient system storage
500    Syntax error, command unrecognized [This may include errors such as command line too long]
501    Syntax error in parameters or arguments
502    Command not implemented
503    Bad sequence of commands
504    Command parameter not implemented
550    Requested action not taken: mailbox unavailable [E.g., mailbox not found, no access]
551    User not local; please try <forward-path>
552    Requested mail action aborted: exceeded storage allocation
553    Requested action not taken: mailbox name not allowed [E.g., mailbox syntax incorrect]
554    Transaction failed

9 APPENDIX E: ACTIVE DIRECTORY INTEGRATION


This device scans all the traffic on the network, but it is only aware of IP addresses, and knows nothing
about the users that are using the network, or the groups they belong to. If all users are authenticating
through a Domain Controller with Active Directory, then the BeSecure can learn which IP addresses are
associated with different users.
This device works in concert with the Domain Controller and Active Directory to obtain a mapping of user
names to IP addresses. It queries the Active Directory for user name to IP address mappings. Active
Directory does not normally store this mapping, which is why the logon and logoff scripts are necessary.
The logon and logoff scripts are installed on the Domain Controller, but are executed on the user's
workstation when the user logs on or logs off. The logon and logoff scripts modify the url field of the
user's Active Directory entry. The logon script writes the IP address of the user's workstation to the url
field and the logoff script clears the url field.
The device queries the Active Directory for the user name, the url field, and the groups the user belongs
to.
There are several steps required to integrate Active Directory with BeSecure. After performing these
steps, the BeSecure can be configured to use user and group names to set up scanning policies:
1. Obtain, modify, and test the logon and logoff scripts for your organization.
2. Install the logon and logoff scripts to your Domain Controller.
3. Enable TLS.
4. Add an Administrator user for this device to the Active Directory server.
5. Configure this device with the following items:
   a. The name or IP of the Active Directory (AD) server
   b. An AD account that has permission to query the AD server
   c. The organizational unit (OU) that contains all the users
   d. The items within the schema that contain the user name and IP address
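The mapping described above, as an added example that is not code from this manual or from Wedge Networks: the function below takes user entries of the shape the scripts produce (user name, a url field holding the workstation IP written by the logon script, and group membership) and builds the IP-to-user/group table that user- and group-based policies need, skipping users whose url is empty (logged off) or not an IP address. The attribute names sAMAccountName, url and memberOf and the sample entries are assumptions.

```python
"""Build an IP -> user/groups mapping from Active Directory user entries.

Added example, not the manual's or the vendor's code.  The logon script
writes the workstation IP into the user's ``url`` attribute and the
logoff script clears it; the device reads the user name, ``url`` and
group membership.  Attribute names are assumptions.
"""
import ipaddress
import re

# Constructed sample entries, shaped like the AD attributes the page describes.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "url": ["10.1.2.31"],
     "memberOf": ["CN=Finance,OU=Calgary,DC=bstest,DC=com",
                  "CN=Domain Users,CN=Users,DC=bstest,DC=com"]},
    {"sAMAccountName": "bob", "url": [],                     # logged off: url cleared
     "memberOf": ["CN=Engineering,OU=Calgary,DC=bstest,DC=com"]},
    {"sAMAccountName": "carol", "url": ["http://intranet"],  # not an IP: ignore
     "memberOf": ["CN=Engineering,OU=Calgary,DC=bstest,DC=com"]},
    {"sAMAccountName": "dave", "url": ["10.1.2.31"],         # same IP as alice (stale entry)
     "memberOf": ["CN=Engineering,OU=Calgary,DC=bstest,DC=com"]},
]

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def group_names(member_of):
    """Reduce memberOf distinguished names to plain group names (the leading CN)."""
    names = []
    for dn in member_of:
        m = _CN_RE.match(dn)
        if m:
            names.append(m.group(1))
    return names


def build_ip_map(entries):
    """Return ({ip: {"user": ..., "groups": [...]}}, conflicts).

    Entries with an empty url (user logged off) or a url that is not a
    valid IP address are skipped.  If two users claim the same IP, the
    first is kept and the pair is reported in ``conflicts`` so the
    administrator can check which logoff script did not run.
    """
    mapping = {}
    conflicts = []
    for entry in entries:
        user = entry.get("sAMAccountName")
        urls = entry.get("url") or []
        if not user or not urls:
            continue
        for value in urls:
            try:
                ip = str(ipaddress.ip_address(value.strip()))
            except ValueError:
                continue  # not written by the logon script; ignore
            if ip in mapping and mapping[ip]["user"] != user:
                conflicts.append((ip, mapping[ip]["user"], user))
                continue
            mapping[ip] = {"user": user,
                           "groups": group_names(entry.get("memberOf", []))}
    return mapping, conflicts


def policy_matches(mapping, ip, user=None, group=None):
    """True if traffic from ``ip`` belongs to ``user`` or to a member of ``group``."""
    rec = mapping.get(ip)
    if rec is None:
        return False
    if user is not None and rec["user"] == user:
        return True
    return group is not None and group in rec["groups"]


if __name__ == "__main__":
    table, clashes = build_ip_map(SAMPLE_ENTRIES)
    print(table)
    print("conflicts:", clashes)
```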

9.1 The Logon and Logoff Scripts


The purpose of the logon and logoff scripts is to write IP address information into a user's Active Directory
entry when that user logs on or logs off a workstation. In this section, you will obtain the scripts, modify
them to work with users on your domain, and test them.

9.1.1 Obtain the Scripts

The scripts logon.vbs and logoff.vbs are available from your device reseller or from Customer Support
(see contact information at the end of this document), who can provide you with the scripts via email or
direct you to a web address to download them from.

9.1.2 Modify the Scripts

The logon.vbs and logoff.vbs scripts need to be modified in the following ways:
1. The name of the Domain Controller (DC) must be changed from dc=bstest,dc=com to your DC
   value.
2. The organizational unit (OU) must be changed from OU=Calgary to your OU value.

To edit the scripts, do the following for each of logon.vbs and logoff.vbs:
1. Open the file in a text editor, such as Notepad.
2. On line 17, where it currently has
   LDAP://dc=bstest,dc=com
   change the dc values to the current domain name.
3. On both lines 74 and 87, where it currently has
   OU=Calgary,DC=bstest,DC=com
   change the OU value and the DC value. Note that in this step, this change is on two lines in each
   file, 74 and 87.

9.1.3 Test the Scripts

The logon and logoff scripts should be tested before installing them, as follows:
1. Copy logon.vbs and logoff.vbs to a workstation with a domain user logged in using domain
   credentials.
2. Using Windows Explorer, navigate to the folder containing logon.vbs on the workstation, and
   double-click to run the script.
3. Check the Active Directory entry for that user. The url field should be filled in with the IP address
   of the workstation.
4. Run logoff.vbs on the workstation.
5. Verify that the IP address is removed from the Active Directory entry.

9.2 Installing the Scripts using Group Policy Object (GPO)


The scripts need to be installed on the Domain Controller.
1. Move the scripts to the Domain Controller.
2. On the Domain Controller, open Windows Explorer and navigate to the folder containing the
   scripts.
3. Right-click and Copy the logon.vbs script.
4. Logon and logoff scripts run with the credentials of the user. It is recommended that the Domain
   Users group be given permission to any resources used by either of these scripts.
5. You do NOT assign the GPO to a user or users, but to an Organizational Unit (OU), to an Active
   Directory Site, or to the entire Active Directory Domain. So, you must now decide if you want the
   script to apply to ALL THE DOMAIN USERS, or just to a specific set of users located within one or
   more OUs (Organizational Units) in Active Directory Users and Computers. If you choose to apply it to
   all the users in the domain, you must create a Group Policy Object (or GPO) and link it to the
   ENTIRE domain. If you choose to apply the script ONLY to a SPECIFIC SET of users, you must place
   all the users in one OU (Organizational Unit) in Active Directory Users and Computers, and link the
   GPO to that OU.
6. In order to assign the GPO and edit it, we'll use a tool called the Group Policy Management
   Console, or GPMC for short. See if the Administrative Tools folder has a tool called Group Policy
   Management Console. If it does, skip to Step 8.
7. If the GPMC is not installed, you will need to install it. It is not installed by default in Windows
   Server 2003 or 2008.
   a. Windows Server 2003: You must download and install it.
   b. Windows Server 2008: GPMC is already a part of the operating system installation; you
      simply need to add it. If the Windows Server 2008 server is also a Domain Controller,
      GPMC will be automatically installed as part of the DCPROMO procedure.
   For more details, see the System requirements and installation steps section at
   http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx
8. Open Group Policy Management from the Administrative Tools folder. Alternatively, select Start >
   Run to open the Run window, then type
   gpmc.msc
   and press Enter.

9. Select where to link the GPO:
   a. If, as described in the above paragraph, you decided to apply the script to ALL THE
      DOMAIN USERS, expand the domain tree and locate the domain name. Right-click the
      domain name and select Create a GPO in this domain, and Link it here.
   b. If, as described in the above paragraph, you decided to apply the script to ONLY a
      SPECIFIC SET of users, expand the domain tree and locate the OU where the users are
      located. Right-click the OU and select Create a GPO in this domain, and Link it here.
   Note: It is possible that a GPO already exists and is linked to the object level you need. In that
   case, you don't need to create a new GPO; you can use the existing one.
10. In the New GPO window, give the new GPO a descriptive name, such as "Logon Script GPO". Click
    OK.
11. If you don't see it already, refresh the GPMC view and find the new GPO you've just created
    under either the domain name or the OU, depending on your previous choice.
12. When you click on the new GPO you might be prompted with a message window. Click OK.
13. Right-click the new GPO and select Edit.
14. In the Group Policy Management Editor window, expand User Configuration > Windows Settings
    in the left column, and select Scripts.

15. Right-click Logon in the right-hand pane, and select Properties.
16. In the Logon Properties window, click Show Files.
17. The Logon window will open. The path will be a folder similar to the following:
    \\bstest.com\SysVol\bstest.com\Policies\{070ACF10-4233-4B8C-9CC4-925A010197DA}\User\Scripts\Logon
    Right-click and Paste the logon script you copied in the previous part of this instruction.
    You should now see your script in the folder.
18. Close the Logon window.
19. Back in the Logon Properties window, click Add.
20. In the Add a Script window, click Browse and you will see the script that you just added. DO NOT
    manually browse for the file, as it should be clearly visible after clicking the Add button. If it's not
    there, check that you have properly completed the previous steps.
21. Select the script and click Open.
22. Click OK.
23. Back in the Logon Properties window, verify that the logon script is listed.

24. Click OK to apply the changes and close the Logon Properties window.
25. Close the Group Policy Management Editor window.
26. Click the Refresh button in the Group Policy Management window.
27. Close the Group Policy Management window.
28. You must repeat the above steps to create another GPO for logoff.vbs.
29. Once both GPOs are created, open the Windows Command Prompt by either:
    a. Clicking Start, then Command Prompt.
    b. Clicking Start and typing cmd in the search area.
30. Type:
    gpupdate /force
    This will force the policy to take effect immediately.

9.3 Enable TLS


TLS is required by the Active Directory server. These steps show how to enable it.
1. On the Domain Controller, select Server Manager from Administrative Tools.
2. In the left column, right-click on Roles and select Add Roles. This will start the Add Roles
   Wizard.
3. Read the Before You Begin screen, and ensure that you meet all the prerequisites. Click Next.
4. On the Select Server Roles screen, select Active Directory Certificate Services and click Next.
5. Read the Introduction to Active Directory Certificate Services, especially Things to Note (stating
   that changing the computer name, joining a domain, etc. should be done BEFORE this certificate
   process) and click Next.
6. At Select Role Services, select both Certification Authority and Certification Authority Web
   Enrollment. Click Next.

7. At Specify Setup Type, select Enterprise and click Next.
8. At Specify CA Type, select Root CA and click Next.
9. At Set Up Private Key, select Create a new private key, and click Next.
10. At Configure Cryptography for CA, select RSA#Microsoft Software Key Storage Provider with a
    key character length of 2048. Select sha1 as the hash algorithm. Click Next.
11. At Configure CA Name, enter a Common Name for this CA, and the appropriate Distinguished
    name suffix for your domain. Click Next.
12. At Set Validity Period, choose 5 years. Click Next.
13. At Configure Certificate Database, choose appropriate locations for the Certificate database
    location and Certificate database log location, or leave the default values. Click Next.
14. At Confirm Installation Selections, review the information. You should see a page similar to the
    following screenshot. If everything is satisfactory, click Next.
15. At this point, installation will occur. When complete, you should see the following screen
    indicating success.
16. Click Close.
17. Right-click on Revoked Certificates under your new CA name, and select All Tasks > Publish.
18. Click on Issued Certificates. You should see the details of your newly issued certificate.

9.4 Add an Active Directory User for the Device


The device requires a user with permission to access the user and group names and the IP address
information that the installed scripts are responsible for updating.
It is recommended that a new user be created with Administrator permissions on the AD server.
To add a user with Administrator permissions on the Active Directory Server:
1. From the Start menu on the AD Server, select Administrative Tools > Active Directory Users and
   Computers.
2. Create a new user by right-clicking on Users in the left pane, then selecting New > User.
3. Select a User logon name. For simplicity, you can make the First name the same. Click Next.

4. Enter a Password and Confirm password. Unselect User must change password at next logon.
   Select User cannot change password, and Password never expires. Click Next.
5. Review the information at the summary screen and click Finish.
6. The new user should now be in the list. Right-click on the new user, and select Properties.
7. Choose the Member Of tab, and click Add.
8. Type administrators into the Enter the object names to select field, and click Check Names.
   Administrators should be found, and underlined.
9. Click OK.

9.5 Configure the Device


This device needs to be configured with the location of the Active Directory user data to enable scanning
for user and group name-based policies.
To configure Active Directory support on the device:
1. Log in to the management interface using a web browser and navigate to the System > AD/LDAP
   page.
2. Select Enable Service.
3. Select Active Directory from the Server Type list.
4. Enter the details of the Active Directory server:
   Server Name/IP Address: The hostname or IP address of your AD server.
   Server Port: 389
   Server Timeout: 5000
   Login User or DN: The Active Directory user created in the previous section, with permission to
   query AD, in the format admin@bstest.com or as a valid distinguished name (e.g.
   cn=admin,ou=Calgary,dc=bstest,dc=com).
   Login Password: The password of the AD user created in the previous section.
   Search DN: The distinguished name of the OU where the logon/logoff scripts were set up, as in
   Section 9.1.2. For example, ou=Calgary,dc=bstest,dc=com.
   The User Object and Group Object fields will be auto-populated with the values applicable to
   Active Directory. These cannot be edited.
5. Click Test Settings (No Save) to validate the configuration.
6. If correct, click Save for these settings to become active on the scanning device.


10 APPENDIX F: LDAP SERVER INTEGRATION


This device scans all the traffic on the network, but it is only aware of IP addresses, and knows nothing
about the users that are using the network, or the groups they belong to. If all users are authenticating
through an LDAP server, then the device can learn which IP addresses are associated with different users.
This device can operate with Apple Open Directory, OpenLDAP, FreeIPA, and many other LDAP servers.
Some scripts must be installed on every user workstation. These are run when a user logs on or off. The
scripts will report the IP address and user name information to this device, which will then use the
information to report activity or enforce policies based on the user and group names that are configured
in the LDAP server.
There are several steps required to integrate LDAP with this device. After performing these steps, user
and group names can be used to set up scanning policies:
1. Obtain, modify and test the logon and logoff scripts for your organization.
2. Install the logon and logoff scripts on each workstation in your network.
3. Configure this device with the following items:
   a. The name or IP address of the LDAP server.
   b. The base schema search DN.

10.1 The Logon and Logoff scripts


The purpose of the logon.sh and logoff.sh scripts is to tell this device what IP address is associated with a
particular user. In this section, you will obtain the scripts, modify them to work with this device and LDAP
server, and test them.

10.1.1 Obtain the Scripts


The scripts logon.sh and logoff.sh are available from your device reseller or from Customer
Support (see contact information at the end of this document), who can provide you with the scripts via
email or direct you to a web address to download them from.

10.1.2 Modify the Scripts


The logon.sh and logoff.sh scripts need to be modified in the following ways:
1. The name or IP address of the LDAP server must be provided.
2. The name or IP address of this device must be provided.
3. The base search DN must be provided.

To edit the scripts, do the following for each of logon.sh and logoff.sh:
1. Open the file in a text editor.
2. On the line that starts with
   LDAP_SERVER_ADDRESS=
   put the name or IP address of your LDAP server after the '='. Do not put any spaces between the
   '=' and the name or IP.
3. On the line that starts with
   BESECURE_ADDRESS=
   put the name or IP address of your device after the '='.
4. On the line that starts with
   BASE_SEARCH_DN=
   put the base search DN after the '='. Enclose the base search DN in double quotes. Do not put
   any spaces between the '=' sign and the first '"' character.
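An added check, not part of this manual or of the scripts Wedge Networks supplies, that applies the editing rules above to a copy of logon.sh or logoff.sh before the script is tested: each of the three variables must be assigned with no space after '=', and BASE_SEARCH_DN must be enclosed in double quotes with no space before the opening quote. The sample script contents are constructed.

```python
"""Check the three edits the page requires in logon.sh / logoff.sh.

Added example, not the manual's or the vendor's code.  Rules from the
page: LDAP_SERVER_ADDRESS= and BESECURE_ADDRESS= take a name or IP with
no space after '='; BASE_SEARCH_DN= takes a double-quoted DN with no
space between '=' and the opening quote.
"""
import re

# A hostname or IPv4 literal: no spaces, no quotes.
_HOST = r"[A-Za-z0-9][A-Za-z0-9.\-]*"
# Each rule is anchored to the whole line so stray spaces are rejected.
_RULES = {
    "LDAP_SERVER_ADDRESS": re.compile(rf"^LDAP_SERVER_ADDRESS=({_HOST})$"),
    "BESECURE_ADDRESS": re.compile(rf"^BESECURE_ADDRESS=({_HOST})$"),
    "BASE_SEARCH_DN": re.compile(
        r'^BASE_SEARCH_DN="((?:[A-Za-z]+=[^,"]+)(?:,[A-Za-z]+=[^,"]+)*)"$'),
}


def check_script(text):
    """Return (values, problems) for the text of an edited script.

    ``values`` maps each variable to the value found; ``problems`` lists
    findings in file order (spaces around '=', empty value, unquoted DN,
    malformed value, or a variable line missing altogether).
    """
    values, problems = {}, []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for var, rule in _RULES.items():
            if not line.lstrip().startswith(var):
                continue
            seen.add(var)
            m = rule.match(line)
            if m:
                values[var] = m.group(1)
            elif line.startswith(var + "= ") or re.match(rf"^{var}\s+=", line):
                problems.append(f"line {lineno}: spaces around '=' in {var}")
            elif line.strip() == var + "=":
                problems.append(f"line {lineno}: {var} has no value")
            elif var == "BASE_SEARCH_DN" and not line.startswith(var + '="'):
                problems.append(f"line {lineno}: {var} must be enclosed in double quotes")
            else:
                problems.append(f"line {lineno}: {var} is not a plain name/IP or DN")
    for var in _RULES:
        if var not in seen:
            problems.append(f"{var}= line not found")
    return values, problems


# Constructed samples: a correctly edited script and a mis-edited one.
GOOD_SCRIPT = """#!/bin/sh
LDAP_SERVER_ADDRESS=ldap.bstest.com
BESECURE_ADDRESS=10.1.0.5
BASE_SEARCH_DN="dc=bstest,dc=com"
"""
BAD_SCRIPT = """#!/bin/sh
LDAP_SERVER_ADDRESS= ldap.bstest.com
BESECURE_ADDRESS=
BASE_SEARCH_DN=dc=bstest,dc=com
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        found, issues = check_script(text)
        print(name, found, issues)
```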

10.1.3 Test the Scripts


The logon and logoff scripts should be tested before installing them, as follows:
1. Copy logon.sh and logoff.sh to a workstation with a user logged in using LDAP
   credentials. Copy them to the directory /usr/local/bin and make sure they are executable.
   You may need to create the directory /usr/local/bin with the command
   mkdir -p /usr/local/bin
   To give the scripts execute permissions, use the command
   chmod 755 /usr/local/bin/logo*.sh
   Open a Terminal window on the workstation, or use ssh to access the workstation.
   Find the user id, or "short name", of the logged in user (you can use the who or whoami
   commands).
2. Execute the script:
   /usr/local/bin/logon.sh <userid>
   Replace <userid> with the user id found in Step 1.
3. If there is any output from the script, an error has occurred. You may need to alter the script for
   your environment and network. If the script produces no output, it has run successfully.
4. Run the logoff script in the same fashion. If the script produces no output, it has run successfully.

10.2 Install the Scripts


The scripts need to be installed on each workstation on your network. Each platform type will require
slightly different steps. The requirement is that logon.sh runs when the user logs onto the network, and
logoff.sh runs when the user logs off of the network.
For example, with Apple Open Directory and an OS X workstation, the way to do this would be to follow
these steps:
1. Copy the scripts to the workstation using scp. Use ssh to access the workstation. Move the scripts
   to /usr/local/bin and set execute permissions.
2. Execute the following commands:
   defaults write com.apple.loginwindow LoginHook /usr/local/bin/logon.sh
   defaults write com.apple.loginwindow LogoutHook /usr/local/bin/logoff.sh
The logon and logoff scripts will run whenever a user logs on or off the workstation.
The scripts can be installed in any directory on the workstation. Another common location is under the
/opt directory. Be sure that the LoginHook and LogoutHook are set to the location where the
scripts are.

10.3 Configure the Device


1. Log in to the management interface using a web browser and navigate to the System > AD/LDAP
   page.
2. Select Enable Service.
3. Select the appropriate server type from the Server Type list.
4. Enter the details for the LDAP server:
   Server Name/IP Address: The name or IP address of your Open Directory server.
   Server Port: 389
   Server Timeout: 5000
   Login User or DN: A valid DN (distinguished name) that specifies the location of a user with
   permission to query the LDAP server.
   Login Password: The password for the login user.
   Search DN for Users/Groups: The base search DN of your Open Directory. For example:
   dc=bstest,dc=com
   If a server type with a known configuration is used, the User Object Class, Name Attribute, and
   Group Object Class fields will be auto-populated with the appropriate values. If these do not
   match the existing LDAP schema, the Custom LDAP Server setting needs to be used. In this case,
   the above three fields require values to be entered.
5. Click Test Settings (No Save) to validate the configuration.
6. If correct, click Save for these settings to become active on the scanning device.

11 APPENDIX G: SUPPORTED FILE FORMATS FOR DLP TEXT EXTRACTION

The following is a list of file types readable by the DLP text extraction engine.

11.1 Archive

Document Format                  | Event List ID    | Version          | Extension
7-Zip                            | 7-ZipArchive     |                  | .7Z
ACE                              | ACE              |                  | .ACE
Apple Disk Image                 | DiskImage        |                  | .DMG
ARJ                              | ARJ              |                  | .ARJ
BZIP2                            | bzip2            |                  | .BZ2, .TBZ2
ISO Disk Image                   | ISO              |                  | .ISO
Java Archive                     | Zip              |                  | .JAR
LZH                              | LZH              |                  | .LZH
Microsoft Cabinet                | MSCabinet        |                  | .CAB
Microsoft Office Binder          | MSBinder         |                  | .OBD
RedHat Package Manager           | RPM              |                  | .RPM
Roshal Archive                   | RAR              | 1.5, 2.0, 2.9    | .RAR
Self-extracting .exe             | SelfExtracting   |                  | .EXE
StuffIt Self Extracting Archive  | SelfExtracting   |                  | .SEA, .EXE
StuffIt X                        | StuffItXArchive  |                  | .SITX
StuffIt                          | StuffItArchive   |                  | .SIT
GNU Zip                          | GZIP             |                  | .GZ
UNIX cpio                        | cpioArchive      |                  | .CPIO
UNIX Tar                         | TAR              |                  | .TAR
Zip                              | Zip              | PKZip, WinZip    | .ZIP

(The source also lists a Version value of 0.1, 1.0 in this table that cannot be matched to a row.)

11.2 Database

Document Format          | Event List ID | Version    | Extension
dBase file               | dBASE         | 3,4        | .DBF
dBASE III file           | dBASE         | 3,4        | .DB, .DB3
Microsoft Access file    | MSAccess      | 01/01/10   | .MDB
Paradox Database File    | ParadoxDB     |            | .DB

11.3 Email and Messaging

Document Format                   | Event List ID  | Version                | Extension
Encoded mail message              | EmailMessage   | MHT                    | .MHT
Encoded mail message              | EmailMessage   | Multipart Alternative  |
Encoded mail message              | EmailMessage   | Multipart Digest       |
Encoded mail message              | EmailMessage   | Multipart Mixed        |
Encoded mail message              | EmailMessage   | Multipart News Group   |
Encoded mail message              | EmailMessage   | Multipart Signed       |
Encoded mail message              | EmailMessage   | TNEF                   |
Eudora Classic                    |                | (1-7), OSE             | .MBX
Microsoft Outlook                 | MSOutlook      | 97-2007                | .MSG
Microsoft Outlook Express         | MSOutlook      |                        | .EML
Microsoft Outlook Forms Template  |                |                        | .OFT
Microsoft Outlook                 | MSPST/OST      | 97-2007                | .PST
Sendmail "mbox"                   | SendmailMBOX   |                        | .MBOX
Thunderbird                       | SendmailMBOX   | 1, 1.5, 2.x, 3.x       | .MBOX

11.4 Multimedia

Document Format               | Event List ID    | Version                   | Extension
Adobe Flash                   | Flash            |                           | .SWF
Audio Video Interleave (AVI)  | AVI              |                           | .AVI
DVD Video Object              | DVDVideoObject   |                           | .VOB
MPEG Video                    | MPEGVideo        |                           | .MPG
MPEG-1 Audio Layer 3          | MP3              | ID3v1, ID3v2              | .MP3
MPEG-2 Audio Layer 3          | MP3              | ID3v1, ID3v2              | .MP3
MPEG-4 Video                  | MP4              |                           | .MP4
OGG FLAC Audio                | OGGFLAC          |                           | .FLAC
OGG Vorbis Audio              | OGGVorbis        |                           | .OGG
Real Media                    | RealMedia        |                           | .RM
Waveform Audio File (WAVE)    | WAVE             |                           | .WAV, .AIFF
Windows Media Audio           | MSWindowsMedia   | WMT 4.0, WMA 2, 7, 8, 9   | .WMA
Windows Media Video           | MSWindowsMedia   | WMV 7, 9                  | .WMV

11.5 Other

Document Format          | Event List ID | Version    | Extension
Log File                 | LogFile       |            | .LOG
Microsoft Project        | MSProject     | 98-2003    | .MPP
Microsoft Project        | MSProject     | 2007       | .MPP, .MPX
Open Access II (OAII)    | OAII          | 01/02/11   |
vCard                    | vCard         | 2.1        | .VCF
Uniplex                  | Uniplex       |            |

11.6 Presentation

Document Format                    | Event List ID   | Version                                  | Extension
IBM Lotus Symphony Presentation    | OpenDocFormat   | 1.x, 3.x                                 | .SXI, .ODP
LibreOffice Presentation           | OpenDocFormat   | Beta 3                                   | .ODS
Microsoft PowerPoint for Windows   | MSPowerPoint    | 3.0-2007, 2010                           | .PPT, .PPTX
Microsoft PowerPoint for Mac       | MSPowerPoint    | 1-4, 98, 2001, v. X, 2004, 2008, 2011    | .PPT, .PPTX
OpenOffice Impress                 | OpenDocFormat   | 1.x, 2.x, 3.x                            | .ODP
StarOffice Impress                 | OpenDocFormat   | 8, 9                                     | .SXI, .SDI, .SDP

11.7 Raster Image

Document Format                          | Event List ID  | Version            | Extension
Joint Photographic Experts Group (JPEG)  | JPEGImage      |                    | .JPEG, .JPG, .JPE, .JIF
Progressive JPEG                         | JPEGImage      |                    | .JPEG, .JPG
Microsoft Document Imaging               | MSDocImaging   |                    | .MDI
PCX                                      | PCXImage       |                    | .PCX
Tagged Image Format File (TIFF)          | TIFImage       | Revision 3.0-5.0   | .TIF, .TIFF

11.8 Spreadsheet

Document Format                  | Event List ID   | Version                                 | Extension
Comma Separated Values           | Text            |                                         | .CSV
Framework Spreadsheet            | FW3             | III                                     | .FW3
IBM Lotus Symphony Spreadsheet   | OpenDocFormat   | 1.x, 3.x                                | .SXS, .SX, .ODS
LibreOffice Spreadsheet          | OpenDocFormat   | Beta 3                                  | .ODS
Lotus 1-2-3                      |                 | Through Millennium 9.6                  | .WK, .WKS, .WK3, .WK4
Microsoft Excel for Windows      | MSExcel         | 2.0 - 2010                              | .XLS, .XLSX
Microsoft Excel for Windows      | MSExcel         | 2007, 2010 (Binary)                     | .XLSB
Microsoft Excel for Mac          | MSExcel         | 1, 1.5, 2.2, 3.0, 4.0, 5.0, 8.0-14.0    | .XLS, .XLSX
Microsoft Works SS for DOS       | MSWorks         |                                         | .WPS
OpenOffice Calc                  | OpenDocFormat   | 1.1-2.0                                 | .ODS
StarOffice Calc                  | OpenDocFormat   | 8, 9                                    | .SXC, .SXS, .ODS

11.9 Text and Markup

Document Format                    | Event List ID    | Version                               | Extension
ASCII Text                         | Text             | 7-bit, 8-bit                          | .TXT
ANSI Text                          | Text             | 7-bit, 8-bit                          | .TXT
HTML (Text Only)                   | HTML             | 2.x, 3.x, 4.x                         | .HTM, .HTML
HTML (Codes Revealed)              | HTML             | 2.x, 3.x, 4.x                         | .HTM, .HTML
HTML (Metadata Only)               | HTML             | 2.x, 3.x, 4.x                         | .HTM, .HTML
IBM DCA                            | RFT, Text        |                                       | .RFT, .TXT, .DCA
Microsoft HTML Help                | MSHelp           | 1.0, 1.1a, 1.3, 1.32, 1.33 MAML       | .CHM
Microsoft OneNote                  | MSOneNote        | 2007, 2010                            | .ONE
Rich Text Format                   | RichTextFormat   | 1.0, 1.3, 1.5, 1.6, 1.7, 1.8, 1.9.1   | .RTF
SGML Text                          | SGML             |                                       | .SGML
Source                             | SourceCode       |                                       |
Transcript                         | Transcript       |                                       |
Unicode UTF8                       | TextUTF          |                                       |
Unicode UTF16 (big e & little e)   | TextUTF          |                                       |
Unicode UCS2 (big e & little e)    | TextUTF          |                                       |
XML                                | XML(document)    | Document File                         | .XML
XML                                | XML              | Record View                           | .XML

11.10 Vector Image

Document Format                   | Event List ID   | Version                                                           | Extension
Adobe Illustrator                 | Illustrator     | 1.x-7.x                                                           | .AI
Adobe InDesign                    | InDesign        |                                                                   | .INDD
Adobe Photoshop                   | PhotoshopImage  | 8.x, 9.x, 10.0 (CS 1-3)                                           | .PSD
AutoCAD Drawing                   | AutoCAD         | 12, 13, 14, 2000, 2002, 2004, 2005, 2006, 2007, 2008, 2009, 2010  | .DWG
AutoCAD Drawing Exchange Format   | AutoCADDXF      |                                                                   | .DXF
Intergraph-Microstation CAD       | IntergraphCAD   |                                                                   | .DGN
Microsoft Open XML Paper Spec     | MSOpenXML       |                                                                   | .XPS, .OXPS
Microsoft Visio                   | MSVisio         |                                                                   | .VSD

11.11 Word Processing and General Office

Document Format                       | Event List ID   | Version                                         | Extension
Adobe PDF                             | PDF             | 1.0-1.7 (Extension 3, 5) (Acrobat 1 - 9)        | .PDF
Ami Pro for Windows                   | AmiPro          |                                                 | .AMI, .SAM
Apple iWork                           | iWork           |                                                 | .PAGES, .NUMBERS, .KEY
Framework WP                          | FW3             |                                                 | .FW3
Hangul (>v3)                          | Hangul          |                                                 | .HWP
IBM DCA/FFT                           | DCA             |                                                 | .RFT, .FFT
IBM DisplayWrite                      | DisplayWrite4   |                                                 | .RFT, .DCA, .DW4, .DOC
IBM DisplayWrite 5                    | DisplayWrite5   |                                                 | .RFT, .DCA, .DW5, .DOC
IBM Lotus Symphony Document           | OpenDocFormat   | 1.x, 3.x                                        | .ODT
JustSystems Ichitaro                  |                 |                                                 | .JTD, .JBW, .JTT
LibreOffice Document                  | OpenDocFormat   | Beta 3                                          | .ODT
Lotus Manuscript                      | Manuscript      | 1.0, 2.x                                        | .MANU, .MNU, .MAN
Mass 11                               | Mass11          |                                                 | .M11
Microsoft Publisher                   | MSPublisher     |                                                 | .PUB
Microsoft Word for DOS                | MSWordDOS       | 4.0 - 6.0                                       | .DOC
Microsoft Word for Windows            | MSWordWIN       | 1.0 - 2010                                      | .DOC, .DOCX
Microsoft Word for Mac                | MSWordWIN       | 1-5, 5.1, 6, 98, 2001, v.X, 2004, 2008, 2010    | .DOC, .DOCX
MultiMate                             | MultiMate       | Through 4.0                                     | .DOX
MultiMate Advantage                   | MultiMate       |                                                 | .DOX
OpenOffice Writer                     | OpenDocFormat   | 1.1 - 3.0                                       | .ODT
Professional Write for DOS            | ProWrite        | 1, 2                                            | .PW, .PW1, .PW2
Professional Write Plus for Windows   | ProWrite        |                                                 | .PW
Q&A Write                             | QA3             | 3, 4 (Classic), 5                               | .QA, .QA3
StarOffice Writer                     |                 | 8, 9                                            | .SXW, .SDW
Wang WP                               | WangWP          |                                                 | .IWP
Wang WP Plus                          | WangWPPlus      |                                                 | .IWP
Windows Write                         | MSWrite         |                                                 | .WRI
WordPerfect for DOS                   | WordPerfect42   | 4.2                                             | .WPD
WordPerfect for Macintosh             | WordPerfect     | 1.0-1.0.7, 2.0, 2.1, 3.0, 3.1, 3.5, 3.5e        | .WPD
WordPerfect for Windows               | WordPerfect     | 5.1-12.0, X3, X4                                | .WPD
WordStar 2000 for DOS                 | WordStar2000    |                                                 | .WS2, .DOC
WordStar for DOS                      | WordStar        | 3.x-7                                           | .WS, .WSx
WordStar for Windows                  | WordStar5       |                                                 | .WSD
XYwrite                               | XYWrite         | I-III+, 4.0, Windows                            | .XY

INDEX
802.1Q. See VLAN support
Active Directory configuration, 11, 170
Active Directory integration
AD user for device, 186
device configuration, 189
Active Directory integration, 170, See Directory Agent
enable TLS, 181
logon and logoff scripts, 170
Active Directory integration, 194
AD/LDAP
Active Directory configuration, 170
and scanning policies, 76, 97
administrators
access rights, 119
list all, 119
Administrators, 28, 119
Alteon
load-balancing and ICMP, 143
Anti-Phishing. See Cloudmark Anti-Phishing
anti-spam
advanced settings, 86
blocking spam, 85, 86
blocking spam by policy, 80
custom header, 91
headers, 89
message headers, 89
Message Subject Marker, 89
signatures update, 85
SMTP reply for blocked spam, 86, 141
status, 28
subject line marker, 89
whitelist, 88
Anti-Spam Policies, 20, 80
adding, 80
editing and deleting, 81
exclusions, 81
Anti-Spam Setup, 85
anti-virus
block or detect by policy, 77
GreenStreaming. See anti-virus setup
manual signature upload, 83
signature update, 82
status, 28
Virus Update Interval, 83
Anti-Virus Policies, 19, 76
adding, 76
editing and deleting, 78
exclusions, 78
URL whitelist, 79
user or group name, 77, 80
Anti-Virus Setup, 82
Apple Open Directory integration, 190, See Directory Agent
Application Control, 113
auto-route, 33
AUX2
as EGRESS, 57
backup. See configuration
Backup/Restore, 67
Bing SafeSearch, 99
Bond to EGRESS, 37
Bond to INGRESS, 37
bridge mode, 12, 17, 30, 56, 57, 58
bypass
hardware. See LAN bypass
categories
keyword. See Keyword Categories
certificate revocation. See SSL/TLS
Chinese keyword matching, 106
CIDR, 11
CJK keyword matching, 106
CLI, 135
accounts for login, 28, 135
Cloudmark Anti-Phishing, 108
command line interface. See CLI
communities, SNMP, 63
Compliance Enforcement, 99
compressed partial content, 140
configuration
back up, 67
back up to remote server with CLI, 143

reset to factory defaults, 68
restore, 67
restore from remote server with CLI, 143
configuration check, 127
Configuration Sync, 60
contact info, 25
Content Control menu, 97
content types
exclude from scanning, 140
statistics using CLI, 140
control network, 34
control port, 35, 54, 59, 64, 67
and logging, 54
and router mode, 31
and SNMP, 64
configuration sync, 61
traffic graph, 123
CPU usage, 121
threshold notification format, 157
date. See system date and time
DCI. See deep content inspection
deep content inspection, 10, 11, 12
default settings, 15
Diagnostics menu, 127
Directory Agent, 40
Disk usage
threshold notification format, 157
DLP
supported file formats, 194
DLP Policies, 102
Action, 104
adding, 103
binary and compressed files, 103
Block access, 104
deleting, 105
Detect only, 104
modifying, 105
text extraction, 103
URL Whitelist, 105
user and group name policies, 104, 107
user or group name, 104, 107
egress
traffic graph, 123

Event List, 124
Event Reporting
database size, 69
setup, 68
Event Summary, 124
exclusion policies, 76
exclusions, 11
anti-spam, 81
anti-virus, 78
global. See Global Exclusions
fan speed, 122
features, 10
fiber ports, 145
file system usage, 122
flash memory, 122
FreeIPA integration, 190
Function. See port status
Global Exclusions, 92
user or group name policies, 92
Go to Active Mode button, 60
Go to Stand By Mode button, 60
Google SafeSearch, 99
graph
icons, 120
graphs, 120
resetting. See reset
time period, 120
GreenStreaming. See anti-virus
HA. See high availability
Health Monitor, 128, 155
and Alteon load balancing, 156
behaviour with HA, 156
behaviour with WCCP, 156
CLI command, 158
CPU, memory, disk usage notification formats, 157
critical checks, 155
logging, 157
Non-critical checks, 156
notification, 157
OFFLINE recovery, 130, 156
Proxy Usage notification formats, 157
traffic bypassing on high CPU, 130
high availability, 56
bridge mode, 56
bridge mode and NDP-1020, 57
router mode, 58
host name
router mode HA, 58, 59
setting, 38
HTTP Proxy Settings, 36
ICAP, 112, 148
client configuration, 149
enabling, 38
HTTP policies, 148
services, 149
traffic blocking, 149
with Websense, 149
X-Client-IP header, 148
X-Server-IP header, 148
ICMP
allow or block on INGRESS and EGRESS, 143
incidents
types of, 54
ingress
traffic graph, 123
Internet Content Adaptation Protocol. See ICAP
IP address transparency, 32
IP reputation
whitelisting addresses, 88
Japanese keyword matching, 106
keyword blocking
syntax, 106
Keyword Categories, 103
on DLP Policies page, 104
keyword policies. See DLP Policies
LAN bypass, 57
EGRESS port change, 27
language
selection, 25
LDAP integration. See Directory Agent
LDAP server integration, 190
license. See Manage Licenses
link bonding, 37
localization. See language
logging
default file location, 165
download logs, 54
format, 165
log level, 53
setup, 54
summary, 115
Logging Setup, 53
Logs, 115
Manage Licenses, 65
management information base module, 61
McAfee SmartFilter, 109
memory usage, 122
Memory usage
threshold notification format, 157
MIB. See management information base module
MIM Portal
configuration, 70
module status, 28
multi-language. See language
multiple instance management. See MIM Portal
nested VLANs. See VLAN support
Network, 29
Updates Via, 29
Network Graphs, 120
network redundancy. See link bonding
Network Time Protocol, 39
configuration sync, 61
Next-Gen Firewall, 112
notifications
CPU/memory/disk/proxy usage warnings, 54
e-mail, 54
failed service updates, 54
Health Monitor, 54
license expiration, 54
RAID status change, 55
SNMP, 63
Nslookup, 134
NTP. See Network Time Protocol
OCSP. See SSL/TLS

OFFLINE. See Health Monitor
OIDs, 61
open ports, 168, 169
OpenLDAP integration, 190
pattern matching
keyword and URL, 106
Ping, 134
ping tool, 134
platform type, 25
policies, 11
exclusions, 11
IP address format, 11
list all by IP address, 118
list all by service, 116
resetting, 41
Type column, 76, 97
username or group name based, 76, 97
Policy Details, 118
Port Setup, 42
port status, 26, 29
Function, 27
Updates Via, 27
port usage policies, 168, 169
prevent SMTP server blacklisting, 141
problem report
generate from CLI, 159
generate using management console, 130
submitting to product support, 132
processes graph, 122
Protection menu, 76
protocol
changing scanned ports, 43
protocol scanners
status display, 27
protocols
anti-virus policies, 77, 78, 92
scanned ports, 42
Q-in-Q. See VLAN support
RAID, 161
notification on status change, 55
recovery, 162

ram disk, 122
reboot, 74
Reboot, 74
Reports menu, 115
reset
admin password, 138
policies, 41
statistics and graphs, 41
reset to default settings, 68
Restart Services, 74
restore. See configuration
rewrite SMTP EHLO, 141
router mode, 12, 31, 58, 59, 60
2 interfaces, 13
enabling egress interface, 31
Safe Search, 52
SafeSearch, 99
scanner bypass
on connection count exceeded, 140
on resource exhaustion, 139
Server Security, 114
Service Graphs, 120
Serviced Clients, 116
Settings, 38
shut down, 74
Shut Down, 74
Simple Network Management Protocol, 61
SmartFilter. See McAfee SmartFilter
SmartFilter. See WebFilter
SMTP CHUNKING, 141
SMTP tarpitting, 86
SNMP, 61. See Simple Network Management Protocol
system-specific OIDs, 164
WECAN-MIB, 164
socket timeouts, 142
spam. See anti-spam
database, 146
false negative. See spam feedback
false positive. See spam feedback
feedback, 146
graph, detected, 122
SSH server
Windows, 160
SSL/TLS, 43
certificate generation, 48
certificate revocation, 46
Certificate Status, 51
CRL (certificate revocation list), 46
dynamic certificates, 43
enabling, 44
existing certificate upload, 50
HTTPS domain whitelist, 45
OCSP, 46
overview. See SSL/TLS
scanning. See SSL/TLS
static certificate, 43
Use Dynamic Certificates, 45
static route
control port, 36
statistics
by protocol, 116
resetting, 41
Statistics, 116
Status, 25
Updates Via, 29
stealth routing. See auto-route
SubSonic, 69
enabling, 69
example, 70
graphs, 123
selective using file size and MIME, 144
statistics, 70
sync
configuration. See Configuration Sync
HA. See Configuration Sync
syslog. See logging
system date and time, 39
system events
types of, 54
System Graphs, 120
system log entries. See logging
System menu, 25
system temperature, 122
System Update, 73
tarpitting. See SMTP tarpitting
TCP Stream, 11, 12, 42
technical support, 14
template
mail variables, 94
templates
e-mail message, 93
HTTP message, 95, 96
Templates, 93
Text Extraction, 103
time. See system date and time
display, 25
TLS. See SSL/TLS
Traceroute, 134
traffic blocking, 112
adding, 112
deleting, 113
modifying, 113
Traffic Blocking, 112
traffic bypassing on high CPU, 130
traffic capture, 159
submitting to product support, 132
using CLI, 159
using management console, 131
transparency
auto-route, 33
IP address, 32
MAC/VLAN, 33
transparent mode, 32
trap sink, 63
traps (SNMP), 63
troubleshooting
problem report, 159
traffic capture, 159
Updates Via. See port status
URL blocking. See URL Policies
modifying, 101
syntax, 106
URL deleting, 102
URL Policies, 97
Action, 99
Action decision flow, 100
adding, 98
Allowed URLs, 100
Block access, 98
Denied URLs, 100
Detect only, 98

HTTPS, 97
URL list file upload, 101
user or group name, 98
URL whitelist
Anti-Virus Policies, 79
DLP Policies, 105
WebFilter, 110
user manual
through console, 25
version number, 73
viruses. See anti-virus
graph, blocked, 122
VLAN support, 33
multiple VLANs, 33
WCCP, 149
add ports, 152
benefits, 150
CLI commands, 153
configure, 151
method overriding, 151
protocol support, 150
router/switch configuration, 153
service groups, 153

supported protocols, 150
with IP address transparency, 153
Web Cache Communications Protocol. See WCCP
WebFilter, 107
Action, 107
adding policies, 107
Block access, 107
categorization feedback, 147
checking URL category matches, 109
deleting policies, 109
Detect only, 107
modifying policies, 109
URL category change, 147
URL Whitelist, 110
user and group name policies, 107
Warn access, 107
whitelist
IP reputation, 88
wildcard syntax
keyword and URL blocking, 106
Yahoo SafeSearch, 99
YouTube for Schools, 99

Wedge Networks
www.wedgenetworks.com
+1.403.276.5356
+1.403.276.5568
support@wedgenetworks.com
