Clearswift SECURE Web Gateway Evaluation Guide

Full text


Clearswift SECURE

Web Gateway

Evaluation Guide

Revision 1.1



Thank you for taking the time to evaluate the Clearswift SECURE Web Gateway.

Balancing the requirement for strong network security with the need to harness collaborative web technologies is essential for business growth. The Clearswift SECURE Web Gateway is a trusted internet security solution for your web gateway that does just that.

The SECURE Web Gateway’s policy-based content-filtering engine allows your organisation to both exploit and benefit from modern

web technologies and services, while ensuring that the company network remains fully protected against incoming threats and data leakage.

With the Web Gateway deployed, the web is transformed from a high-risk environment to a place of free and safe collaboration and communication. Business-enhancing online technologies, like webmail, social-media websites and collaborative services, can

therefore be enabled with confidence.

This evaluation guide explores and explains some of the many

benefits of the SECURE Web Gateway. Rather than overwhelm

you with an in-depth analysis of every feature our intention is to present the essential information that will allow you to continue to explore and evaluate of SECURE Web Gateway at your own pace. Note that this guide assumes that you have already followed the Clearswift SECURE Web Gateway Getting Started Guide. As such, you should have completed the Initial Setup Wizard and be able to log in to SECURE Web Gateway. If this is not the case then the Getting Started Guide can be found on the Technical Guides area of the Clearswift website – please read it before proceeding. We’ll start with a brief overview of what you can expect to see – the graphical user interface. As that’s a bit of a mouthful, we’ll call it the ‘GUI’ from here on.



When you first log in you will be presented with this Home page:

The Home page is the starting point for managing SECURE Web

Gateway’s features and for implementing and maintaining an Acceptable Usage Policy (AUP) for your organisation. It is supported by a further five pages, or Management Centers, displayed as tabs across the top of the GUI – Policy, Reports, System, Health and Users. Let’s take a closer look at these...

Here’s a close-up of the six tabs used to navigate SECURE Web Gateway – just click on one to access the associated features.

• The Home page presents an overview of SECURE Web Gateway. It is the first page displayed each time you log in.

• The Policy Center lets you define and maintain an Acceptable Usage Policy (AUP) for your organisation. This involves creating rules to manage information flowing in to and out of your organisation. Use the Policy Center to block the viewing of particular websites, for example, or to allow specific users access to certain types of content.

• The Report Center provides access to the monitoring capabilities of SECURE Web Gateway. It collates and presents information on the activities of users, from websites visited to time spent online. As well, the Report Center tracks bandwidth use and detected threats, like malware and phishing sites.

• The System Center is used to manage some of the more technical aspects of SECURE Web Gateway. The most important settings will have been configured during the Initial Setup Wizard, so there’s not too much to worry about with this Center. However, they can be edited from here at any time.

• The Health Center is the place to view real-time usage information for SECURE Web Gateway. Key metrics available here include number of concurrent connections, bandwidth use and the number of threats prevented from entering the organisation.


• The Users Center control access to the aforementioned Management Centers. Use it to create new administrative users, allowing access to all or selected Management Centers.

This evaluation guide will focus on the most important Management Centers, offering simple guidelines on making the most of them. Before proceeding, though, take pause for a brief (if mildly technical) tip. When evaluating SECURE Web Gateway it can be useful to have two web browsers available. Why? Well, it will help you to better understand the differing experiences of users and administrators. Configuring, say, Internet Explorer, to use SECURE Web Gateway as its proxy will simulate the users’ experience. Then, use Firefox to access the Management Centers without the proxy to understand how administrators will work.

Policy centre

We’ll start by exploring the Web Policy Routes page, in the Policy Center. We will examine SECURE Web Gateway’s default policy and gain an understanding of the policy options.



NTLM and Kerberos

authentication To identify users transparently so that individuals or departmental groups can have unique aspects of the policy applied and reporting can be specific to an individual or department. Flexible and granular policy

construction for users,

departmental groups, machines and IP addresses

Easily define advanced policies to enable and allow Web 2.0 usage while minimizing risk.

Time and quota user web

access rights Define both times of day and total amount of time per day a user may browse the web. Acceptable usages ‘inform’ pages ‘Inform’ pages highlight

individual web usage is being monitored and is subject to com-pany policy.


At first glance there’s a lot to take in here but the information is actually very easy to read. The rows represent different types of web content – or ‘routes’. Notice that access to some routes is allowed (indicated by green ‘Allow’ symbols), while other routes are blocked (red ‘Block’ symbols). SECURE Web Gateway’s default policy blocks some routes because the content from these categories may be considered inappropriate for the workplace. Blocked routes include ‘Sexually Explicit’, ‘Violence/ Offensive’, ‘Weapons’, ‘Gambling’ and so forth.

Of course, access to any or all of these routes can be allowed or blocked as desired. Regardless, SECURE Web Gateway’s default policy provides a good starting place for creating an Acceptable Usage Policy for your organisation. It can also help to gain an understanding of SECURE Web Gateway’s key features – so let’s try out aspects of the default policy right now.

Notice that the default policy is to block content that fits the Weapons route. Moreover, ‘Everyone’ is blocked from this route – meaning all users. To see this in action, fire up the web browser configured for users (Internet Explorer, if you followed our earlier suggestion) and visit www. SECURE Web Gateway intercepts the request and displays this block message in the browser window:

To begin, click the Policy tab. Now select Web Policy Routes from the submenu to view SECURE Web Gateway’s default policy. Here’s what you should see:


Now refer back to the Manage Policy Routes screenshot on the previous page. Examine it a little more closely and you’ll notice that the ‘block’ symbol on the Gambling route is complemented by a secondary symbol – the soft block symbol. It looks like this:

While we’re focused more closely on this screen, you may spot another symbol – a little clock:

This clock symbol indicates that access to the relevant route is restricted by a time schedule, which could be specific hours during the day (the company lunch hour, say) or for a limited amount of time throughout the day.

Note, too, that the Web Policy Routes screen summarises which users are allowed or denied access to particular routes. The default policy either blocks, soft blocks or allows ‘Everyone’. However, much more flexibility is possible. As we’ll see later, it’s possible, for example, to define specific user groups, such as ‘Sales’, ‘Marketing’ and ‘Finance’, and apply different policies to the various departments within your organisation.

Now, blocking all users from accessing a particular type of web content will sometimes be wholly appropriate – but it’s a rather blunt tool. As an alternative, SECURE Web Gateway allows administrators to restrict some routes with a ‘soft block’. A soft block presents the user with the option to continue if required, but only after they have acknowledged the block page. This may be useful for routes that are blocked primarily for productivity reasons, helping users to respect your organisation’s policy while affording them the freedom to continue with essential business. To see a soft block in action, use Internet Explorer to browse to www. This time, SECURE Web Gateway will present a soft block page, distinguished by the option to ‘Continue Browsing’:


Web Policy Routes & Content Rules

SECURE Web Gateway policy routes are supported by content rules. These determine the content that is allowed to flow between the organisation and the websites defined by the route. Routes may have any number of content rules added, with seven applied by default. These are:

• Block Virus

• Block Encrypted Data • Block Spyware

• Block Spyware Call Home • Remove Tracking Cookie

• Block Executables including ActiveX • Processing of requests or response Fails

The presence of these default rules is indicated by the ‘7’ in the Rules column on the Web Policy Routes screen. We’ll explore rules in more detail in just a moment but before we proceed, notice that the ‘Trusted Sites’ route lacks content rules. This means that the traffic flowing via the ‘Trusted Sites’ route will not checked against any rules – but this is intentional. The route exists as a place to categorise automatic update servers, such those used by Microsoft or Clearswift. Applying content rules to such servers, or indeed deleting this route, may cause any automatic updates to fail – an undesirable situation.

Let’s take a closer look at how policy and rules work together. Click ‘Show Printable Version’ on the left-hand side of the GUI. You should see something like this:

W eb P oli cy R ou te s a re se le cte d t op d ow n, fi rs t t o m at ch

Content Rules are processed left to right Show printable


If SECURE Web Gateway detects web content that matches a particular rule then a ‘block’ or ‘allow’ action will be triggered. The content rules included with the default policy are all set to ‘block’. If the user attempts to access content that contravenes one of these rules then a block page will be shown in their web browser. Here, for instance, the user has attempted to download an executable file and has been blocked by the ‘Block Executables including ActiveX’ content rule:

As we’ve already seen, SECURE Web Gateway’s default policy includes a number of ready-made content rules for each route. However, it is simple to define new content rules or edit existing ones. We’ll demonstrate by editing route number 8, which relates to ‘Non-Business Related’ traffic. To do this, simply double-click the route or click once to highlight and then click the Edit button.

Notice that the route has five editable sections: Overview, Traffic, Default Action, Schedule and Content Rules. The last four are the most important, so we’ll explore these one at a time.

Web Policy Route: Traffic

The Traffic section is the key to building flexible policies. It is possible, for instance, to allow different groups within the organisation to have different rules applied to their browsing activity. The selected route, remember, is concerned with traffic between ‘Everyone’ and websites considered ‘Non-Business Related’ – we call this an ‘Internet Zone’. This is how the Traffic section looks currently:


It is very easy to edit this route in order to apply it to different groups within the organisation or to different Internet Zones. To explore this further, click the ‘Click here to change these setting’ link on the right. Here’s what you’ll see:


Policy > User Names Policy > Machines


Policy > Internet Zones

As you can see from the above screenshot, this particular SECURE Web Gateway has various departmental groups set up, such as Marketing, Product Management and Sales; and also a couple of groups based on machines, rather than departments. Of course, these are just examples to aid clarity: you will need to define your own groups. Changing the route is a simple case of placing ticks in the appropriate category boxes listed below the ‘Between’ and ‘And’ headings.

To aid understanding, we’ll consider the Between and And lists in a little more depth.

Between – User Name Lists and Machine Lists

SECURE Web Gateway draws on Clearswift’s renowned MIMEsweeper policy engine. This is a very powerful tool that can be used to specify granular policies for users grouped by department or even individuals. Grouping users by department offers both administrative simplicity and flexibility when setting policy for the many job functions within an organisation. An IT support department, for instance, may require unfettered access to large downloads or executable files, while marketing staff may be granted unrestricted use of social-networking websites and services. Groups also aid SECURE Web Gateway’s powerful reporting features, because generated reports can be focused on the activities of specific departments.

By the same token, the ability to apply policy right down to the level of individual users means an organisation has the freedom to fine-tune enforcement for job-specific needs.

And – Internet Zones

As noted earlier, we refer to a route’s destination as an Internet Zone. An Internet Zone is made up of one or more URL categories. The Non-Business Related Internet Zone, for example, includes URLs categorised as Gaming, Hobbies, Job Search, Personal Ads and Dating.

Not all businesses are the same, of course, so you may wish to review the Non-Business Related Internet Zone in order select different non-business categories. To do this, click the Policy tab at the top (to go to the Policy Center) and then select Internet Zones.




URL filter with Security Risk

categories included Prevents access to high risk Malware, Phishing, Remote Proxy and Hacking sites.

Real-time categorisation Assigns a category to previously uncategorised sites in real-time to ensure undesirable content is prevented from entering the organisation.

Embedded URL Classification Provides a greater depth of analysis and categorisation for embedded URLs to categorise and prevent ‘inappropriate’ content delivered from Google or Yahoo! cached pages.

Web Policy Route: Action

As we’ve already seen, SECURE Web Gateway presents block pages when it detects content that contravenes policy. These are the result of ‘Actions’. The default Action for a route can be set to either ‘Allow’ or ‘Block’ the request. The default’s policy’s Non-Business Related route that we’re exploring, for instance, is set to Allow – but only during scheduled periods (and we’ll cover SECURE Web Gateway’s scheduling options in just a moment). Here’s what it looks like:

Again, it is easy to change the way this works. To block Non-Business Related browsing at all times, for example, hit the ‘Click here to change these settings’ link and use the dropdown menus to choose ‘Block the communicating using’ and ‘Generic Route Block Page’. Like this:


A handy tip here: to create a ‘soft block’, as discussed earlier, just place a tick in the box labelled ‘Allow the user to continue browsing if they acknowledge the block page’. Remember, this will still result in the user being presented with a block page, reminding them of your organisation’s Acceptable Use Policy, but they will be offered the option to continue browsing. This is typical of the flexibility provided by SECURE Web Gateway, protecting your organisation while allowing employees freedom to conduct essential business.

Web Policy Route: Schedule

SECURE Web Gateway’s schedule controls allow you to specify quotas or periods during which users can browse websites matching a particular route. Here, for example, is the schedule for the default policy’s Non-Business Related route:

Select time quota colour before filling schedule Drag mouse to set time quota colour

The green cells indicate access is allowed but users will be unable to access the route during periods marked by white cells. The orange cells, incidentally, signify a period during which quotas apply. So, in this example, no access is allowed after 8am and before 5pm, Monday to Friday, but there is a three-hour window in the middle of the day when users are allowed up to 60 minutes access to web content covered by the route. A schedule like this helps keep minds focused on work during business hours, while affording freedom to conduct personal activities during lunch breaks.


Web Policy Route: Content Rules

SECURE Web Gateway’s content rules define the type of information that is allowed to flow to and from your organisation. It’s possible, for example, to create a rule that allows Word and Excel documents to be downloaded but not uploaded – limiting data leaks.

We’ll explore now how text within documents can also be examined, using SECURE Web Gateway’s powerful Detect Lexical Expressions content rule. A common policy requirement is to prevent document uploads only when specific watermarks are detected within the

document. Similarly, you may wish to scan documents uploads for other sensitive information such as credit card, National Insurance or Social Security numbers. Given their importance, let’s explore content rules in more detail.

Ability to copy Content Rules from an existing Route to save time

Policy > Content Rules

That completes the overview of the Web Policy Routes. We shall now explore the content rules in more detail.


Content Rules

SECURE Web Gateway’s content rules provide the real-time protection when a website is being accessed. Their purpose is to examine all data that flows into and out of your organisation, protecting against known and unknown malware threats and performing deep, content-aware inspection.



Bi-directional anti-malware

scanning Stops known and unknown malware infection, entering or leaving the network.

Bi-directional anti-spyware

scanning Stops spyware, adware, key loggers and spyware call homes, and identifies infected user machines.

Deep content-aware inspection The ability to look inside containers being uploaded or downloaded and detect and prevent policy violations even when the file type is embedded in other file types/containers. True ‘binary file-type’

identification Provides accurate identification of file types, embedded attachments and direction. File identification is based on the binary type and NOT the file name or reported MIME type which can be misrepresented. Real-time categorisation Prevents undesirable content

from new or uncategorised sites such as pornography. And prevent access to remote proxy sites that appear every day.

Suspicious script detection Protection from web content that includes suspicious script commands.


As noted, SECURE Web Gateway’s powerful content rules make real-time decisions about the information that is allowed to flow into and out of your organisation. So, how do content rules apply in practical situations? Well, consider these three questions:

• Should a document containing the phrase ’top secret’ be allowed to leave the organisation?

• Should a document with multiple credit card numbers be allowed to leave the organisation?

Policy > Content Rues SECURE Web Gateway includes comprehensive set of default content rules that have been set to detect various types of web content. To view them, click the Policy tab and then select Content Rules. This is what you’ll see:


All rules in SECURE Web Gateway – including those provided with the default policy – are built from a base set of content rules. This table provides an idea of how these base content rules were used to build the content rules that make up default policy.

Policy > Content Rues > New Editing the default content rules to reflect the specific needs of your organisation is straightforward – as is creating rules from scratch. To see how this is done, click the Policy tab, select Content Rules and then click New. This is what you’ll see:


To explain what’s going on here, the leftmost column one lists SECURE Web Gateway’s default content rules, while the middle column details the base rule on which each content rule was built. The right-hand column, by the way, shows the lexical expression list (if any) that the rule draws on. So, for example, the Block Confidential Office Documents rule has been built on the ‘Detect Lexical Expressions’ base rule, and draws on the ‘Confidential Material’ lexical expressions list.

Of course, deciding which base content rule is the most appropriate for a particular policy depends on the desired outcome. However, it is fair to say that ‘Detect Media Type’ and ‘Detect Lexical Expressions’ are the most powerful and the most frequently used base rules.

For example, if wanting to detect a particular data format or file type then use the Detect Media Type base rule. To scan for particular words or phrases, regardless of whether the focus is an upload, download, web page or URL, begin with the Detect Lexical Expression base rule.

Let’s consider a few examples of desired outcomes and see how they can be achieved by building on SECURE Web Gateway’s base content rules:


To prevent the usage of unauthorised browsers (Chrome, Safari, and Opera, for example), use the ‘Detect Lexical Expression’ base content rule to search HTTP headers for the appropriate User Agent Header string.

2 To stop the viewing of specific YouTube videos, use the ‘Detect Lexical Expression’ base content rule to search requested URLs for the video’s identification number.

3 To prevent the upload of Microsoft Office documents (Word, Excel, etc), use the ‘Detect Media Type’ base content rule and set the direction to ‘Leaving the Company’.


To prevent data leaks, use the ‘Detect Lexical Expression’ base content rule, set the direction to ‘Leaving the Company’ and search for phrases such as ‘Top Secret’, ‘Sensitive’ and ‘Confidential’.

As we’ve seen, all content rules reference other policy components, be it Block Pages or Lexical Expression Lists. These referenced items are referred to as ‘Policy References’ and can be found on the lower part of the main policy page. We have already seen examples of how some of these Policy References can be used within the content rules and Web Policy Routes but here’s a summary.


Define user groups and use to specify the ‘From’ on a Web Policy Route

Define machine groups and use to specify the ‘From’ on a Web Policy Route’

Define groups of websites by URL and category and use to specify the ‘To’ on a Web Policy Route. Create or amend the pages used to inform users about policy violations.

Create an inform email to alert IT or HR immediately when a potential policy violation occurs.

Identify your own internal servers to be categorised as ‘Intranet’

Allows specific file names to be specified and used with the Detect File Names content rule. Tip: to stop certain files types use the Detect Media Types content rule to look for binary signatures. Create lists of words and phrases that can be used with the Lexical Expressions content rule to prevent data leaks.


Clearswift SECURE Web Gateway includes versatile management and reporting facilities, all controlled from a simple web-based interface. Dozens of ready-made report templates are included and new ones can be created quickly and simply. Better still, SECURE Web Gateway’s reports are interactive: drill down on the fly to get to the data you need quickly and avoid producing useless reports.



Intuitive web-based interface Ease of use and no requirement to learn complex syntax or Linux commands.

Pre-defined customizable reports Easy to modify, run and share reports with interactive drilldowns.

Scheduled reporting Allows create once, run and distribute many times report circulation via email.

Multi-gateway policy

and reporting Consolidated policy and reporting view of user’s activities for centralised management and analysis.

Active Directory (AD) and

LDAP integration Full user-based policy control for flexible policy and audit reporting by group or indi vidual.

Scheduled spyware reporting Better control of spyware and the identification of user devices requiring remediation.


We’d suggest starting your evaluation of SECURE Web Gateway’s

reporting facilities using the reports grouped under the ‘Route’ heading. To do this, click the Reports tab and followed by the ‘+’ to expand the Route reports group.

The Route reports show how the users’ web requests are being processed by the Web Policy Routes. As you will now appreciate, the Web Policy Routes represent the organisation’s policy and the Route reports show how that policy is being processed, showing the most popular routes, users, time and bandwidth usage. Here’s what it looks like:

The provided reports display activity for all users. However, it is easy to create a new report that focuses on specific user groups or individuals. First select a report and click Copy. This will create a copy of the original report and place you in editing mode. This is what you can expect to see:


As mentioned, SECURE Web Gateway reporting system is interactive, so you can drill down on the fly. To see this in action, first run the ‘Top Routes to Top Categories’ report. Now, to drill down on a particular route, simply click on the route in the report screen. Drill down still further by clicking a category – like this:

Tip: After drilling down into a report, use the Back button in the web browser to return to the previous level. Note that when doing this, it may be necessary to press F5 to have the browser refresh the page.

We hope that this brief guide has given you a head start in your

evaluation of Clearswift SECURE Web Gateway. Of course, there’s plenty more to explore. For more help or guidance either follow the links below or simply give us a call – we’d love to hear from you.

For further information

Technical Guides:


Clearswift knowledge base:

Technical Support:

Clearswift user discussion forums:


Contact Clearswift

UK - International HQ

Clearswift Limited

1310 Waterside Arlington Business Park Theale Reading Berkshire RG7 4SA UK Tel : +44 (0) 118 903 8903 Fax : +44 (0) 118 903 9000 Sales: +44 (0) 118 903 8700 Technical Support: +44 (0) 118 903 8200 Email: Australia Clearswift 5th Floor 165 Walker Street North Sydney New South Wales, 2060

AUSTRALIA Tel : +61 2 9424 1200 Fax : +61 2 9424 1201 Email: Germany Clearswift GmbH Amsinckstrasse 67 20097 Hamburg GERMANY Tel : +49 40 23 999-0 Fax : +49 40 23 999-100 Email: Japan Clearswift K.K 7F Hanai Bldg. 1-2-9 Shibakouen, Minato-ku, Tokyo 105-0011 JAPAN Tel : +81 (3)5777 2248 Fax : +81 (3)5777 2249 Email: Spain Clearswift España S.L.

Cerro de los Gamos 1, Edif. 1 28224 Pozuelo de Alarcón Madrid SPAIN Tel : +34 91 7901219 / +34 91 7901220 Fax : +34 91 7901112 Email: United States Clearswift Corporation 161 Gaither Drive Centerpointe Suite 101 Mt. Laurel, NJ 08054 UNITED STATES Tel : +1 856-359-2360 Fax : +1 856-359-2361 Email: