Secure Web Gateway Network Guardian Administration Guide

(1)

Secure Web Gateway

Network Guardian Administration Guide

For future reference

Network Guardian serial number: Date installed:

(2)

Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Network Guardian.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall.

Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.

Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or

trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation.

All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

Acknowledgements

Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.

Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Network Guardian contains graphics taken from the Open Icon Library project http:// openiconlibrary.sourceforge.net/

Address Smoothwall Limited 1 John Charles Way Leeds. LS12 6QA United Kingdom Email info@smoothwall.net

Web www.smoothwall.net

Telephone USA and Canada: United Kingdom: All other countries:

1 800 959 3760 0870 1 999 500 +44 870 1 999 500

Fax USA and Canada:

United Kingdom: All other countries:

1 888 899 9164 0870 1 991 399 +44 870 1 991 399

(3)

About This Guide

Smoothwall’s Network Guardian is a licenced feature of your Smoothwall System. This manual provides guidance for configuring Network Guardian.

Audience and Scope

This guide is aimed at system administrators maintaining and deploying Network Guardian. This guide assumes the following prerequisite knowledge:

• An overall understanding of the functionality of the Smoothwall System • An overall understanding of networking concepts

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Organization and Use

This guide is made up of the following chapters and appendices: • Chapter 1, Introduction on page 3

• Chapter 2, Network Guardian Overview on page 5 • Chapter 3, Working with Interfaces on page 25 • Chapter 4, Deploying Web Filtering on page 31 • Chapter 5, Working with Policies on page 37

• Chapter 6, Managing Authentication Policies on page 77 • Chapter 7, Managing Web Security on page 93

(12)

• Chapter 9, General Network Security Settings on page 127 • Chapter 10, Configuring Inter-Zone Security on page 135 • Chapter 11, Authentication and User Management on page 143 • Chapter 12, Centrally Managing Smoothwall Systems on page 167 • Appendix A:User Authentication on page 179

• Glossary on page 185 • Index on page 195

Conventions

The following typographical conventions are used in this guide:

This guide is written in such a way as to be printed on both sides of the paper.

1 Introduction

This chapter introduces Network Guardian, including: • Overview of Network Guardian on page 3 • Annual Renewal on page 3

Overview of Network Guardian

Welcome to Network Guardian, the intelligent web content filter that dynamically analyses, understands and categorizes all web content requested by your users.

Network Guardian provides:

• Protection from pornography and objectionable content

• Controlled access to non work-related sites, such as news, sport, travel and auctions. • Protection from web-borne spyware, malware and browser exploits

• Reporting on Internet behavior and resource utilization

• Email security: anti-spam, anti-malware, mail relay and control.

Annual Renewal

To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

(14)

(15)

2 Network Guardian

Overview

In this chapter:

• How to access Network Guardian

• An overview of the pages used to configure and manage Network Guardian.

Accessing Network Guardian

To access Network Guardian:

1. In a web browser, enter the address of your Network Guardian, for example: https://192.168.72.141:441

Note: The example address above uses HTTPS to ensure secure communication with your Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security. Note: The following sections assume that you have registered and configured Network Guardian as described in the Network Guardian Installation and Setup Guide.

(16)

3. Enter the following information:

4. Click Login. The Dashboard opens.

The following sections give an overview of Network Guardian’s default sections and pages.

Dashboard

The dashboard is the default home page of your Network Guardian system. It displays service information and customizable summary reports.

Logs and reports

The Logs and reports section contains the following sub-sections and pages:

Field Information

Username Enter admin This is the default Network Guardian administrator account.

Password Enter the password you specified for the admin account when installing Network Guardian.

(17)

Reports

Alerts

Pages Description

Summary Displays a number of generated reports. For more information, refer to the

Network Guardian Operations Guide.

Reports Where you generate and organize reports. For more information, refer to the

Recent and saved Lists recently-generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide.

Scheduled Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide.

Custom Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide.

Alerts Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide.

Alert settings Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide.

(18)

Realtime

Logs

System A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide.

Firewall A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide.

Email Displays the email log viewer running in real time mode. For more information, see Email Logs on page 112.

Portal A real time view of activity on user portals. For more information, refer to the

IM proxy A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 104.

Web filter Displays the web filter log viewer running in real time mode. For more information, see Web Filter Logs on page 105.

Traffic graphs Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide.

System Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide.

Firewall Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide.

Email Displays sender, recipient, subject and other email message information. For more information, see Email Logs on page 112.

IM proxy Displays information on instant messaging conversations. For more information, see IM Proxy Logs on page 116.

Web filter Displays time, username, source IP and other web filtering information. For more information, see Web Filter Logs on page 105.

Log settings Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the

(19)

Settings

Networking

The Networking section contains the following sub-sections and pages:

Filtering

Routing

Datastore settings Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide.

Groups Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide

Output settings Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide.

Zone bridging Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 135.

Group bridging Used to define the network zones that are accessible to authenticated groups of users. For more information, see Group Bridging on page 140.

IP block Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 127.

Subnets Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see

Creating Subnets on page 123.

RIP Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using RIP on page 124.

(20)

Interfaces

Settings

Services

The Services section contains the following sub-sections and pages:

Interfaces Configure and display information on your Network Guardian’s internal interfaces. For more information, see Configuring Global Settings for Interfaces

on page 26.

Internal aliases Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet – without the need for physical switches. For more information, see on page 126.

Port groups Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 132.

Advanced Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 129.

(21)

Authentication

User Portal

Settings Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 144.

Directories Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Servers on page 145.

Groups Used to customize group names. For more information, see Managing Groups of Users on page 156.

Temporary bans Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 159.

User activity Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 161.

SSL login Used to customize the end-user SSL login page. For more information, see

About SSL Authentication on page 162.

Kerberos keytabs This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 164.

BYOD Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide.

Portals This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide.

Group access This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide.

User access This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide.

(22)

Proxies

SNMP

Message Censor

Instant messenger Used to configure and enable instant messaging proxying. For more information, refer to the Network Guardian Operations Guide.

FTP Used to configure and enable a proxy to manage FTP traffic. For more information, refer to the Network Guardian Operations Guide.

SNMP Used to activate Network Guardian’s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide.

Policies Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide.

Filters This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide.

Time This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the

Custom categories Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide.

(23)

System

The System section contains the following sub-sections and pages:

Maintenance

Central Management

Updates Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide.

Modules Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide.

Licenses Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide.

Archives Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide.

Scheduler Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the

Shutdown Used to shutdown or reboot the system. For more information, refer to the

Overview This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System

on page 173.

Child nodes This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 169.

Local node settings This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page 168.

(24)

Preferences

Administration

Hardware

User interface Used to manage Network Guardian’s dashboard settings. For more information, refer to the Network Guardian Operations Guide.

Time Used to manage Network Guardian’s time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide.

Registration options Used to configure a web proxy if your ISP requires you use one. Also, enables you configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide.

Hostname Used to configure Network Guardian’s hostname. For more information, refer to the Network Guardian Operations Guide.

Admin options Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide.

External access Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide.

Administrative users Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide.

UPS Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide.

Modem Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, refer to the Network Guardian Operations Guide.

(25)

Diagnostics

Certificates

Guardian

The Guardian section contains the following sub-sections and pages:

Functionality tests Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide.

Configuration report Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide.

IP tools Contains the ping and trace route IP tools. For more information, refer to the

Whois Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide.

Traffic analysis Used to generate and display detailed information on current traffic. For more information, refer to the Network Guardian Operations Guide.

Page Description

Certificate authorities

Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide.

(26)

Quick Links

Web Filter Policies

Page Description

Getting started This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 40.

Shortcuts This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see

About Shortcuts on page 35.

Quick block/allow This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 32.

Policy tester The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page 69.

Manage policies This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 49.

Policy wizard This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 50.

Location blocking Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 33.

Exceptions Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 33.

Outgoing This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page 72.

(27)

HTTPS Inspection Policies

Content Modification Policies

Manage policies This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 53.

Policy wizard This is where you create custom policies for managing encrypted

communications. For more information, see Creating an HTTPS Inspection Policy on page 54.

Settings This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 57.

Manage policies This is where you manage content modification policies that apply

recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 59.

Policy wizard Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page 60.

(28)

Anti-malware Policies

Block Page Policies

Policy Objects

Manage policies This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 64.

Policy wizard This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 64.

Status page Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 67.

Settings This is where you enable malware protection. For more information, see

Creating an Anti-malware Policy on page 64.

Manage policies This is where you manage block page policies. For more information, see

Managing Block Page Policies on page 120.

Policy wizard This is where you create and edit block page policies. For more information, see

Configuring a Block Page Policy on page 119.

Block pages This is where you create and edit block pages. For more information, see

Managing Block Pages on page 114.

Category groups This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects

on page 40.

User defined This is where you manage custom content categories. For more information, see Creating Custom Categories on page 42.

Time slots This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 44.

Locations This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 45.

Quotas This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page 47.

(29)

Swurl

Web Proxy

The Web proxy section contains the following sub-sections and pages:

Web Proxy

Upstream Proxy

Settings This is where you configure your organization’s Swurl account. For more information, see Configuring Organization Accounts on page 74.

Settings This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 94.

Automatic configuration

This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 98.

Bandwidth limiting This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 100.

WCCP This is where you can configure Network Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see

Configuring WCCP on page 102.

Manage policies This is where you manage upstream proxy policies. For more information, see

Working with Multiple Upstream Proxies on page 110.

Proxies This is where you configure upstream proxy settings. For more information, see

Configuring an Upstream Proxy on page 105.

Filters This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page 107.

(30)

Authentication

MobileProxy

Configuration Guidelines

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address

An IP address defines the network location of a single network host. The following format is used: 192.168.10.1

IP Address Range

An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:

Manage polices This is where you manage authentication policies which determine which web filter policies are applied. For more information, see Chapter 6, Managing Authentication Policies on page 77.

Policy wizard This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 78.

Exceptions This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 87.

Ident by location This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 88.

Settings On this page, you configure global MobileProxy server settings. For more information, refer to the Network Guardian Operations Guide.

Proxies On this page, you manage MobileProxyservers for use with mobile devices. For more information, refer to the Network Guardian Operations Guide.

Exceptions On this page, you specify proxy exceptions. For more information, refer to the

(31)

192.168.10.1-192.168.10.20 192.168.10.1-192.168.12.255

Subnet Addresses

A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways: 192.168.10.0/255.255.255.0

192.168.10.0/24

Netmasks

A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:

255.255.255.0 255.255.0.0 255.255.248.0

Service and Ports

A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:

21 7070

Port Range

A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:

137:139

Using Comments

Almost every configurable aspect of Network Guardian can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement.

Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules

Much of Network Guardian is configured by creating rules – for example, IP block rules and administration access rules.

(32)

Creating a Rule

To create a rule:

1. Enter configuration details in the Add a new rule area.

2. Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule

To edit a rule:

1. Find the rule in the Current rules area and select its adjacent Mark option.

2. Click Edit to populate the configuration controls in the Add a new rule area with the rule’s current configuration values.

3. Change the configuration values as necessary.

4. Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule

To remove one or more rules:

1. Select the rule(s) to be removed in the Current rules area. 2. Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules area will be Add a new host and Current users etc.

Connecting via the Console

You can access Network Guardian via a console using the Secure Shell (SSH) protocol.

Note: By default, Network Guardian only allows SSH access if it has been specifically configured. See Configuring Administration Access Options on page 144 for more information.

Connecting Using a Client

When SSH access is enabled, you can connect to Network Guardian via a secure shell application, such as PuTTY.

To connect using an SSH client:

1. Check SSH access is enabled on Network Guardian. See Configuring Administration Access Options on page 144 for more information.

(33)

2. Start PuTTY or an equivalent client.

3. Enter the following information:

4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Network Guardian command line.

Secure Communication

When you connect your web browser to Network Guardian’s web-based interface on a HTTPS port for the first time, your browser will display a warning that Network Guardian’s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.

Unknown Entity Warning

This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Network Guardian’s certificate is a self-signed certificate. Note: The data traveling between your browser and Network Guardian is secure and encrypted.

To remove this warning, your web browser needs to be told to trust certificates generated by Network Guardian.

To do this, import the certificate into your web browser. The details of how this are done vary between browsers and operating systems. See your browser’s documentation for information on how to import the certificate.

Field Description

Host Name (or IP address)

Enter Network Guardian’s host name or IP address.

Port Enter 222

(34)

Inconsistent Site Address

Your browser will generate a warning if Network Guardian’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Network Guardian’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Network Guardian using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.

Neither of the above issues compromise the security of HTTPS access. They simply serve to illustrate that HTTPS is also about identity as well encryption.

(35)

3 Working with Interfaces

This chapter describes how to configure the interfaces (network interface cards) on your Network Guardian, including:

• Configuring Global Settings for Interfaces on page 26 • Working with Bridges on page 27

• Working with Bonded Interfaces on page 28 • Configuring IP Addresses on page 29

(36)

Configuring Global Settings for Interfaces

Global settings determine Network Guardian’s primary and secondary DNS addresses. To configure global settings:

1. Browse to the Networking > Interfaces > Interfaces page.

The following settings global interface settings are available:

Setting Description

Default gateway A drop-down list of the current gateways available.

Primary DNS If Network Guardian is to be integrated as part of an existing DNS

infrastructure, enter the appropriate DNS server information within the existing infrastructure.

For more information, see Network Guardian and DNS on page 181.

(37)

Working with Bridges

It is possible to deploy Network Guardian in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible.

The following sections explain how to create, edit and delete bridges.

Creating Bridges

To create a bridge:

1. On the Networking > Interfaces > Interfaces page, click Add new interface. 2. In the Add new interface dialog box, configure the following settings:

3. Click Add. Network Guardian adds the bridge to the list on the Networking > Interfaces > Interfaces page.

Editing Bridges

To edit a bridge:

1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit. 2. In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 27

for information on the settings available.

3. Click Save changes. Network Guardian applies the changes.

Deleting Bridges

To delete a bridge:

1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete. 2. When prompted, click Delete to confirm you want to delete the bridge. Network Guardian

deletes the bridge.

Name Enter a name for the bridge.

Type Select Bridge.

Ports From the ports listed as available, select the ports to be used as bridge members.

Use as Select one of the following:

External – Select to use the bridge as an external interface.

Basic interface – Select to use the bridge as an interface with one or more IP addresses on it.

(38)

Working with Bonded Interfaces

Network Guardian enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one thus providing high availability.

Creating Bonds

To create a bond:

1. On the Networking > Interfaces > Interfaces page, click Add new interface. 2. In the Add new interface dialog box, configure the following settings:

3. Click Add. Network Guardian adds the bond to the list on the Networking > Interfaces > Interfaces page.

Editing Bonds

To edit a bond:

1. On the Networking > Interfaces > Interfaces page, point to the bond and click Edit. 2. In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 28 for

information on the settings available.

3. Click Save changes. Network Guardian applies the changes.

Deleting Bonds

To delete a bond:

1. On the Networking > Interfaces > Interfaces page, point to the bond and click Delete. 2. When prompted, click Delete to confirm you want to delete the bond. Network Guardian

deletes the bond.

Name Enter a name for the bond.

Type Select Bonding.

Ports From the ports listed as available, select the ports to be used as bond members.

Use as Select one of the following:

External – Select to use the bond as an external interface.

Basic interface – Select to use the bond as an interface with one or more IP addresses on it.

Bridge member – Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 27.

(39)

Configuring IP Addresses

The following sections explain how to add, edit and delete IP addresses used by interfaces.

Adding an IP Address

To add an IP address:

1. On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.

2. In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:

3. Click Add. Network Guardian adds the IP address to the interface.

Editing an IP Address

To edit an IP address:

1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.

2. In the IP addresses dialog box, point to the address and click Edit.

3. In the Edit address dialog box, make the changes needed and click Save changes. Network Guardian applies the changes.

Deleting an IP Address

To edit an IP address:

1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.

2. In the IP addresses dialog box, point to the address and click Delete. 3. When prompted, click Delete. Network Guardian deletes the address.

Status Select Enabled to enable the IP address for the NIC.

IP address Enter an IP address.

Subnet mask Enter the subnet mask.

(40)

(41)

4 Deploying Web Filtering

This chapter describes how to deploy Guardian’s web filter, including: • Getting Up and Running on page 31

• About Network Guardian’s Default Policies on page 36

Getting Up and Running

By default, Network Guardian comes with a comprehensive set of web filter policies and an authentication policy which you can use immediately in order to protect your users and your organization.

The following section explains how to use these policies to get web filtering up and running quickly. Tip: Log in to our support portal and read about initial setup considerations, testing and refining filter settings and tips on content filtering.

To get up and running:

1. On users’ computers, configure the web browser to use port 800 on Network Guardian as the web proxy, that is, non-transparent proxying.

(42)

2. Navigate to the Web proxy > Web proxy > Settings page.

3. Check that the Guardian option is enabled.

4. Scroll to the bottom of the page and click Save and Restart. Network Guardian starts to provide web security.

5. On a user’s computer, browse to http://thepiratebay.se/ Network Guardian blocks access to the site and displays a block page

You can edit the default policies and create new policies to suit you organization. For more information, see Chapter 5, Working with Policies on page 37.

Blocking and Allowing Content Immediately

Network Guardian enables you to block or allow content immediately without having to create or edit a web filter policy.

To block or allow content immediately:

1. Browse to the Guardian > Quick links > Quick block/allow page.

(43)

3. Click Block or Allow depending on what you want. Network Guardian immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content lists.

Blocking Locations

Network Guardian enables you to block web-enabled resources at a specific location from accessing content.

To block a location:

1. Browse to the Guardian > Web filter > Location blocking page.

2. Locate the location and click Block. Network Guardian blocks any web-enabled resources at that location from accessing web content. For more information on locations, see Chapter 5, Working with Location Objects on page 45.

Excepting Computers from Web Filtering

Network Guardian enables you to exempt specific computers from any web filtering. You can configure exceptions based on the source IP address or the destination IP address.

Configuring Source Exceptions

A source exception IP using a non-transparent connection will have unfiltered access to the Internet if configured to use port 801. A source exception IP going through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Network Guardian. A source exception IP using a transparent connection requires no client browser configuration.

(44)

To configure a source exception:

1. Browse to the Guardian > Web filter > Exceptions page.

2. In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.

(45)

Configuring Destination Exceptions

A destination exception IP which goes through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Network Guardian.

To configure a destination exception:

1. Browse to the Guardian > Web filter > Exceptions page.

2. In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.

About Shortcuts

Network Guardian provides a number of shortcuts to tasks you might carry out on a daily basis. To access the shortcuts:

1. Browse to the Guardian > Quick links > Shortcuts page. 2. Click on a link to be taken to the task’s page.

(46)

About Network Guardian’s Default Policies

The following sections discuss Network Guardian’s default web filtering and authentication policies.

About the Default Web Filter Policies

Network Guardian’s default web filtering default policies are:

• Web filter policies – these policies allow users access to custom specified content, access to specific web sites at lunch time and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts and enforce file security. To review this policy, browse to the Guardian > Web filter > Manage policies page. For information on customizing web filter policies, see Chapter 5, Managing Web Filter Policies on page 49. • HTTPS inspection policies – these policies can be enabled to allow users to access online

banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information on customizing HTTPS inspection policies, see Chapter 5, Managing HTTPS Inspection Policies on page 53.

• Content modification policies – these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information on customizing content modification policies, see Chapter 5, Managing Content Modification Policies on page 59. • Anti-malware policy – this policy protects against malware and viruses. To review this policy,

browse to the Guardian > Anti-malware > Manage policies page. For information on

customizing anti-malware policies, see Chapter 5, Managing Anti-malware Policies on page 64.

About the Default Authentication Policies

Network Guardian comes with the following authentication policy ready for use:

• Non-transparent authentication policy – any user’s browser configured to use Network Guardian on port 800 as its web proxy will have this authentication policy applied to it. For information on creating more authentication policies, see Chapter 6, About Authentication Policies on page 77.

(47)

5 Working with Policies

This chapter describes how to configure, and maintain, Guardian policies, including: • An Overview of Policies on page 38

• Working with Category Group Objects on page 40 • Working with Time Slot Objects on page 44 • Working with Location Objects on page 45 • Working with Quota Objects on page 47 • Managing Web Filter Policies on page 49

• Managing HTTPS Inspection Policies on page 53 • Managing Content Modification Policies on page 59 • Managing Anti-malware Policies on page 64 • Using the Policy Tester on page 69

• Working with Policy Folders on page 70 • Censoring Web Form Content on page 72 • Configuring Organization Accounts on page 74

(48)

An Overview of Policies

Policies determine how Network Guardian handles web content to best protect your users and your organization. You can create and deploy custom policies to fit your organization. Deploying custom policies entails:

• Configuring custom policies based on your organization’s Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 38

• Configuring authentication policies; for more information, see Chapter 6, Creating Authentication Policies on page 78

• Configuring users’ browsers or network connections to use Network Guardian as their web proxy or default gateway; for more information, see Connecting to Network Guardian on page 89.

Types of Policies

Network Guardian enables you to create the following types of policies:

• Web filter policies – Web filter policies determine whether to allow, block, soft block or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 49

• HTTPS inspection policies – when enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content in order to determine to handle the content based on web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 53

• Content modification policies – Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see

Managing Content Modification Policies on page 59.

• Anti-malware policies – Anti-malware policies are used to against malware and viruses. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 64.

How Policies are Applied

How Network Guardian applies policies depends on the original web request from a user. The following diagrams give a high-level view of what happens when a user makes a non-encrypted (HTTP) web request and an encrypted (HTTPS) web request.

(49)

(50)

Guardian Getting Started

The Getting started page explains policies and policy objects.

Working with Category Group Objects

A category group object is a collection of URLs, domains, phrases, lists of file types and/or security rules. Network Guardian uses category group objects in policies to determine if a user should be allowed access to the content they have requested using their web browser.

(51)

Creating Category Group Objects

The following section explains how to create a category group object to be used in a web filter policy. To create a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.

2. In the Manage category groups area, configure the following settings:

3. Click Save. The category group object is saved and added to the list of groups of content available.

Name Enter a name for the category group.

Comment Optionally, enter a comment to make it easier to remember what the category contains.

Content categories Select the content you want to include in the category group object. Click

[ + ] to access and view any sub-categories available.

Tip: Click the Advanced view option to access more detailed information on the content.

(52)

Creating Custom Categories

You can define new categories of content for use in category group objects to suit you organizations requirements.

To create custom categories, do the following:

1. Browse to the Guardian > Policy objects > Categories page.

2. From the Manage categories panel, configure the following parameters:

 Name — The name of the category.

 Comment — Enter an optional description for this category.

 Domain/URL filtering — Enter the domains and or URLs for this category. Only one entry is allowed per line. Note that www. is not needed for URLs. 3. Optionally, click Advanced to access the following settings:

Search term filtering Enter one search term, surrounded by delimiters, per line for example:

( hardcore ) (xxx)

Spaces before and after a term are not removed, thus simplifying searching for whole words.

Parenthesis are required.

Secure Web Gateway Network Guardian Administration Guide

Secure Web Gateway

Network Guardian Administration Guide

Contents

About This Guide ... 1

Audience and Scope ... 1

Organization and Use ... 1

Conventions... 2

Related Documentation... 2

Chapter 1

Introduction ... 3

Overview of Network Guardian... 3

Annual Renewal... 3

Chapter 2

Network Guardian Overview ... 5

Accessing Network Guardian ... 5

Dashboard ... 6

Logs and reports ... 6

Reports ... 7

Alerts ... 7

Realtime... 8

Logs ... 8

Settings... 9

Networking ... 9

Filtering ... 9

Routing ... 9

Interfaces... 10

Settings... 10

Services... 10

Authentication ... 11

User Portal... 11

Proxies ... 12

SNMP ... 12

Message Censor ... 12

System ... 13

Maintenance... 13

Central Management ... 13

Preferences ... 14

Administration... 14

Hardware ... 14

Diagnostics... 15

Certificates ... 15

Guardian... 15

Quick Links... 16

Web Filter Policies ... 16

HTTPS Inspection Policies... 17

Content Modification Policies ... 17

Anti-malware Policies ... 18

Block Page Policies ... 18

Policy Objects ... 18

Swurl ... 19

Web Proxy... 19

Web Proxy ... 19

Upstream Proxy ... 19

Authentication ... 20

MobileProxy... 20

Configuration Guidelines... 20

Specifying Networks, Hosts and Ports ... 20

Using Comments ... 21

Creating, Editing and Removing Rules ... 21

Connecting via the Console ... 22

Connecting Using a Client ... 22

Secure Communication ... 23

Unknown Entity Warning... 23

Inconsistent Site Address ... 24

Chapter 3

Working with Interfaces ... 25

Configuring Global Settings for Interfaces ... 26

Working with Bridges ... 27

Creating Bridges ... 27

Editing Bridges... 27

Deleting Bridges ... 27

Working with Bonded Interfaces ... 28

Creating Bonds ... 28

Editing Bonds ... 28

Deleting Bonds... 28

Configuring IP Addresses ... 29

Adding an IP Address ... 29

Editing an IP Address ... 29

Deleting an IP Address... 29