Whitepaper

DriveLock Websecurity

Cloud-based internet security

CenterTools Software GmbH 2015

Contents

1 DriveLock Websecurity
1.1 Websecurity – cloud-based internet security
1.2 Configure DriveLock Websecurity
1.2.1 Global Settings

1 DriveLock Websecurity

1.1 Websecurity – cloud-based internet security

Classic web security is stuck in a legacy approach defined for a 1990s computing model: centralized and static. Today, network security appliances protect computers as long as they are within a company’s network, but struggle when computers are connected via public or home networks.

Contrary to the classic approach, DriveLock WebSecurity protects directly at the endpoint, independent of the type of the network connection.

The foundation of DriveLock WebSecurity is the CYREN GlobalView™ Cloud infrastructure, the largest security network of its kind in the world. The GlobalView™ Cloud processes over 13 Billion transactions every day and protects 550 million users in 190 countries from Internet threats. With local, regional, and continental redundancy, GlobalView™ Cloud provides multiple global points-of-presence, ensuring near-zero latency.

DriveLock WebSecurity utilizes the CYREN GlobalView™ Cloud to check each internet connection before it allows or denies access based on categories derived from the GlobalView™ Cloud. It blocks connections to phishing and other malicious sites, preventing infection and loss of login/credential data. The CYREN GlobalView™ Cloud is continuously updated with the most up-to-date information on phishing, advanced persistent threat, and other unsafe sites.

In addition to evaluating the categories from CYREN, domain URLs can be added to whitelists or blacklists.

1.2 Configure DriveLock Websecurity

To configure DriveLock WebSecurity, open or create a policy using the DriveLock Management Console. In the navigation area, select DriveLock Websecurity.

DriveLock Websecurity requires a valid subscription licence (see "Activating your Licence").

1.2.1 Global Settings

URL filtering mode (blacklist or whitelist mode)

There are two basic modes for operating DriveLock WebSecurity: blacklist mode and whitelist mode. Blacklist mode initially blocks nothing until a category or domain URL is configured in a blacklist. In contrast, whitelist mode blocks all access except to the categories or domain URLs configured in a whitelist. Simulation means that only events and user notifications are generated, but access is not actually blocked. Audit-only mode just logs events according to the configuration and does not generate user notifications. You can use these modes to evaluate your configuration before you activate real blocking.

To temporarily deactivate DriveLock WebSecurity, switch the URL filtering mode to “Off”; your configuration remains valid.

Always audit accessed URLs

When enabled, each accessed URL is audited, not only the ones filtered by a rule.

Target IP addresses to ignore

Create a list of IP addresses that should be completely ignored by DriveLock WebSecurity. Neither filtering nor auditing applies to them.

Ports to filter

By default, DriveLock WebSecurity listens on ports 80, 443 and 8080. If you want to filter different ports (e.g. because you use a proxy with non-standard ports), you have to enter the complete list of ports you want to filter.

In-Browser notification

By default, DriveLock WebSecurity redirects a blocked request to a built-in blocking page. You may also:

• configure a redirection to another URL - enter a fully qualified URL scheme, e.g. http://www.my_site.com/my_blocked_page
• create your own blocking page - the content may be a valid HTML page or pure text

Custom user notification messages

Enter your own user notification message for blocked pages. Use the placeholder %URL% to display the blocked URL within your text.

Advanced settings

These settings should not be changed without a specific reason.

• Event settings - when a web page is accessed, multiple requests are sent to a server. To avoid generating an event for each request, multiple accesses to the same server name are collected as one event for the given time. Default is one minute (60 seconds). To configure the WebSecurity events, in the policy open Global Configuration / Event message transfer settings / Events and scroll down to the section for DriveLock WebSecurity (almost at the end).

• Cache settings - the URL category of accessed websites is cached in memory for the given time to reduce the number of requests to the CYREN GlobalView™ Cloud. Default is one day (86400 seconds). If available and enabled, DriveLock Websecurity will first ask the DriveLock Enterprise Service (DES) about the category of a website. The DES will cache the category too (for all agents connected). If many users work on the same websites, this will further reduce requests to the CYREN GlobalView™ Cloud. To enable the URL category caching of the DES, in the DriveLock Management Console open DriveLock Enterprise Services / Servers / double-click <Server Name> / Update synchronization and check Enable URL categorization.

1.2.2 URL – Filtering Rules

URL filtering can be configured based on URL categories and/or URL lists. A group of categories can be configured as a set of categories using the category group rule.

• URL category rules / New / Category group rule... or
• URL category rules / New / URL category rule... or
• URL list rules / New / URL list rule...

Double-click an existing rule to edit its properties.

Use the General tab to name the rule (Description) and to select the Rule type.

In blacklist mode, whitelist rules have higher priority than blacklist rules, so websites matching a whitelist rule are never blocked. In whitelist mode it is the other way round: websites matching a blacklist rule are always blocked. Use the corresponding tabs to select the Time limits, Connections, Networks, Users and Permissions the rule should be valid for.

Use the Messages tab to configure exceptions for user notifications and auditing.

URL-category rules

Available categories and category groups are shown in the table below.

No | Category | Category groups (Security, Parental Control, Productivity, General Use)
3 | Anonymizers | X
5 | Botnets | X
9 | Compromised | X
35 | Malware | X
36 | Network Errors | X
40 | Parked Domains | X
43 | Phishing & Fraud | X
55 | Spam Sites | X
1 | Advertisements & Pop-Ups | X X
8 | Child Abuse Images | X X
11 | Criminal Activity | X X
12 | Cults | X X
13 | Dating & Personals | X X
20 | Gambling | X X
25 | Hacking | X X
26 | Hate & Intolerance | X X
28 | Illegal Drug | X X
29 | Illegal Software | X X
32 | Instant Messaging | X X
39 | Nudity | X X
41 | Peer-to-Peer | X X
45 | Pornography/Sexually Explicit | X X
54 | Social Networking | X X
58 | Tasteless | X X
62 | Violence | X X
63 | Weapons | X X
2 | Alcohol & Tobacco | X
7 | Chat | X
50 | School Cheating | X
52 | Sex Education | X
14 | Download Sites | X
21 | Games | X
30 | Image Sharing | X
33 | Job Search | X
53 | Shopping | X
56 | Sports | X
57 | Streaming Media & Downloads | X
4 | Arts | X
6 | Business | X
10 | Computers & Technology | X
15 | Education | X
16 | Entertainment | X
17 | Fashion & Beauty | X
18 | Finance | X
19 | Forums & Newsgroups | X
22 | General | X
23 | Government | X
24 | Greeting cards | X
27 | Health & Medicine | X
31 | Information Security | X
34 | Leisure & Recreation | X
37 | News | X
38 | Non-profits & NGOs | X
42 | Personal Sites | X
44 | Politics | X
46 | Private IP Addresses | X
47 | Real Estate | X
48 | Religion | X
49 | Restaurants & Dining | X
51 | Search Engines & Portals | X
59 | Translators | X
60 | Transportation | X
61 | Travel | X

URL category rules

Open tab URL categories and check one or more Category groups or URL categories the rules should filter.

URL list rules

You may use wildcard characters to define patterns for URLs to be filtered. Use the asterisk (*) as a substitute for zero or more characters, or use the question mark (?) as a substitute for a single character.

Examples:

Pattern | Matches | Does not match
*.drivelock.com | www.drivelock.com, support.drivelock.com | Drivelock.com, www.bad_drivelock.com
*drivelock.com | www.drivelock.com, www.bad_drivelock.com, bad_drivelock.com |
drivelock.?? | drivelock.de, drivelock.fr, drivelock.es | drivelock.com, drivelock.co.uk
drivelock.* | drivelock.de, drivelock.com, drivelock.co.uk, drivelock.phishing.com |
*.*.* | Any subdomain.second-level domain.top-level domain | second-level domain.top-level domain

To avoid unwanted connections, be careful with wildcard characters, especially if you use them in whitelists and in second-level or top-level domains (see examples marked in red).
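The wildcard semantics above, combined with the rule priority described for blacklist and whitelist mode, can be dry-run against a list of probe host names before a whitelist is deployed. The following Python sketch is an added example, not DriveLock code: the function names, the mode strings, the case-insensitive comparison and the blacklist patterns are assumptions, and only URL list rules are modelled.

```python
import re

def matches(pattern: str, host: str) -> bool:
    """Whole-name match: '*' is zero or more characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern.lower())
    return re.fullmatch(rx, host.lower()) is not None

def decide(mode: str, host: str, whitelist, blacklist) -> str:
    """Verdict from URL list rules only (categories, users, time limits not modelled)."""
    white = any(matches(p, host) for p in whitelist)
    black = any(matches(p, host) for p in blacklist)
    if mode == "off":
        return "allow"
    if mode == "blacklist":   # default allow; a whitelist match is never blocked
        return "block" if black and not white else "allow"
    if mode == "whitelist":   # default block; a blacklist match is always blocked
        return "allow" if white and not black else "block"
    raise ValueError(f"unknown mode: {mode!r}")

def unintended_allows(mode, whitelist, blacklist, intended, probes):
    """Probe hosts that end up allowed although they are not in the intended set."""
    return [h for h in probes
            if h not in intended and decide(mode, h, whitelist, blacklist) == "allow"]

# Constructed sample policy; the probe host names are the ones from the table above.
BLACKLIST = ["*.phishing.com", "*bad_*"]
LOOSE_WHITELIST = ["*drivelock.com", "drivelock.*"]
TIGHT_WHITELIST = ["drivelock.com", "*.drivelock.com"]
INTENDED = {"drivelock.com", "www.drivelock.com", "support.drivelock.com"}
PROBES = ["www.drivelock.com", "support.drivelock.com", "drivelock.com",
          "www.bad_drivelock.com", "bad_drivelock.com", "drivelock.phishing.com"]

if __name__ == "__main__":
    for mode in ("blacklist", "whitelist"):
        for name, wl in (("loose", LOOSE_WHITELIST), ("tight", TIGHT_WHITELIST)):
            print(mode, name, unintended_allows(mode, wl, BLACKLIST, INTENDED, PROBES))
```

In blacklist mode the loose whitelist overrides the blacklist for all three lookalike hosts, while the tight whitelist leaves them blocked.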

DriveLock WebSecurity does not send any content to the CYREN GlobalView™ Cloud except the domain part of a URL, in order to get the category back. DriveLock WebSecurity does not read the content of encrypted connections. An open HTTPS connection is not blocked as soon as a rule changes, but only when the connection is opened again. A refresh in the browser normally reuses the

Best Practice for Beginners

• Use DriveLock WebSecurity in blacklist mode (nothing is blocked by default).
• Create a blacklist to block the category group Security (insecure content).
• Create a blacklist to block unwanted categories (e.g. Shopping).
• Create a whitelist (URL list) to allow blocked but needed resources (e.g. *.amazon.com, *.amazon.de).
• Start in Simulation mode (otherwise your users may complain about blocked resources).
• Switch on Always audit accessed URLs to audit all requests.
• Monitor the blocked/allowed/visited requests and adapt your rules accordingly.
• Switch off Simulation mode if your monitoring doesn't report unwanted blocking.
• Switch off Always audit accessed URLs to minimize audited events.

Copyright

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

© 2015 CenterTools Software GmbH. All rights reserved.

CenterTools and DriveLock and others are either registered trademarks or trademarks of CenterTools Software GmbH or its subsidiaries in the United States and/or other countries.
