SERVICE DESCRIPTION

Web Proxy

Date: 14.12.2015

1 INTRODUCTION

This document describes the Web Proxy managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service.

Field of application

Our office life would be unthinkable today without access to the Internet. The Web Proxy service puts an additional security stage between the user and the Internet: incoming and outgoing data traffic is captured by the proxy, checked and then forwarded to the intended recipient.

Benefits

All HTTP and FTP traffic is buffered on the proxy. Data traffic is minimised by a sophisticated caching process. Requests are answered more quickly as the data does not have to be first downloaded from the Internet, but can be taken from the local cache.

2 SERVICE DESCRIPTION

2.1 Basic service

The basic service provides the basic functionality of a transparent or explicit proxy, including antivirus services.

Name of service: Web Proxy

Service abbreviation: MSS-WP

Service version: 2.0

Status: Operational

Operating hours:
- OH1: Monday – Friday, 08:00 – 17:00 CET
- OH2: Monday – Saturday, 07:00 – 21:00 CET
- OH3: Monday – Sunday, 0:00 – 23:59 CET
- OH4: Monday – Friday, 08:00 – 17:00 local time

Availability guarantee:
- ACA: best effort
- ACB: 99.5% availability during operating hours
- ACC: 99.7% availability during operating hours
- ACD: 99.9% availability during operating hours

Usage parameter: The service is assessed on the basis of the number of users using the service concurrently.

Description: The basic service offers a forward proxy operated either transparently or explicitly. The proxy receives all the HTTP and FTP data traffic on behalf of the intended recipient. The data is examined for viruses, malware and other dangerous software. The data stream is then forwarded to the intended recipient.

Benefits: The data is examined by the proxy for viruses, malware and other dangerous software. This traps and renders harmless damaging software as soon as it reaches the perimeter of your company network, significantly enhancing the protection of your internal resources.

The proxy buffers the data in its own cache. Content that is retrieved many times need only be downloaded from the Internet the first time. The content is then read locally from the cache, making accesses to such content considerably faster.

The proxy receives requests and then forwards them. This process anonymises the actual sender. Security is thus enhanced, as internal addressing is concealed.

Key Performance Indicators (KPIs)

Reporting: The following service-specific values are collated in the monthly reports:
- infrastructure workload
- incoming and outgoing data volume per day
- viruses detected
- most-visited websites

Virus detection reports are provided in personalised form.

Measuring points: The following measuring points are monitored for the service:
- CPU/RAM utilisation
- log status
- number of concurrent users
- incoming and outgoing data volume
- status of the AV signature updates

Conditions of use: The proxy infrastructure must be implemented redundantly for availability guarantees that are better than ACA.

The Web Proxy service requires a valid Fortiguard or Forticare subscription for the infrastructure.

The AV signatures are updated automatically on a regular basis. Fortigate must be able to access the Fortiguard service via TCP port 443.

2.2 Options

2.2.1 Web Filter

The Web Filter service offers the customer the capability of blocking specified URL categories.

Name of the service option: Web Filter

Abbreviation: MSS-WP-URLF

Usage parameter: The service option is assessed by analogy with the basic service.

Description: The Web Filter service option allows blocking of web addresses. The Web Filter database is divided into six main categories with a total of 79 sub-categories.

The categories are maintained centrally. Requests for changes can be submitted directly to Fortiguard or through the USP Security Operations Center. All changes are checked by a team of analysts and implemented only if the review is positive. This generally happens within 24 hours.

In addition to the categories, blacklists and whitelists can be maintained so that regional circumstances can be taken into consideration, for example. The blacklists and whitelists are managed by the USP Security Operations Center.

When a requested address is blocked, the request is diverted to a customer-specific block page. Pages can be blocked generally or at customer-specific times. Blocked pages can be temporarily unblocked.

Benefits: In many companies, private use of the Internet, visiting social media websites for instance, is regulated. The Web Filter service gives our customers the capability of implementing these policies effectively. Websites known for phishing attacks, malware or other hazards can be blocked for as long as they constitute a risk. This reduces the risk of a client becoming infected, because users are prevented from accessing such sites and becoming infected without their knowledge.

This option allows sites that lead to high bandwidth consumption to be blocked, for example sites that provide Torrent downloads. Blocking this category will save you valuable bandwidth that will then be available to your business applications.

Key Performance Indicators (KPIs)

Compliance with the SLA is determined using the KPIs for the basic service.

Measuring points: The USP Security Operations Center is informed if a notable repetition of block events for a specific URL within a short period of time is detected. Repeated failures of Fortiguard requests lead to a notification to the USP Security Operations Center.

2.2.2 Authentication

The users are authenticated on the proxy.

Name of the service option: Proxy Authentication

Abbreviation: MSS-WP-AUTH

Usage parameter: The service option is measured on the basis of the number of users.

Description: The users must have a valid AD account before they can use the proxy.

Exceptions, for example system users, can be excluded from authentication on the basis of various criteria, such as client address.

The users are communicated to the proxy together with the AD groups. User authorizations are determined on the basis of their membership of AD groups.

Benefits: Granting rights at the AD group level allows a finely tuned rights model that matches company policies and the needs of the individual user groups. Access to social media websites can be limited for the bulk of the staff, for example, while the marketing department retains full access so that it can maintain the relevant company profiles.

The web page accesses of individual users are logged. While this data is kept confidential in normal operation, if necessary (if ordered by a court, for instance) it can be provided in detail so that legal requirements, even in strictly regulated environments such as banking or the health care sector, can be complied with.

Key Performance Indicators (KPIs)

Compliance with the SLA is determined using the KPIs for the basic service.

Reporting: The users are not listed separately in the monthly reports. These reports are only available with the written approval of the customer's legal entity.

Measuring points: The USP Security Operations Center is notified if the number of failed authentication attempts increases significantly.

Conditions of use: User authentication requires the installation of an FSSO agent on a member server. This server need not be dedicated. The customer is responsible for operating this server.

2.2.3 SSL Inspection

This option is provided for the inspection of encrypted data traffic.

Name of the service option: SSL Inspection

Abbreviation: MSS-WP-SSL

Usage parameter: The magnitude is defined on the basis of the basic service.

Description: Data traffic encrypted with SSL is terminated and inspected on the proxy. The data is then re-encrypted with the system's own certificate and forwarded to the intended recipient.

Various web applications do not permit encryption with an external certificate. These applications are excluded from scanning by SSL whitelists. All eGov and eBanking sites are excluded by default.

Benefits: Websites, Google or Facebook for example, are increasingly using the encrypted variant https. Because of their growing numbers, encrypted websites are increasingly becoming the targets of attacks and manipulations, so that it is no longer possible to guarantee the trustworthiness of such sites. Thanks to the SSL Inspection option, all the protective mechanisms of the proxy can also be applied to encrypted data traffic. SSL Inspection thus becomes an important building block for protecting your staff, and also your internal network.

Key Performance Indicators (KPIs)

Compliance with the SLA is determined using the KPIs for the basic service.

Reporting: Reporting is not changed. The https sites are, however, added to the existing filter reports.

Measuring points: No additional measuring points are introduced for this option. Where USP issues the necessary proxy certificates, USP will also monitor their validity.

Conditions of use: USP can issue the required proxy certificates (see MSS-WP-CERT) if desired.

It is the customer's responsibility to distribute the certificates. The customer is responsible for ensuring the validity of the certificates if they are issued by the customer himself or a third party is commissioned to do so.

2.2.4 Application Control

The data traffic is assigned to the applications from which it originates.

Name of the service option: Application Control

Abbreviation: MSS-WP-AC

Usage parameter: The service option is assessed on the basis of the size of the basic service.

Description: This service option analyses all data packets and assigns each data packet to an application. This data is logged so that usage can be subjected to detailed analysis.

Data assignment can be applied to other USP services. This allows the data traffic for individual applications to be blocked. Or data can be prioritised in conjunction with the quality of service option in the USP Wide Area Network service (MSS-WAN).

Unknown applications, for example customer-specific applications, can be recognised by way of custom patterns. The USP Security Operations Center is able to manage custom patterns if the customer makes them available.

Benefits: Often a detailed analysis is not able to give a conclusive answer as to which applications are using how much bandwidth and so causing bottlenecks in the network. The Application Control option provides detailed information on Layer 7 so that performance-enhancing measures can be configured with the greatest precision.

Individual functions within applications frequently cause security problems, while the remainder of the application is harmless or even vital for the business. Skype, for example, is a widely used communication application, yet the function for sending data to and fro through Skype is often not wanted. The Application Control option is able to restrict applications to the functions that are truly needed.

Key Performance Indicators (KPIs)

Compliance with the SLA is determined using the KPIs for the basic service.

Reporting: The following information is added to the reported data:
- applications with the greatest bandwidth consumption
- most-blocked applications

Measuring points: No additional measuring points are introduced for this option.

2.2.5 Intrusion Detection

This option makes it possible to detect and prevent attacks.

Name of the service option: IDS / IPS

Abbreviation: MSS-WP-IDS

Usage parameter: The service option is assessed on the basis of the size of the basic service.

Description: The data flow is examined for patterns by which attacks can be detected.

The patterns against which the data flow is compared are grouped into categories according to the attack targets, typically operating systems. Valuable resources are saved and false alarms are avoided because only patterns of realistic targets are checked.

During the acclimatisation phase, attacks are only detected and the results logged. At the end of this phase, USP will work with the customer to set up the optimum configuration. Detected attacks will then be blocked automatically by the firewall, if desired.

Benefits: It is frequently very difficult to detect an attack, and to reproduce it later, when a system is infiltrated by an attacker. The log data collated by an intrusion detection system is an important component in reproducing an infiltration. Analyses allow attacks to be illustrated, corresponding countermeasures to be taken and the security measures of the targets of the attack to be further developed.

Key Performance Indicators (KPIs)

Compliance with the SLA is determined using the KPIs for the basic service.

Reporting: The following information is added to the reported data:
- detected/blocked attacks

Alarm messages are sent to the USP Security Operations Center in addition to the reports. These alarm messages may also be sent to the customer if desired.

2.2.6 PAC File

The PAC file is made available to the clients on the proxy.

Name of the service option: PAC File

Abbreviation: MSS-WP-PAC

Usage parameter: The service option is assessed at a fixed rate independently of the basic service.

Description: When an explicit proxy is deployed, the client browsers have to be configured before it is possible to access the Internet via the proxy. This configuration is sent to the clients in a standardised format using a Proxy AutoConfiguration (PAC) file. The file is provided to the clients on the proxy using a web service.

Benefits: The use of a PAC file means that it is no longer necessary to distribute the configurations to the clients manually; instead, the clients download the configuration from the proxy automatically, which means that modifications can be quickly and easily distributed to all clients.

The use of an additional web server at each location is not necessary thanks to the ability to host the PAC file on the proxy.
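A PAC file of the kind described above, as an added example that is not the provider's file: the proxy address `proxy.example.internal:8080`, the internal domain `corp.example.internal` and the private address ranges are assumptions, and the small `isPlainHostName`/`dnsDomainIs`/`shExpMatch` equivalents at the top stand in for the functions a browser's PAC engine provides so the file can be unit-tested outside a browser.

```javascript
// Added example, not the provider's PAC file. The proxy address, the internal
// domain and the private address ranges are assumptions for this illustration.
//
// isPlainHostName, dnsDomainIs and shExpMatch are supplied by the browser's PAC
// engine; these minimal equivalents exist only so the file can be tested in Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Translate a shell glob ("10.*", "http:*") into an anchored regular expression.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
// True only for dotted-quad literals, so range globs never match names like 10.example.com.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

const PROXY = "PROXY proxy.example.internal:8080"; // assumed explicit proxy

// Entry point evaluated by the browser for every request.
function FindProxyForURL(url, host) {
  url = url.toLowerCase();
  host = host.toLowerCase();

  // 1. Unqualified intranet names never leave the local network.
  if (isPlainHostName(host)) return "DIRECT";

  // 2. The internal domain and private/loopback address literals go direct as well.
  if (dnsDomainIs(host, ".corp.example.internal")) return "DIRECT";
  if (isIpLiteral(host) &&
      (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*") || shExpMatch(host, "127.*"))) {
    return "DIRECT";
  }

  // 3. The basic service handles HTTP and FTP (HTTPS with the SSL Inspection option);
  //    other schemes are not routed via the proxy.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*") && !shExpMatch(url, "ftp:*")) {
    return "DIRECT";
  }

  // 4. Everything else goes through the proxy. Deliberately no "; DIRECT" fallback:
  //    that would silently bypass antivirus and web filtering whenever the proxy is down.
  return PROXY;
}
```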

Key Performance Indicators (KPIs)

Compliance with the SLA is determined using the KPIs for the basic service.

Reporting: This service option is not listed in the reports.

Measuring points: Accessibility of the web service is monitored.

2.2.7 Certificate Management

The USP Security Operations Center manages the web proxy certificate required for the SSL Inspection option.

Name of the service option: Certificate Management

Abbreviation: MSS-WP-CERT

Usage parameter: The service option is assessed at a fixed rate independently of the basic service.

Description: SSL data traffic that is terminated and examined on the proxy must subsequently be re-encrypted with a certificate so that it can be sent to the recipient securely. The certificate required can be purchased or issued by the customer himself as long as he has a PKI. Taking up the Certificate Management option means that the USP Security Operations Center takes over the issue and administration of the necessary proxy certificates.

Benefits: The full life-cycle of the proxy certificate is handled by the USP Security Operations Center. The certificate is renewed in good time before it expires, so that sufficient time remains to roll the certificate out to the clients. This avoids annoying and unnecessary interruptions caused by expired certificates. The customer's IT department does not need to worry about life-cycle tasks, and consequently has less work.

Key Performance Indicators (KPIs)

Compliance with the SLA is determined using the KPIs for the basic service.

3 ADDITIONAL DOCUMENTS

The present document describes the functional scope of USP's Web Proxy service. General information on the Service Level Agreement and on operation may be found in the additional documents.

Service management and SL catalogue: This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees.

Services catalogue: The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion.

Price list: The prices of all services and options are laid down in the price list.

4 DISCLAIMER

This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement.

USP's General Terms and Conditions shall apply unless higher-ranking provisions apply.
