Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention

Applications
November, 2010

2010 Websense, Inc. All rights reserved. Websense is a registered trademark of Websense, Inc. in the United States and certain international markets. Websense has numerous other registered and unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owner.

Contents
SolutionSummary................................................................................................................................... 3 SolutionDiagram..................................................................................................................................... 3 Introduction............................................................................................................................................ 4
Howitworks:...............................................................................................................................................................................................4 BeforeYouBegin........................................................................................................................................................................................4 ConfiguringtheWebsenseContentGatewayICAPClient........................................................................................................5

ConfiguringtheICAPServer..................................................................................................................... 7

SolutionSummary
WebsenseWebSecurityGatewayprovidesrealtimecontentscanningandWebsiteclassificationto protectnetworkcomputersfrommaliciousWebcontentwhilecontrollingemployeeaccesstodynamic, usergeneratedWeb2.0content. Webcontenthasevolvedfromastaticinformationsourcetoasophisticatedplatformfor2way communications,whichcanbeavaluableproductivitytoolwhenadequatelysecured.Thedilemmafor administratorsishowmuchaccesstoallow.Web2.0sitesrelyprimarilyonHTTP/HTTPSprotocols,which cannotbeblockedwithouthaltingallInternettraffic.Maliciouscontentcanusethismeansofentryintoa companynetwork. WebsenseWebSecurityGatewaycontainsahighperformanceWebproxyWebsenseContent Gateway,thatsupportsdeepcontentinspection. TheWebsenseContentGatewaymoduleoffers: AutomaticcategorizationofdynamicWeb2.0sites Automaticcategorizationofnew,unclassifiedsites HTTPScontentinspection Enterpriseproxycachingcapabilities

WebsenseContentGatewaysupportstheICAPv1protocolforintegrationwiththirdpartydataloss prevention(DLP)applications,suchasSymantecDataLossPrevention(formerlyVontuDataLoss Prevention),andRSADataLossPrevention.Datalosspreventionapplicationsdelivermultiprotocol monitoringandblockingofsensitivedataleavingthenetwork.DLPisavailableinvariousconfigurations, oneofwhichutilizesaHTTP/HTTPS/FTPproxywithICAPclientsuchastheWebsenseContentGateway formonitoringandblockingofsensitivedata. ThisdocumentprovidesinstructionsonconfiguringWebsenseContentGatewayasanICAPclientfor nonWebsenseDLPproductsactingastheICAPserver.

SolutionDiagram

Introduction
WebsenseContentGatewaysupportsintegrationwithSymantecDataLossPreventionandRSADataLoss PreventionthroughtheICAPv1(InternetContentAdaptationProtocol)interface. SymantecandRSAsitescanapplytheirDLPtoolstotheflowoftrafficthattransitsContentGatewayon itswaytotheInternet.TheintegrationfacilitatesoffloadingofHTTPPOST,HTTPSPOST(ifSSLManager isenabled),andFTPPUTtoadesignatedDLPserverforcontentanalysisandpolicyenforcement.Inthis configuration,ContentGatewayactsasanICAPclientcommunicatingwiththeDLPapplication,which actsasanICAPserver. Howitworks: 1. ContentGatewayinterceptsoutboundcontentandprovidesthatcontenttotheDLPapplication viaICAPv1. 2. TheDLPapplicationdeterminesiftheWebpostingorFTPuploadisallowedorblocked. Thedeterminationisbasedonpolicy. ThedispositioniscommunicatedtoContentGateway. TheDLPapplicationlogsthetransaction.

3. ContentGatewayactsonthedetermination. a. Ifthecontentisblocked,itisnottransmittedtotheremotehostandtheDLPapplication returnsablockpagetothesender.* b. Ifthecontentisallowed,itisforwardedtoitsdestination. TransactiondetailsareloggedbytheDLPapplication,peritsconfiguration. *Blockpagehandling WhenarequestisblockedandtheDLPserversendsablockpageinresponse: ContentGatewayforwardstheblockpagetothesenderina403Forbiddenmessage. Theblockpagemustbelargerthan512bytesorsomeuseragents(e.g.,InternetExplorer)will substituteagenericerrormessage.

BeforeYouBegin ThissectionprovidesinstructionsforintegratingwiththethirdpartyDLPapplication.Thisdocumentis notintendedtosuggestoptimuminstallationsorconfigurations. Itisassumedthatthereaderhasworkingknowledgeofallproductsinvolved,andtheabilitytoperform thetasksoutlinedinthissection.Administratorsshouldhaveaccesstotheproductdocumentationforall productsinordertoinstalltherequiredcomponents. Allvendorproductsandcomponentsmustbeinstalledandworkingpriortotheintegration.Performthe necessaryteststoconfirmthatthisistruebeforeproceeding.

 ConfiguringtheWebsenseContentGatewayICAPClient
Note: This document assumes that the administrator has deployed and configured Websense Content Gateway to proxy HTTP(S) and/or FTP traffic as outlined in the Deploying with Websense Content Gateway Guide. Ensure that all proxy traffic is working properly before beginning any of the procedures listed below.

TheContentGatewayICAPv1interfacesupportsWebsenseDataSecuritySuite,SymantecDataLoss Prevention,RSADataLossPrevention,andotherapplicationsthatactasICAPservers. ToconfigureintegrationwithICAP,logontoContentGatewayManagerandgototheConfigure> MyProxy>Basic>Generalpage.

1. IntheNetworkingsectionoftheFeaturestable,selectDataSecurityOn,andselectICAP.

2. ClickApply,andthenclickRestart(topofpage).

 3. NavigatetoConfigure>Networking>ICAP>General.

 4. IntheICAPServiceURIfield,entertheUniformResourceIdentifier(URI)fortheICAPserver. AURIissimilartoaURL,buttheURIendswithadirectory,ratherthanapage.Obtaintheidentifier fromyourDLPapplicationadministrator.EntertheURIinthefollowingformat: icap://hostname:port/path Forhostname,entertheIPaddressorhostnameoftheDLPserver. ThedefaultICAPportis1344. PathisthepathoftheICAPserviceonthehostmachine. Forexample: icap://ICAP_machine:1344/REQMOD YoudonotneedtospecifytheportifyouareusingthedefaultICAPport1344. 5. UnderAnalyzeHTTPSContent,indicateifdecryptedtrafficshouldbesenttotheDLPserverfor analysisorsentdirectlytothedestination.YoumustberunningSSLManagertosendHTTPStrafficto theDLPserver. 6. UnderAnalyzeFTPUploads,selectwhethertosendFTPuploadrequeststotheDLPserverfor analysis.TheFTPproxyfeaturemustbeenabledtosendFTPtraffictotheDLPserver. 7. UnderActionforCommunicationErrors,selectwhethertopermittrafficorsendablockpageif ContentGatewayencountersanerrorwhilecommunicatingwiththeDLPserver. 8. UnderActionforLargeFiles,selectwhethertopermittrafficorsendablockpageifafilelargerthan thesizelimitspecifiedbytheDLPserverissent. 9. ClickApply. NOTE:IfyouchangetheURI,youmustrestartContentGateway.Otherchangesdonotrequirearestart.

ConfiguringtheICAPServer
ConfiguretheSymantecorRSADLPserverforICAPperthevendorsproductdocumentation.