Clearswift SECURE Gateways

Securing business critical information from internal and external threats

www.clearswift.com

Table of Contents

- Introduction
- Clearswift SECURE Gateways
- Clearswift SECURE Email Gateway (SEG)
- Clearswift SECURE Web Gateway (SWG)
- Clearswift SECURE Exchange Gateway (SXG)
- Clearswift SECURE ICAP Gateway (SIG)
- Clearswift IG server (IGS)
- Clearswift SECURE File Gateway (SFG)
- Software Developer Kit (SDK)
- Gateway Deployment Options
- Support and Professional Services
- Summary
- About Clearswift

Introduction

Clearswift is a business with over twenty years of experience. Its content-aware, policy-based solutions are used by over 3000 organizations globally, enabling them to manage and maintain no-compromise data, web and email security across all Gateways and in all directions.

Our track record in innovation includes developing many of the features the security industry now considers standard, including:

- Deep Content Inspection (DCI)
- Policy-based encryption
- Inbound and outbound content scanning across multiple communication channels
- Internal content scanning for collaboration software

Clearswift continues to lead the IT security industry with the deployment of production-ready appliances and virtual Gateways on the vSphere platform. Using powerful, effective and tested content-aware policies, these solutions protect our clients, employees and trusted third-parties.

As business practices change to adapt to the introduction of the cloud, big data and BYOD (Bring Your Own Device) coupled with the increasing amount of collaboration organizations now face, Clearswift continues to innovate and adapt our flagship solutions, the Clearswift SECURE Gateways.

Clearswift SECURE Gateways

Securing business critical information from internal and external threats

Common functionality

The Clearswift SECURE Gateways rely on shared core technology to make them easy to deploy and manage as well as ensuring consistency across the different communication protocols. Clearswift made its name with its Deep Content Inspection engine, and it is this engine which lies at the heart of all the Gateways.

With Web and Email traffic being the primary point of exit for every organization’s information, and the entry point for collaborative content from trusted 3rd parties, it makes sense to protect them with consistent and complementary technologies. Whether you have an on-premise or cloud based security strategy, the SECURE Gateways can be used in multiple deployment modes to replace or augment your existing technology.

Web and Email Gateways can be joined together so that they can share policy items such as dictionaries, templates and rules, and have policy defined via a single console.

While security solutions can be notoriously difficult to use and manage, the SECURE Gateways have been designed with the administrator and the user in mind. They are focused on masking the sophistication of the solution, making them both easy to use and easy to manage.

This year Information Governance capabilities are being added to enable scanning of SMTP email, Internet traffic and Exchange based email, all managed through a central console.

Easy to use, efficient to manage

The Gateways have been designed to be easy to install, deploy and manage. With installations on preconfigured hardware, on a customer’s preferred hardware supplier or with vSphere and Hyper-V, clients can be up and ready to configure a Gateway with their policies in less than 30 minutes.

Preconfigured and sample rulesets, including dictionaries for PCI and PII, coupled with an intuitive user interface are provided for each configuration of client-specific policies. With a consistent policy management framework and user interface style across products, system administrators can be easily cross-trained between products, reducing training overhead.

Administrators will save time thanks to automated downloads of updates, scheduled reporting, off-box backups, database optimization and application monitoring and alerting.

Deep Content Inspection

Deep Content Inspection identifies sensitive data during filtering of information through the Gateways. The Deep Content Inspection engine is responsible for:

- True file type detection
- Text extraction
- Text scanning

Clearswift has developed its own innovative extraction and scanning engine, enabling it to determine additional important information. The ability to detect whether text is in a document’s header, footer or main body, for example, becomes important when designing detection policies. Without this additional intelligence, false positives can become unmanageable and the solution ineffective. Deep understanding of document types and the information they contain has also enabled the development of a new technology, Adaptive Redaction, which allows documents to be modified and critical information that could cause a data leak to be removed.

Once the inspection has been carried out, policies can be applied. The most common policies are those around Data Loss Prevention.

Data Loss Prevention

Data Loss (or Leak) Prevention (DLP) is built in as standard for the SECURE Gateways and relies upon the information being passed from the Deep Content Inspection engine in order to make decisions. DLP is direction agnostic, which is to say that it can be used to prevent information from entering an organization as well as leaking out. With the increase in legislative requirements, DLP is becoming essential for organizations of all sizes. Once thought to be only the preserve of global organizations, it can now be easily deployed by even the smallest.

Scanning for textual items within messages and attachments allows for the detection and redaction of sensitive information before it leaves your Gateway, including:

- Simple words, phrases and sensitive fragments from previously categorised documents
- Sophisticated token handling, such as banking codes, social security numbers, national insurance numbers and credit card details
- Personally Identifiable Information (PII) tokens
- User defined tokens
- User defined patterns and regular expressions
- Expressions based around Boolean (AND, OR, XOR, ANDNOT) and positional operators (NEAR, BEFORE, AFTER, and FOLLOWEDBY)
- Dictionaries containing expressions that can be created by clients
- Pre-defined compliance, including for GLBA, HIPAA, SOX, IBAN, NI, Tax File Number, German Identity and PCI
- Structured data search information which may be held in databases, e.g. client records
- Full and partial document fingerprinting using a centralised multi-protocol solution

The key to an effective DLP solution is ease of policy definition and flexibility in its use. A simple approach enables even the smallest IT department to put effective policies together quickly and efficiently.

Adaptive Redaction

The latest generation of Gateways have options for Adaptive Redaction to be included as part of the DLP actions. Standard DLP relies on detecting business critical information and blocking it at the Gateway. However, Adaptive Redaction provides the option to automatically remove the data that violates policy and allow the remaining information to continue to its destination. There are three common Adaptive Redaction options:

1. Data redaction

This is the policy-based removal of words, phrases and tokens. In order to maintain document integrity, these are replaced with an alternative character, for example ‘X’. For credit card tokens, there is an option to replace everything but the last four digits.

2. Document sanitization

Today’s electronic documents contain information other than that which can be seen - there is hidden meta-data as well as revision history information. This can all be automatically removed to prevent accidental data leaks.

3. Structural sanitization

With the ever increasing risk of malware in the common file formats (e.g. Microsoft Office documents, Adobe pdf, etc.), the Gateways can detect and remove Active Content from files. The sanitized document is delivered to the intended destination without the associated security risks present.

While traditional DLP solutions operate with a ‘stop and block’ action on information which violates policy, the new Adaptive Redaction technology offers further flexibility. Adaptive Redaction, like DLP, is direction agnostic, so it works in both directions. As well as being used to prevent social security numbers from leaving the organization, for example, it can also prevent them from being received. Web pages which are blocked due to offensive language can now have the offensive words removed, allowing the sanitized web page to be displayed. Organizations who use social media sites can often find employees unable to view a page due to offensive comments; Adaptive Redaction ensures that this problem does not occur.

In the case of business proposals, it is not uncommon to base them on an existing business proposal for a different client. This has caused embarrassment in the past with the client able to look at revision history or meta-data and see the original information. Document sanitization ensures that this won’t happen.
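Data redaction as described above (policy terms replaced by ‘X’, card numbers masked except for the last four digits), as an added Python example that is not Clearswift code. The Luhn check used to limit false positives, the card pattern, and the sample term and text are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single
# spaces or hyphens (assumed pattern, not taken from the product).
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample input: a well-known test card number and an order
# reference that merely looks like one.
SAMPLE = ("Invoice for Project Falcon: card 4111 1111 1111 1111, "
          "order ref 1234567890123456.")
POLICY_TERMS = ["Project Falcon"]  # hypothetical dictionary entry


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to avoid masking arbitrary 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(match: re.Match) -> str:
    """Replace all digits but the last four with 'X', keeping separators."""
    token = match.group(0)
    digits = re.sub(r"\D", "", token)
    if not luhn_valid(digits):
        return token            # not a plausible card number: leave as is
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in token:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(ch)      # spaces and hyphens preserve the layout
    return "".join(out)


def redact(text: str, terms: list[str]) -> str:
    """Mask card tokens, then overwrite each policy term character by character."""
    text = CARD_RE.sub(mask_card, text)
    # Longest terms first so a phrase is redacted before any shorter term in it.
    for term in sorted(terms, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
        # Same length as the original, so the document layout is unchanged.
        text = pattern.sub(lambda m: re.sub(r"\S", "X", m.group(0)), text)
    return text


if __name__ == "__main__":
    print(redact(SAMPLE, POLICY_TERMS))
```
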

Threat protection

While much is made in the press as to the effectiveness of threat protection measures such as anti-virus (AV) solutions in today’s age of Advanced Persistent Threats (APTs) and other advanced threats, AV is still an efficient method of dealing with the millions of viruses and other malware which are present in email and on the Internet. Clearswift offers different AV solutions from Sophos or Kaspersky as well as the ability to use multiple AV engines at the same time. AV definitions are updated automatically by the Gateways to ensure that the infrastructure is always protected. Many organizations prefer the additional layer of protection that running products from different AV vendors at the Gateway and endpoint offers.

The importance of people

Understanding the information that is being sent is only part of the story. Clearswift Gateways integrate with directory systems such as Active Directory to provide additional context, enabling policies which take both people and role based groups into account. This means that the CEO can have a different policy from an individual based in finance, for example, or a group of engineers. This added dimension of policy definition ensures that the system remains flexible, easy to deploy and simple to manage.

[Figure: Easy to use policy definition: where policies are being applied and what they are looking for]

Reporting

Any security solution today needs to be part of an Information Governance or compliance programme. The SECURE Gateways offer extensive reporting facilities in support of these requirements, enabling system administrators to rapidly create both management and real time reports. As reports are often required to be shared, these can be created in different formats, whether that be HTML or PDF as a textual representation, or whether the data be exported to CSV for import into a spreadsheet.

For organizations with a Security Information and Event Management (SIEM) solution, the Gateways are compatible with various platforms, including:

- RSA Envision
- HP ArcSight
- Splunk

They can also create SMTP and SNMP alarms to alert administrators to issues more quickly. When an issue is discovered, easy access to granular log files minimizes the time to resolution.

All changes to system configurations are audited, and with role based access control it is simple to delegate responsibilities and detect whether personnel are attempting to circumvent policy.

Clearswift SECURE Email Gateway

The SECURE Email Gateway (SEG) has its heritage in the Clearswift MIMEsweeper product. Along with the shared functionality, it is designed to offer secure email-based communications closely aligned to an organization’s business requirements.

Spam protection

The nuisance of spam continues to be a burden for organizations and the SEG combines a number of filtering technologies to deliver 99.9% detection rates.

The multi-layer spam defense includes both connection and network level checks coupled with monitoring of content. It incorporates the TRUSTmanager IP reputation system, which uses community feedback on good and bad senders, to effectively block spammers and malware at the IP connection, in conjunction with SpamLogic and a Bayesian filter. A cloud-assisted spam detection system recognizes new spam runs as they are emerging.

As with anti-virus, the definitions are constantly updated to ensure comprehensive up-to-the-minute protection against all the latest threats.

[Figure: Multiple Technologies Provide Comprehensive Spam Protection. Connection/network level checks: 90% of spam rejected with these filters. Content level checks: 99.9% spam detection with these filters.]

Encryption

With the growing need to collaborate securely, organizations need methods of encrypting content that are easy to use from the senders’ and recipients’ perspective and also comply with organizational security and regulatory requirements.

The SEG offers a wide range of channel and message level encryption to provide organizations with the security to ensure their privacy commitments are honored. These include:

- TLS
- S/MIME
- PGP
- Ad-Hoc password protected
- Portal (pull and push)

These methods can be used in conjunction with each other: for example, ad-hoc password protected files can be sent via the Portal.

With the PKI methods of S/MIME and PGP, key management gains importance - and the SEG has features to perform automatic key harvesting, Online Certificate Status Protocol (OCSP) and key server lookups to reduce the admin overhead even more.

ImageLogic

In the past, it was just pornographic images which needed to be blocked. While the same is true today, the Email Gateway ImageLogic functionality can also be used to protect intellectual property contained in images from leaving the organization.

Personal message management

Administrators can also delegate message release to the end users. It’s common for users to be given access to manage spam messages that ‘might’ be legitimate and allow them to be whitelisted so that they won’t be blocked again. The SEG extends this capability so that end users can be responsible for releasing other message violations coming in and leaving the organization based upon corporate culture and policy.

The SEG also provides a number of methods which allow the end-user to manage their mail via an email digest, web portal or via an app for Apple iPhone and iPad devices.

For example, lawyers working on cases where profanities appear in court documents could trigger policy violations and be blocked; Personal Message Management allows them to be granted permission to release the messages without administrator intervention, using a simple hyperlink. Of course every transaction is also audited for compliance purposes.

Clearswift SECURE Web Gateway

The SECURE Web Gateway (SWG) contains the common functionality, but is designed specifically for dealing with web based communication through HTTP and HTTP/S.

Deployment

Ease of deployment enables organizations to be able to deploy the product quickly into their infrastructure. The SWG can be deployed either as a forward (explicit) proxy, Transparent (WCCP) proxy or in conjunction with Firewalls that support policy based routing.

HTTP/S scanning

More and more organizations are now securing their sites using HTTP/S to prevent eavesdropping on browser sessions. This technology can render some content scanning solutions unusable, but the SWG has an integrated SSL decryption engine so that these sessions are automatically decrypted and passed to the content scanning engine to ensure no policy violation can take place.

Remote client option

The SWG supports remote clients, meaning that even if the user is not connected to the organization’s network, the device will be subject to corporate security policies. This option can also be deployed on BYOD platforms ensuring that corporate information is kept safe no matter where it is being accessed from.

Website categorization

Embedded into the SWG is a URL filtering engine with over 50 million URLs which are updated daily and sorted into more than 80 different categories, including Phishing, Malware and Security Risk. Malware definitions are refreshed hourly to supplement the integrated anti-virus scanning of any downloads.

Along with the URL database, there is a real time categorizer which detects page content as it is being downloaded. This allows the SWG to determine whether pages contain content that might be pornographic, use remote proxies or include hate or violence, amongst other content.

With the increase in the amount of personalized content delivered through social networking pages, this feature ensures that employees are kept safe from pages which are on reputable sites but have been hijacked or abused.

Flexible policies

The Internet can now be considered an extension of your own infrastructure with more and more companies adopting cloud based services such as Salesforce for CRM, Office365 for messaging structure and sites like Dropbox for file sharing.

With such diverse business requirements, it’s necessary to provide security profiles to ensure that users both in the office and working remotely are presented with policies that enable them to work effectively and securely.

As well as required access to business sites, a number of organizations will permit their staff to use social networking sites in a controlled manner.

Organizations need to be able to define who is using these services based upon their authenticated ID or Organization Grouping, when they are using the sites and also for how long.

This enables rules to be created, such as:

- HR department can use LinkedIn and Facebook all day
- All other users can view LinkedIn between 12:00 and 14:00 for 1 hour maximum
- All other users can view Facebook between 12:00 and 14:00 for 1 hour maximum and can update their status, but not perform any file uploads

Of course any content posted will still be subject to the corporate security policies for that individual.

[Figure: Easy to use policies: how granular policies can be applied to categorized website as well as social networks]

Clearswift SECURE Exchange Gateway

The SECURE Exchange Gateway (SXG) is designed specifically for securing internal communication in a Microsoft Exchange environment.

Deployment

Ease of deployment enables organizations to be able to deploy the product quickly into their Exchange 2007/2010 or 2013 environment. The SXG can be deployed to filter traffic or in monitor mode to allow the product to identify policy violations without interrupting message flow.

Integration with the SECURE Email Gateway permits policy, message management and reporting to be performed at a single management console.

To mirror the resilient and high availability configurations implemented for Exchange Servers, the SXG preferred deployment configuration is for 2 x SXG instances that execute in an Active-Active mode, balancing the workload automatically.

Messaging policies

Email will continue to be the dominant communications medium for many years to come and every company is different, so having flexibility to create policies that are appropriate to deal with business problems is essential.

Most organizations apply controls to messages to and from the internet, but seldom consider risks of internal messaging. The SXG platform is designed to deal with the concerns of internal messages and focuses on Data Loss Prevention and the prevention of unacceptable messages and attachments inside the business.

Policies can be granular, created for individuals or user groups obtained from Active Directory; policy rules can be created and applied to the appropriate senders and recipients.

Data Loss Prevention

With so much sensitive information available, organizations must take the risks of corporate confidentiality at every point in their infrastructure, not just at the egress points.

Internal scanning

There is a growing need to ensure that internal communications are acceptable to the business and that confidential content is not sent to recipients who should not receive that content. Rules can be created based on senders, recipients, file types, sizes and of course the content of the messages and their attachments.

The SECURE Exchange Gateway features all the standard content filtering and Data Leakage prevention including integration with the Clearswift IG server to provide full and partial document fingerprinting.

This technology uses client-server architecture to ensure that although additional security is being applied there is no noticeable difference to the performance of the Exchange system.

[Diagram: Outlook or OWA Client; Exchange 2007, 2010 or 2013; secure connection; SECURE Exchange Gateway]

Clearswift SECURE ICAP Gateway

The Clearswift SECURE ICAP Gateway works with BlueCoat Proxy SG series products to provide information security of the browser traffic using an off-proxy scanning engine.

Deployment

The BlueCoat proxy servers are well known to network administrators to provide both proxy and network bandwidth management capabilities. They also provide an interface to allow 3rd party solutions such as Anti-virus and Data Loss Prevention solutions to connect via the ICAP. Connecting the SECURE ICAP Gateway to the Proxy SG devices allows the network security features of the BlueCoat device to be complemented by the Clearswift information protection functionality.

Organizations who already have an ICAP AV solution for their BlueCoat system can consolidate devices and use the SECURE ICAP Gateway to provide both Anti-malware and Clearswift’s Advanced Data Loss Prevention in a single system.

Enabling policies

We actively increase, rather than hamper, employee productivity by facilitating employee engagement with collaborative online technologies through our flexible web 2.0 policy rules.

User identities are authenticated by the BlueCoat proxy and passed to the SECURE ICAP Gateway so that granular user policies can be applied to the content coming in and out of the organization.

The SECURE ICAP Gateway goes beyond simply keeping your networks free of viruses, inappropriate content and harmful executables. It enables complete, granular control over the information that you access or share online, whether it’s limiting recreational browsing, or preventing sensitive data from leaking into status updates using the Clearswift Adaptive Redaction functionality.

The Clearswift SECURE ICAP Gateway enables organizations to reap all the benefits that collaborative web 2.0 technologies have to offer, safe in the knowledge that your sensitive data, IP and brand reputations are protected.

Managing data securely

The SECURE ICAP Gateway provides all the standard content filtering and Data Loss prevention features such as Adaptive Data Redaction, Structural and Document Sanitization. The SIG can also support integration with the Clearswift IG server to provide full and partial document fingerprinting.

[Diagram: Browser; BlueCoat Proxy SG; ICAP; SECURE ICAP Gateway]

Clearswift Information Governance Server

Deployment

The Clearswift Information Governance Server (IGS) is deployed centrally in an organisation. Running on a Linux platform, this integrates with your own environment for enterprise single sign on and support for current SECURE Email, Web, Exchange and ICAP gateways; our architectural strategy provides future Gateway integration.

Document management

Businesses have to be more dynamic when it comes to security. The IG server permits users to register sensitive documents through a simple to use web interface. Users can manage the registration of content as well as deregistration when the information’s sensitivity status has changed.

They are also notified of any violations if that document or even a fragment of that document is uploaded to a website, sent internally or emailed to an external recipient.

Document track ‘n’ trace

The IG server is not just a repository of document fingerprints; it is also used to store transactions from all of the connected Gateways. This data store can then be mined to show information flows and relationships. The information analytics provided will allow the ability to follow a piece of data across multiple protocols, providing the CISO with unique insights to how and where their information is going.

[Diagram: sensitive content is registered with the IG server from the file server; the SECURE Web Gateway, SECURE Email Gateway, SECURE ICAP Gateway and SECURE Exchange Gateway each check and track Internet traffic against the IG server]

Clearswift SECURE File Gateway

More than just email

Your business may already understand email as a potential risk, but what about files that are too large to attach to a message? The Clearswift SECURE File Gateway can scan large files of up to 16GB as they are transferred internally between departments or externally to partners through FTP or other non-email transfer protocols, ensuring total data security.

Content recognition

The File Gateway’s content inspection engine recognizes over 150 different file or format types, using strong signature and data parsing techniques that ignore unreliable external indicators like file extensions. The engine performs recursive decomposition and systematically opens and searches within archive files like ZIP and TAR to locate all embedded objects such as images or active content within Office documents. Inspection continues until there is nothing left to process.

By recognizing particular file types it is possible to set a policy to decide which file types are acceptable and which should be blocked. The inspection also extends to textual content, covering the words and phrases contained within the files.

Two person integrity

As this content can be extremely sensitive the SFG supports a more military style of two-person integrity on policy modifications. Any changes can only be applied once a second administrator has approved the first administrator’s changes.

Software Developer Kit (SDK)

The technology at the heart of every Clearswift product, a high-performance deep content inspection engine that provides comprehensive data recognition and thorough content processing, is also available for System Integrators as a Software Developer Kit (SDK). The SDK gives access to all key functionality including:

- Data recognition using true-file typing, not simply extension-based recognition
- Recognition of over 150 common formats
- Active content detection recognizing macros and scripts in Office and PDF formats
- Malware detection including interfaces to 3rd party AV engines
- Data integrity checking and verification
- Data decomposition of nested and compressed files (including large files up to 16GB) and the subsequent analysis of extracted files
- Text extraction from standard office files (including MS Office, OpenOffice, PDF and HTML) with pattern matching, programmatic operators and more

The SDK is used by companies who have clients across all vertical markets operating around the world to ensure regulatory compliance, prevent leakage of sensitive or classified information and detect inappropriate communication.

Packaging

With interfaces, documentation and sample code in C, C and Java, deployable on x32 and x64 Windows 2003/2008 and RHEL 5/6 platforms, this SDK allows software developers to build client/server applications that can be more ‘content aware’.
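True file typing and recursive decomposition, as described for the File Gateway and the SDK above, shown in an added Python example that is not Clearswift code. The four signatures, the depth and size limits, and the sample archive (an executable stub named .pdf, zipped as .txt, tarred as .jpg) are assumptions constructed for illustration.

```python
import io
import tarfile
import zipfile

# Leading-byte signatures for a handful of formats (illustrative subset).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "windows-executable"),
]
MAX_DEPTH = 5                        # assumed limit on archive nesting
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed limit on one extracted member


def true_type(data: bytes) -> str:
    """Identify content from its bytes, never from the file name."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"                 # tar keeps its magic at offset 257
    return "unknown"


def decompose(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, detected type) for an object and everything nested in it."""
    kind = true_type(data)
    found = [(name, kind)]
    if depth >= MAX_DEPTH or kind not in ("zip", "tar"):
        return found
    try:
        if kind == "zip":
            zf = zipfile.ZipFile(io.BytesIO(data))
            children = [(i.filename, i.file_size, lambda i=i: zf.read(i))
                        for i in zf.infolist() if not i.is_dir()]
        else:
            tf = tarfile.open(fileobj=io.BytesIO(data))
            children = [(m.name, m.size, lambda m=m: tf.extractfile(m).read())
                        for m in tf.getmembers() if m.isfile()]
    except (zipfile.BadZipFile, tarfile.TarError):
        return found + [(name, "unreadable-archive")]
    for child, size, read in children:
        path = f"{name}/{child}"
        if size > MAX_MEMBER_BYTES:  # size as declared in the archive header
            found.append((path, "skipped-too-large"))
        else:
            found += decompose(path, read(), depth + 1)
    return found


def build_sample() -> bytes:
    """Constructed input with misleading extensions at every level."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)  # stub, not a real binary
    inner = zbuf.getvalue()
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("notes.txt")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    return tbuf.getvalue()


if __name__ == "__main__":
    for path, kind in decompose("photos.jpg", build_sample()):
        print(f"{kind:20} {path}")
```

A policy that blocks executables would act on the detected type of the innermost object, not on any of the three file names.
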

Gateway deployment options

The Clearswift security solutions are available with a range of deployment options to fit your existing IT infrastructure and reduce the time and costs associated with deployment.

For the quickest return on investment, and to reap efficiency savings, simple deployment is essential. Clearswift’s options give you total web and email security that works how you do.

Hardware deployment options

The Clearswift SECURE Web and Email Gateways are available as pre-configured appliances ready for immediate hardware deployment at your network perimeter. A range of hardware performance profiles allow you to select the correct unit for your filtering needs and provide scope for future growth. Hardware deployment options from Clearswift are also backed by ‘Next Business Day’ or ‘Four-hour’ onsite service options.

Software deployment options

The Clearswift SECURE solutions are also available for deployment on your own server hardware, allowing you to maintain consistency in your environment using systems from your preferred vendor. The SECURE Gateways operate on a hardened Linux distribution, offering ultimate flexibility for your own hardware deployment choices.

Virtualization deployment options

The Clearswift SECURE solutions also support virtualization using VMware and Hyper-V for email filtering, allowing the creation of private cloud security systems for greater network management flexibility. Your deployments can then be assembled from a combination of physical and virtualization servers according to your specific business needs and environment.

Peered Gateways

If more than one Clearswift Gateway is deployed, or more than one type of Gateway (e.g. Web and Email) is deployed, then integration occurs at all points. Peered Gateways share common policy and system settings, ensuring that, should one Gateway fail, the remaining Gateway will be able to pick up the load. With more than one Gateway deployed, administrators can use a single interface to enforce a consistent policy across multiple communication protocols.

[Figure: Peered Email and Web Gateways permit policy changes from a single console]

Support and Professional Services

The development of world class products is complemented with a 24/7 support and professional services organization.

Standard Support

The Standard Support offering gives a highly reactive and responsive 24/7 service, enabling Clearswift to take immediate ownership of reported issues, providing full visibility of progress and status through the end-to-end management of incidents.

Premium Support

The Premium Support offering is a highly personalized service, delivering additional services through a dedicated Support Account Manager, inclusive of best practice consultation, on
