Installation Guide (Websense Content Gateway And Web .


Installation Guide
Websense Content Gateway
Websense Web Security Gateway
v7.5

Installation Guide for Websense Content Gateway / Websense Web Security Gateway

Copyright 1996-2010 Yahoo, Inc., and Websense, Inc. All rights reserved.

This document contains proprietary and confidential information of Yahoo, Inc. and Websense, Inc. The contents of this document may not be disclosed to third parties, copied, or duplicated in any form, in whole or in part, without prior written permission of Websense, Inc.

Websense, the Websense Logo, Threatseeker and the YES! Logo are registered trademarks of Websense, Inc. in the United States and/or other countries. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., and Yahoo, Inc. make no warranties with respect to this documentation and disclaim any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Traffic Server is a trademark or registered trademark of Yahoo! Inc. in the United States and other countries.
Red Hat is a registered trademark of Red Hat Software, Inc.
Linux is a registered trademark of Linus Torvalds.
Microsoft, Windows, Windows NT, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Mozilla and Firefox are registered trademarks of the Mozilla Foundation.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and in other countries.
UNIX is a registered trademark of AT&T.
All other trademarks are property of their respective owners.

RESTRICTED RIGHTS LEGEND

Use, duplication, or disclosure of the technical data contained in this document by the Government is subject to restrictions as set forth in subdivision (c) (1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 52.227-7013 and/or in similar or successor clauses in the FAR, or in the DOD or NASA FAR Supplement. Unpublished rights reserved under the Copyright Laws of the United States. Contractor/manufacturer is Websense, Inc, 10240 Sorrento Valley Parkway, San Diego, CA 92121.

Portions of Websense Content Gateway include third-party technology used under license. Notices and attribution are included elsewhere in this manual.

Contents

Chapter 1  Prerequisites and Preparation . . . . . 5
    Pre-installation considerations . . . . . 6
    Upgrading from a previous version . . . . . 6
    Security . . . . . 7
        Physical security . . . . . 7
        Implementing security through software . . . . . 7
        IPTables Firewall . . . . . 9
        Configuring the router . . . . . 14
        Configuring client browsers . . . . . 15
    Network configuration . . . . . 16
        Explicit deployment, single proxy . . . . . 16
        Explicit deployment, multiple proxies . . . . . 16
        Transparent deployment, single proxy . . . . . 16
        Transparent deployment, multiple proxies . . . . . 16
    System requirements . . . . . 17
        Hardware . . . . . 17
        Software . . . . . 18
        Cache Disk . . . . . 19
    Websense filtering software . . . . . 21
    Online Help . . . . . 21
    Technical Support . . . . . 22

Chapter 2  Checklist . . . . . 25
    Operating system information . . . . . 25
    Information needed when you install Websense Content Gateway . . . . . 26
    Information needed for proxy deployment . . . . . 27
    Hardware checklist . . . . . 27

Chapter 3  Installation . . . . . 29
    Downloading Websense Content Gateway . . . . . 29
    Installing Websense Content Gateway . . . . . 30
    Uninstalling Websense Content Gateway . . . . . 36

Installation Guide 3

Chapter 4  Post-Installation Tasks . . . . . 37
    Running with Web Filtering . . . . . 37
        TRITON - Web Security . . . . . 37
        Content Gateway Manager . . . . . 38
        Enable SSL Manager and WCCP . . . . . 40
    Running with Websense Data Security . . . . . 40

Index . . . . . 43

4 Websense Content Gateway and Websense Web Security Gateway

Chapter 1  Prerequisites and Preparation

Websense Content Gateway runs with either Websense Web Security or Websense Web Filter to provide the advantages of a proxy cache, improving bandwidth usage and network performance by storing requested Web pages and, while a stored page is considered fresh, serving that Web page to the requesting client.

In addition, Websense Content Gateway can scan for content categorization. This feature examines the content on Web pages that are not included in the Websense Master Database and on pages that Websense has determined to have rapidly changing content. After this examination, Websense Content Gateway returns a recommended category to Websense filtering software, which then permits or blocks the Web page depending on the policy in effect.

Websense Web Security Gateway and Web Security Gateway Anywhere subscribers get the following features, in addition to the standard Websense filtering and proxy features:
- Security scanning, which inspects incoming Web pages to immediately block malicious code, such as phishing, malware, and viruses.
- Advanced file scanning, which offers both traditional antivirus scanning and advanced detection techniques for discovering and blocking infected and malicious files users are attempting to download.
- Content stripping, which removes active content (code written in selected scripting languages) from incoming Web pages.

See the TRITON - Web Security Help for information on the scanning options.

When installed as part of Websense Web Security Gateway Anywhere, Websense Content Gateway also works with Websense Data Security Management Server to prevent data loss over Web channels. For more information, see the Websense Web Security Gateway Anywhere Getting Started Guide.

Websense Content Gateway can behave as an explicit or transparent proxy.
- In an explicit proxy deployment, client browsers must be configured to point to Websense Content Gateway.
- In a transparent proxy deployment, client requests are intercepted and redirected to Websense Content Gateway by an external network device (required).

If you enable SSL Manager, in addition to filtering HTTPS URLs, the content on those pages is decrypted, examined for security issues, and, if appropriate, re-encrypted and forwarded to the destination.

When you run Websense Content Gateway with Websense Data Security, which inspects HTTPS and FTP traffic, you must enable the SSL Manager feature. See the Content Gateway Manager Help for information on SSL Manager.

Pre-installation considerations

Before you install Websense Content Gateway, consider:
- System security. Your network can carry sensitive data. SSL Manager lets you have data decrypted and then re-encrypted on the way to its destination. Consider locking down your system as much as possible to prevent others from seeing your data. See Security, page 7.
- Network configuration. Websense Content Gateway can run as an explicit proxy (where browsers point to Websense Content Gateway), or a transparent proxy (where traffic is redirected through a WCCP-enabled router or a Layer 4 switch in your network and the ARM, Adaptive Redirection Module, feature of Websense Content Gateway). See Network configuration, page 16 and see the Content Gateway Manager Help for information on the ARM.
  Websense Content Gateway can proxy HTTP, HTTPS, FTP, and other protocols. To transparently proxy protocols other than HTTP through a WCCP-enabled router, the router must use WCCP v2, which supports redirection of multiple protocols.
- System requirements. Ensure that your system meets the minimum requirements listed in System requirements, page 17.

Upgrading from a previous version

Websense Content Gateway version 7.5 is certified on Red Hat Enterprise Linux 5, update 3 and update 4. These Red Hat versions were not supported by any prior version of Websense Content Gateway. A direct upgrade from a prior version of Websense Content Gateway to version 7.5 is not possible.

To migrate to Websense Content Gateway 7.5, update your operating system to the required version (see System requirements, page 17) or obtain a machine running the required operating system. Then install Websense Content Gateway 7.5 as a new installation.

Security

As noted in Pre-installation considerations, Websense Content Gateway can run in either an explicit or transparent deployment. In explicit deployments, client browsers are pointed to Websense Content Gateway. You accomplish this with a PAC file, with WPAD, or by having the user edit browser settings to point to Websense Content Gateway. See the Content Gateway Manager Help for information on PAC files and WPAD.

In transparent deployments, client requests are intercepted and redirected to Websense Content Gateway without client involvement. See the Content Gateway Manager Help for additional information on configuring a WCCP-enabled router or a Layer 4 switch, and about the ARM (Adaptive Redirection Module).

One issue to consider with explicit deployment is that a user can point his or her browser to another destination to bypass Websense Content Gateway. You can address this concern by setting and propagating browser configuration in your organization through Group Policy. For more information about Group Policy, search the Microsoft TechNet Web site at http://technet.microsoft.com.

This section covers:
- Physical security, page 7
- Implementing security through software, page 7
- IPTables Firewall, page 9
- Configuring the router, page 14
- Configuring client browsers, page 15

Physical security

Physical access to the system can be a security risk. Unauthorized users could gain access to the file system, and under more extreme circumstances, examine traffic passing through Websense Content Gateway. It is strongly recommended that the Websense Content Gateway server be locked in an IT closet and that a BIOS password be enabled.

Implementing security through software

Implement the following recommendations, as appropriate, to ensure the tightest security possible:
- Root permissions, page 8
- Ports, page 8

Root permissions

Ensure that root permissions are restricted to a select few persons. This important restriction helps preclude unauthorized access to the Websense Content Gateway file system.

Ports

Websense Content Gateway uses the following ports. They must be open to support the full set of Websense Web Security Gateway features. These are all TCP ports, unless otherwise noted.

Note: If you customized any ports that Websense software uses for communication, replace the default port shown below with the custom port you implemented.

Restrict inbound traffic to as many other ports as possible on the Websense Content Gateway server. In addition, if your subscription does not include certain features, you can restrict inbound traffic to the unneeded ports. For example, if your subscription does not include Websense Data Security, you may choose to restrict inbound traffic to those ports related to Websense Data Security (e.g., 5819, 5820, 5821, and so forth).

Port    Function
21      FTP
22      SSH for command-line access
53      DNS
80      HTTP
443     Inbound for transparent HTTPS proxy
2121    FTP
2048    WCCP for transparent proxy (if used)
3130    (UDP) ICP for ICP Cache Hierarchy
5819    Websense Data Security fingerprint detection
5820    Websense Data Security fingerprint synchronization
5821    Websense Data Security fingerprint configuration
5822    Websense Data Security fingerprint configuration
5823    Websense Data Security fingerprint configuration
8071    SSL Manager interface
8080    Inbound for explicit HTTP and HTTPS proxy
8081    Websense Content Gateway management interface
8082    Overseer for clustering
8083    Autoconfiguration for clustering
8084    Process Manager for clustering
8085    Logging server for clustering
8086    Clustering
8087    Reliable service for clustering
8088    (UDP) Multicast for clustering
8089    (UDP) SNMP encapsulation
8090    HTTPS outbound (between Websense Content Gateway and the SSL outbound proxy)
8880    Websense Data Security configuration
8888    Websense Data Security configuration deployment and system health information
8889    Websense Data Security configuration deployment and system health information
8892    Websense Data Security system logging
9080    Websense Data Security statistics and system health information
9081    Websense Data Security statistics and system health information
9090    Websense Data Security diagnostics
9091    Websense Data Security diagnostics
18303   Websense Data Security local analysis
18404   Websense Data Security remote analysis

IPTables Firewall

If your server is running the Linux IPTables firewall, you must configure the rules in a way that enables Websense Content Gateway to operate effectively.

The following list of rules is organized into groups that address different deployments. Be sure the /etc/sysconfig/iptables file contains all the rules from each section that apply to your network:
- All deployments, page 10
- Local Policy Server, page 11
- Remote Policy Server, page 12
- Local Filtering Service, page 12
- Remote Filtering Service, page 12
- Websense Data Security, page 13
- Cluster, page 13

- Cache hierarchy, page 13
- Transparent proxy, page 14
- FTP, page 14
- Optional features, page 14

If Websense Content Gateway is configured to use multiple NICs, for each rule that applies to an interface, specify the appropriate NIC with the “-i” option (“-i” means only match if the incoming packet is on the specified interface). Typically, multiple interfaces are divided into these roles:
- Management interface (MGMT NIC) - The physical interface used by the system administrator to manage the computer.
- Internet-facing interface (WAN NIC) - The physical interface used to request pages from the Internet (usually the most secure interface).
- Client-facing interface (CLIENT NIC) - The physical interface used by the clients to request data from Websense Content Gateway.
- Cluster interface (CLUSTER NIC) - The physical interface used by Websense Content Gateway to communicate with members of the cluster.

In the list of rules, the associated interface is shown with the “-i” option. In one rule “lo” is specified; “lo” is the local loopback interface.

All the rules in the following sections must be preceded by iptables in the file. For example:

    iptables -i eth0 -I INPUT -p tcp --dport 22 -j ACCEPT

For a list of rules that shows each complete command, go to the Websense Knowledge Base, log in to the Web Security Gateway area, and search for the article titled Configuring IPTables for Websense Content Gateway. The article also links to an example iptables script.

Note: If you customized any ports that Websense software uses for communication, replace the default port shown in the following rules with the custom port you implemented.

All deployments

These rules are required to enable Content Gateway communications, regardless of the deployment.

The following rules should be first.

Disable tracking of internal connections
    -I OUTPUT -o lo -t raw -j NOTRACK
    Note: This rule must be the first output rule invoked.

Block ALL inbound
    --policy INPUT DROP

The following rules are important for general system security, and should be entered immediately after the first rule:

Allow ALL outbound
    --policy OUTPUT ACCEPT

Block ALL forward requests
    --policy FORWARD DROP

Allow ALL traffic on the local (loopback) interface
    -I INPUT -i lo -j ACCEPT

Allow ALL responses on established connections
    -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow ALL inbound port 22
    -i MGMT NIC -I INPUT -p tcp --dport 22 -j ACCEPT

Allow ALL inbound ICMP
    -i MGMT NIC -I INPUT -p ICMP -j ACCEPT

The next group is required for Websense Content Gateway to receive and proxy traffic.

Allow ALL inbound port 8070
    -i CLIENT NIC -I INPUT -p tcp --dport 8070 -j ACCEPT

Allow ALL inbound port 8071
    -i MGMT NIC -I INPUT -p tcp --dport 8071 -j ACCEPT

Allow ALL inbound port 8080
    -i CLIENT NIC -I INPUT -p tcp --dport 8080 -j ACCEPT

Allow ALL inbound port 8081
    -i MGMT NIC -I INPUT -p tcp --dport 8081 -j ACCEPT

ip_conntrack_max

In addition to the above rules, it is a best practice to increase the size of ip_conntrack_max to 100000 to improve performance. Typically, this can be done using the following command:

    /sbin/sysctl -w net.ipv4.ip_conntrack_max=100000

Note that this should be done after iptables is invoked. Also, this change in value will not be preserved after reboot unless you configure your system to set this value upon startup. To do so, add the following line to /etc/sysctl.conf:

    net.ipv4.ip_conntrack_max = 100000

Local Policy Server

Include these rules in your IPTables firewall if the Websense Policy Server runs on the Content Gateway machine.

Allow ALL inbound port 40000
    -i MGMT NIC -I INPUT -p tcp --dport 40000 -j ACCEPT

Allow ALL inbound port 55806
    -i MGMT NIC -I INPUT -p tcp --dport 55806 -j ACCEPT

Allow ALL inbound port 55880
    -i MGMT NIC -I INPUT -p tcp --dport 55880 -j ACCEPT

Allow ALL inbound port 55905
    -i MGMT NIC -I INPUT -p udp --dport 55905 -j ACCEPT

Remote Policy Server

Include this rule in your IPTables firewall if the Websense Policy Server does not run on the Content Gateway machine. This is required because Websense Content Gateway has bidirectional communication over ephemeral ports.

Be sure to replace Policy Server IP in the command with the actual IP address of the Policy Server machine.

Allow ALL from Policy Server IP po
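The All deployments and Local Policy Server rule groups above, as an added shell script that is not part of this guide or of the Knowledge Base script it refers to: it emits those rules as complete iptables commands with the MGMT NIC and CLIENT NIC placeholders replaced by interface names (eth0 and eth1 are assumed defaults), prints the ip_conntrack_max command, and audits a rule file for required ports that have no ACCEPT rule, which is a quick check before the file is loaded on a Content Gateway host. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Websense guide or its Knowledge Base script):
# emits the guide's "All deployments" and "Local Policy Server" rule groups as
# complete iptables commands, with the MGMT NIC / CLIENT NIC placeholders
# replaced by interface names, and audits a rule file for uncovered ports.
# The interface names are assumptions; override them in the environment.
MGMT_NIC="${MGMT_NIC:-eth0}"
CLIENT_NIC="${CLIENT_NIC:-eth1}"

# "All deployments" rules in the order the guide lists them: the NOTRACK rule
# first, then the default policies, then the management and proxy ports.
wcg_base_rules() {
cat <<EOF
iptables -I OUTPUT -o lo -t raw -j NOTRACK
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -i $MGMT_NIC -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -i $MGMT_NIC -I INPUT -p icmp -j ACCEPT
iptables -i $CLIENT_NIC -I INPUT -p tcp --dport 8070 -j ACCEPT
iptables -i $MGMT_NIC -I INPUT -p tcp --dport 8071 -j ACCEPT
iptables -i $CLIENT_NIC -I INPUT -p tcp --dport 8080 -j ACCEPT
iptables -i $MGMT_NIC -I INPUT -p tcp --dport 8081 -j ACCEPT
EOF
}

# Extra rules when Policy Server runs on the Content Gateway machine.
wcg_local_policy_server_rules() {
cat <<EOF
iptables -i $MGMT_NIC -I INPUT -p tcp --dport 40000 -j ACCEPT
iptables -i $MGMT_NIC -I INPUT -p tcp --dport 55806 -j ACCEPT
iptables -i $MGMT_NIC -I INPUT -p tcp --dport 55880 -j ACCEPT
iptables -i $MGMT_NIC -I INPUT -p udp --dport 55905 -j ACCEPT
EOF
}

# Connection-tracking table size; the guide wants this run after iptables.
wcg_conntrack_tuning() {
    echo "/sbin/sysctl -w net.ipv4.ip_conntrack_max=100000"
}

# Audit: print each required port (arguments after the file name) that has no
# ACCEPT rule in the rule file $1. Empty output means every port is covered.
wcg_missing_ports() {
    rules="$1"; shift
    for port in "$@"; do
        grep -Eq -- "--dport ${port}( |\$).*-j ACCEPT" "$rules" || echo "$port"
    done
}

# Generate the full rule script for this host: sh wcg_rules.sh generate > rules.sh
if [ "${1:-}" = "generate" ]; then
    wcg_base_rules; wcg_local_policy_server_rules; wcg_conntrack_tuning
fi
```

Run the audit against the generated file (or an existing rule script) with the port list for your subscription; the ports the guide says you may leave closed, such as the Websense Data Security ports, are simply left out of that list.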
