Friday, October 14, 2011

Websense Product Components


The primary Websense components include:
‹ Policy Database
‹ Policy Broker
‹ Policy Server
‹ Filtering Service
‹ Network Agent
‹ Master Database
‹ Websense Manager
‹ Usage Monitor
‹ User Service
‹ Log Server
‹ Log Database


Websense software also includes optional transparent identification agents:
‹ DC Agent
‹ RADIUS Agent
‹ eDirectory Agent
‹ Logon Agent


Additional optional components include:
‹ Remote Filtering Server
‹ Remote Filtering Client
‹ Websense Content Gateway


Thursday, October 13, 2011

WCCP Cache Registration


WCCP defines the router as the server and the proxy (web cache) as the client. The proxy
registers with the WCCP server for a service group (group IDs range from 0 to 255; group 0
is the standard web-cache service) and sends a “Here I Am” message every 10 seconds. The
router (WCCP server) responds with an “I See You” message. If the router misses 3
consecutive “Here I Am” messages (30 seconds), the proxy is marked as failed and removed
from the service group. Registration is unauthenticated unless the optional WCCPv2
service-group password is configured on both the router and the proxy; without it, any
host that can reach the router can join the group and receive redirected traffic.
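The registration exchange above, modelled from the router's side as an added example (this is not code from the original notes, nor from Websense or Cisco). It keeps one table per service group, answers each “Here I Am” with an “I See You” listing the current members, and drops any cache that misses three consecutive 10-second intervals. The Router class, the message dicts and the plain password comparison are assumptions for illustration; the real protocol runs over UDP/2048 with binary components and an MD5-based security component.

```python
"""Router-side bookkeeping for WCCPv2 cache registration (added example)."""
from dataclasses import dataclass, field

HERE_I_AM_INTERVAL = 10                     # seconds between HERE_I_AM messages
MISSED_BEFORE_FAILED = 3                    # router gives up after 3 missed intervals
FAIL_TIMEOUT = HERE_I_AM_INTERVAL * MISSED_BEFORE_FAILED   # 30 seconds


@dataclass
class Router:
    """WCCP server: tracks the caches registered in each service group (IDs 0-255)."""
    # service_group -> {cache_ip: time of the last HERE_I_AM seen}
    groups: dict = field(default_factory=dict)

    def receive_here_i_am(self, now, cache_ip, service_group,
                          password=None, expected_password=None):
        """Handle a HERE_I_AM and return the I_SEE_YOU reply (None if ignored)."""
        if not 0 <= service_group <= 255:
            raise ValueError("WCCP service group IDs are 0-255")
        # Assumption: a service-group password is modelled as a plain string
        # compare; a cache presenting the wrong one is silently ignored.
        if expected_password is not None and password != expected_password:
            return None
        members = self.groups.setdefault(service_group, {})
        members[cache_ip] = now
        return {"type": "I_SEE_YOU", "service_group": service_group,
                "members": sorted(members)}

    def expire(self, now):
        """Remove caches that have missed 3 consecutive HERE_I_AM messages."""
        failed = []
        for sg, members in self.groups.items():
            for cache_ip, last_seen in list(members.items()):
                if now - last_seen >= FAIL_TIMEOUT:
                    del members[cache_ip]
                    failed.append((sg, cache_ip))
        return failed

    def active_caches(self, service_group):
        return sorted(self.groups.get(service_group, {}))


def simulate():
    """Two caches in group 0; the second stops sending after t=20 and is dropped at t=50."""
    router = Router()
    for t in range(0, 70, HERE_I_AM_INTERVAL):
        router.receive_here_i_am(t, "10.0.0.11", 0)     # constructed cache addresses
        if t <= 20:
            router.receive_here_i_am(t, "10.0.0.12", 0)
        router.expire(t)
    return router.active_caches(0)


if __name__ == "__main__":
    print(simulate())
```

The expire pass is what a monitoring check should watch: a cache that disappears from the service group silently stops receiving redirected traffic, and with redirection still configured on the router the affected clients either go direct (fail-open) or lose connectivity, depending on the router's configuration.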

WCCP


Web Cache Communication Protocol (WCCP):


WCCP provides for the communication between routers and web caches, as well as load
balancing and fault tolerance. WCCP is supported on various models of Cisco routers and
Layer 3 switches. WCCPv2 requires the equipment to have at least IOS version 12.0(3).


WCCP v2 can be used for various protocols; HTTP, HTTPS and FTP over HTTP are
all common choices, because they can make use of caching and proxying. WCCP does
not support IPv6, so it should not be used in IPv6 deployments.

WCCP Data Flow:


Client requests get redirected to the proxy. The proxy makes a connection to the
requested server and then sends the results back to the client.
The steps involved are as follows:

1. Client sends traffic via the router to some destination (no proxies are
configured on the client).

2. WCCP v2 router depending on its configuration sends some traffic (such as
HTTP, HTTPS, FTP, and DNS) to appropriate service group, so it may reach
proxy server or cluster of servers in that service group.

3. The Adaptive Redirection Module (ARM) readdresses traffic. For example,
HTTP traffic on port 80 is readdressed to Content Gateway port 8080. The
proxy processes the request as usual, then the traffic hits the router again.

4. Request is sent to the destination.

5. Return traffic reaches the WCCP router and is redirected based on return rules
in the router.

6. The ARM readdresses the proxy port in the response header to port 80
(undoing the readdressing it did on the way to the proxy). As a result, the user
sees the response as if it had been sent directly from the origin server.


The ARM (steps 3 and 6) can make two changes to the address of an incoming packet:
its destination IP address and its destination port. For example, the destination IP
address of an HTTP packet is readdressed to the IP address of the proxy and the
destination HTTP port is readdressed to the Websense Content Gateway HTTP proxy
port (default port 8080). On the way back to the client, the ARM changes the source
IP address to the origin server IP address and the source port to the origin server port.
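The two ARM rewrites (steps 3 and 6), as an added example that is not Websense code: a small NAT-style translator keyed on the client's address and port. Inbound packets to a redirected service port are sent to the proxy and the original destination is remembered; outbound packets from the proxy get their source restored so the client sees the origin server. The Packet and Arm names, the 5-tuple representation and the addresses are assumptions for illustration.

```python
"""Model of the ARM destination/source rewrite for a WCCP-redirected flow (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class Arm:
    def __init__(self, proxy_ip, proxy_port=8080, redirected_ports=(80,)):
        self.proxy_ip = proxy_ip            # Content Gateway address (assumption)
        self.proxy_port = proxy_port        # default HTTP proxy port per the notes
        self.redirected_ports = set(redirected_ports)
        # (client_ip, client_port) -> original (origin_ip, origin_port)
        self.table = {}

    def inbound(self, pkt):
        """Step 3: client->origin packet handed over by the router."""
        if pkt.dst_port not in self.redirected_ports:
            return pkt                      # not a redirected service; untouched
        self.table[(pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        return replace(pkt, dst_ip=self.proxy_ip, dst_port=self.proxy_port)

    def outbound(self, pkt):
        """Step 6: proxy->client response; restore the origin address and port."""
        orig = self.table.get((pkt.dst_ip, pkt.dst_port))
        from_proxy = (pkt.src_ip, pkt.src_port) == (self.proxy_ip, self.proxy_port)
        if orig is None or not from_proxy:
            return pkt                      # unknown flow: pass through, never spoof
        return replace(pkt, src_ip=orig[0], src_port=orig[1])


def demo():
    """Constructed flow: client 192.0.2.10 fetches from origin 198.51.100.7 via proxy 10.0.0.20."""
    arm = Arm("10.0.0.20")
    request = Packet("192.0.2.10", 51000, "198.51.100.7", 80, b"GET / HTTP/1.1\r\n")
    to_proxy = arm.inbound(request)
    # The proxy answers from its own socket; the ARM maps it back to the origin.
    response = Packet("10.0.0.20", 8080, "192.0.2.10", 51000, b"HTTP/1.1 200 OK\r\n")
    to_client = arm.outbound(response)
    return (to_proxy.dst_ip, to_proxy.dst_port), (to_client.src_ip, to_client.src_port)


if __name__ == "__main__":
    print(demo())
```

The pass-through branch in outbound is the part worth keeping in mind during deployment: if the return path (step 5) bypasses the WCCP router, the ARM never sees the response, the client receives a packet from the proxy's address instead of the origin's, and its TCP stack drops it. Asymmetric routing therefore looks like a silent hang from the user's side.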




Transparent proxy


The Adaptive Redirection Module (ARM) component of Websense Content Gateway
processes requests from a switch or router and redirects user requests to the proxy
engine. The proxy establishes a connection with the origin server and returns
requested content to the client. ARM readdresses returned content as if it came
directly from the origin server.


The router may use Generic Routing Encapsulation (GRE) to forward IP packets to
the proxy. GRE is a tunneling protocol that allows point-to-point links between
multiple traffic routing hops. A router may also use Layer 2 (L2), which does not use
GRE. Websense recommends the use of L2 if the router supports it. With L2 redirection,
Content Gateway must be on the same subnet as the WCCP device (that is, Layer 2 adjacent).


****If using L2 the router or switch must be Layer 2-adjacent
(in the same subnet) as Content Gateway.

Reporting

The Log Server Service


The Log Server: Sends records of Internet activity to the Log Database. It also sends
category names, protocol names, and risk class names from the Master Database to the
Log Database.


The Reporting Database

The Websense Log Database can be created and maintained by any of the following
database engines:
‹ Microsoft SQL Server 2008
‹ Microsoft SQL Server 2005 (Web Security only)
‹ Microsoft SQL 2008 R2 Express
Log Server logs Internet activity information to only one Log Database at a time.

XID_Agents

XID agents transparently identify users without prompting to manually authenticate.


DC Agent communicates with User Service to provide up-to-date user logon session
information to Websense software for use in filtering. DC Agent provides this
information by polling domain controllers and computers to verify which users are
logged in.


Websense Logon Agent may be a better option for transparent user identification
when users frequently change computers


It detects user logon (and logoff) events as they occur. This maximizes accuracy in
identifying users as they log on to the network.


The Websense RADIUS Agent enables Websense
software to transparently identify users who access your network using a dial-up,
Virtual Private Network (VPN), Digital Subscriber Line (DSL), or other remote

Websense eDirectory Agent works together with Novell eDirectory



User_Service


The Websense User Service communicates with the organization’s directory service to
convey user-related information to the Policy Server and Filtering Service, for use in
applying filtering policies.


There must be one instance of the User Service for each Policy Server in your
network.  There must also be an instance of the User Service for each directory type
(e.g. two would be required for an organization using both Active Directory and
eDirectory).



Policy_Server


The port Policy Server uses to communicate with other Websense components (default is 55806).

When Policy Server is installed, if the installation program finds the default port to be in use, it is automatically incremented until a free port is found. To determine what port is used by Policy Server, check the websense.ini file, located in C:\Program Files\Websense\bin (Windows) or
/opt/Websense/bin (Linux), on the Policy Server machine. In this file, look for the PolicyServerPort value.


 Policy Server identifies and tracks the location and status of other Websense Web
security components in a deployment. It also:
a. Logs event messages for Websense components.
b. Stores configuration information specific to a single Policy Server instance.
c. Communicates configuration data to Filtering Service for use in filtering
Internet requests.
d. Policy and most configuration settings are shared between Policy Servers that
share a Policy Database.

Filtering_Service


Filtering Service
To install Filtering Service, Policy Server must already be installed either on this machine or another machine in the network. If Policy Server is not installed already, you can select it to be installed at the same time as Filtering Service. Typically, Policy Server is installed on the same machine as Filtering Service.


Note
The following three components must be installed in this order (and before any other components):
1. Policy Broker
2. Policy Server
3. Filtering Service

If you select all three to be installed at the same time, they are installed in the correct order. After these three components, all other Websense components can be installed in any order.
Depending on the size of the network or volume of Internet traffic, multiple Filtering Service instances may be needed. It is a best practice to have a maximum of ten Filtering Services per Policy Server.
Filtering Service must be installed before Network Agent, filtering plug-in, and Linking Service.


The Filtering Service performs or initiates four major functions:

1. URL filtering based on defined policies. Policy settings are retrieved by
connecting to the Policy Broker and loaded into memory. The Filtering Service
receives category lookup requests from integrations (such as the Websense
Content Gateway or Network Agent) and responds with dispositions determined
by the policy currently in force.

2. Identifying requestors. The Filtering Service will try to resolve the IP address of
the requestor to their user identity.

3. Block page display. If the disposition calls for a block page, the browser is
redirected to a block page web server embedded in the Filtering Service, which
returns a block page with suitable content.

4. Websense Master Database download. Each Filtering Service must contact the
Websense Download Service and load a copy of the Master Database into
memory.

**The Filtering Service is typically installed on the same machine as Policy Server,
however, in large or distributed environments there may be multiple Filtering Service
instances (up to a maximum of 10 per Policy Server).


The Filtering Service caches the username locally for 3 hours.

Policy Broker


Policy Broker manages policy and configuration information required by other
Websense Web security components. The Policy Database is installed with Policy
Broker to store this information.

WCG


The Websense Content Gateway provides visibility into SSL encrypted Web traffic, to ensure that malicious content cannot enter the network. It also enables real-time categorization of dynamic Web 2.0 content, as
well as identifying previously unvisited sites that might only exist for a very short period of time, such as those used for phishing attacks and proxy avoidance Web sites.

Appliance


The G1 version of the Websense Web Security Appliance does not
support release 7.6. The V5000-G2 and V10000-G2 support the 7.6 release.
The V5000 can support either WSGA or DSS/ESG, but not both at the same time.
 The V10000-G2 can support one or all of the Websense modules.


The following new components are available on the appliance:
‹ Investigative reports scheduler has been renamed from Websense Explorer Report
Scheduler
‹ Reports information service has been renamed from Websense Information
Service for Explorer
‹ Manager Web Server  / Reporting Web Server – replace ApacheTomcatWebsense
and Apache2Websense



There can be only one instance of TRITON - Web Security that generates and
schedules reports. Typically, only one instance is needed in a deployment.  It is
possible to install additional instances of TRITON - Web Security in a deployment.
However, these must be used as configuration- and administration-only instances
(referred to as administration-only instances). They cannot be used to generate
reports.

Each administration-only instance of TRITON - Web Security must be associated with
a separate Policy Server instance that is not associated with a Log Server.


 Web Security Gateway and Email Security
Gateway Anywhere solutions can be run simultaneously on a single V10000.


Web and email security are not supported
simultaneously on a single V5000.


Both interface C and P1 (or P2) need to access the internet.  This is for WCG to
download analytic databases via P1 or P2 and WWS downloads the URL database
through C.

169.254.254.1 wcg

169.254.254.3 wse
169.254.254.5 na
169.254.254.7 esg
169.254.254.2 wcg.0
169.254.254.4 wse.0
169.254.254.6 na1.0
169.254.254.8 esg.0

This mapping is included in each domain’s hosts file. This enables the administrator to
connect via SSH by typing a command such as ssh esg to get into the domain without
knowing the IP address.


Teamed NICs share the load under one common identity, with multiple adapters load-
balancing under a single IP address. This is also known as link aggregation or
trunking.


Note that the full backup file may be smaller than the module backup files, because it
is compressed.


A maximum of 20 backup files can be saved, and the backup file directory cannot be renamed, moved, or deleted.


 When restoring the full appliance configuration, at the end of the restore process, the appliance restarts.
The appliance is not restarted after restoring a module.

To restore an appliance or module to a saved configuration:

1. Stop all Websense software components running off the appliance (Sync Service,
Log Server, etc.)

a. On a Windows machine, go to the Services manager and stop all the
Websense services.

b. On Linux, navigate to the /opt/Websense/ directory and enter the
./WebsenseAdmin stop command.

2. From the Appliance Manager, go to the Administration > Backup Utility and
click on the Restore tab.

3. Select the restore mode from the list. When you perform a full appliance restore:

a. The current appliance version must match the version associated with the
backup file. (The appliance version is displayed on the Restore tab.) Thus, a
version 7.6 backup can be restored only to an appliance that is at version 7.6.


b.  The current appliance policy source mode (full policy source, user directory
and filtering, or filtering only) must match the policy source mode in effect
when the backup file was created.

c. In most circumstances, the current appliance mode (Email Security, Web
Security, Web and Email Security) must match that of the backup file. (For
example, a backup from an Email Security-only appliance must be used to
restore an Email Security-only appliance.)

d. There is one exception. If you are running in Web and Email Security mode
on a V10000 G2 appliance, you can restore a Web Security Gateway full
backup.

e. The hardware model of the current appliance must be the same as the model
that was backed up. (For example, a backup from model V10000 G2 must be
used to restore a model V10000 G2 appliance.)

f. The original appliance that was backed up cannot also be running elsewhere
in the network. Restoring a full configuration re-creates the original appliance
and makes use of unique ID numbers from that appliance.


4. Run the Restore Wizard and choose the location (local or remote) and the name of
the file you wish to restore from. Click on Restore Now. If you are performing a
full appliance configuration restore, the appliance will restart during the process.

5. Start the offbox Websense services that you stopped earlier.

a. On Windows, go to the Services manager and start all the Websense services.

b. In Linux, navigate to the /opt/Websense/ directory and enter the
./WebsenseAdmin start command.



Upgrades


The following appliance versions can be directly upgraded to version 7.6:
‹ 7.5
‹ 7.5.1
‹ 7.5.2
‹ 7.5.3
Prior versions must be upgraded to one of the above versions prior to upgrading to
version 7.6.




SSH access is only available after firstboot has been completed and then it must
be enabled either via the CLI or the Appliance Manager.















DSS


PreciseID fingerprinting technology allows Websense Data Security to
identify not only entire documents, but portions of those documents
that may try to leave the network through channels like email and
posting to web pages.

Network Agent

Network Agent monitors all Internet requests and sends them to Websense Filtering Service. Network Agent also sends block messages to users attempting to access filtered content.


Network agent acts as a packet sniffer – using promiscuous mode to capture and
analyse packets.

Must be deployed where it can see all internal Internet traffic


Network Agent can typically monitor 50 Mbits of traffic per second, or about
800 requests per second. The number of users that Network Agent can monitor

Up to 4 Network Agents can be deployed per Filtering Service


In Integrated mode – its function is to cover non-HTTP protocols and tunnelled
protocols


The switch port Network Agent connects to must be configured in spanning, mirroring,
or monitoring mode. Websense strongly recommends using a switch that supports
bidirectional spanning. This allows Network Agent to use a single network card (NIC)
to both monitor traffic and send block pages.

Network Agent Functionality:
1. Network agent is deployed with a connection to the core switch providing full
visibility of all network traffic originating from the corporate LAN
2. Network Agent captures protocol (and web traffic in standalone mode) and
determines policy disposition by contacting the filtering service
3. If the communication is not permitted, Network Agent uses a TCP reset
(RST) to terminate the session.



RTSU

Real-Time Security Updates™

In addition to receiving the standard real-time database updates, users of Websense Web Security can enable Real-Time Security Updates to receive security-related updates to the Master Database as soon as they are published by Websense, Inc.
Real-Time Security Updates provide an added layer of protection against Internet-based security threats. Installing these updates as soon as they are published reduces vulnerability to new phishing (identify fraud) scams, rogue applications, and malicious code infecting mainstream Web sites or applications.
Filtering Service checks for security updates every 5 minutes, but because the updates are much smaller than full database updates, they tend not to disrupt normal network activity.
Use the Settings > Database Download page to enable Real-Time Security Updates (see Configuring database downloads).

Wednesday, October 12, 2011

Filters

Filters – Limited Access Filters
Limited access filters provide a very precise method of filtering Internet access. Each limited access filter
is a list of individual Web sites. Like category filters, limited access filters are added to policies and
enforced during a specified time period. When a limited access filter is active in a policy, users assigned
that policy can visit only sites in the list. All other sites are blocked.

When a limited access filter is active, a block page is returned for any requested URL not
included in that filter.
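How a limited access filter is evaluated, as an added example (not Websense code): an allow-list of sites attached to a policy for a schedule; while the schedule is active, any URL whose host is not on the list gets a block page, and outside the schedule the request falls through to the policy's category filter. The matching rules (a listed host also matches its subdomains, an entry may carry a path prefix), the weekday/hour schedule and the block page URL are assumptions for illustration.

```python
"""Evaluate a request against a limited access filter (added example)."""
from datetime import datetime, time
from urllib.parse import urlsplit, urlencode

# Assumption: block page served by the web server embedded in Filtering Service.
BLOCK_PAGE = "http://filtering-service.example:15871/cgi-bin/blockpage.cgi"


class LimitedAccessFilter:
    def __init__(self, name, sites, days, start, end):
        self.name = name
        self.sites = [s.lower().strip() for s in sites]   # "host" or "host/path"
        self.days = set(days)                             # 0 = Monday ... 6 = Sunday
        self.start, self.end = start, end                 # active window (start inclusive)

    def is_active(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end

    def allows(self, url):
        """True if the URL's host (or a parent domain) and path are on the list."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()             # strips port, lowercases
        path = parts.path or "/"
        for entry in self.sites:
            ehost, _, epath = entry.partition("/")
            host_ok = host == ehost or host.endswith("." + ehost)
            if not host_ok:
                continue
            if not epath:
                return True
            prefix = "/" + epath
            if path == prefix or path.startswith(prefix + "/"):
                return True
        return False


def disposition(policy_filters, url, when):
    """('permit', None), ('block', block_page_url) or ('category-filter', None)."""
    for f in policy_filters:
        if f.is_active(when):
            if f.allows(url):
                return "permit", None
            return "block", BLOCK_PAGE + "?" + urlencode({"url": url, "filter": f.name})
    # No limited access filter in force: the policy's category filter decides.
    return "category-filter", None


if __name__ == "__main__":
    # Constructed policy: school-day allow-list, Monday-Friday 08:00-15:00.
    school = LimitedAccessFilter("school-day",
                                 ["wikipedia.org", "khanacademy.org", "example.edu/library"],
                                 days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(15, 0))
    print(disposition([school], "http://en.wikipedia.org/wiki/Proxy", datetime(2011, 10, 10, 10, 0)))
    print(disposition([school], "http://example.edu/admin", datetime(2011, 10, 10, 10, 0)))
```

The subdomain rule is the detail to get right: matching on endswith(ehost) without the leading dot would let notwikipedia.org through, and a path-prefix entry without the trailing-slash check would permit /librarystuff when only /library was listed.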