



WEBsweeper deployment


WEBsweeper is deployed between your internal network and the Internet, on a WEBsweeper host. It acts as a caching proxy Web server and is designed to protect your internal network from possible security threats that can arrive via the Internet.

All Web browsers on your network are configured to have their requests sent to the WEBsweeper host. This means that security can be managed at a single point, that is, the WEBsweeper host, rather than at every Web browser. This is illustrated in the following diagram.

A firewall should be deployed in conjunction with WEBsweeper, to deny users access to the Internet unless it is via the WEBsweeper host. This will stop users from compromising your security policy.

Following the diagram shown on the previous page:

1. When a user requests a resource, the request is first forwarded to WEBsweeper.
2. WEBsweeper searches its cache for the resource. If successful, the cached resource is downloaded to the Web browser. A cached WEBsweeper message may be downloaded instead, if a recent request for the same resource failed validation.
3. If the resource is not cached, WEBsweeper sends a request to the origin Web server, somewhere on the Internet. This is the server specified in the URL. If the resource is not cached, WEBsweeper will also call any URL blockers that are configured.
4. The requested data is returned to WEBsweeper, where it is disassembled and validated, according to the configured rules.
5. If the validation is successful the data is entered into the cache. If the validation is not successful a message is prepared, to notify the user that they will not receive the data. The data is then discarded.
6. The requested data, if validation was successful, or the WEBsweeper message, if validation failed, is downloaded to the Web browser.
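
The six steps above can be traced in a small model. This is an added example, not WEBsweeper code: the class, the message wording, the stand-in validation rule and the sample URLs are all constructed, and it assumes that a matching URL blocker ends the request before the origin server is contacted.

```python
# Toy model of the six steps above. Constructed for illustration only.
BLOCK_PREFIX = b"WEBsweeper message: "   # constructed notification wording

class SweepingProxy:
    def __init__(self, fetch_origin, validators, url_blockers=()):
        self.fetch_origin = fetch_origin       # step 3: ask the origin server
        self.validators = list(validators)     # step 4: configured rules
        self.url_blockers = list(url_blockers)
        self.cache = {}                        # URL -> data or failure message
        self.origin_requests = 0

    def handle(self, url):
        # Step 2: a hit returns the cached resource, or the cached message
        # left by a recent request that failed validation.
        if url in self.cache:
            return self.cache[url]
        # Step 3: on a miss the URL blockers are called. Assumption: a match
        # ends the request before the origin server is contacted.
        if any(blocker(url) for blocker in self.url_blockers):
            return BLOCK_PREFIX + b"URL blocked"
        self.origin_requests += 1
        data = self.fetch_origin(url)
        # Steps 4-5: validated data enters the cache; failed data is discarded
        # and only the message is kept.
        if all(rule(data) for rule in self.validators):
            self.cache[url] = data
        else:
            self.cache[url] = BLOCK_PREFIX + b"content failed validation"
        # Step 6: the browser gets the data or the message.
        return self.cache[url]

# Constructed origin content and stand-in rules.
ORIGIN = {
    "http://example.test/index.html": b"<html>hello</html>",
    "http://example.test/tool.exe": b"MZ constructed executable header",
}

def demo_proxy():
    return SweepingProxy(
        fetch_origin=ORIGIN.__getitem__,
        validators=[lambda data: not data.startswith(b"MZ")],
        url_blockers=[lambda url: "banned.test" in url],
    )

if __name__ == "__main__":
    proxy = demo_proxy()
    for url in list(ORIGIN) * 2:               # second pass is served from cache
        print(url, "->", proxy.handle(url))
    print("origin requests:", proxy.origin_requests)
```
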

When deploying WEBsweeper in conjunction with a firewall, a decision has to be made regarding where to place it on the network. There are several possibilities, two of which are indicated below:

1. On the Clean network.
2. On the Dirty network.

WEBsweeper can also be configured to co-exist on the same network as a MIMEsweeper for FireWall-1 installation; see page 3-8 for details.

Without firewall filters it is possible for users to bypass WEBsweeper by reconfiguring their Web browsers. For this reason, it is recommended that WEBsweeper is always deployed in conjunction with a firewall.

On the clean network

If WEBsweeper is deployed on the clean network, the firewall should be configured to only allow Web traffic if:

This will ensure that any user attempting to access the Internet, without going via WEBsweeper, will be blocked by the firewall.

If the firewall is proxy based, WEBsweeper must be configured to chain to it. For more details, see the Chained proxy servers section on page 3-9.

To deploy WEBsweeper on the clean network follow the steps outlined below:

1. Install a Windows NT machine on the clean network, to act as the WEBsweeper host.

The machine should meet the technical specification outlined. See page 3-12 for a full list of pre-requisites the WEBsweeper host should be configured with.

2. Load any anti-virus tools that you wish to use with WEBsweeper and note their locations. You will be asked for this information later, during the installation.

Check the release notes to ensure compatibility between this release of WEBsweeper and the anti-virus tools you wish to use.

There are several evaluation copies of anti-virus tools supplied on the installation CD-ROM. Note that the set-up software does not automatically install these anti-virus tools.

3. Install WEBsweeper.

See the Installation section on page 3-13 for details.

4. Configure the Web browsers to forward all outgoing requests to the WEBsweeper machine.

See the Web browser configuration section on page 3-26 for details.

5. Configure WEBsweeper to chain to the firewall proxy server, if one is present.

See the Chained proxy servers section on page 3-9 for details.

6. Secure the firewall.

The firewall should be secured such that:

- Outgoing requests can only come from the WEBsweeper host.

- Incoming resources can only go to the WEBsweeper host.

Refer to your firewall documentation for more information.

7. Secure the WEBsweeper machine.

See page 3-23 for details on how to secure the WEBsweeper machine.

On the dirty network

If WEBsweeper is deployed on the dirty network, the firewall should be configured to only allow Web traffic if:

If the firewall is proxy based it must be configured to chain to WEBsweeper. Refer to your firewall documentation for more information.

To deploy WEBsweeper on the dirty network follow the steps outlined below:

1. Install a Windows NT machine on the dirty network, to act as the WEBsweeper host.

The machine should meet the technical specification outlined. See page 3-12 for a full list of pre-requisites that the WEBsweeper host should be configured with.

2. Load any anti-virus tools that you wish to use with WEBsweeper and note their locations. You will be asked for this information later, during the installation.

Check the release notes to ensure compatibility between this release of WEBsweeper and the anti-virus tools you wish to use.

There are several evaluation copies of anti-virus tools supplied on the installation CD-ROM. The set-up software does not automatically install these anti-virus tools.

3. Install WEBsweeper.

See the Installation section on page 3-13 for details.

4. Configure the Web browsers to forward all outgoing requests to the firewall proxy server, if one is present.

See the Web browser configuration section on page 3-26 for details.

5. Configure the firewall proxy server, if one is present, to chain to WEBsweeper.

Refer to your firewall documentation for more information.

6. Secure the firewall.

The firewall should be secured such that:

- Outgoing requests can only go to the WEBsweeper host.

- Incoming resources can only come from the WEBsweeper host.

Refer to your firewall documentation for more information.

7. Secure the WEBsweeper machine.

See page 3-23 for details on how to secure the WEBsweeper machine.
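
One way to check that the "Secure the firewall" step holds in either placement is to audit the firewall's connection log. The following is an added example, not part of the WEBsweeper product: the log format, the addresses and the `audit` function are constructed, and it assumes one log line per connection attempt and that Web traffic means port 80.

```python
import re

# Constructed log format for this example (not any real firewall's):
#   <time> <accept|drop> <src_ip>:<sport> -> <dst_ip>:<dport>
LINE = re.compile(r"^\S+ (accept|drop) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def audit(mode, websweeper_ip, log_text, web_ports=(80,)):
    """Sort Web connections that bypass the WEBsweeper host into findings.

    clean: WEBsweeper is inside, so Web connections must come FROM it.
    dirty: WEBsweeper is outside, so Web connections must go TO it.
    """
    if mode not in ("clean", "dirty"):
        raise ValueError("mode must be 'clean' or 'dirty'")
    findings = {"policy_gap": [], "blocked_bypass": [], "unparsed": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            findings["unparsed"].append(line)   # never silently skip a record
            continue
        action, src, dst, dport = m.groups()
        if int(dport) not in web_ports:
            continue                             # not Web traffic
        endpoint = src if mode == "clean" else dst
        if endpoint == websweeper_ip:
            continue                             # went via WEBsweeper
        # An accepted bypass means the firewall rules are too loose; a dropped
        # one means a browser is not pointed at WEBsweeper.
        key = "policy_gap" if action == "accept" else "blocked_bypass"
        findings[key].append((src, dst))
    return findings

# Constructed sample records (private and documentation address ranges).
CLEAN_LOG = """
1998-03-02T09:14:07 accept 10.1.0.5:1045 -> 198.51.100.7:80
1998-03-02T09:14:09 drop 10.1.4.23:1101 -> 198.51.100.7:80
1998-03-02T09:15:30 accept 10.1.7.2:1188 -> 203.0.113.9:80
1998-03-02T09:16:02 accept 10.1.4.23:1102 -> 192.0.2.25:25
"""
DIRTY_LOG = """
1998-03-02T10:01:00 accept 10.1.4.23:1201 -> 192.0.2.10:80
1998-03-02T10:01:05 drop 10.1.4.23:1202 -> 198.51.100.7:80
1998-03-02T10:02:11 accept 10.1.9.9:1300 -> 203.0.113.9:80
garbled record
"""

if __name__ == "__main__":
    print(audit("clean", "10.1.0.5", CLEAN_LOG))
    print(audit("dirty", "192.0.2.10", DIRTY_LOG))
```

Any entry under `policy_gap` is a connection the firewall allowed that did not pass through the WEBsweeper host, so the rule set needs tightening; entries under `blocked_bypass` identify browsers that still need to be reconfigured.
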

With MIMEsweeper for FireWall-1

You may already have a MIMEsweeper for FireWall-1 deployed but may wish to also deploy a WEBsweeper, for the enhanced functionality that it can offer.

With some modifications to your existing firewall configuration your MIMEsweeper for FireWall-1 installation and WEBsweeper installation can coexist on the same network.

To deploy WEBsweeper to coexist with MIMEsweeper for FireWall-1 follow the steps outlined below.

1. Disable HTTP checking in MIMEsweeper for FireWall-1.

See the MIMEsweeper for FireWall-1 manual for details on how to disable the HTTP protocol.

2. Reconfigure the firewall by modifying the security policy so that it does not forward HTTP data to MIMEsweeper for FireWall-1 for validation. This is because HTTP data can now be validated by the WEBsweeper installed during step 3.

Refer to the FireWall-1 manual for more information.

3. Deploy WEBsweeper on the network.

See the diagram on page 3-3 and the relevant deployment section for details on how to achieve this.

On the Clean network - see page 3-4.

On the Dirty network - see page 3-6.

Chained proxy servers

Your company may employ Web proxy servers for several reasons. Two of the most common are:

If your company already uses a Web proxy server it can usually be configured to chain to WEBsweeper (note that not all proxies offer this facility). All requests are then forwarded to WEBsweeper which can validate the downloads before returning them to your proxy server.

Alternatively, WEBsweeper can be configured to chain to a Web proxy server, as illustrated in the diagram below. WEBsweeper's ability to chain to other proxy servers allows you to implement a configurable security policy and decrease the time it takes to download and validate a file. For example, departmental WEBsweepers, with validation configured for the needs of the department, can be arranged to chain to a single proxy server. This proxy server can act as a huge store of Web resources.

If WEBsweeper is to chain to a proxy server, you can specify this proxy server via the WEBsweeper icon, found in the Control Panel.

To specify the proxy server WEBsweeper is to chain to:

1. Double-click on the WEBsweeper icon. This will display the main Content Technologies WEBsweeper dialog box, as shown below.

2. Click on the Advanced features button of the Content Technologies WEBsweeper dialog box, to display the Advanced Features dialog box (this dialog box is shown on page 6-62).

3. Click on the Proxy server button of the Advanced Features dialog box, to display the Proxy Configuration dialog box.

4. Enable the proxy server by checking the Enable proxy server box.

5. In the Chained proxy field, type in the IP address or the host name of the proxy server WEBsweeper is to chain to. If the proxy server uses a port other than 80, for example port 8080, the entry should include the port, for example, 193.112.243.1:8080.

You can enter a list of URLs or URL masks for which the chained proxy won't be called. Type this list into the Don't chain URL's area, separating each item with a space or a new line. See page 6-36 for more details.
 





msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.