WEBsweeper is deployed between your internal
network and the Internet, on a WEBsweeper host. It acts as a
caching proxy Web server and is designed to protect your internal
network from possible security threats that can arrive via the
Internet.
All Web browsers on
your network are configured to have their requests sent to the
WEBsweeper host. This means that security can be managed at a
single point, that is, the WEBsweeper host, rather than at every
Web browser. This is illustrated in the following diagram.
Following the diagram shown on the previous
page:
- 1. When a user requests a resource, the
request is first forwarded to WEBsweeper.
- 2. WEBsweeper searches its cache for
the resource. If successful the cached resource is
downloaded to the Web browser. A cached WEBsweeper
message may be downloaded instead, if a recent request
for the same resource failed validation.
- 3. If the resource is not cached,
WEBsweeper sends a request to the origin Web server,
somewhere on the Internet. This is the server specified
in the URL. If the resource is not cached, WEBsweeper will
also call any URL blockers that are configured.
- 4. The requested data is returned to
WEBsweeper, where it is disassembled and validated,
according to the configured rules.
- 5. If the validation is successful the
data is entered into the cache. If the validation is not
successful a message is prepared, to notify the user that
they will not receive the data. The data is then
discarded.
- 6. The requested data, if validation
was successful, or the WEBsweeper message, if validation
failed, is downloaded to the Web browser.
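The six steps above can be followed in a small model. This is an added example, not WEBsweeper code: the class, the message wording, the `failure_ttl` value standing in for a "recent" failure, and the uncached refusal from a URL blocker are all assumptions made for illustration.

```python
import time

FAIL_MSG = "WEBsweeper: the requested data failed validation"   # constructed wording
DENY_MSG = "WEBsweeper: the URL was refused by a URL blocker"   # constructed wording

class FlowModel:
    """Toy model of steps 1-6; not WEBsweeper's code or API."""

    def __init__(self, origin, validate, url_blockers=(), failure_ttl=300):
        self.origin = origin              # dict url -> bytes, stands in for origin servers
        self.validate = validate          # callable(bytes) -> bool, the configured rules
        self.url_blockers = url_blockers  # callables(url) -> True to refuse the URL
        self.failure_ttl = failure_ttl    # assumption: seconds a failure counts as "recent"
        self.cache = {}                   # url -> (kind, payload, expiry or None)
        self.origin_requests = 0

    def request(self, url, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(url)
        if hit and (hit[2] is None or now < hit[2]):
            return hit[0], hit[1]         # step 2: cached data or cached message
        # Step 3: URL blockers are consulted only on a cache miss.
        if any(blocker(url) for blocker in self.url_blockers):
            return "message", DENY_MSG    # assumption: a refusal is not cached
        self.origin_requests += 1
        data = self.origin[url]           # steps 3-4: fetch from the origin server
        if self.validate(data):           # step 5: valid data enters the cache
            self.cache[url] = ("data", data, None)
            return "data", data
        # Step 5, failure: the data is discarded, the message is kept for a while.
        self.cache[url] = ("message", FAIL_MSG, now + self.failure_ttl)
        return "message", FAIL_MSG

def demo():
    # Constructed inputs: two URLs and a rule that rejects a marker string.
    origin = {"http://site.example/ok": b"plain page",
              "http://site.example/bad": b"...FORBIDDEN-MARKER..."}
    proxy = FlowModel(origin, lambda d: b"FORBIDDEN-MARKER" not in d, failure_ttl=60)
    results = [proxy.request("http://site.example/bad", now=t)[0] for t in (0, 30, 61)]
    return results, proxy.origin_requests

if __name__ == "__main__":
    print(demo())
```

In the model, the second request for the failing URL is answered from the cached message, and the origin server is contacted again only once that message has expired.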
When deploying
WEBsweeper in conjunction with a firewall, a decision has to be
made regarding where to place it on the network. There are
several possibilities, two of which are indicated below:
- 1. On the Clean network.
- 2. On the Dirty network.
WEBsweeper can also be configured to co-exist on the same
network as a MIMEsweeper for FireWall-1 installation; see page 3-8 for details.
If WEBsweeper is deployed on the clean
network, the firewall should be configured to only allow Web
traffic if:
This will ensure that
any user attempting to access the Internet, without going via
WEBsweeper, will be blocked by the firewall.
To deploy WEBsweeper
on the clean network follow the steps outlined below:
- 1. Install a Windows NT machine on the
clean network, to act as the WEBsweeper host.
The machine should meet the
technical specification outlined. See page 3-12 for a
full list of pre-requisites the WEBsweeper host
should be configured with.
- 2. Load any anti-virus tools that you
wish to use with WEBsweeper and note their locations. You
will be asked for this information later, during the
installation.
Check the release notes to
ensure compatibility between this release of
WEBsweeper and the anti-virus tools you wish to use.
- 3. Install WEBsweeper.
See the Installation section on page 3-13 for
details.
- 4. Configure the Web browsers to
forward all outgoing requests to the WEBsweeper machine.
See the Web browser
configuration section on page 3-26 for
details.
- 5. Configure WEBsweeper to chain to the
firewall proxy server, if one is present.
See the Chained proxy servers
section on page
3-9 for details.
- 6. Secure the firewall.
The firewall should be secured
such that:
- Outgoing requests can only
come from the WEBsweeper host.
- Incoming resources can only go
to the WEBsweeper host.
- 7. Secure the WEBsweeper machine.
See page 3-23 for
details on how to secure the WEBsweeper machine.
If WEBsweeper is deployed on the dirty
network, the firewall should be configured to only allow Web
traffic if:
To deploy WEBsweeper
on the dirty network follow the steps outlined below:
- 1. Install a Windows NT machine on the
dirty network, to act as the WEBsweeper host.
The machine should meet the
technical specification outlined. See page 3-12 for a
full list of pre-requisites that the WEBsweeper host
should be configured with.
- 2. Load any anti-virus tools that you
wish to use with WEBsweeper and note their locations. You
will be asked for this information later, during the
installation.
Check the release notes to
ensure compatibility between this release of
WEBsweeper and the anti-virus tools you wish to use.
- 3. Install WEBsweeper.
See the Installation section on page 3-13 for
details.
- 4. Configure the Web browsers to
forward all outgoing requests to the firewall proxy
server, if one is present.
See the Web browser
configuration section on page 3-26 for
details.
- 5. Configure the firewall proxy server,
if one is present, to chain to WEBsweeper.
- 6. Secure the firewall.
The firewall should be secured
such that:
- Outgoing requests can only go
to the WEBsweeper host.
- Incoming resources can only
come from the WEBsweeper host.
- 7. Secure the WEBsweeper machine.
See page 3-23 for
details on how to secure the WEBsweeper machine.
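The "Secure the firewall" rules for the clean and the dirty placement can be checked against firewall records once the policy is in place. The following is an added example, not part of the product: the log format, the addresses, the field names and the set of ports treated as Web traffic are constructed assumptions.

```python
import csv
import io

# Which address must equal the WEBsweeper host, per placement and direction.
RULES = {
    "clean": {"out": "src", "in": "dst"},   # requests from it, resources to it
    "dirty": {"out": "dst", "in": "src"},   # requests to it, resources from it
}
WEB_PORTS = {80, 8080}  # assumption: server ports treated as Web traffic

# Constructed firewall log (format and addresses are illustrative only).
SAMPLE_LOG = """direction,src,dst,server_port
out,10.0.0.5,203.0.113.10,80
in,203.0.113.10,10.0.0.5,80
out,10.0.0.23,203.0.113.10,80
in,203.0.113.10,10.0.0.23,8080
out,10.0.0.23,203.0.113.25,25
"""

def parse_log(text):
    """Parse the constructed CSV log into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))

def violations(records, websweeper_host, placement):
    """Return Web records crossing the firewall that bypass WEBsweeper."""
    rule = RULES[placement]          # KeyError on an unknown placement
    flagged = []
    for rec in records:
        if int(rec["server_port"]) not in WEB_PORTS:
            continue                 # not Web traffic, out of scope here
        must_match = rule[rec["direction"]]
        if rec[must_match] != websweeper_host:
            flagged.append(rec)
    return flagged

if __name__ == "__main__":
    for rec in violations(parse_log(SAMPLE_LOG), "10.0.0.5", "clean"):
        print("bypass:", rec["direction"], rec["src"], "->", rec["dst"])
```

Any record this returns is Web traffic that passed the firewall without going via the WEBsweeper host, which means the firewall policy does not yet match the rules in step 6.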
You may already have a MIMEsweeper for
FireWall-1 deployed but may wish to also deploy a WEBsweeper, for
the enhanced functionality that it can offer.
With some
modifications to your existing firewall configuration your
MIMEsweeper for FireWall-1 installation and WEBsweeper
installation can coexist on the same network.
To deploy WEBsweeper
to coexist with MIMEsweeper for FireWall-1 follow the steps
outlined below.
- 1. Disable HTTP checking in MIMEsweeper
for FireWall-1.
- 2. Reconfigure the firewall by
modifying the security policy so that it does not forward
HTTP data to MIMEsweeper for FireWall-1 for validation.
This is because HTTP data can now be validated by the
WEBsweeper installed during step 3.
- 3. Deploy WEBsweeper on the network.
See the diagram on page 3-3 and the
relevant deployment section for details on how to
achieve this.
On the Clean network -
see page 3-4.
On the Dirty network -
see page 3-6.
Your company may employ Web proxy servers
for several reasons. Two of the most common are:
If your company already uses a Web proxy
server it can usually be configured to chain to WEBsweeper (note
that not all proxies offer this facility). All requests are
then forwarded to WEBsweeper which can validate the downloads
before returning them to your proxy server.
Alternatively, WEBsweeper can be configured
to chain to a Web proxy server, as illustrated in the diagram
below. WEBsweeper's ability to chain to other proxy servers
allows you to implement a configurable security policy and
decrease the time it takes to download and validate a file. For
example, departmental WEBsweepers, with validation configured for
the needs of the department, can be arranged to chain to a single
proxy server. This proxy server can act as a huge store of Web
resources.
If WEBsweeper is to chain to a proxy server,
you can specify this proxy server via the WEBsweeper
icon, found in the Control Panel.
To specify the proxy
server WEBsweeper is to chain to:
- 1. Double-click on the WEBsweeper
icon. This will display the main Content Technologies
WEBsweeper dialog box, as shown below.
- 2. Click on the Advanced features
button of the Content Technologies WEBsweeper dialog box,
to display the Advanced Features dialog box
(this dialog box is shown on page 6-62).
- 3. Click on the Proxy server
button of the Advanced Features dialog box, to
display the Proxy Configuration dialog box.
- 4. Enable the proxy server by checking
the Enable proxy server box.
- 5. In the Chained proxy field,
type in the IP address or the host name of the proxy
server WEBsweeper is to chain to. If the proxy server
uses a port other than 80, for example, port 8080
then the entry should reflect this, for example, 193.112.243.1:8080.
msw.support@mimesweeper.com
Copyright © 1998, Content Technologies Limited. All rights
reserved.