2 Installation and Deployment Part 1.ppt

Installation and

Deployment Part 1

Topic 2

Version 6.3.1

www.websense.com

Copyright © 2006-2007. All rights reserved.

http://www.websense.com/

Ins

talla

tion

& D

eplo

ymen

t Par

t 1

2-2Websense Confidential © 2007 Websense, Inc. All Rights Reserved.

Module 2 Topics – Pre-installation

Installation Part 1

Preinstall Questions

Hands-On Lab 2-1

Installing Websense Web Security Suite

Websense Web Security Suite - Installation

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Module 2 Topics – Deployment Part 1

Websense Core Components

Websense Secondary Components

Additional Deployment Notes

Instructor-Led Lab (iLab) 2-2

Websense Help and Documentation

Websense Web Security Suite - Deployment

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Module 2 Topics – Reporting Tools

Installing Websense Reporting Tools and Components

Log Server

Reporter

Enterprise Explorer

Database Administration

Hands-On Lab 2-3

Installing Reporting Components

Websense Web Security Suite - Installation


Installing Websense Web

Security Suite

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Steps for a Successful Deployment

1. Plan the Websense deployment

2. Install Websense filtering and reporting components

3. Perform initial setup tasks

4. Customize filtering policies, configure user and group based filtering, and learn to use more advanced Websense features

Websense Web Security Suite - Standalone

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Our Scenario

Single Machine, Custom Installation, Stand-Alone Edition

Preinstall Questions:

Supported Operating System?

Meet Hardware Recommendations?

Server?

Free Disk Space?

Installed RAM?

Necessary Software Installed?

Installation Preparation and Answers

Verify Before Installing Websense Software

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Our Scenario: Single Machine, Custom Installation, Stand-Alone Edition

Supported Operating Systems

Windows 2000 Server SP3 or higher – or –

Windows Server 2003

Standard or Enterprise

– With or without SP1 – or –

Red Hat Enterprise Linux 3 or 4

AS, ES, or WS – or –

Solaris 9 or 10

Supported Operating System?

Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Machine Recommendations

Pentium 4, 3 GHz processor or greater

UltraSPARC IIIi or greater

Free Disk Space

10 GB of free disk space

Installed RAM

2 GB RAM

Meet Hardware Recommendations?

Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Web Server Installed?

Microsoft Internet Information Server (IIS) – or –

Apache Web Server

And, if Installing Reporting Components

Database Engine Installed? (Must be installed before you install reporting components)

MSDE: Microsoft SQL Server Desktop Engine 2000 –or-

SQL Server: Microsoft SQL Server 2000/2005

– Not SQL Server Express – SQL Server Express does not have SQL Server Agent jobs

Necessary Software Installed?

Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Make sure you have Administrator privileges before installation

If you plan to have multiple NICs, install them before installing the Network Agent

Make sure you are not using DHCP to assign IP addresses

Installation Preparation

Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Typical or Custom Install?

We will install as Custom

Installation Answers

Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Install as Stand-Alone or Integrated?

We will install as Stand-Alone


Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Will Users be filtered immediately after installation?

We will install as ‘Monitor Internet traffic only (configure filtering later)’


Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Install Transparent User Identification Agents?

We will install DC Agent and Logon Agent


Ins

talla

tion

& D

eplo

ymen

t Par

t 1




Download Websense Master Database Now or Later?

We will Download Later


17

Hands-On Lab

Hands-On Lab 2-1

• Hands-on Lab 2-1– Installing Websense Web Security Suite

• Single Machine, Custom Installation, Stand-Alone Edition

Core Components

Websense Enterprise /

Websense Web Security Suite

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Websense Software Core Components

Filtering Service *

Policy Server *

Websense Manager *

Websense Master Database *

User Service

Network Agent

* Required Components

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Core Component: Filtering Service

The Filtering Service is the core of the Websense software and is responsible for most aspects of URL filtering

Filtering Service communications are necessary for the core filtering and policy execution functionality of other Websense Components

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



The Filtering Service performs or initiates four major functions:

1. URL filtering based on defined policies

2. Identifying requestors

3. Block page display

4. Websense Master Database Download

The Filtering Service also interacts heavily with other Websense services and communicates with firewall/router/proxy/caching device (integration)

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Enforces policy defined with Websense Manager

Provides the following filtering services:

Receives configurations executed through Websense Manager

Communicates with integration partner to allow or block URL access

Sends activity data to a Log Server

Sends activity data to Websense Real Time Analyzer

Sends Policy data to and receives protocol information and disposition status from Network Agent

Filtering Service Functions

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Typically installed on same machine as the Policy Server

May be installed on the same machine as Websense Manager

Recommended maximum of 10 Filtering Services for each Policy Server (if they employ quality network connections)

Filtering Service Deployment

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Filtering Service Architecture

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



The Filtering Service can receive Web traffic from a variety of integrations including:

Microsoft ISA Server

Cisco PIX Firewall and Content Engine

Check Point FireWall-1

Network Appliance NetCache

Stand-Alone installation, using the Network Agent component

Filtering Service and Web Traffic

Ins

talla

tion

& D

eplo

ymen

t Par

t 1

26


TechNote

Websense Filtering Service receives traffic, by default, on TCP 15868 and listens on this port for requests coming from the integration partner. If the port is blocked, you will not be able to filter user traffic.

Websense Filtering Service will use this port for communications with Network Agent, if Network Agent is installed.

This can be modified at any time after installation if required.

TechNote on Filtering Service and Web Traffic

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



TechNote

The Filtering Service runs as

A service on Windows or as

A daemon on Solaris or Linux

Filtering Service TechNote

Core Component

Policy Server

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Core Component: Policy Server

Stores all Websense configuration information

Configured from Websense Manager

Communicates configuration data to Filtering Service

All other components must communicate with Policy Server

Automatically identifies all other Websense components

Continually tracks location/status of all Websense services

Definitive source of configuration information

Policy Server Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



One Policy Server can communicate settings to a large number of Websense services, including multiple filtering services when necessary

In most environments, only a single Policy Server is necessary

In large environments (10,000+ nodes), multiple Policy Servers may be necessary

When using multiple Policy Servers, it is possible to configure a single source of policy distribution

Policy Server Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Typically installed on the same machine as the Filtering Service

May be installed on a separate machine

Depends on the configuration of your network

Only one Policy Server installed for each logical installation

An example would be a Policy Server that delivers the same policies and categories to each machine in a subnet

Policy Server Deployment

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Policy Server Architecture

User Service

Core Component

Websense Manager

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Core Component: Websense Manager

The Websense Manager is a Java-based Graphical User Interface (GUI) interface

It serves as the administrative interface and is used to

- Define and customize internet access policies

- Add or remove clients

- Configure the Policy Server

- Add and change other configuration settings

Websense Manager Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Websense Manager

Websense Manager – Before Logon

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Websense Manager

Websense Manager access requires a User Name and Password

You set the Websense administrator password when running the Websense Manger for the first time

Websense Manger: Logon

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Websense Manager – Overview

Navigation Tree

Menu Bar

Content Pane

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



The Websense Manager is also the configuration front-end for the gateway and network as well as Client Policy Manager (CPM)

More information in the [Optional CPM Module]

Websense Manager Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



May be on any Windows XP / 2000 / 2003 machine as well as supported Linux and Solaris machines

Typically installed on the same machine as the Policy Server

May be installed on one or more machines in your network

Machine needs network access to the Policy Server machine on port 55806

Websense Manager Deployment

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



TechNote

A policy server can only have one concurrent session with a Websense Manager

Websense Manager TechNote

Core Component

Websense Master

Database

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Core Component: Master Database

The Websense Master Database provides the basis for filtering internet content

Websense Master Database

Continually Updated

Published in more than 50 Languages

Organized into general categories and subcategories

Category and Protocol Definitions

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



The Websense Master Database has the industry's most accurate and up-to-date classification of:

URLs

More Than 22 Million Websites in 90+ Categories

Protocols

~95 Protocols in 50 Categories

Applications

More Than 2.2 Million Applications and Executables in 50+ Categories

Websense uses a variety of proprietary classification software and human inspection techniques to maintain the Master Database

Websense Master Database Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



For example, the Information Technology category includes the subcategories:

Computer Security

Hacking

Proxy Avoidance

Search Engines and Portals

URL Translation Sites

Web Hosting

NOTE: Without a valid subscription key, category names are not displayed in the Websense Manager

Categories and Subcategories

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



From Websense Security Labs

The Websense ThreatSeeker technology leverages years of experience to provide content-aware web reputation intelligence allowing customers to easily extend their protection by managing suspicious websites

Reputation Filtering

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



New Extended Protection

Websense Web Security Suite v 6.3.1’s parent category contains three categories:

1. Elevated Exposure

2. Emerging Exploits

3. Potentially Damaging Content


Ins

talla

tion

& D

eplo

ymen

t Par

t 1



New Database Categories

1. Potentially Damaging Content

Sites likely to contain little or no useful content, with potentially harmful elements

2. Elevated Exposure

Sites that camouflage their true nature or identity, or that include elements suggesting latent malign intent

3. Emerging Exploits

Sites found to be hosting known and potential exploit code


Ins

talla

tion

& D

eplo

ymen

t Par

t 1



New Category Defaults

The default category dispositions will be as follows:

Potentially Damaging Content: Allow

Elevated Exposure: Block

Emerging Exploits: Block


Ins

talla

tion

& D

eplo

ymen

t Par

t 1


URL Matching

Analyzes Full URL Entered by User

Includes protocol, domain, and path to a specific page

Prevents filtering sites incorrectly if pages in multiple categories

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


URL Matching

Example

Two URLs on the same domain but in different categories

http://www.cnn.com/WORLD (News and Media category)

http://www.cnn.com/SHOWBIZ (Entertainment category)

Pages on the same site may be filtered differently

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


CGI Requests

CGI (Common Gateway Interface) scripts common in interactive web sites

Includes search engine request forms or image maps

CGI script automatically generates new URL request

Example:

By default, disregards CGI-query in requested site

Can be added as Custom Keyword search

http://search.yahoo.com/bin/search?p=CGI query string

CGI StringCGI String

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


URL Pattern Matching

Supports regular expressions in matching URLs

Custom URLs

Yes lists

Keywords

Pattern strings replace absolute character strings

Adds flexibility to site filtering

Allows specific general patterns for matching

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Websense Master Database

TechNote

Using regular expressions as filtering criteria may result in increased CPU usage

Tests have shown that with 100 regular expressions, the average CPU usage on the machine running the Websense Filtering Server increased by 20%

TechNote: URL Pattern Matching

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


IP Address Matching

Exclusive technology recognizing sites with text-based URLs or with the numerical IP addresses of host servers

Analyzes numeric IP address

204.15.67.11 = http://www.websense.com

Ensures accurate filtering however a site is requested

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Click in Black Window to Start Movie

<spacebar> to skip movie

Core Component User Service

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Core Component: User Service

The User Service supports user identification for user-based policy execution

Installation of the User Service is required before any identification can take place

The User Service is responsible for:

Directory browsing

Group membership discovery

Manual authentication

User verification

Communication with transparent identification agents (DC Agent and Logon Agent)

User Service Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



You can use any of the following directory services with Websense User Service:

Windows NTLM-based directories

Windows Active Directory

Novell Directory Services / Novell eDirectory v8.51 and later

Sun Java System Directory Server v4.2 or v5.2

Supported Directory Services

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Installed in networks using a directory service for authentication

User Service is necessary for filtering and logging internet requests even if only IP filtering is being used


Only one User Service per Policy Server

User Service Deployment

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



User Service Interaction with Directory Services

Core Component

Network Agent

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Core Component: Network Agent

Network Agent uses protocol analyzing technology to monitor all of the internet traffic on the network machines assigned to it

Can filter HTTP traffic

Filters ~90 other popular internet protocols

Captures data about bandwidth usage

The Network Agent is typically used as a means for evaluating Websense software

Must have bi-directional visibility into the network in order to function properly

Network Agent Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Network Agent integrates well with proxy servers, network caches, and firewalls

The Network Agent is the component that is responsible for the filtering of non-HTTP protocols

Since most integrations (firewalls, proxies, etc.) can't send information about these protocols to the Filtering Service, Network Agent acts as a protocol analyzer in order to inform the Filtering Service of this traffic

Network Agent detects malicious peer-to-peer applications and spyware, even when tunneled over well-known ports such as 80, 8080 etc.

Network Agent Overview

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



The Network Agent is also responsible for monitoring bandwidth usage for use with Bandwidth Optimizer (BWO) component

It is also used for enhanced logging with integrations

NOTE: Websense software can filter and log HTTP traffic without using Network Agent

– Depending on the integration (such as Cisco PIX) bandwidth information may not be available without the Network Agent

Network Agent

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Secondary Components

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Components

Real Time Analyzer

Transparent ID Agents

DC Agent / RADIUS Agent / eDirectory Agent / Logon Agent

Usage Monitor

Websense Reporting Components

Covered later in this module

Remote Filtering

Covered in a later module

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Websense Secondary Components

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: Real-Time Analyzer (RTA)

A web-based reporting tool for IT administrators which provides a real-time view of network activity

RTA is usually installed on the same machine as the reporting components

RTA can be memory and CPU demanding, depending on system settings and network load conditions

RTA should not be installed on real-time critical machines

Real-Time Analyzer (RTA)

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: Real-Time Analyzer (RTA)

Supported only on Windows

Installation of the RTA requires a machine with web server software installed:

Apache Web Server

Microsoft IIS

If no installed web server is detected, the Websense software installer will offer to install the included Apache Web Server

NOTE: Only one installation of RTA per Policy Server

Real-Time Analyzer (RTA)

Secondary Component Transparent

ID (XID) Agents

DC AgentLogon Agent

eDirectory Agent

RADIUS Agent

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: (XID) Agents

Enable Websense software to filter based on policies assigned to users or groups housed in a directory service

Optional components

Can be used alone, or combined, with certain limitations, covered in the User Identification and Authentication module

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: DC Agent

Installed in networks using a Windows directory service (NTLM-based or Active Directory)

Can be installed on the same machine as Websense Web Security Suite or installed on a separate machine

DC Agent

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: DC Agent

TechNote

Installing DC Agent on the domain controller machine or firewall DMZ is not recommended

DC Agent can be installed on any network segment as long as NetBIOS is allowed between the DC Agent and the domain controllers

TechNote

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: Logon Agent

Installed in networks using a Windows directory service (NTLM-based or Active Directory)

Can be installed on the same machine as Websense Web Security Suite or on a separate machine

May be installed with DC Agent to improve accuracy of user authentication

Logon Agent

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: eDirectory Agent

Installed in networks using a Novell eDirectory directory structure

Can be installed on the same machine as Websense Web Security Suite or installed on a separate machine

eDirectory Agent

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: eDirectory Agent

TechNote

eDirectory Agent can be installed in the same network as DC Agent or Logon Agent, but cannot be active at the same time.

Websense does not support communication with Windows and Novell directory services simultaneously

Tech Note

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: RADIUS Agent

Installed in networks using a RADIUS authentication server

Can be installed on the same machine as Websense Web Security Suite or a separate machine

RADIUS Agent

Secondary Component

Usage Monitor

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Secondary Component: Usage Monitor

A “behind-the-scenes” service enabling alerting based on internet usage

Tracks URL category and protocol visits made by clients

Generates alert messages according to behaviour configured

Email / Onscreen / SNMP


Only one installation of Usage Monitor per Policy Server

Usage Monitor

Additional Deployment

Notes

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Web Browser and Web Server

Web Browser and Web Server

Microsoft Internet Explorer v5.5 or higher

Microsoft IIS (Internet Information Services) v5.0 or v6.0, or Apache HTTP Server v2.0.50

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Basic Deployment: <1,000 Users

Internet

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Deployment Dependencies

One Log Server per Policy Server

One User Service per Policy Server

One Real-Time Analyzer (RTA) per Policy Server

One Usage Monitor per Policy Server

Recommended: Up to 10 (ten) Filtering Services per Policy Server

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Additional Deployment Considerations


For additional stand-alone deployment considerations, refer to the documentation:

Relevant Documentation

86

Instructor Led Lab

(iLab) Instructor-Led Lab 2-2

• In this iLab, the instructor will take you on an electronic field trip to the Websense website to find KnowledgeBase Articles, Support Tutorials and Documentation!

– iLab 2-2: Websense Help and Documentation

• http://www.websense.com/global/en/SupportAndKB/ • http://www.websense.com/global/en/SupportAndKB/

VideoTutorials/

• http://www.websense.com/global/en/SupportAndKB/ProductDocumentation/

http://www.websense.com/global/en/SupportAndKB/

http://www.websense.com/global/en/SupportAndKB/VideoTutorials/

http://www.websense.com/global/en/SupportAndKB/VideoTutorials/

http://www.websense.com/global/en/SupportAndKB/ProductDocumentation/

http://www.websense.com/global/en/SupportAndKB/ProductDocumentation/

Installing Websense Reporting

Components

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Reporting Components

Log Server

WebCatcher

Enterprise Explorer

Database Administration Tool

Reporter

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Reporting Components Dependencies

All Reporting Tools rely on the Websense Software

Reporting Components are installed after Websense Enterprise or the Websense Web Security Suite

Websense Reporting Tools must be installed with the same version as Websense Web Security Suite

Reporting Tools require an installed database engine

Microsoft SQL Server 2000 / 2005 or MSDE 2000

Not SQL Server Express – SQL Server Express does not have SQL Server Agent jobs

For Linux/Solaris, MySQL 5.0 is the supported database engine

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Websense Reporting Component

Log Server

Required for all Websense Reporting Tools

The installation of the Log Server creates the Log Database

The Log Server sends the following to the Log Database:

Internet activity

Categories and protocols

Risk class names

Log Server

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Websense obtains WebCatcher data from customers to analyze

Unrecognized URLs

Security URLs

for

Categorization

Tracking potential for security and liability risks

NOTE: Subsequent downloads of the Websense Master Database may include URL revisions from data sent to Websense

WebCatcher

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


It’s about quantity and relevance

WebCatcher

– Culls uncategorized web sites and network protocols from our customer sites

Global Benefit

– Newly categorized web sites and network protocols are distributed to all Websense customers

“Digital fingerprint” assists in categorizing a site

found using WebCatcher

WebCatcher


Ins

talla

tion

& D

eplo

ymen

t Par

t 1



A web-based tool which allows an administrator to report from the log database quickly and easily without waiting for canned report generation

Simple

Intuitive

Ability to focus reports using drill down capabilities

Produces reports…

Generated automatically

Sent via email

Exported to PDF / XLS

Enterprise Explorer

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Runs via HTTP / HTTPS

The web server can be installed on any machine that can connect to the Log Database via ODBC

Enterprise Explorer

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



Manage the Log Database by choosing rollover, database partition and maintenance options

Database Administration

Ins

talla

tion

& D

eplo

ymen

t Par

t 1



A Client-based application

Can be installed on any machine that can connect to the Log Database via ODBC

Produces reports…

Generated automatically

Sent via email

Printed

Websense Reporter

97

Hands-on Lab

Hands-On Lab 2-3

• Re-start the Websense Web Security Suite Install Process to install the Websense Reporting Components

– Lab 2-3: Installing Reporting Components

Ins

talla

tion

& D

eplo

ymen

t Par

t 1


Any Questions

Documents

2 Installation and Deployment Part 1.ppt