5.1 Configuring Web Content Security

When you run the Configuration Wizard, you can install a default set of policies, rules, and policy elements. Trustwave recommends the default set as a useful starting place and a source of ideas for customization. Unless you have a custom set of rules from another source, you should install the default set.

The default rules are recommended by Trustwave as the minimum for a useful WebMarshal product evaluation.

Many additional options are available and are covered in detail in the other chapters of this Guide.

5.1.1 Users and Groups

Since WebMarshal is an authenticating proxy server, each browser session must supply a logon credential before any browsing is permitted. You must provide account information for each permitted user so that WebMarshal can authenticate requests. Typically, WebMarshal imports user account information from the local network environment. The Configuration Wizard attempts to create a connection to the directory service that is used in your environment. To learn how to create connections to other services, including Active Directory, legacy Windows NT, Novell, and workstation-based authentication, see “User Management”.

The default WebMarshal configuration includes local “WebMarshal groups” and sets of rules that apply to users in these groups.

You can set the permissions for an imported user by adding the user to the appropriate WebMarshal group.

You can adjust permissions by enabling or disabling the rules in the default set that apply to each group.

You can create new rules that apply to any of the groups.

5.1.1.1 Adding User Groups From a Connector

To import User Groups:

1. Within the WebMarshal Console, ensure that User Groups is selected. Click the Import User Group icon in the taskpad to open the Import User Groups window.

2. Choose the connector to use. (You can also create a new connector.)

3. Browse for or enter the names of the groups that you want to import into WebMarshal. Ensure that each user who is permitted to browse is included in at least one imported group.

When browsing you can use ctrl-click and shift-click to multi-select.

Note: WebMarshal can import groups from trusted Active Directory domains, subdomains, and other domains that have an explicit trust relationship with the domain that WebMarshal is a member of. For additional details see Trustwave Knowledge Base article Q11870.

4. Click Import to add the User Group(s) and contained users.

To view a list of all users imported into WebMarshal, in the left pane of the Console expand the item Policy Elements > User Groups > All Users. 

5.1.1.2 Adding Imported User Groups to WebMarshal Groups

The WebMarshal default configuration includes a number of local WebMarshal groups. To grant permissions to an imported user, you can add the user (or an entire group) to a WebMarshal Group.

To add a group to a WebMarshal group:

1. Within the WebMarshal Console, ensure that User Groups is selected.

2. Drag a group from the right pane over a WebMarshal group in the left pane.

To add individual users, or sub-groups from an imported group:

1. Select the target group in the left pane.

2. At the top of the right pane, click Insert Existing Group.

3. Select items from the list, and then click Insert.

5.1.2 Basic Rule Configuration

The default policies and rules provided with WebMarshal allow you to support the basic Web access policy goals mentioned earlier in this chapter. WebMarshal rules are created and enabled using the WebMarshal Console. In many cases you can simply use or enable the default items. You may need to customize some rules to meet your needs. You can monitor policy compliance by using Marshal Reporting Console to report on triggered rules.

This section describes the steps necessary to enable a basic access policy starting from the default installation of WebMarshal. All of the rules discussed here are found in WebMarshal’s Quota, Standard, and Content Analysis rules. A number of other rules are enabled by default, including several rules, applied to all requests, which classify the files to permit logging.

5.1.3 Ensuring Appropriate Usage

For the purposes of this chapter, “appropriate usage” is defined in terms of the content of web pages and files.

5.1.3.1 TRACEnet

You can help to ensure appropriate usage with the WebMarshal TRACEnet facility. TRACEnet provides protection against spam-linked sites, anonymous proxies, phishing sites, and other malicious sites. For more information about TRACEnet, see “Understanding TRACEnet”. To enable TRACEnet:

1. In the left pane of the WebMarshal Console, expand Access Policy and select TRACEnet.

2. Check the box to enable the feature.

TRACEnet is enabled by default and TRACEnet filtering applies to all users and sites by default. You can adjust these settings using the Settings button on the Access Policy > TRACEnet page.

5.1.3.2 Rules

The WebMarshal default configuration includes a number of rules that apply to specific WebMarshal groups. To allow appropriate use, add imported groups to the WebMarshal groups Power Users, Standard Users, and Restricted Users. Review the policy to see what rules are enabled for each group.

You can check for appropriate textual content of pages with Content Analysis rules such as Block Download - Adult and Nudity Content, Block Download - Offensive Content, and Block Upload - Offensive Text Content. These rules invoke TextCensor scripts to check the text content of files (including HTML documents and productivity files such as Word documents) as well as web form submissions.

You can also control the subject matter of pages using Filtering Lists provided through the external Filtering List function. Within the default rules, you can implement these Lists with the Standard rules Block URL - Adult & Nudity, Block URL - R Rated and Profanity, Block URL - Gambling Sites, and Block URL - Time Wasting Inside Office Hours. When you configure Filtering Lists, WebMarshal uses appropriate categories from each list in each Rule.

Blocking of files by size and by type (executable and/or audiovisual files) can also contribute to checking for appropriate usage. Most organizations will choose to limit user access to these types of content. The rules Block File - Dangerous File Extensions, Block File - Dangerous Files, Block File - Multimedia, and Block File - Documents are included in WebMarshal’s default rules and enabled by default. These rules check the file extension (part of the file name) and the structure of files. You can make exceptions to these rules as described below.

You can use the WebMarshal HTTPS Content Inspection functionality to apply Content Analysis rules to secure web pages that could not otherwise be scanned. For instance, many Webmail sites now use HTTPS. For more information, see “Configuring HTTPS Content Inspection”.

When a rule is triggered, WebMarshal can take any of several actions:

Block the file, and display an information page to the user.

Send a notification message to the WebMarshal Administrator.

Write a log record that includes information about the user, request, rule triggered, and classification.

5.1.3.3 Enabling rules

To enable a WebMarshal rule (such as Block URL - Adult & Nudity):

1. In the left pane of the WebMarshal Console, expand Access Policy.

2. Expand the appropriate rule type (in this case, Content Analysis rules). A list of rules displays in the right pane. A disabled rule (such as Block URL - Adult & Nudity) will display with a dimmed icon and the notation Disabled.

3. In the right pane, right-click the rule name.

4. From the context menu choose Enable Rule. The rule will be enabled. This change will take effect when you commit the configuration.

5. To commit configuration, click the Commit Configuration button in the toolbar.

Note: When you have made changes but not committed them, the Commit Configuration button shows a red icon.

You can enable additional rules using the same procedure. You can also enable multiple rules by selecting them using ctrl-click and shift-click.

5.1.3.4 Exceptions to rules

You may want to allow a few users to use sites or files that are blocked for most users, including the default Power Users group. The WebMarshal default rules allow full access to all sites for members of the WebMarshal Group Unrestricted Site Access. You could also create additional groups and additional rules to permit specific exceptions.

To implement the exceptions, add the appropriate Users or User Groups to Unrestricted Site Access (or another exception group you create):

1. Select a User Group in the left pane of the Console.

2. Right-click and select Insert Existing.

3. In the Insert Users and Groups window, select one or more users or groups you want to add. You can find a specific User or Group by typing a few characters in the bottom text field.

Note: WebMarshal supports nested User Groups. A WebMarshal Group can contain other WebMarshal or remote directory Groups.

For further information on working with users and groups, see “User Management”.
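Because groups can be nested, membership of Unrestricted Site Access may be indirect and easy to overlook. The following added example (not part of the WebMarshal documentation or product) resolves effective membership through nesting and lists users who also sit in a restricted group; the membership map, the "grp:" prefix, and the user names are constructed for illustration and are not a WebMarshal export format.

```python
# Constructed sample data: group -> direct members. Entries prefixed "grp:"
# are groups (WebMarshal or imported directory groups); others are users.
# This layout is an assumption for illustration, not a WebMarshal format.
DIRECT_MEMBERS = {
    "grp:Unrestricted Site Access": ["alice", "grp:IT Admins"],
    "grp:IT Admins": ["bob", "grp:Helpdesk"],
    "grp:Helpdesk": ["carol", "grp:IT Admins"],  # cycle back to IT Admins
    "grp:Restricted Users": ["carol", "dave"],
    "grp:Standard Users": ["erin"],
}

def effective_users(group, members=DIRECT_MEMBERS):
    """Return {user: nesting path} for every user reachable from group."""
    found, seen = {}, set()
    stack = [(group, [group])]
    while stack:
        current, path = stack.pop()
        if current in seen:          # guards against circular nesting
            continue
        seen.add(current)
        for member in members.get(current, []):
            if member.startswith("grp:"):
                stack.append((member, path + [member]))
            else:
                found.setdefault(member, path)
    return found

def exception_conflicts(exception_group, restricted_groups,
                        members=DIRECT_MEMBERS):
    """Users who hold the exception and also belong to a restricted group."""
    exempt = effective_users(exception_group, members)
    conflicts = {}
    for group in restricted_groups:
        for user in effective_users(group, members):
            if user in exempt:
                conflicts.setdefault(user, []).append(group)
    return conflicts

if __name__ == "__main__":
    exempt = effective_users("grp:Unrestricted Site Access")
    for user, path in sorted(exempt.items()):
        print(f"{user:6} via {' > '.join(path)}")
    print(exception_conflicts("grp:Unrestricted Site Access",
                              ["grp:Restricted Users"]))
```

Users reported as conflicts are candidates for review: confirm that the exception was intended rather than inherited through a nested group.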

5.1.4 Protecting Against Malware

WebMarshal protects against virus infection, other malware, and exploits for all downloads and uploads in a number of ways: by TRACEnet filtering, by passing messages to third-party scanners, and by file name and file type rules.

5.1.4.1 Malware Scanning

WebMarshal can scan for viruses, malware, and other malicious content using the Malware Scan condition in Content Analysis rules. Before you can enable rules that use this action, you must install and configure at least one scanner. For details of these processes, see “Using Malware Scanning”.

Note: WebMarshal can apply malware scanning to all types of files. However, some file types are “safe” (they are not currently known to contain malware payloads). Scanning all files provides added assurance but has a significant impact on performance.

The WebMarshal default Access Policy includes two types of Malware scanning rules:

The standard scanning rules exclude common image types and text from scanning.

The “Extensive” rules scan all files. These rules can cause users to experience page loading times 2 to 4 times slower than when using standard rules.

 

5.1.4.2 File Type and File Name rules

Other types of rules also help to protect against malware downloads. The Standard rules Block File - Dangerous File Extensions and Block File - Dangerous Files are pre-configured to apply to Standard and Restricted users.

The file is blocked and an appropriate information web page is presented to the user.

A log record is written with the appropriate rule and classification information.

5.1.5 Conserving Network Resources

WebMarshal helps to achieve the goal of conserving network resources by proxy caching, Connection rules, Quota rules, and Content Analysis rules.

5.1.5.1 Proxy caching

You can reduce bandwidth usage by enabling WebMarshal proxy caching. Caching is enabled by default on new installations. For more information about caching, see “Configuring Proxy Caching”.

5.1.5.2 Connection rules

You can manage connections from many popular Instant Messaging and Streaming Media applications, as well as the WebSocket protocol. Sample blocking rules are provided in the default configuration. To quickly apply these rules to a user, add the user to the pre-defined WebMarshal Group Restricted Users. For more information about how to enable and use connection rules, see “Connection Rules”.

5.1.5.3 Quota rules

You can limit each user to a quota of browsing time and/or bandwidth. Sample quotas are configured in the default rules, but all quota rules are disabled by default. Enable the pre-configured rules as described in “Enabling rules”. If quota rules are enabled, Trustwave recommends you also enable the Standard rule Global Policy > Display Quota Limits Policy.

You can apply quotas to specific users, specific file types, URL Categories, applications, and/or specific times of day. For complete information, see “Quota Rules”.

5.1.5.4 Standard rules

WebMarshal can stop the download of oversized files by a Standard rule. The rule Block Download - Files Larger than 20MB stops large files from being accessed.

WebMarshal can also stop uploading of oversized files by a Standard rule. The rule Block Upload - Files Larger than 5MB stops large files from being uploaded.

These file size rules are enabled by default for the Restricted Users group. When triggered, these rules take similar actions to the rules described earlier.

To allow certain users to use large files or a larger quota, you can move them to a group with greater default permissions. You can also apply limits for specific users, file types, or other custom criteria. For complete information, see Chapter 6, “Understanding Web Access Policy, Rule Containers, and Rules.”

Blocking of multimedia files also helps save network resources.

WebMarshal User Guide October 2023