Configuring Web Content Security

When you run the Configuration Wizard, you can install a default set of policies, rules, and policy elements. Trustwave recommends the default set as a useful starting place and a source of ideas for customization. Unless you have a custom set of rules from another source, you should install the default set.

The default rules are recommended by Trustwave as the minimum for a useful WebMarshal product evaluation.

Many additional options are available and are covered in detail in the other chapters of this Guide.

Since WebMarshal is an authenticating proxy server, each browser session must supply a logon credential before any browsing is permitted. You must provide account information for each permitted user so that WebMarshal can authenticate requests. Typically, WebMarshal imports user account information from the local network environment. The Configuration Wizard attempts to create a connection to the directory service that is used in your environment. To learn about how to create connections to other services, including Active Directory, legacy Windows NT, Novell, and workstation based authentication, see “User Management”.

The default WebMarshal configuration includes local “WebMarshal groups” and sets of rules that apply to users in these groups.

•You can set the permissions for an imported user by adding the user to the appropriate WebMarshal group.

•You can adjust permissions by enabling or disabling the rules in the default set that apply to each group.

1.Within the WebMarshal Console, ensure that User Groups is selected. Click the Import User Group icon

in the taskpad to open the Import User Groups window.

3.Browse for or enter the names of the groups that you want to import into WebMarshal. Ensure that each user who is permitted to browse is included in at least one imported group.

Information

Note: WebMarshal can import groups from trusted Active Directory domains, subdomains, and other domains that have an explicit trust relationship with the domain that WebMarshal is a member of. For additional details see Trustwave Knowledge Base article Q11870.

To view a list of all users imported into WebMarshal, in the left pane of the Console expand the item Policy Elements > User Groups > All Users.

WebMarshal default configuration includes a number of local WebMarshal groups. To grant permissions to an imported user, you can add the user (or an entire group) to a WebMarshal Group.

The default policies and rules provided with WebMarshal allow you to support the basic Web access policy goals mentioned earlier in this chapter. WebMarshal rules are created and enabled using the WebMarshal Console. In many cases you can simply use or enable the default items. You may need to customize some rules to meet your needs. You can monitor policy compliance by using Marshal Reporting Console to report on triggered rules.

This section describes the steps necessary to enable a basic access policy starting from the default installation of WebMarshal. All of the rules discussed here are found in WebMarshal’s Quota, Standard, and Content Analysis rules. A number of other rules are enabled by default, including several rules, applied to all requests, which classify the files to permit logging.

For the purposes of this chapter, “appropriate usage” is defined in terms of the content of web pages and files.

You can help to ensure appropriate usage with the WebMarshal TRACEnet facility. TRACEnet provides protection against spam-linked sites, anonymous proxies, phishing sites, and other malicious sites. For more information about TRACEnet, see “Understanding TRACEnet”. To enable TRACEnet:

1.In the left pane of the WebMarshal Console, expand Access Policy and select TRACEnet.

TRACEnet is enabled by default and TRACEnet filtering applies to all users and sites by default. You can adjust these settings using the Settings button on the Access Policy > TRACEnet page.

The WebMarshal default configuration includes a number of rules that apply to specific WebMarshal groups. To allow appropriate use, add imported groups to the WebMarshal groups Power Users, Standard Users, and Restricted Users. Review the policy to see what rules are enabled for each group.

You can check for appropriate textual content of pages with Content Analysis rules such as Block Download - Adult and Nudity Content, Block Download - Offensive Content, and Block Upload - Offensive Text Content. These rules invoke TextCensor scripts to check the text content of files (including HTML documents and productivity files such as Word documents) as well as web form submissions.

You can also control the subject matter of pages using Filtering Lists provided through the external Filtering List function. Within the default rules, you can implement these Lists with the Standard rules Block URL - Adult & Nudity, Block URL - R Rated and Profanity, Block URL - Gambling Sites, and Block URL - Time Wasting Inside Office Hours. When you configure Filtering Lists, WebMarshal uses appropriate categories from each list in each Rule.

Blocking of files by size and by type (executable and/or audiovisual files) can also contribute to checking for appropriate usage. Most organizations will choose to limit user access to these types of content. The rules Block File - Dangerous File Extensions, Block File - Dangerous Files, Block File - Multimedia, and Block File - Documents are included in WebMarshal’s default rules and enabled by default. These rules check the file extension (part of the file name) and the structure of files. You can make exceptions to these rules as described below.

You can use the WebMarshal HTTPS Content Inspection functionality to apply Content Analysis rules to secure web pages that could not otherwise be scanned. For instance, many Webmail sites now use HTTPS. For more information, see “Configuring HTTPS Content Inspection”.

•Write a log record that includes information about the user, request, rule triggered, and classification.

2.Expand the appropriate rule type (in this case, Content Analysis rules.) A list of rules displays in the right pane. A disabled rule (such as Block URL - Adult & Nudity) will display with a dimmed icon and the notation Disabled.

4.From the context menu choose Enable Rule. The rule will be enabled. This change will take effect when you commit the configuration.

5.To commit configuration, click the Commit Configuration button in the toolbar.

Information

Note: When you have made changes but not committed them, the Commit Configuration button shows a red icon.

You can enable additional rules using the same procedure. You can also enable multiple rules by selecting them using ctrl-click and shift-click.

You may want to allow a few users to use sites or files that are blocked for most users including the default Power Users group. The WebMarshal default rules allow full access to all sites for members of the WebMarshal Group Unrestricted Site Access. You could also create additional groups and additional rules to permit specific exceptions.

To implement the exceptions, add the appropriate Users or User Groups to Unrestricted Site Access (or another exception group you create)

3.In the Insert Users and Groups window, select one or more users or groups you want to add. You can find a specific User or Group by typing a few characters in the bottom text field.

Information

Note: WebMarshal supports nested User Groups. A WebMarshal Group can contain other WebMarshal or remote directory Groups.

WebMarshal protects against virus infection, other malware, and exploits for all downloads and uploads in a number of ways: by TRACEnet filtering, by passing messages to third-party scanners, and by file name and file type rules.

WebMarshal can scan for viruses, malware, and other malicious content using the Malware Scan condition in Content Analysis rules. Before you can enable rules that use this action, you must install and configure at least one scanner. For details of these processes, see “Using Malware Scanning”.

Information

Note: WebMarshal can apply malware scanning to all types of files. However, some file types are “safe” (they are not currently known to contain malware payloads). Scanning all files provides added assurance but has a significant impact on performance.

The WebMarshal default Access Policy includes two types of Malware scanning rules:

•The standard scanning rules exclude common image types and text from scanning.

•The “Extensive” rules scan all files. These rules can cause users to experience page loading times 2 to 4 times slower than when using standard rules.

Other types of rules also help to protect against malware downloads. The Standard rules Block File - Dangerous File Extensions and Block File - Dangerous Files are pre-configured to apply to Standard and Restricted users.

•The file is blocked and an appropriate information web page is presented to the user.

•A log record is written with the appropriate rule and classification information.

WebMarshal helps to achieve the goal of conserving network resources by proxy caching, Connection rules, Quota rules, and Content Analysis rules.

You can reduce bandwidth usage by enabling WebMarshal proxy caching. Caching is enabled by default on new installations. For more information about caching, see “Configuring Proxy Caching”.

You can manage connections from many popular Instant Messaging and Streaming Media applications, as well as the WebSocket protocol. Sample blocking rules are provided in the default configuration. To quickly apply these rules to a user, add the user to the pre-defined WebMarshal Group Restricted Users. For more information about how to enable and use connection rules, see “Connection Rules”.

You can limit each user to a quota of browsing time and/or bandwidth. Sample quotas are configured in the default rules, but all quota rules are disabled by default. Enable the pre-configured rules “Enabling rules”. If quota rules are enabled, Trustwave recommends you also enable the Standard rule Global Policy > Display Quota Limits Policy.

You can apply quotas to specific users, specific file types, URL Categories, applications, and/or specific times of day. For complete information, see “Quota Rules”.

WebMarshal can stop the download of oversized files by a Standard rule. The rule Block Download - Files Larger than 20MB stops large files from being accessed.

WebMarshal can also stop uploading of oversized files by a Standard rule. The rule Block Upload - Files Larger than 5MB stops large files from being uploaded.

These file size rules are enabled by default for the Restricted Users group. When triggered, these rules take similar actions to the rules described earlier.

To allow certain users to use large files or a larger quota, you can move them to a group with greater default permissions. You can also apply limits for specific users, file types, or other custom criteria. For complete information, see Chapter 6, “Understanding Web Access Policy, Rule Containers, and Rules.”

WebMarshal User Guide October 2023
< Previous Section | Next Section >
Full document: see WebMarshal Documentation.