Websense Confidential Template 2012 4:3

Websense Confidential Template 2012 4:3

ENGINEERING ThreatVision Training Overview for Websense SEs ThreatVision Hotfix April 2013 The information disclosed in this document, including all designs and related materials, is the valuable property of Websense, Inc. and its licensors. Websense, Inc. and its licensors, as appropriate, reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights, except to the extent said rights are expressly granted to others. TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT.

IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 1 Customer Use Case drivers ThreatVision Release Summary

Customers looking for a method to POC WSG / WSGA without deploying proxy Competitive mode of operation Helps to prove the advantages offered by Websense Content Gateway and the Websense ACE analytics Phase I ThreatVision POC Tool Proposed Solution Web Security Gateway (/Anywhere) running off a Span port POC-only tool for 7.7.3 code branch Full Support & SE Readiness program

Minimal GTM Phase II Web Security Gateway ThreatVision (feature) 2013 Websense, Inc. Integration into Web Security Gateway (Anywhere) 7.8 in Production version Full GTM Proprietary and Confidential Page 2 ThreatVision POC Tool Release Goals The Threat Vision POC Tool has three major corporate goals: 1. Turn POCs into larger and broader

evaluations. 2. Provide real world data on the Span mode of operation 3. Provide early access to all Websense teams in readiness for a GA version. The program has accomplished these business goals, to date. We will continue to seek your feedback to measure success. 2013 Websense, Inc. Proprietary and Confidential Page 3 Agenda Objectives for this Overview course: 1. Capabilities: The Big Picture 2. Known limitations

3. Setup steps 4. How to obtain the patches and docs 5. Findings: 1. Performance 2. Known issues 3. Caveats 6. How to provide feedback from the field 2013 Websense, Inc. Proprietary and Confidential Page 4 ThreatVision Capabilities The Big Picture TRITON STOPS STOPS MORE

MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 5 The Big Picture ThreatVision is a POC Hotfix for v7.7.3 WSG/A Hotfix not available to customers. See internal KB article. Requires SE setup Applies to V10000 G2R2 and V10000 G3 only V10000 G2R2 or G3 must be configured to

monitor traffic using a span port. Can be used with one Windows management & reporting server -- but separate SQL Server machine is recommended. Uses standard Websense reporting tools 2013 Websense, Inc. Proprietary and Confidential Page 6 Topology 2013 Websense, Inc. Proprietary and Confidential Page 7 Capabilities

Traffic monitored by the ThreatVision POC tool is analyzed in real time by Content Gateway. Results of the analysis are logged, and appear in Websense standard reports and Real-Time Monitor. No requests are actually blocked. 2013 Websense, Inc. Proprietary and Confidential Page 8 Capabilities If the administrator configures policies that include blocked categories, Web Security reporting tools show requests as blocked.

No actual blocking has occurred. 2013 Websense, Inc. Proprietary and Confidential Page 9 Capabilities Admins can configure Web Security policies to find out (through reports) how the policies would be applied in enforcement mode. Admins can configure suspicious activity alerts and usage alerts. 2013 Websense, Inc. Proprietary and Confidential

Page 10 ENGINEERING Known Limitations ThreatVision POC Tool The information disclosed in this document, including all designs and related materials, is the valuable property of Websense, Inc. and its licensors. Websense, Inc. and its licensors, as appropriate, reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights, except to the extent said rights are expressly granted to others. TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE WE CAN CAN PROVE

PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 11 Known Limitations (part 1 of 4) Websense Content Gateway proxy authentication must not be enabled in ThreatVision POC deployments. Disabling ThreatVision requires reimaging the appliance. Only HTTP traffic is supported (not FTP or HTTPS). SSL decryption is not available in this mode. 2013 Websense, Inc.

Proprietary and Confidential Page 12 Known Limitations (part 2 of 4) A single TRITON console cannot support both ThreatVision and enforcement mode appliances at the same time. Network Agent protocol monitoring is not included at this time. VLAN tagging is not supported. 2013 Websense, Inc. Proprietary and Confidential Page 13

Known Limitations (part 3 of 4) If the admin sets up Web DLP policies that include blocking: Data Security incident reports show blocked requests (even though no actual blocking occurred). Web Security Real-Time Monitor shows the requests as permitted. Web Security investigative reports show the action applied to the requests as Not Available (neither permitted nor blocked). Note that the forensics repository does store files associated with Web DLP incidents. 2013 Websense, Inc. Proprietary and Confidential Page 14

Known Limitations (part 4 of 4) In a standard Web Security Gateway deployment, if Filtering Service blocks a request based on its static (Master Database) category, the request does not go to Content Gateway for analysis. In other words, even with aggressive scanning enabled, URLs are analyzed only if they are permitted by the initial Filtering Service lookup. As a result of this standard behavior, when ThreatVision is enabled, if a policy blocks a request before the request is sent to the analytics, subsequent requests by the user for content internal to that website (for example, clicking through content on the site) may not appear in reports.

This happens because Content Gateway does not know that the block is virtual. It acts as though a block page was sent, and closes its connection to the request. 2013 Websense, Inc. Proprietary and Confidential Page 15 ThreatVision Setup Major Steps for ThreatVision Setup TRITON STOPS STOPS MORE

MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 16 Setup process overview 1. Set Up the Appliance 2. Create a Management Server 3. Configure ThreatVision The Setup Guide walks you through all setup steps in detail.

If you prefer, you can follow the same steps in this slide deck. Or, move forward to Slide 98 to see QA testing scope. 2013 Websense, Inc. Proprietary and Confidential Page 17 Topology 2013 Websense, Inc. Proprietary and Confidential Page 18 Setup process overview Set Up the Appliance

Step 1: Set up the appliance hardware Step 2: Run the firstboot script Step 3: Configure basic appliance settings Step 4: Configure network interfaces Step 5: Configure Web Security component interaction Step 6: Enable the ThreatVision hotfix 2013 Websense, Inc. Proprietary and Confidential Page 19 Set up the appliance > Hardware Set Up the Appliance Step 1: Set up the appliance hardware The topology diagram above gives a simple overview of a ThreatVision deployment. In addition to the V10000 G2 or G3 Appliance, a

Windows Server 2008 R2 machine is required, to host management and reporting components. 2013 Websense, Inc. Proprietary and Confidential Page 20 Set up the appliance > Hardware Connect the C and P1 appliance interfaces Only appliance ports C and P1 are used. Network interface C provides communication for appliance modules and handles database downloads. Interface C: Must be able to access a DNS server Has continuous access to the Internet Ensure that interface C is able to access the download servers at download.websense.com. This URL must be permitted by all firewalls, proxy servers, routers, or host files controlling the URLs that the C interface can access.

Network interface P1 connects to a span port on the switch, to allow Websense Content Gateway to monitor client Internet requests. 2013 Websense, Inc. Proprietary and Confidential Page 21 Set up the appliance > firstboot Set Up the Appliance Step 1: Set up the appliance hardware Step 2: Run the firstboot script After hardware setup, connect directly to the appliance through the serial port or the monitor and keyboard ports. 2013 Websense, Inc. Proprietary and Confidential

Page 22 Set up the appliance > firstboot An Activation script, called firstboot, runs when you start the appliance. The firstboot script prompts you to: Select the security mode for the appliance (Web) Supply settings for the network interface labeled C Enter a few other general items, such as hostname and password You are given the opportunity to review and change these settings before you exit the firstboot script. After you approve the settings, the appliance mode is configured. Later, if you want to change settings (except the security mode), you can do so through the Appliance Manager user interface. 2013 Websense, Inc. Proprietary and Confidential

Page 23 Set up the appliance > firstboot To change the security mode, re-image the appliance with the image from the Websense Downloads site, and then run the firstboot script again. Gather the information on the following slide before running the script. 2013 Websense, Inc. Proprietary and Confidential Page 24 Set up the appliance > firstboot 2013 Websense, Inc.

Proprietary and Confidential Page 25 Set up the appliance > firstboot Run the initial command-line configuration script (firstboot) as follows 1. Access the appliance through a USB keyboard and monitor, or a serial port connection. 2. Accept the subscription agreement when prompted. 2013 Websense, Inc. Proprietary and Confidential Page 26

Set up the appliance > firstboot 3. When asked if you want to begin, enter yes to launch the firstboot activation script. To rerun the script manually, enter the following command: firstboot 4. At the first prompt, select Web as the security mode. 5. Follow the on-screen instructions to provide the information collected in the table above. 6. After the script finishes running, continue with the next slide. 2013 Websense, Inc. Proprietary and Confidential Page 27 Set up the appliance > Configure basic settings

Set Up the Appliance Step 1: Set up the appliance hardware Step 2: Run the firstboot script Step 3: Configure basic appliance settings Appliance Manager is a Web-based interface for the appliance. Use it to view system status, configure network and communication settings, and perform general appliance administration. 2013 Websense, Inc. Proprietary and Confidential Page 28 Set up the appliance > Configure basic settings 1. Open a supported browser (Internet Explorer 8 or 9, Firefox 5 and later, or Google Chrome 13 and later),

and enter the following URL in the address bar: https://:9447/appmng 2. Log on with the user name admin and the password set during initial appliance configuration. 3. Use the navigation pane to go to the Configuration > System page. 2013 Websense, Inc. Proprietary and Confidential Page 29 Set up the appliance > Configure basic settings 4. Under Time and Date: Use the Time zone list to select the time zone to be used on this system. GMT (Greenwich Mean Time), the default, is also known as UTC (Universal

Time, Coordinated). Other time zones are calculated by adding or subtracting from GMT. Use the Time and date radio buttons to indicate how you want to set the date. Time is set and displayed using 24-hour notation. 2013 Websense, Inc. Proprietary and Confidential Page 30 Set up the appliance > Configure basic settings To synchronize with an Internet Network Time Protocol (NTP) server (www.ntp.org.), select the Automatically synchronize option and enter the address of a primary NTP server. The secondary and tertiary fields are optional. To set the time yourself, select the Manually set option and change the value in the Date and Time fields. Use

the format indicated below the entry field. 2013 Websense, Inc. Proprietary and Confidential Page 31 Set up the appliance > Configure basic settings 5. Create or edit a unique appliance description to help you identify and manage the system, particularly when there will be multiple appliances deployed. The description is displayed in the appliance list in the TRITON Unified Security Center when the appliance is added there. 6. Click OK to save your changes. 2013 Websense, Inc. Proprietary and Confidential

Page 32 Setup process overview Set Up the Appliance Step 1: Set up the appliance hardware Step 2: Run the firstboot script Step 3: Configure basic appliance settings Step 4: Configure network interfaces 2013 Websense, Inc. Proprietary and Confidential Page 33 Set up the appliance > Configure network interfaces Still in Appliance Manager:

1. Navigate to the Configuration > Network Interfaces IPv4 and IPv6 pages. 2. Specify the IP address, subnet mask, default gateway, and DNS address for the P1 interface. Correct DNS settings are essential for the Web Security Monitor to function. While entries for the IP address, mask, and default gateway fields are required by the user interface, you can enter any valid settings. Because the NIC is used only for monitoring, the IP address settings are not functionally important. 3. Disable the P2 interface. 2013 Websense, Inc. Proprietary and Confidential Page 34 Set up the appliance > Configure network interfaces

IMPORTANT Do not make configuration changes on the Network Interfaces pages after enabling ThreatVision. After monitoring is enabled, changes to your NIC configuration will prevent the product from functioning correctly. 2013 Websense, Inc. Proprietary and Confidential Page 35 Setup process overview Set Up the Appliance Step 1: Set up the appliance hardware Step 2: Run the firstboot script Step 3: Configure basic appliance settings

Step 4: Configure network interfaces Step 5: Configure Web Security component interaction 2013 Websense, Inc. Proprietary and Confidential Page 36 Set up the appliance > Configure Web Security components Still in Appliance Manager: 1. Navigate to the Configuration > Web Security Components page to specify which Web Security components are active on the appliance, and where the appliance gets Web Security global configuration and Internet access policy information. 2. Under Policy Source, select Full policy source. This means that it hosts Websense Policy Broker, which is responsible for global configuration and policy management information.

3. Click OK to save and apply your changes. 4. Under TRITON - Web Security, specify that the TRITON console is installed Off the appliance (on a separate Windows machine). 5. Click OK to save and apply your changes. 2013 Websense, Inc. Proprietary and Confidential Page 37 Setup process overview Set Up the Appliance Step 1: Set up the appliance hardware Step 2: Run the firstboot script Step 3: Configure basic appliance settings Step 4: Configure network interfaces Step 5: Configure Web Security component interaction Step 6: Enable the ThreatVision hotfix To enable ThreatVision, obtain the hotfix from the

Internal KB article and move it to your local network. 2013 Websense, Inc. Proprietary and Confidential Page 38 Set up the appliance > Apply the hotfix and enable ThreatVision To enable ThreatVision, upload the hotfix to the appliance and enable it with these steps: 1. Open Appliance Manager in a supported browser. The URL is: https://:9447/appmng 2. Navigate to the Administration > Patches / Hotfixes > Hotfixes page. 3. Click Upload Hotfix Manually to retrieve the hotfix file from a network location. 4. Click Install to initiate hotfix installation.

5. Wait until hotfix application is complete. 2013 Websense, Inc. Proprietary and Confidential Page 39 Set up the appliance > Apply the hotfix and enable ThreatVision 6. Connect the appliance P1 interface to a span port on the switch that mirrors the client traffic you want to monitor. 7. Use SSH to connect to the appliance C interface and log on using your Appliance Manager logon credentials when prompted. 8. Enter the following command: monitor enable 9. Close the SSH session, then use SSH to open a new connection to the appliance C interface.

2013 Websense, Inc. Proprietary and Confidential Page 40 Set up the appliance > Apply the hotfix and enable ThreatVision 10. To verify that the appliance has successfully enabled monitor mode, enter the following command: monitor status If the status does not show that monitor mode has been enabled, you may need to restart the appliance and try again. After enabling monitor mode, apply any new hotfixes listed in the ThreatVision KB article. Then, create a TRITON management server.

2013 Websense, Inc. Proprietary and Confidential Page 41 Setup process overview 1. Set Up the Appliance 2. Create a Management Server 3. Configure ThreatVision The Setup Guide walks you through all setup steps in detail. 2013 Websense, Inc. Proprietary and Confidential Page 42

Setup process overview Create a Management Server Step 1: Download the installer and start installation Step 2: Install TRITON Infrastructure Step 3a: Install Web Security management components Step 3b (optional): Install Data Security management components Step 4: Enter a key and download the Master Database 2013 Websense, Inc. Proprietary and Confidential Page 43 Create Management Server > Run the installer Step 1: Download the installer and start installation

1. Download the Websense Web Security Gateway Windows installer from the Downloads tab of mywebsense.com. The file name is WebsenseTRITON773Setup.exe. The version is 7.7.3. When extracted, the installation files occupy about 2 GB of disk space. 2013 Websense, Inc. Proprietary and Confidential Page 44 Create Management Server > Run the installer 2. Double-click the installer executable to launch the Websense TRITON Setup program. A progress dialog box is displayed as files are extracted. This may take a few minutes. 3. On the Welcome screen, click Start.

4. On the Subscription Agreement screen, select I accept this agreement and then click Next. 2013 Websense, Inc. Proprietary and Confidential Page 45 Create Management Server > Run the installer For Web Security Gateway: Mark the Web Security check box. 2013 Websense, Inc. Proprietary and Confidential Page 46 Create Management Server > Run the installer For Web Security Gateway Anywhere: Mark the Web

Security and Data Security check boxes. 2013 Websense, Inc. Proprietary and Confidential Page 47 Create Management Server > Run the installer When you are finished, click Next. 6. On the Summary screen, click Next to continue the installation. The TRITON Infrastructure Setup program launches. Continue with the next slide. 2013 Websense, Inc. Proprietary and Confidential

Page 48 Create Management Server > Infrastructure Create a Management Server Step 1: Download the installer and start installation Step 2: Install TRITON Infrastructure TRITON Infrastructure is the platform on which Websense TRITON management components are built. When the infrastructure components have been installed, the Web Security installer launches automatically to install the Web Security management components. 2013 Websense, Inc. Proprietary and Confidential Page 49 Create Management Server > Infrastructure

1. On the TRITON Infrastructure Setup Welcome screen, click Next. 2. On the Installation Directory screen, specify the location where you want TRITON Infrastructure to be installed and then click Next. 3. On the SQL Server screen, specify the location of your database engine and the type of authentication to use for the connection. Also specify whether to encrypt communication with the database. 2013 Websense, Inc. Proprietary and Confidential Page 50 Create Management Server > Infrastructure Select Use existing SQL Server on this machine if the

Websense installer has already been used to install SQL Server 2008 R2 Express on this machine. Select Install SQL Server Express on this machine to install SQL Server 2008 R2 Express on this machine. When this option is selected, .NET 3.5 SP1, Powershell 1.0, and Windows Installer 4.5 are installed automatically if they are not found on the machine. These are required for SQL Server 2008 R2 Express. 2013 Websense, Inc. Proprietary and Confidential Page 51 Create Management Server > Infrastructure A default database instance named mssqlserver is created, by default. If a database instance with the default name already exists on this machine, an

instance named TRITONSQL2K8R2X is created instead. In some cases, you are prompted to reboot the machine after installing SQL Server Express. If you do, go to Start > All Programs > Websense > Websense TRITON Setup to restart the installer. 2013 Websense, Inc. Proprietary and Confidential Page 52 Create Management Server > Infrastructure Select Use existing SQL Server on another machine to specify the location and connection credentials for a database server located elsewhere in the network. Enter the Hostname or IP address of the SQL Server machine, including the instance name, if any. If you are using a named instance, the instance must

already exist. If you are using SQL Server clustering, enter the virtual IP address of the cluster. Also provide the Port used to connect to the database (1433, by default). 2013 Websense, Inc. Proprietary and Confidential Page 53 Create Management Server > Infrastructure After selecting one of the above options, specify an authentication method and account information: Select the Authentication method to use for database connections: SQL Server Authentication (to use a SQL Server account) or Windows Authentication (to use a Windows trusted connection).

Next, provide the User Name or Account and its Password. This account must be configured to have system administrator rights in SQL Server. If you are using SQL Server Express, sa (the default system administrator account) is automatically specified (this is the default system administrator account). 2013 Websense, Inc. Proprietary and Confidential Page 54 Create Management Server > Infrastructure When you click Next, connection to the database engine is verified. If the connection test is successful, the next installer screen appears. If the test is unsuccessful, the following message appears: Unable to connect to SQL Make sure the SQL Server you specified is

currently running. If it is running, verify the access credentials you supplied. Click OK to dismiss the message, verify the information you entered, and click Next to try again. 2013 Websense, Inc. Proprietary and Confidential Page 55 Create Management Server > Infrastructure 4. On the Server & Credentials screen, select the IP address of this machine and specify network credentials to be used by TRITON Unified Security Center. Select an IP address for this machine. If this machine has a single network interface card (NIC), only one address is listed.

Specify the Server or domain of the user account that you want to use to run the TRITON Infrastructure and TRITON Unified Security Center services. The server/host name cannot exceed 15 characters. 2013 Websense, Inc. Proprietary and Confidential Page 56 Create Management Server > Infrastructure Specify the User name of the account that you want to use to run the TRITON Unified Security Center services. Enter the Password for the specified account. 5. On the Administrator Account screen, enter an email address and password for the default TRITON console administration account: admin. When you are finished,

click Next. System notification and password reset information is sent to the email address specified (once SMTP configuration is done; see next step). Define a strong password as described on the screen. 2013 Websense, Inc. Proprietary and Confidential Page 57 Create Management Server > Infrastructure 6. On the Email Settings screen, enter information about the SMTP server to be used for system notifications and then click Next. You can also configure these settings after installation in the TRITON console. IP address or hostname: IP address or host name of the SMTP server through which email alerts should be sent. In most cases, the default Port (25) should be used. If the

specified SMTP server is configured to use a different port, enter it here. Sender email address: Originator email address appearing in notification email. 2013 Websense, Inc. Proprietary and Confidential Page 58 Setup process overview Sender name: Optional descriptive name that can appear in notification email. This is can help recipients identify this as a notification email from the TRITON Unified Security Center. 7. On the Pre-Installation Summary screen, verify the information and then click Next to begin the

installation. 2013 Websense, Inc. Proprietary and Confidential Page 59 Create Management Server > Infrastructure 8. If you chose to install SQL Server Express, .NET Framework 3.5 SP1, PowerShell 1.0, and Windows Installer 4.5 will be installed if not already present. Wait for Windows to configure components. a) If the following message appears during this process, click OK: Setup could not restart the machine. Possible causes are insufficient privileges, or an application rejected the restart. Please

restart the machine manually and setup will restart. 2013 Websense, Inc. Proprietary and Confidential Page 60 Create Management Server > Infrastructure b) Websense installer starts again. In the TRITON Infrastructure Setup Welcome screen, click Next. c) The Ready to Resume EIP Infra installation screen appears. Click Next. 2013 Websense, Inc. Proprietary and Confidential

Page 61 Create Management Server > Infrastructure 9. If you chose to install SQL Server Express on this machine, SQL Server 2008 R2 Setup is launched. Wait for it to complete. The Setup Support Files screen appears, and then an Installation Progress screen appears. Wait for these screens to complete automatically. It is not necessary to click or select anything in these screens. Note that it may take approximately 10-15 minutes for the SQL Server 2008 R2 Express installation to complete. 2013 Websense, Inc. Proprietary and Confidential

Page 62 Create Management Server > Infrastructure 10. Next, the Installation screen appears. Wait until all files have been installed. If the following message appears, check whether port 9443 is already in use on this machine: Error 1920. Server 'Websense TRITON Central Access (EIPManagerProxy) failed to start. Verify that you have sufficient privileges to start system services. If port 9443 is in use, release it and then click Retry to continue installation. 2013 Websense, Inc.

Proprietary and Confidential Page 63 Create Management Server > Infrastructure 11. On the Installation Complete screen, click Finish. The TRITON Infrastructure Setup program closes, and the Web Security component installer launches. Continue with the next slide. 2013 Websense, Inc. Proprietary and Confidential Page 64 Setup process overview

Create a Management Server Step 1: Download the installer and start installation Step 2: Install TRITON Infrastructure Step 3a: Install Web Security management components 1. On the Select Components screen, select the following components to install, and then click Next. TRITON - Web Security Web Security Log Server Web Security Gateway Anywhere only (optional): Sync Service 2013 Websense, Inc. Proprietary and Confidential Page 65 Create management server > Web components Web Security Gateway Anywhere only: Linking Service Real-Time Monitor

2. On Policy Server Connection screen, enter the IP address and port used by Policy Server (the IP address of the appliance C interface and 55806, by default). When you are finished, click Next. 3. If you selected Sync Service for installation, use the Policy Broker Connection screen to enter the IP address and port used by Policy Broker (the IP address of the appliance C interface and 55880, by default). When you are finished, click Next. 2013 Websense, Inc. Proprietary and Confidential Page 66 Create management server > Web components 4. Use the Log Database Location screen to specify the IP address or hostname of the SQL Server instance that will host the Log (reporting) Database (if necessary),

and provide a path for the database files. When finished, click Next. 5. On the Optimize Log Database Size screen, select Log Web page visits. This results in fewer log records for each URL by combining information for secondary elements on a website (like graphics) into a single record. This results in smaller databases, allowing for potentially faster report generation and longer storage capacities. When finished, click Next. 2013 Websense, Inc. Proprietary and Confidential Page 67 Create Management server > Web components 6. If you selected Linking Service for installation, on the Filtering Service Communication screen, provide the IP

address and port used by Filtering Service (the IP address of the appliance C interface and 15868, by default). When finished, click Next. 7. On the Pre-Installation Summary screen, verify the information shown. The summary shows the installation path and size, and the components to be installed. 2013 Websense, Inc. Proprietary and Confidential Page 68 Create Management server > Web components 8. Click Next to start the installation. The Installing Websense progress screen is displayed. Wait for

installation to complete. 9. On the Installation Complete screen, click Next. For Web Security Gateway, installation of off-appliance components is complete. Continue with Step 4: Enter a key and download the Master Database. For Web Security Gateway Anywhere, continue with the Step 3b, Install Data Security management components. 2013 Websense, Inc. Proprietary and Confidential Page 69 Setup process overview Create a Management Server Step 1: Download the installer and start installation Step 2: Install TRITON Infrastructure Step 3a: Install Web Security management components

Step 3b (optional): Install Data Security management components 1. When the Data Security component installer launches, and the Welcome screen is displayed click Next. 2013 Websense, Inc. Proprietary and Confidential Page 70 Create Management server > Data components 2. On the Select Components screen, accept the defaults and click Next. 3. If prompted, click OK to accept that services such as ASP.NET and SMTP will be enabled. 4. On the Fingerprinting Database screen, accept the default location or click Browse to specify a different location (local path only).

5. If your SQL Server database is on a remote machine, use the Temporary Folder Location Screen to provide the name of a folder to use for temporary files created during archive processing and system backup and restore. Also indicate: 2013 Websense, Inc. Proprietary and Confidential Page 71 Create Management server > Data components Whether to Enable incident archiving and system backup to archive old or aging incidents and perform system backup or restore. Use the From SQL Server field to enter the UNC path that the SQL Server should use to access the temporary folder. Make sure the account used to run SQL has write access to this folder.

Use the From TRITON Management Server field to enter the UNC path the management server should use to access the temporary folder. Enter a user name and password for a user who is authorized to access this location 2013 Websense, Inc. Proprietary and Confidential Page 72 Create Management server > Data components 6. In the Installation Confirmation screen, click Install to begin installing Data Security components. 7. If the following message appears, click Yes to continue the installation: Data Security needs port 80 free. In order to proceed with this installation, DSS will

free up this port. Click Yes to proceed OR click No to preserve your settings. A similar message for port 443 may appear. Click Yes to continue. 2013 Websense, Inc. Proprietary and Confidential Page 73 Create Management server > Data components 8. The Installation progress screen appears. Wait for the installation to complete. When the Installation Complete screen appears, click Finish to close the Data Security installer. You have completed installation of the TRITON management server. Continue with the next slide to enter

a subscription key and activate your Web Security software. 2013 Websense, Inc. Proprietary and Confidential Page 74 Setup process overview Create a Management Server Step 1: Download the installer and start installation Step 2: Install TRITON Infrastructure Step 3a: Install Web Security management components Step 3b (optional): Install Data Security management components Step 4: Enter a key and download the Master Database After the management server installation is complete, log on to the TRITON console and enter your Web

Security Gateway subscription key. 2013 Websense, Inc. Proprietary and Confidential Page 75 Create management server > Enter subscription key 1. Open a supported browser (Internet Explorer 8 or 9, Firefox 5 and later, or Google Chrome 13 and later), and enter the following URL in the address bar: https://:9443/triton/ 2. Enter the user name admin and the password set during installation, then click Log On. You are logged on to the TRITON console and automatically connected to the Web Security management module. 2013 Websense, Inc.

Proprietary and Confidential Page 76 Create management server > Enter subscription key 3. A pop-up window prompts you to enter your subscription key. If Internet requests originating from the appliance C interface must go through a proxy to reach the Internet, provide the proxy details at the same time you enter the key, and before clicking OK. 4. Go to the System tab of the Status > Dashboard page to monitor the progress of the Master Database download. 5. When the download is complete, log off of the TRITON console and continue with the next step. 2013 Websense, Inc.

Proprietary and Confidential Page 77 Setup process overview Configure ThreatVision Step 1: Configure Content Gateway analysis Step 2a: Customize Internet access policies Step 2b(optional): Configure Web DLP policies Step 3: Configure reporting behavior Step 4(optional): Configure the monitor port 2013 Websense, Inc. Proprietary and Confidential Page 78 Configure ThreatVision > Content Gateway analysis

Step 1: Configure Content Gateway analysis This section describes which analysis options to enable to best demonstrate the capabilities offered by Content Gateway and its analytics. Note, however, that even in this configuration, not all traffic may be sent to the proxy for analysis. If any policies that you configure (including the Default policy) use only the Monitor Only filters, all traffic will go to the proxy, but reports will not show any blocked requests. This means that you will not be able to see the blocking capabilities of the full (enforcement mode) solution. 2013 Websense, Inc. Proprietary and Confidential Page 79 Configure ThreatVision > Content Gateway analysis

If your policies enforce filters that block categories (as instructed in the nextsection), any requests blocked before analysis (that is, any requests for URLs assigned to Master Database categories blocked by the filter) are not forwarded to the proxy (just as in enforcement mode). In other words, even though no actual block occurs, the request is treated as if it had been blocked based on Master Database categorization, and no further analysis is performed. This mirrors the way that Web Security Gateway (Anywhere) functions in enforcement mode. 2013 Websense, Inc. Proprietary and Confidential Page 80 Configure ThreatVision > Content Gateway analysis

To configure how Content Gateway analyzes traffic: 1. Log on to the TRITON console as admin, using the password created during installation and select the Web Security module (if needed). 2. Select the Settings tab of the left navigation page, then navigate to the Scanning > Scanning Options page. 3. Under Content Categorization, make sure that the On radio button is selected, and that the Analyze links embedded in Web content... check box is marked. 2013 Websense, Inc. Proprietary and Confidential Page 81 Configure ThreatVision > Content Gateway analysis 4. Under Tunneled Protocol Detection, make sure that the On radio button is selected.

5. Under Security Threats: Content Security, make sure that the On radio button is selected, and the Aggressive analysis... check box is marked. 2013 Websense, Inc. Proprietary and Confidential Page 82 Configure ThreatVision > Content Gateway analysis 6. Under Security Threats: File Analysis: Under Advanced Detection, make sure that the On radio button is checked, and the Aggressive analysis... check box is marked. Under Antivirus Scanning, make sure that the On radio button is checked, and the Aggressive analysis... check box is marked.

2013 Websense, Inc. Proprietary and Confidential Page 83 Configure ThreatVision > Content Gateway analysis Expand the File Type Options button, then mark all of the file type check boxes. 2013 Websense, Inc. Proprietary and Confidential Page 84 Configure ThreatVision > Content Gateway analysis 7. Under Outbound Scanning, make sure that both the

Analyze for and block outbound security threats... and Data theft protection check boxes are marked. 8. Click OK to cache your changes, then click Save and Deploy to implement them. Next, optionally customize your Web Security policies. 2013 Websense, Inc. Proprietary and Confidential Page 85 Setup process overview Configure ThreatVision Step 1: Configure Content Gateway analysis Step 2a: Customize Internet access policies With ThreatVision, creating custom policies enables reporting tools to show how requests would be handled by Websense Web Security Gateway (Anywhere) in

enforcement mode. Regardless of how strict the policies are that you create, no requests are blocked while the deployment is in monitor mode. 2013 Websense, Inc. Proprietary and Confidential Page 86 Configure ThreatVision > Customize Internet policies Web Security Gateway includes a Default policy, in effect 24 hours a day, 7 days a week. This policy is applied to all requests from clients that do not have any other policy assigned. Initially, this policy is configured to use the Monitor Only category filter, which permits all Internet requests. As a best practice, configure the Default policy to enforce the Basic category filter, then update the filter to block 4

additional categories, as described below: 1. In the Web Security module of the TRITON console, navigate to the Policy Management > Policies page. 2013 Websense, Inc. Proprietary and Confidential Page 87 Configure ThreatVision > Customize Internet policies 2. Click the Default link to open the Default policy for editing. 3. Expand the Category / Limited Access Filter list and select Basic. The Category Filter box (under the Policy Definition box) updates to show which categories the Basic category filter blocks and permits. 4. Scroll down to the Extended Protection parent category in the category list and expand it to see its child categories. 5. Select Dynamic DNS, then click Block.

6. Scroll down to the Productivity parent category and expand it, then select Freeware and Software Download and click Block. 2013 Websense, Inc. Proprietary and Confidential Page 88 Configure ThreatVision > Customize Internet policies 7. Scroll down to the Security parent category and expand it, then: Select Malicious Embedded Link and click Block. Select Suspicious Embedded Link and click Block. 8. Click OK to cache your changes, then click Save and Deploy to implement them. In addition to modifying the Default policy, you can: Create additional, custom policies.

Define specific clients (IP addresses or IP address ranges) and apply different policies to different clients or groups of clients. 2013 Websense, Inc. Proprietary and Confidential Page 89 Setup process overview Configure Monitor Mode Step 1: Configure Content Gateway analysis Step 2a: Customize Internet access policies Step 2b (optional): Configure Web DLP policies If you have installed Websense Web Security Gateway Anywhere, configure Web DLP policies in the Data Security manager to compliment your Web Security policies. 1. Select the Data Security module of the TRITON

console. 2013 Websense, Inc. Proprietary and Confidential Page 90 Configure ThreatVision > Configure Web DLP policies 2. On the Main tab, navigate to the Policy Management > DLP Policies > Web DLP Policy page. A quick-start Web DLP policy is provided. 3. On the Attributes tab, select and enable the attributes to monitorfor example uploaded file type. Configure properties for those attributes. When the settings you configure are matched, the policy is triggered. See the Data Security Help for instructions. 2013 Websense, Inc.

Proprietary and Confidential Page 91 Configure ThreatVision > Configure Web DLP policies 4. Select the Destination tab, then specify the websites where you do not want your data sent. See the Data Security Help for instructions. 5. Select the Policy Owners tab, then identify an owner for the policy. See the Data Security Help for instructions. 6. Click OK. 2013 Websense, Inc. Proprietary and Confidential Page 92

Setup process overview Configure ThreatVision Step 1: Configure Content Gateway analysis Step 2a: Customize Internet access policies Step 2b (optional): Configure Web DLP policies Step 3: Configure reporting behavior To record detailed information about the URLs that users request, enable full URL logging. 2013 Websense, Inc. Proprietary and Confidential Page 93 Configure ThreatVision > Configure reporting 1. In the Web Security module of the TRITON console, navigate to the Settings > Reporting > Log Database

page. 2. Scroll down to the Full URL Logging section. 3. Select the Record domain and full URL of each site requested radio button. 4. Click OK to cache your changes, then click Save and Deploy to implement them. 2013 Websense, Inc. Proprietary and Confidential Page 94 Setup process overview Configure ThreatVision Step 1: Configure Content Gateway analysis Step 2a: Customize Internet access policies Step 2b (optional): Configure Web DLP policies Step 3: Configure reporting behavior

Step 4 (optional): Configure the monitor port If you want to monitor traffic on a port other than the default (port 80), configure the custom port in Content Gateway Manager: 2013 Websense, Inc. Proprietary and Confidential Page 95 Configure ThreatVision > Configure monitor port 1. Log on to Content Gateway Manager. 2. Select the Configure tab and navigate to the Networking > ARM page. 3. Click Edit File. 4. In the selection box at the top of the page, select the connection that you want to change (the rule using port 80).

5. Change the Destination Port value to the port you want to use. 6. Click Apply, then click Close to return to the ARM page. 7. Click Apply again to implement the change. 2013 Websense, Inc. Proprietary and Confidential Page 96 Configure ThreatVision This completes the setup and configuration steps. 2013 Websense, Inc. Proprietary and Confidential Page 97

QA Testing scope TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 98 QA Testing Boundaries

The following were not tested by QA for v7.7.3: Co-existence with another proxy Network tap Monitor mode with Network Agent Tagged VLAN support (not officially supported, script available in Merlin build, tested by DEV in-house & on EAP customer deployment to be used as last resort) 2013 Websense, Inc. Proprietary and Confidential Page 99 ENGINEERING Performance and Stability Findings Performance Engineering The information disclosed in this document, including all designs and

related materials, is the valuable property of Websense, Inc. and its licensors. Websense, Inc. and its licensors, as appropriate, reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights, except to the extent said rights are expressly granted to others. TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 100

Performance results at a glance The ratio of ThreatVision observed concurrent connections to actual concurrent connections should not exceed 7. These values represent the outermost boundary of the Performance Trade-Off Curve : Packet loss will exceed 10% if TPS exceeds 1100 and concurrent connections exceeds 2300. Packet loss will exceed 10% if concurrent connections exceeds 19500 and TPS exceeds 50. Packet loss will exceed 10% if TPS exceeds 1050 and concurrent connections exceeds 5300. Packet loss will exceed 10% if concurrent connections exceeds 13000 and TPS exceeds 575. 2013 Websense, Inc. Proprietary and Confidential Page 101

Performance results at a glance Avoid the following settings, or risk significant loss of traffic: Max_nat_entries less than 10000 Max_nat_entries more than 10000 (for V10000 G2R2) due to WCG crashing 850 TPS or more when Aggressive Analysis is used Our results show 120 hours of uninterrupted runtime at 850 TPS. We pad payloads when missed packets happen. You would see this padding in /var/log/messages in this way: [281067.836797] PADDED SESSION 17198019: 72.167.18.237(80) <= 172.18.200.100(35159), transaction id 1, text GET /gds1-36.crl HTTP/1.1 2013 Websense, Inc.

Proprietary and Confidential Page 102 Performance results at a glance Performance Trade-off Curve With less than 10% missed transactions 1200 1000 TPS 800 600 400 200 0 0 2000

4000 6000 8000 10000 12000 14000 16000 18000 20000 Connections

Baseline AA More Likely to Miss Transactions with: Bursts of transactions or small packet delays (near 0ms) due to absence of flow control More transactions per connection (aka keep-alives) (easier to miss transactions by ASM) 2013 Websense, Inc. Proprietary and Confidential Page 103 800

700 600 500 400 300 200 100 0 500 1000 1500 2000 2500 3000

3500 100 90 80 70 60 50 40 30 20 10 0 4000 Percent TPS Performance results at a glance

Time 1000 1500 Merlin TPS TPS Diff% 2000 2500 10% TPS Diff Threshold 3000 3500

18000 16000 14000 12000 10000 8000 6000 4000 2000 0 4000 ns_inuse Connections Avalanche TPS 10000 9000

8000 7000 6000 5000 4000 3000 2000 1000 0 500 Time Avalanche Connections Merlin Connections Merlin ns_inuse Optimal TPS with high conns: 575 TPS with 11200 connections 2013 Websense, Inc.

Proprietary and Confidential Page 104 ENGINEERING Beta Program Summary The information disclosed in this document, including all designs and related materials, is the valuable property of Websense, Inc. and its licensors. Websense, Inc. and its licensors, as appropriate, reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights, except to the extent said rights are expressly granted to others. TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE

WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 105 Beta Summary 4 Beta Sites were deployed + Internal Deployment External customers:

PDLC (Hong Kong) DataWorld (Hong Kong) Judicial Yuan (Taiwan) ShinKong Bank (Taiwan) 5 CRs logged from Beta (2 Bs, 3 Cs) 2013 Websense, Inc. Proprietary and Confidential 106 Page 106 Beta Summary 4 Beta Sites were deployed + Internal Deployment External customers:

PDLC (Hong Kong) DataWorld (Hong Kong) Judicial Yuan (Taiwan) ShinKong Bank (Taiwan) 5 CRs logged from Beta (2 Bs, 3 Cs) 2013 Websense, Inc. Proprietary and Confidential 107 Page 107 Threat Dashboards from Beta Sites (DataWorld)

2013 Websense, Inc. Proprietary and Confidential Page 108 Threat Dashboards from Beta Sites (PDCL) 2013 Websense, Inc. Proprietary and Confidential Page 109 ENGINEERING Support The information disclosed in this document, including all designs and

related materials, is the valuable property of Websense, Inc. and its licensors. Websense, Inc. and its licensors, as appropriate, reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights, except to the extent said rights are expressly granted to others. TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 110

Support Readiness Technical Support will be prepared in late April to open cases in SFDC for ThreatVision. In the meantime, contact Support and request an EI for escalation to Engineering, if an SFDC case cannot be opened at the time of your call. 2013 Websense, Inc. Proprietary and Confidential Page 111 ENGINEERING Release Overview The information disclosed in this document, including all designs and

related materials, is the valuable property of Websense, Inc. and its licensors. Websense, Inc. and its licensors, as appropriate, reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights, except to the extent said rights are expressly granted to others. TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential Page 112

SE - User Assistance ThreatVision Setup Guide created for v7.7.3 The hotfix and setup guide are available via an internal KB article. KB Article will be updated as new information or field issues arise. A separate internal KB article (linked) hosts the fix that addresses a potential logging issue. 2013 Websense, Inc. Proprietary and Confidential Page 113 ENGINEERING Go to Market

The information disclosed in this document, including all designs and related materials, is the valuable property of Websense, Inc. and its licensors. Websense, Inc. and its licensors, as appropriate, reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights, except to the extent said rights are expressly granted to others. TRITON STOPS STOPS MORE MORE THREATS. THREATS. WE WE CAN CAN PROVE PROVE IT. IT. TRITON 2013 Websense, Inc. Proprietary and Confidential

Page 114 Released in April 2013 Internal SE and Partner Training slides Tech Alert (Internal) announcement Links to separate internal KB article with any related hotfixes Provided to TS, SEs, PM by TS Operations PMM has alerted Sales and Marketing managers 2013 Websense, Inc. Proprietary and Confidential Page 115

Recently Viewed Presentations