New in Websense Web Security v7.8.4

Topic 50701 | Release Notes | Web Security Solutions | Updated 26-Aug-2014


Applies to:	Websense Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.8.4

The Web Security Help is available in both English and Japanese. Select your Help system language on the TRITON Settings > My Account page in the TRITON console.

Security

Some previous versions of Websense Web Security included an OpenSSL version that includes the man-in-the-middle (MITM) vulnerabilities (CVE-2014-0224). Exploiting this vulnerability, an attacker that is capable of intercepting communications between a vulnerable client and server can exploit an MITM attack, allowing the attacker to transparently decrypt and modify traffic to and from both client and server. In version 7.8.4 of Websense Web Security, the vulnerable version of the OpenSSL libraries has been replaced with a fixed version.

IPv6 Support

Support for IPv6 has been enhanced to include Web Security reporting tools.

IPv6 information is now included in standard logging data. Log Server will receive log records from Filtering Service or Websense Multiplexer and then store destination IPv6 addresses and source IPv6 addresses in the Log Database for use in reporting. A user's IPv6 address is shown in the user name field when user name information is not available for a client.

IPv6 addresses:

Will display on presentation reports and charts and investigative reports that include source IP addresses, destination IP addresses, or user information.

When these reports are scheduled, they will process and send data that include IPv6 addresses.

Reports containing IPv6 addresses can also be exported to PDF, Excel, or HTML.

Can also be used on the Clients tab of the Presentation Reports > Edit Report Filter page. They can also be used in the Search features of investigative reports.

Display on application reports and charts.

Display on the Status > Dashboard charts, including Threats > Event Details page, that include source IP addresses, destination IP addresses, or user information.

Are used in the calculation of Internet browse time for websites with IPv6 addresses.

Will be included in the uncategorized and security URLs collected by WebCatcher.

Will display in Real-Time Monitor information.

IPv6 addresses can be used as a filter.

Columns that include IPv6 addresses will be sorted effectively.

Are included in the records forwarded to any Security Information and Event Management (SIEM) integration you have enabled.

To support the IPv6 feature, a new Log Database logging partition will be added to your database when you upgrade to v7.8.4. The Log Database is upgraded when Log Server is upgraded. Reports can still be run against existing logging partitions.

Please refer to the list of supported versions of SQL Server in Requirements overview.

Incremental Upgrades

Beginning with v7.8.4, the upgrade process for Websense Web Security solutions no longer requires all machines and components to be upgraded simultaneously. Your deployment will continue to function normally as it is upgraded over a period of time. Policy enforcement, logging, and reporting will continue as the incremental upgrade progresses.

The incremental upgrade process is based on the ability to upgrade one "logical deployment unit" at a time. Each logical deployment unit is made up of a Policy Server instance and all components that rely on it.

See the new Incremental Upgrade guide for details, including requirements that must be met prior to upgrading, steps to complete an incremental upgrade, and the limitations and restrictions associated with it.

Single sign-on using PingFederate (hybrid)

A single sign-on feature has been added to provide authentication using a third-party identity provider that communicates with your directory service. Designed to work for hybrid configurations, this version of single sign-on supports only PingFederate as the identity provider.

Single sign-on provides clientless transparent authentication via a gateway hosted on your network. Clients connecting to the hybrid proxy from a filtered location are redirected to PingFederate. Once users are authenticated against your directory service, they are directed back to the proxy and the appropriate policy is applied. Clients who have authenticated once do not have to authenticate again for subsequent browsing sessions.

PingFederate supports only the Proxy Auto-Configuration (PAC) file assigned to port 8082. It will not use the PAC file assigned to port 80.

When Ping Federate is used as the identity provider, single sign-on cannot fall back to secured form authentication.

Single sign-on using PingFederate has been certified on:

Red Hat Enterprise Linux 6.5

Microsoft Windows Server 2012 R2

V-Series appliances

Client browsers on Microsoft Windows 7 (64-bit), 8.1 (64-bit), and 8.0 (64-bit)

Internet Explorer 11

Firefox 30

Chrome 35

In addition, single sign-on using PingFederate is supported on:

Red Hat Enterprise Linux 5 and 6

Microsoft Windows Server 2008, 2008 R2, and 2012

Client browsers

Internet Explorer 8, 9, and 10

Firefox 4.4 or higher

Chrome 13 or higher

See Integrating a single sign-on identity provider in Web Security Help for details on how to set up single sign-on. See also Configuring single sign-on in TRITON Cloud Security Help for additional information.

Logon application support

Logon Agent communicates with the logon application (LogonApp) on client machines to identify users as they log onto or off of Windows domains.

The logon application supports the following operating systems:

Mac OS X 10.9.2 (64-bit)

Microsoft Windows 8.1 Update 1 (32-bit and 64-bit; Windows 8.1 RT is not supported)

For more information about Logon Agent and the logon application, see the Using Logon Agent for Transparent User Identification white paper.

Third-party platform and product support

This version introduces support for:

Internet Explorer 10, standards mode

Internet Explorer 11, standards mode

Firefox 30

Chrome 35

Note that installing Web Security components on Windows Server 2012 or 2012 R2 requires Microsoft .NET Framework v3.5. Install .NET Framework v3.5 before running the TRITON Unified installer.