Protector

Deployment and Installation Center | Data Security Solutions | Version 7.7.x

Applies to:

In this topic:

Data Security, v7.7.x

When to use the protector

Deploying the protector

Hardware requirements

Required ports

Installing the protector software

Configuring the protector

The protector is an essential component of Websense Data Security, providing monitoring and blocking capabilities, preventing data loss and leaks of sensitive information. Using PreciseID technology, the protector can be configured to accurately monitor sensitive information-in-transit on any port.

When to use the protector

The protector works in tandem with the Data Security server. The Data Security server provides advanced analysis capabilities, while the protector sits on the network, intercepts traffic and can either monitor or block the traffic, as needed. The protector supports analysis of SMTP, HTTP, FTP, plain text, IM traffic (e.g., Yahoo, MSN, chat, and file transfer). The protector is also an integration point for third-party solutions that support ICAP.

The protector fits into your existing network with minimum configuration and necessitates no network infrastructure changes.

If you want to monitor SMTP traffic, the protector is your best choice. You configure a span port to be connected to the protector. This span contains your SMTP traffic.

If you want email blocking capabilities, you can use either the protector's explicit MTA mode or the SMTP agent (see below).

We do not recommend that you use both options for the same traffic, although some companies prefer monitoring one point and enforcing policies on another, due to differences in network traffic content and load.

If you want to monitor or transparently block HTTP traffic, you can use the protector to do so, or you can integrate Data Security with Websense Content Gateway or another Web proxy.

If you want to monitor FTP, plain text, or IM traffic, you should use the protector. Note that the protector cannot block traffic on these channels. You can block FTP using Websense Content Gateway (as a DLP agent) or other Web proxy that buffers FTP and supports ICAP.

The first decision that needs to be made when installing a protector is its location on the network. You can deploy the protector in SPAN/mirror port mode or in inline mode.

Deploying the protector

Most data-loss detection devices can be connected off the network, enabling them to sniff network traffic and monitor breaches. This monitoring method is useful because it does not interfere with traffic; however, it also does not enable the loss-prevention system to prevent (block) data losses—only to note and report them. In addition to monitoring mode, you can connect the Websense Protector to the network directly in the path of the traffic, enabling traffic to be blocked, quarantined and even terminated before it reaches its destination.

The following table depicts the available modes according to the selected topology.


Topology Service	SPAN/Mirror Port	Inline/Bridge
HTTP	Monitoring	Monitoring bridge Active (blocking) bridge
SMTP	Monitoring passive Mail Transfer Agent (MTA)	Monitoring bridge Mail Transfer Agent (MTA)
All Others	Monitoring	Monitoring
ICAP	Monitoring Blocking	Monitoring Blocking


	Note In both inline/bridge and SPAN/mirror port topology, Websense Data Security can be integrated with Web proxies. Blocking and monitoring modes are both available.

Deploying in SPAN/mirror port configuration

In SPAN/mirror port mode, the protector is connected off the network via the SPAN/mirror port of a switch, which enables the protector to sniff traffic and receive a copy for monitoring purposes, or via a SPAN/mirror device. In SPAN/mirror port mode, traffic is monitored and analyzed, but cannot be blocked. Note that the protector can also be connected to a TAP device.

The following diagram depicts the Websense device connected to the network via a mirror port on a switch, transparently monitoring network traffic.

Connect the protector to the mirror port of a switch on your network's path.

Connect the protector to the Data Security server.

Deploying in inline configuration

In inline/bridge mode, configure the protector as a layer-2 switch directly in the path of your organization's traffic. In this configuration, the data security device functions passively, monitoring the traffic (as in monitoring mode), or actively, blocking traffic as necessary.

When using the Websense Protector in inline mode, the hardware and software failsafe mechanism is available only when using the certified bypass-server adapter NIC.

The following Silicom network cards (NIC SKUs) are supported by the Websense Protector:

PEG4BPi - Intel-based Quad-Port Copper Gigabit Ethernet PCI Express Bypass Server Adapter

PEG2BPi - Intel-based Dual-Port Copper Gigabit Ethernet PCI Express Bypass Server Adapter

PXG4BPi - Intel-based Quad-Port Copper Gigabit Ethernet PCI-X Bypass Server Adapter

PXG2BPi - Intel-based Dual-Port Copper Gigabit Ethernet PCI-X Bypass Server Adapter

The inline/bridge network setup is the same, regardless of whether the protector is activated in blocking or monitoring mode.

The following figure depicts a sample setup for the Websense device in inline/bridge topology.

Connect the eth0 interface of the protector and the Data Security server to the LAN for management purposes, or use the port set while running the installation wizard.

Connect the protector to the outgoing connection and to your organization's internal network.

The 2 most common inline (bridge) topologies include:

HTTP in active (blocking) mode

HTTP and SMTP in monitoring mode

If you are planning to use one of these modes, when executing the Data Security Protector wizard, make sure the time, date and time zone are precise, and map eth0 to verify it is located on the main board. Connect eth0 of the protector to the LAN.

In inline network configuration, the protector can monitor or block traffic. Monitoring bridge mode monitors traffic. SMTP MTA and HTTP Active Bridge modes have both monitoring and blocking options.

Inline monitoring

In inline monitoring mode, the protector actually sits in the data path on the network—however, data is monitored and not blocked. This mode is particularly useful during the setup phase, when testing the protector to make sure configuration is accurate and network-appropriate, before enabling blocking capabilities on the network.

Inline blocking

In inline blocking mode (also known as active bridge mode), the protector sits in the data path on the network. All traffic that traverses the protector is analyzed either locally by the policy engine resident on the protector, or by a Data Security server if load balancing is set up.

The policy engine applies all policies as necessary before determining whether traffic is forwarded to its original destination. If data is detected that is supposed to be blocked, it is quarantined by the protector and does not reach its destinations. All traffic that does not match a policy and is not considered suspicious by the policy engine is forwarded by the protector to its original destination.

The protector communicates with the Data Security server for management purposes as well as for fingerprinting and deployment updates.

Hardware requirements

The protector is a soft appliance. If you are using your own hardware, it must meet the following hardware requirements:


Protector	Minimum requirements	Recommended
CPU	2 Dual-core Intel Xeon processors (2.0 GHz) or AMD equivalent	2 Quad-core Intel Xeon processors (2.0 GHz) or AMD equivalent
Memory	2 GB	4 GB
Hard drives	2 - 72 GB	4 - 146 GB
Disk space	70 GB	292 GB
Hardware RAID	1	1 + 0
NICs	2 (monitoring), 3 (inline)	2 (monitoring), 3 (inline)

The following Silicom network cards are supported by the Data Security appliance. NICs SKUs are:

PEG4BPi - Intel-based Quad-Port Copper Gigabit Ethernet PCI-Express Bypass Server Adapter

PEG2BPi - Intel-based Dual-Port Copper Gigabit Ethernet PCI-Express Bypass Server Adapter

PXG4BPi - Intel-based Quad-Port Copper Gigabit Ethernet PCI-X Bypass Server Adapter

PXG2BPi - Intel-based Dual-Port Copper Gigabit Ethernet PCI-X Bypass Server Adapter

PEG2Fi - Intel-based Dual-Port Fiber (SX) Gigabit Ethernet PCI-Express Server Adapter

PXG2Fi - Intel-based Dual-Port Fiber (SX) Gigabit Ethernet PCI-X Server Adapter


	Note Websense does not support bypass products with -SD drivers. If you are ordering a NIC based on Intel chips 82546 or 82571, be sure to order them in non-SD mode.

Required ports

The following ports must be kept open for the protector:


Outbound
To	Port	Purpose
Data Security Server	17500-17515*	Consecutive ports that allow communication with Websense agents and machines.
Data Security Management Server	17443	Syslog, forensics, incidents, mobile status
Next hop MTA	25**	SMTP
Websense Web Security	56992	Linking Service
Other	UDP 123	Inbound/ outbound NTPD (available on the appliance yet disabled by default)
* This range is necessary for load balancing. ** Explicit MTA
Inbound
From	Port	Purpose
Data Security Management Server	17500-17515*	Consecutive ports that allow communication with Websense agents and machines.
Anywhere (including TRITON - Data Security)	22	SSH access
Data Security Server	17500-17515*	Consecutive ports that allow communication with Websense agents and machines.
Explicit MTA	25**	SMTP
Explicit MTA	10025**	SMTP, mail analysis
* This range is necessary for load balancing. ** Explicit MTA

If you are connecting third-part software such as a Web proxy through ICAP, the ICAP client should keep the following ports open:


Outbound
To	Port	Purpose
Protector	1344	Receiving ICAP traffic
Inbound
None

Installing the protector software

Installing the Data Security protector comprises 3 basic steps:

Configuring the network

Installation steps

Configure the protector in the TRITON Unified Security Center. See Final step: Verification.

Protector installations include:

A policy engine

ICAP client - for integration with third-party solutions that support ICAP, such as some Web proxies.

Secondary fingerprint repository (the primary is on the management server)

Configuring the network

The following preparatory steps must be taken for the protector to be integrated into your network.

Make sure that firewalls or other access control devices on your network do not block ports used by the protector to communicate with the Data Security server (see Protector).

When installing the protector device in the network, both incoming and outgoing traffic (in the monitored segment) must be visible.

In some cases, incoming traffic from the Internet and outgoing traffic to the Internet are on separate links. In this case, the mirror port must be configured to send traffic from both links to the protector. The protector needs to have access to the Data Security Management Server and vice versa.

Installation steps

You access the installation wizard for your protector through a command line interpreter (CLI). (See Data Security Protector CLI for a reference guide.)

To install the protector, do the following:

If you have purchased the Websense V5000 G2 Data Security Appliance, follow the instructions on its quick start poster to rack, cable, and power on the appliance.

If you are using your own hardware:

Use either a direct terminal or connect via serial port to access the command line. For serial port connection, configure your terminal application, such as HyperTerminal or TeraTerm, as follows:

The protector software is provided on an ISO image. Download the image, WebsenseDataSecurityProtector77x.iso, from MyWebsense and burn it to a CD.

Place the CD in the protector's CD drive and restart the machine.

An installer page appears. If you are using a regular keyboard and screen, type kvm and press Enter. If you are using a serial console, press Enter. The machine is automatically restarted.

You're prompted to enter a user name and password. Enter admin for both.

When the protector CLI opens for the first time, logging in as admin automatically opens the installation wizard. On subsequent attempts, type "wizard" at the command prompt to access the wizard.

You have the option to install the Websense protector software or mobile agent software. Type P for Protector. Choose this mode whether you are deploying the protector inline or in a SPAN/mirror port configuration. For more information on deploying the protector inline, see Deploying in inline configuration. For more information on deploying the protector in a SPAN/mirror port configuration, see Deploying in SPAN/mirror port configuration.

Follow the instructions given by the wizard to configure basic settings.

When the wizard requires data entry, it prompts you. In some cases, a default setting is provided (shown within brackets [ ]). If the default setting is acceptable, press <Enter> to keep the default value.

STEP 1: Accept license agreement

Each time the installation wizard opens, the end-user license agreement appears. Use the page-down/ scroll /space keys to read/scroll to the end of the agreement. Carefully read the license agreement, and when prompted, type yes to accept the license agreement.

STEP 2: Select the hardware to install and confirm hardware requirements

Data Security checks to see if your hardware meets the following requirements:

2 GB RAM

4 CPU

CPU with more than 2MB of cache

CPU speed of 8000 bogomips

Partition "/opt/websense/data" should have at least 45 GB

If your requirements are substandard, you're asked if you want to continue.

STEP 3: Set administrator password

Type in and confirm a new password for the "admin" account. For security reasons, it is best practice to change the default password.

Type in and confirm a new Root ("root") Password (mandatory). The root account provides full access to the device and should be used carefully.

STEP 4: Set the NIC for management server and SSH connections

A list of available network interfaces (NICs) appears. In this step, choose the NIC for use by the Data Security Management Server, SSH connections, and logging onto the protector (eth0 by default). All other NICs will be used for intercepting traffic.

To help you identify which NIC to use, the wizard can simulate traffic for 0-60 seconds and cause LEDs to blink on that port. This does not work for all hardware and drivers.

Enter a number 0-60 to indicate how long (in seconds) you'd like traffic simulated or press Enter to skip this step.

When prompted, choose the NIC index number of the management NIC or accept the default interface.

Type the IP address of the NIC you've chosen. The default is 192.168.1.1.

Type the IP prefix of this NIC. This is the subnet mask in abbreviated format (number of bits in the subnet mask). The default is 24 (255.255.255.0).

Type a broadcast address for the NIC. The installation wizard will provide a calculated value, which is normally the desired one.

Type the IP address of the default gateway to be used to access the network. If the IP address of the Data Security server is not on the same subnet as the protector, a default gateway is required to tell the protector how to communicate with the Data Security server.

STEP 5: Define the host name and domain name

Type the host name to be used to identify this protector. The host name should be unique.

Optionally, type the domain name of the network into which the protector was added. The domain name set here will be used by the Data Security server when defining the protector's parameters.

STEP 6: Define the domain name server

Optionally, type the IP address of the domain name server (DNS) that will service this protector. A DNS will allow access to other network resources using their names instead of their IP addresses.

STEP 7: Set the date, time and time zone

Type the current time zone (to view a list of all timezones, type list).

Type the current date in the following format: dd-mmm-yyyy.

Type the current time in the following format: HH:MM:SS. Note that this is a 24-hour clock.

STEP 8: Register with a Data Security Server

In this step, a secure channel will be created connecting the protector to a Data Security Server. This can be the Data Security Management Server or a supplemental server, depending on your set up.

Type the IP address or FQDN of the Data Security Server. Note that this must be the IP address identified when you installed the server machine. It cannot be a secondary IP address.

Type the user name and password for a TRITON - Data Security administrator that has privileges to manage system modules.

Final step: Verification

In the Data Security module of TRITON Unified Security Center, verify that the Websense Protector is no longer pending and that the icon displays its active status. Refresh the browser.

Click Deploy.

In the protector command-line interface, the following appears:

The protector is now ready to be configured. See Initial Configuration for All Websense Modules for instructions.

Configuring the protector

To begin monitoring the network for sensitive information loss, you must perform some configuration in the TRITON - Data Security user interface. See the TRITON Unified Security Center Help system for instructions on logging on.

Once logged on, navigate to Settings > Deployment > System Modules and double-click the installed protector.

Define the channels that the Websense Protector will monitor.

Supply additional configuration parameters needed by the Websense Data Security Server to define policies for unauthorized traffic.

When you are done, make sure the protector does not have the status Disabled or Pending. You can view its status by looking at the System Modules page.

For more configuration information, see "Configuring the protector" in the TRITON - Data Security Help system.

For instructions on configuring the protector for SMTP in monitoring bridge mode or MTA mode, see Using the protector.

Setting up Bypass mode

Bypass can be used in the event that the Bypass Server Adapter NIC was ordered with the protector; it enables transparent failover in the event of protector failure. When Bypass is enabled, if the protector malfunctions or is powered off, traffic will transparently pass through the protector to the external network. (Bypass mode is relevant only to the inline/bridge network topology.)


	Important Only certified Bypass Server Adapter NIC cards are tested and guaranteed to properly bypass the protector in the unlikely event of product failure.

When a certified Bypass Server Adapter NIC dual or quad network card is available on the protector, it's possible to enable the protector's bypass mode. Bypass is a failsafe mechanism that shorts the protector in the unlikely event of device failure, enabling all network traffic to pass transparently through the protector to the network.

You configure bypass mode in the TRITON - Data Security user interface. Select Settings > Configuration > System Modules. Select the protector, then navigate to the Networking tab and select Enable bypass mode. Refer to the TRITON - Data Security Help system for more details.

By default, Bypass Mode is enabled. This means that when either a software or hardware problem occurs that causes the protector to malfunction, the protector will automatically be bypassed and the (unanalyzed) traffic will continue to pass to the outside network. If Bypass is disabled, when a malfunction occurs all traffic will be blocked and won't reach its intended destination.

Manual bypass

To force the protector into bypass mode, causing all traffic to pass transparently through the protector, do the following:

Log onto TRITON - Data Security.

Select Settings > Deployment > System Modules.

Select the protector to bypass.

In the Edit Protector dialog, select the Networking tab.

Under Network Interfaces, click Edit.

Select the check box labeled, Enable bypass mode.

Select Force bypass.

Click OK twice.

Click Deploy.

If you are experiencing network problems, you can verify that problems are not within the Data Security software, by setting Manual Bypass to On and noting if problems persist.