Secure Computing SSL Scanner User Manual

USER’S GUIDEWebwasher SSL ScannerVersion 6.5www.securecomputing.com

Introductiondefaultis selected in the line below Policy, which means that the settingsyou are going to configure now will be valid under your default

Common3.6.1Generic Header FilterThe Generic Header Filter tab looks like this:There is one section on this tab:• Header Filter ListIt is described in

CommonHeader Filter ListThe Header Filter List section looks like this:Using this section, you can configure the Generic Header Filter to delete head-

Common3.7Generic Body FilterThe Generic Body Filter options are invoked by clicking on the correspondingbutton under Common:If you want to enable any

Common3.7.1Generic Body FilterThe Generic Body Filter tab looks like this:There is this section on this tab:• Body Filter ListIt is described in the f

CommonBody Filter ListThe Body Filter List section looks like this:Using this section, you can configure the Generic Body Filter blocking andother act

CommonSo, to block, e. g. all HTML pages encoded as UTF-16 you can configure arule like the following:0-128 Contains I"<\00h\00t\00m\00l\00&qu

Common3.8.1SettingsThe Settings tab looks like this:There are six sections on this tab:• Link Filter• Dimension Filter• Popup Filter• Script Filter• A

Common• Advertising Filter SettingsThey are described in the following.Link FilterThe Link Filter section looks like this:Using this section, you can

Common

Common— Text linksEnables or disables the filtering of text links.A text link is the grouping of linked text that, when clicked on, takesyou to anothe

Introduction3. Make settings effectiv eClick on the Apply Changes button:This completes the sample configuration.1.3.3General Features of the Web Inte

CommonTheir meaning is as follows:— ImagesEnables or disables the filtering of images.— AppletsEnables or disables the filtering of Java applets.These

CommonUse the following checkbox to configure the additional setting:• Also disable manually opened windo wsIf this option is enabled, pop-ups will no

Common• Prevent modification of the browser’s status barIf this option is enabled, the filter will prevent the status bar of the browserfrom being mod

CommonAdvertising Filter SettingsThe Advertising Filter Settings section looks like this:Using this section, you can configure settings that will appl

CommonThen check the radio buttons below to further specify the exclusion:— the same pathEnable this option to exclude objects within the s ame place

CommonLink Filter ListThe Link Filter List section looks like this:Using this section, you can add URLs to the Link Filter List and edit them.To do th

Common— do not filterEnable this option to exclude the URL you entered above from filtering.— Add to Li n k Filter ListAfter specifying the informatio

Common3.8.3Dimension Filter ListThe Dimension Filter List tab looks like this:There is this one section on this tab:• Dimension Filter ListIt is descr

CommonDimension Filter ListThe Dimension Filter List section looks like this:Using this section, you can add dimension settings to the Dimension Filte

Common— Add to Dimension Filter ListAfter specifying the dimensions settings in the w ay described above,click on this button to add them to the list.

IntroductionClicking on this arrow will display a button, which you can use to apply changesto all policies.After clicking on this button, your modifi

Common3.9Privacy FiltersThe Privacy Filters options are invoked by clicking on the corresponding but-ton under Common:If you want to enable any of the

Common3.9.1SettingsThe Settings tab looks like this:There are four sections on this tab:• Web Bug Filter• Referer Filter• Prefix Filter• Cookie F ilte

CommonUsing this section, you can configure a filter to eliminate Web bugs.These are also known as clear GIFs or Web beacons. They are are usually1 pi

CommonIt leaves the referer unaffected if you the user moves through the sameor subsequent path.This option may be enabled if user movement should be

CommonCookie FilterThe Cookie Filter section looks like this:Using this section, you can configure a filter to block bad cookies.You can set the life

Common• Neutral cookies expire afterUse the radio buttons and input fields provided here in the following way:— a time period of . . . h . . . minMake

Common3.9.2Cookie Filter ListThe Cookie Filter List tab looks like this:There is one section on the tab:• Cookie Filte r ListIt is described in the fo

CommonCookie Filter ListThe Cookie Filter List section looks like this:Using this section, you can add entries to the Cookie Filter List and edit them

CommonThe Cookie Filter List is displayed at the bottom of this section.To display only a particular number of list entries at a time, type this numbe

CommonTo do this, select a policy from the drop-down list labeled Policy, which is lo-cated above the Media Type Filters button:The options are arrang

IntroductionThe click history is only recorded for the current session, i. e. until you log out.After logging in for a new session, the recording of t

CommonText CategorizationThe Text Categorization section looks like this:Using the text categorization filter you can specify single keywords and comb

Common3.10.2Categorization ListThe Categorization List tab looks like this:There is one section on this tab:• Text Catego rization ListIt is described

CommonText Categorization ListThe Text Categorization List section looks like this:Using the text categorization filter you can specify single keyword

CommonIn the input fields, enter the words or word combinations you want tofilter, e. g. Bahamas, Maledives, work tosetuparulelikethefol-lowing:Bahama

CommonUse the following items to perform other activities relating to the list:• FilterType a filter expression in this input field and enter it using

Common3.11.1HTTP Method Filter ListThe HTTP Method Filter List tab looks like this:There is one section on this tab:• HTTP Me thod Filter ListIt is de

CommonHTTP Method Filter ListThe HTTP Method Filter List section looks like this:Using this section, you can configure rules for assigning actions to

Common— CategoryFrom this drop-down list, select a URL filtering category you want toassign to the HTTP method. Setting this category is also optional

CommonUse the following items to perform other activities relating to the list:• FilterType a filtering term in the input field of the URL or Descript

CommonThese are policy-dependent options, i. e. they are configured for a particularpolicy. When you are configuring these options, you need to specif

IntroductionSearchA Search input field and button are located in the top right corner of the Webinterface area.Using these, you can start keyword quer

CommonFTP Command Filter ListThe FTP Command Filter List section looks like this:Using this section, you can configure rules for assigning actions to

CommonTo add a rule to the list, use the area labeled:• Add ruleUse the following items to configure the rule:— Command category

CommonThe FTP Command Filter List is displayed at the bottom of the section. Youcan edit list entries, change their order or delete them.To display on

Common3.13Welcome PageThe Welcome Page options are invoked by clicking on the correspondingbutton under Common:If you want to enable any of these opti

Common3.13.1Welcome PageThe Welcome Page tab looks like this:There are three sections on this tab:• Welcome Page Options• Manipulate User History• Upl

CommonUse the following items to configure the Welcome Page options:• Show once a day at . . .To let the Welcome Page appear only once a day, make sur

Common• Show againClick on this button to let the Welcome Page appear again for this user. Thismeans that the page is displayed not only once, but als

CommonUse the following items to handle the upload of a Welcome Page:• FilenameIn this input field, enter the name of the file you want to upload. Typ

Common3.14White ListThe White List options are invoked by clicking on the corresponding buttonunder Common:These are policy-dependent options, i. e. t

Common3.14.1White ListThe White List tab looks like this:There is one section on this tab:• White ListIt is described in the following.3–79

IntroductionAfter modifying the interval specified there, click on Apply Changes to makethe modification effective.When a session has timed out, the f

CommonWhite ListThe White List section l ooks like this:Using this section, you can add an object to the White List and exclude it fromthe application

CommonTo add an object to the white list, use the area labeled:• Add new entrySelect String or International Domain Name from the first of the drop-do

CommonTo sort the list in ascending or descending order, c lick on the symbol next tothe Media Type or Description column heading.To edit an entry, ty

Common3.15User Defined CategoriesThe User Defined Categories options are invoked by clicking on the corre-sponding button under Common:The options are

CommonUser Defined CategoriesThe User Defined Categories section l ooks like this:Using this section, you can configure your own categories for URL cl

Common• Category 1 to Category nIn the input fields provided here, enter the category names you want to useand the abbreviated formats of these names.

Common3.16.1Media Type CatalogThe Media Type Catalog tab l ooks like this:There is one section on this tab:• Media Type CatalogIt is described in the

CommonMedia Type CatalogThe Media Type Catalog section looks like this:Using this section, you can add a m edia type to the Media Type Catalog.A media

CommonThe media type tells the application that receives the data what kind of appli-cation is needed to process the content, e. g. Real Audio is to p

Common— Magic BytesIn the input fields provided here, enter up to five magic byte sequencesand their offsets to identify a media type:OffsetIn the inp

IntroductionThe following is provided in this section for the Webwasher Web G ateway Se-curity products:• An overview of the documents on the main pro

Chapter 4SSL ScannerThe features that are described in this chapter are accessible over the SSLScanner tab of the Web interface:These features allow y

SSL Scanner4.1OverviewThe following overview shows the sections that are in this chapter:User’s Guide – Webwasher SSL Scan nerIntroductionHomeCommonOv

SSL ScannerBefore this is done, however, the following subsection provides some generalinformation on this quick snapshot feature.Handling the Quick S

SSL Scanner4.2.1Quick SnapshotThe Quick Snapshot tab looks like this:There is one section on this tab:• Certificate Verification OverviewIt is describ

SSL Scanner• Wildcard MatchA wildcard name has been used in a certificate for a host, which matchesthe host name provided by the URL.Whenever a verifi

SSL ScannerTo do this, select a policy from the drop-down list labeled Policy, which is lo-cated above the Certificate Verification button:The options

SSL ScannerFurthermore, there is this section on the tab:• Certificate VerificationIt is described in the following.Certificate VerificationThe Certif

SSL ScannerIf the Common Name in a certificate is, e. g. abcde.com, but the Webserver’sURLisinfactwww.abcde.com, no match is achieved.• Wildcard match

SSL ScannerTo do this, select a policy from the drop-down list labeled Policy, which is lo-cated above the Certificate Verification button:The options

Introduction1.4.2Documentation on Special ProductsThis section introduces the user documentation on the Webwasher Web Gate-way Security products for s

SSL ScannerTunneling by CategoryThe Tunneling by Category section looks like this:Using this section, you c an configure tunneling for particular URL

SSL Scanner— Bypass SSL ScannerThe SSL Scanner is bypassed completely, i. e. no activities whatso-ever are performed.Client Certificate HandlingThe Cl

SSL Scanner• Verify server certificate, but do not decrypt sessionEnable this option, to have the s erver certificate checked by the verificationproce

SSL Scanner4.5Certificate ListThe Certificate L ist options are invoked by clicking on the corresponding but-ton under SSL Scanner:If you want to enab

SSL Scanner4.5.1Certificate ListThe Certificate List tab looks like this:There is one section on this tab:• Certificate ListIt is described in the fol

SSL ScannerTo add an exception to the list, use the area labeled:• Add new exceptionIn the input field provided here, enter the exception you want to

SSL Scanner— by hostEnabling the by host method means that the host is checked without acertificate being included in the verification process. If the

SSL ScannerIf the number of entries is higher than this number, the remaining entries areshown on successive pages. A page indicator is then displayed

SSL Scanner4.6.1Trusted Certificate AuthoritiesThe Trusted Certificate Authorities tab looks like this:At the top of this tab, there is the Known Cert

SSL ScannerUsing this section, you can configure actions for content with certificates issuedby known Certificate Authorities (CAs) that are either tr

Introduction1.5The Webwasher Web Gateway Security P roductsThe Webwasher Web Gateway Security products provide an optimal solutionfor all your needs i

SSL ScannerTrusted Certificate AuthoritiesThe Trusted Certificate Authorities section looks like this:This section provides the list of Trusted Certif

SSL ScannerTo make the addition valid for all policies, mark the checkbox labeled Addto all policies before proceeding any further.Then click on eithe

SSL Scanner4.7Global Certificate ListThe Global Certificate List options are invoked by clicking on the corre-sponding button under SSL Scanner:If you

SSL ScannerThere is one section on this tab:• Global Certificate ListIt is described in the following.Global Certificate ListThe Global Certificate Li

SSL ScannerFor the meaning of these actions, see the following table:by certificate by hostAllow Theexceptionisallowed. not availableBlock The excepti

SSL ScannerFor the meaning of these actions, see the description of the by cer-tificate method above.A message will then be displayed, stating if the

SSL Scanner4.8Global Trusted Certificate AuthoritiesThe Global Trusted Certificate Authorities options are invoked by clickingon the corresponding but

SSL ScannerTrusted Certificate AuthoritiesThe Trusted Certificate Authorities section looks like this:This section provides the global list of Trusted

SSL ScannerIf the number of entries is higher than this number, the remaining entries areshown on successive pages. A page indicator is then displayed

SSL ScannerThey are described in the upcoming section:• Incident Manager, see 4.9.14.9.1Incident ManagerThe Incident Manager tablookslikethis:There is

IntroductionThese two products have their own user interfaces, which are described in thecorresponding documents:Webwasher®ContentReporterFeatures a l

SSL ScannerUsing this section, you can inspect and manage incidents relating to SSL-en-crypted communication.The Incident Manager enables you to retri

SSL ScannerA list entry consists of the following fields:• Host - URL that caused the incident.Incidents can be added to the certificate lists either

Part Number: 86-0946643-AAll Rights Reserved, Published and Printed in G erma ny©2007 Secure Computing Corporation. This document may not, in whole or

Chapter 2HomeThe features that are described in this chapter are accessible over the Hometab of the Web interface:These are basic features that are co

Home2.1OverviewThe following overview shows the sections that are in this chapter:User’s Guide – Webwasher SSL Scan nerIntroductionHome Overview –this

HomeThe dashboard provides the following tabs:They are described in the upcoming sections:• Executive Summary, see 2.2.1• Traffic Volume, see 2.2.2• S

HomeOn the right side of a section, parameter values are shown as they developedin time, using either a line or a stacked mode, see also further below

HomeNote that the color of a category in the selection list is also used when thecategory is displayed in proportion to other categories by means of a

HomeSince only the categories are shown that yielded the top six values or thecategories you selected on your own, values that may have occurred inoth

Home• Selecting stacked or line modeYou can have parameter values displayed in stacked or line mode:— In line mode, lines are displayed to represent t

Home2.2.1Executive SummaryThe Executive Summary tab looks like this:There are three sections on this tab:• URL Executive Summary• Mail Executive Summa

HomeURL Executive SummaryThe URL Executive Summary section displays the number of URLs thatwere processed by the Webwasher filters within a given time

ContentsChapter 1 Introduction ... 1– 11.1 About This Guide...

Home• Spam level lowThis category is for e-mails that were classified as low-level spam.Number of Feedbacks SentThe Number of Feedbacks Sent section d

Home2.2.2Traffic VolumeThe Traffic Volume tab looks like this:There are two sections on this tab:• Traffic Volum e per Policy• Traffic Volume per Prot

Home• EmergencyPrefix ListThe list below shows the prefixes that are used for multiples of bytes, with bytevalues calculated in binary mode, to measur

Home2.2.3SystemThe System tab is shown here in two parts because of its size. The upperpart of the tab looks like this:2–13

HomeThe lower part looks like this:There are seven sections on this tab:• Update Status• Open Ports• CPU Utilization• Memory Usage• Swap Utilization•

HomeUpdate StatusThe Update Status section d isplays the status of several Webwasher filteringfeatures, e. g. SmartFilter, Secure Anti Malware, etc.,

HomeCPU UtilizationThe CPU Utilization (All CPUs) section shows to what extent the CPUs ofthe system Webwasher is running on have been used. within a

Home• UsedAmount of swap memory that was usedFilesystem Utilization (Used Capacity)The Filesystem (Used Capacity) section displays the percentages of

Home2.3Overview (Feature)The Overview options are invoked by clicking on the corresponding buttonunder Home:The options are arranged under the followi

Home2.3.1Overview (Feature)The Overview tab looks like this:There are four sections on this tab:• System Alerts• System Summary• One-Click Lockdown• V

User’s Guide3.4 Document Inspector ... 3–193.4.1 Document Inspector...

HomeSystem AlertsThe System Alerts section looks like this:This section displays alerts to make you aware of any problems concerning thesystem s tatus

HomeSystem SummaryThe System Summary section looks like this:This section d isplays information on the system status.Information is provided on the us

HomeTo enable the emergency mode:• Click on the Activate emergency mode button.This button is a toggle s witch. After enabling the emergency mode, the

Home2.4SupportThe Support options are invoked by clicking on the corresponding button un-der Home:The options are arranged under the following tab:The

HomeAssistanceThe Assistance section provides a link to contact the Secure Computing tech-nical support team.A click on this link takes you to the Wel

Home2.5.1TrustedSourceThe TrustedSource tab looks like this:There are four sections on this tab:• Spam False Positives Feedback Queue• Spam False Nega

HomeE-mails that were released from a queue after receiving a digest e-mail will becopied to the false positives queue and sent from there to Secure C

HomeSpam False Negatives Feedback QueueThe Spam False Neg atives Feedback Queue section looks like this:Using this section, you can configure the send

HomeE-mails can be sent manually, however, using the Queue Managementpage, which is launched after clicking on the See Content of Queue linknext to th

HomeThe queue should be used for no other purpose than that of collectingmalware since it will be cleared after e-mails and downloads have beensent of

Chapter 1IntroductionWelcome to the User ’s Guide Webwasher® SSL Scanner. It provides youwith the information needed to configure and use the Webwashe

HomeUse the following item to configure the URL feedback:• Send interval in . . . minute sIn the input field provided here, enter a time interval (in

HomeMalware Feedback Media Type Black ListThe Malware Feedback Media Type Black List section looks like this:Using this section, you can add a media t

HomeTo sort the list in ascending or descending order, c lick on the symbol next tothe Media Type or Description column heading.To edit an entry, type

Home2.5.3FeedbackThe Feedback tab looks like this:There are two sections on this tab:• Feedback E-Mail Address• URL Filter Database FeedbackThey are d

HomeURL Filter Database FeedbackThe URL Filter Database Feedba ck section looks like this:Using this section, you can submit uncategorized or incorrec

Home2.6.1Documentation on Main ProductsThe DocumentationonMainProductstab looks like this:There are three sections on this tab:• General Documents• Pr

HomeTo view any of the documents listed here, click on the PDF link in the sameline. This will open a .pdf format version of the document.Product Docu

Home2.6.2Documentation on Special ProductsThe Documentation on Special Products tab looks like this:There are four sections on this tab:• Content Repo

HomeInstant Message Filter DocumentsThe Instant Message Filter Documents section looks like this:This section allows you to v iew user documentation o

HomeTo view any of the documents listed here, click on the PDF link in the sameline. This will open a .pdf format version of the document.2.6.3Additio

Introduction1.1About This GuideThe following overview lists the chapters of this guide and explains briefly whatthey are about:User’s Guide – Webwashe

Home2.7PreferencesThe Preferences options are invoked by clicking on the corresponding buttonunder Home:The options are arranged under the following t

HomeThey are described in the following.Change PasswordThe Change Password section looks like this:Using this section, you can change the password you

HomeIf you are only interested in viewing and configuring settings for Web traffic,you can hide the e-mail related settings and vice versa.Furthermore

HomeTo what extent you are allowed to configure access permissions for other ad-ministrators, depends on your seniority level. This is measured by a v

Home— Allow read o nly accessCheck this radio button to allow read only access.• Deny simultaneous accessCheck this radio button to deny simultaneous

Home2.8.1InformationThe Information tablookslikethis:There are four sections on this tab:• License Information• Webwasher End User License Agreement•

HomeLicense InformationThe License Information section looks like this:This section displays information regarding the license of the Webwasher soft-w

HomeTo import a license, proceed as follows:1. Click on the Browse button provided here and browse for the license fileyou want to import.Before you c

Home2.8.2NotificationThe Notification tab looks like this:There are two sections on this tab:• System Notifications• Too Many ClientsThey are describe

HomeAfter specifying the appropriate information, click on Apply Changes to makeyour settings effective.Use the following items to configure the syste

Introduction1.3Using WebwasherA user-friendly, task-oriented Web interface has been designed for handlingthe Webwasher features. It looks like this:Th

HomeUsing this section, you can configure messages to be written to the system logif connections were refused due to heavy work load or license exhaus

Chapter 3CommonThe features that are described in this chapter are accessible over the Com-mon tab of the Web interface:These are filtering features t

Common3.1OverviewThe following overview shows the sections that are in this chapter:User’s Guide – Webwasher SSL Scan nerIntroductionHomeCommon Overvi

Common3.2Quick SnapshotThe Quick Snapshot for the common filtering functions is invoked by clickingon the corresponding button under Common:The follow

Common3.2.1Quick SnapshotThe Quick Snapshot tab looks like this:There are four sections on this tab:• Frequent Media Types by Hits• Frequent Media Typ

CommonThey are described in the following.Before this is done, however, the following subsection provides some generalinformation on the quick snapsho

CommonThere is, however, a property of the quick snapshot features that is not presenton the dashboard tabs. It is described in the following:• Resett

CommonMedia Types by HitsThe Media Types by Hits section displays a list of the top media types, i.e. the media types that were most often processsed

Common3.3MediaTypeFiltersThe Media Type Filters options are invoked by clicking on the correspondingbutton under Common:If you want to enable any of t

Common3.3.1ActionsThe Actions tablookslikethis:There are two sections on this tab:• Media Type Filter• Web Upload FilterThey are described in the foll

Introduction1.3.1First Level TabsThe Web interface displays a number of tabs and sections for configuring theWebwasher features. On the topmost level,

CommonMedia Type FilterThe Media Type Filter section looks like this:Using this section, you can configure actions, e. g. Block, Block, log andnotify,

Common• Non-rectifiable media types with magic bytes mismatchThe actions configured here will be executed when content types do notmatch their magic b

CommonFurthermore, you need to enable an option on the REQMOD Settings tab touse this filter. To do this, click on the REQMOD Settings link provided a

Common3.3.2Media Type Black ListThe Media Type Black List tablookslikethis:There is one section on this tab:• Media Type Black ListIt is described in

CommonMedia Type Black ListThe Media Type Black List section looks like this:Using this section, you can add a media type to the Media Type Black List

Common— Add to Media Type Black ListAfter s electing a media type, click on this button to add it to the list.This addition will be valid only under t

Common3.3.3Media Type White ListThe Media Typ e White List tab looks like this:There is one section on this tab:• Media Type White ListIt is described

CommonMedia Type White ListThe Media Type White List section l ooks like this:Using this section, you can add a media type to the Media Type White Lis

Common— Add to Media Type White ListAfter s electing a media type, click on this button to add it to the list.This addition will be valid only under t

Common3.4Document InspectorThe Document Inspector options are invoked by clicking on the correspond-ing button under Common:If you want to enable any

Introduction1.3.2Configuring a Sample SettingThis section explains how to configure a s ample setting of a Webwasher fea-ture. The feature chosen here

Common3.4.1Document InspectorThe Document Inspector tab looks like this:There are five sections on this tab:• Document Download Filter• Document Uploa

CommonDocument Download FilterThe Document Download Filter section looks like this:Using this section, you can configure actions for inbound office do

CommonTo view or modify the actions that are currently configured for these actions,click on the Text Categorization link in the checkbox inscription.

CommonDocument Mail FilterThe Document Mail Filter section looks like this:Using this section, you can configure actions for office documents that are

CommonDocument TypesThe Document Types section looks like this:Using this section, you can configure which of the filters that are accessibleover the

CommonUse the following checkboxes to modify the assignment of filters to documentformats:• Download FilterMark or clear the checkboxes in this line t

Common• Structured Storage document, like Visio or MSI, not readableFrom the drop-down lists provided here, select actions for documents inWeb and e-m

CommonThe options are arranged under the following tab:They are described in the upcoming section:• Archive Handler, see 3.5.13.5.1Archive HandlerThe

CommonArchive HandlingThe Archive Handling section looks like this:Using this section, you can configure blocking and other actions for encrypted,corr

CommonAfter specifying the appropriate settings click on Apply Changes to makethem effective.Use the following input fields to configure limits for ar