Protecting your network investments against

data loss, system threats, and Internet abuse

How Does iPrism Work?
[1] intended audience
This technote is intended for anyone installing an iPrism system. It will present how iPrism works
and how it handles the traffic that goes through it.

[2] three different modes

iPrism can be set up in three different networking modes. The choice of the mode affects your
networking and your use of the iPrism software.

[2.1] Bridging

This is the easiest way to set up an iPrism. In bridging mode, there is no need to
reconfigure the LAN where you install iPrism. All traffic but HTTP and ports you choose to
filter will pass through the system unaffected. You will not need to create subnets or to
change your routing configuration! Each side (network interface) of iPrism is on the same
IP network (network address and netmask).

Bridging mode can be used if you want to use iPrism in transparent mode. In this
configuration, all HTTP traffic is automatically filtered and/or monitored by iPrism as it goes
through it.

[2.2] Routing

The routing mode of iPrism can be used in similar networks but requires a different IP
network (base address and netmask) on each side (network interface). It may involve
some changes on your network, like the default route or router configuration. This mode
may be used if you are replacing another router or need to add routing equipment.

[2.3] Bridging or Routing

Once installed, iPrism behaves very similarly in bridging and routing modes. The first
difference is in the way it affects non-IP traffic. See [3] to learn more about this.

The second difference is that iPrism is transparent for your network configuration in
bridging mode - should you experience a hardware failure of the system, it can be replaced
by a network cable and not require configuration changes afterwards.

Routing mode can be used if you want to use iPrism in transparent mode. In this
configuration, all HTTP traffic is automatically filtered and/or monitored by iPrism as it goes
through it.

Internet Filtering Appliance

[2.4] Standalone

In standalone mode, iPrism is not installed in your network path. In this mode, traffic can
not be intercepted automatically by iPrism itself. Hence the system can be used:

• as a direct proxy (by configuring the browsers on the workstations).

• in conjunction with a router which will redirect the HTTP traffic to iPrism (no need
to configure the workstations).

[3] non-ip traffic

Depending on its configured mode, iPrism affects traffic differently. Non-IP traffic is all the
Ethernet traffic of types other than IP (TCP, UDP and ICMP are part of IP networking).

It includes the ARP protocol, the DHCP protocol, IPX, Cisco's RDP, and Appletalk.

• In bridging mode, all non-IP traffic is simply forwarded between iPrism's network interfaces without
any changes, i.e. completely transparently.

• In routing mode, non-IP traffic is not forwarded at all because this traffic is non-routable by iPrism.
All non-IP Ethernet frames are ignored by iPrism.

• In standalone mode, iPrism has one interface and does not impact non-IP traffic.

[3.1] Effects on ARP

ARP (and RARP) requests are transmitted unaltered in bridging mode. A system located
on one side of iPrism can ARP for a machine located on the other side and will see and
use the real host Ethernet address, not iPrism's. iPrism is not doing proxy-ARP and does
not replace the MAC (Ethernet) addresses of workstations.

In routing mode, ARP requests are not forwarded from one network to another.

[3.2] DHCP, IPX, RDP...

All these types of traffic are forwarded as-is in bridging mode and blocked in routing mode.

[4] ip traffic

IP traffic and related protocols (UDP, TCP, ICMP) are subject to iPrism filtering. iPrism can be
configured to filter these protocols. If you set a filter for a protocol, its associated traffic will be
blocked accordingly by iPrism in both bridging and routing mode. IP filters do not make sense in
standalone mode.

Unfiltered protocols are forwarded normally, passed through without modifications in bridging mode
(no changes in the Ethernet frame) and routed in routing mode.

IMPORTANT: Note that even in bridging mode, iPrism needs to know how to route traffic. If you
have several internal IP networks, you need to configure a route (in the System/Networking Panel
of the configuration tools) on iPrism for each of them.
IMPORTANT: Also note that iPrism's default route should always be the next-hop to the Internet (a
router or any type of gateway). It must be on the same IP network as iPrism's external interface.
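The per-mode behaviour described in [3] and [4], as an added example that is not code from the technote or from iPrism itself: it decodes the Ethernet header of a frame (and the IPv4 protocol byte), then applies the rules above. The Mode names, the decision strings, the blocked-protocol set and the two sample frames are constructed for this illustration.

```python
import struct
from enum import Enum

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806      # IANA-assigned EtherType values
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IPv4 protocol numbers

class Mode(Enum):
    BRIDGING = "bridging"
    ROUTING = "routing"
    STANDALONE = "standalone"

def parse_frame(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header; for IPv4, also read the protocol byte."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "ip_proto": None}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 14 + 20:
        proto = frame[14 + 9]  # protocol field is byte 9 of the IPv4 header
        info["ip_proto"] = IP_PROTO_NAMES.get(proto, str(proto))
    return info

def forwarding_decision(frame: bytes, mode: Mode, blocked_protos: set) -> str:
    """Model of the technote's per-mode behaviour (this is not iPrism's own code)."""
    info = parse_frame(frame)
    if info["ethertype"] != ETHERTYPE_IPV4:
        # Non-IP (ARP, IPX, ...): bridged untouched, ignored when routing, and
        # never seen in standalone mode because iPrism is off the network path.
        return {Mode.BRIDGING: "forward-unchanged", Mode.ROUTING: "drop",
                Mode.STANDALONE: "not-in-path"}[mode]
    if mode is Mode.STANDALONE:
        return "not-in-path"  # IP filters do not apply in standalone mode
    if info["ip_proto"] in blocked_protos:
        return "blocked"      # an IP filter applies in both bridging and routing mode
    # Unfiltered IP: Ethernet frame untouched in bridging mode, routed in routing mode.
    return "forward-unchanged" if mode is Mode.BRIDGING else "routed"

def make_frame(ethertype: int, ip_proto: int = None) -> bytes:
    """Constructed test frame: broadcast dst, a locally administered src MAC, optional IPv4 header."""
    hdr = bytes.fromhex("ffffffffffff" "0200c0a80105") + struct.pack("!H", ethertype)
    if ip_proto is None:
        return hdr + b"\x00" * 46  # ARP-sized padding; the payload is irrelevant here
    ipv4 = bytes([0x45, 0]) + struct.pack("!HHH", 40, 0, 0x4000) + bytes([64, ip_proto])
    ipv4 += b"\x00\x00" + bytes([192, 168, 1, 5]) + bytes([198, 51, 100, 7])  # checksum, src, dst
    return hdr + ipv4

ARP_FRAME = make_frame(ETHERTYPE_ARP)                # non-IP frame crossing the appliance
ICMP_FRAME = make_frame(ETHERTYPE_IPV4, ip_proto=1)  # IP frame subject to IP filters
```

Running the same ARP frame through each Mode shows why a routing-mode deployment needs its own route configuration on iPrism: the ARP that would have crossed a bridge is simply dropped.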

[5] http traffic

HTTP traffic is the traffic most affected by iPrism. It is affected in the following ways:

[5.1] Proxying

iPrism is a proxy - this means that it is the system actually communicating with the web
servers on the Internet and it relays the request and the data (HTML or others) between
the client workstation and the web servers.

[5.2] Transparent Proxy

iPrism is a transparent proxy - this means that it can be accessed transparently without
requiring any modifications of the client workstations.

It does not mean that the system:

• cannot be seen by the users

• does not affect the HTTP traffic

The most noticeable effect on HTTP traffic is IP address masking. Because iPrism is a
proxy, the web server will only see iPrism's IP address and will not see the original
workstation at all.

iPrism works as follows: it listens to all traffic that goes through it. When it detects HTTP
traffic, it proxies it. The proxy determines (based on your policy configuration and its filter
list) if the request should be blocked, monitored, or simply allowed.

If the request should be blocked, the user is presented with an "access denied" page. If
the request should be allowed, iPrism connects to the Web service requested and forwards
the page (and associated data) back to the client workstation.
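The block/monitor/allow decision and the IP address masking described in [5], as an added example that is not iPrism's own code: it parses the request both ways a client can present it (absolute URI from a browser configured with a direct proxy, or path plus Host header when intercepted transparently), applies a policy, and relays on the client's behalf so the origin only ever sees the appliance's address. The appliance address, the policy table and the fake_origin stand-in for a web server are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

IPRISM_EXTERNAL_IP = "203.0.113.10"   # constructed (TEST-NET-3) address for the appliance

# Constructed policy: hostname -> action; anything not listed is allowed.
POLICY = {"blocked.example": "block", "watched.example": "monitor"}

@dataclass
class ProxyResult:
    action: str                       # "blocked", "monitored" or "allowed"
    server_saw_src_ip: Optional[str]  # source address the web server observed (None if blocked)
    body: str
    log_line: str                     # the only record that still carries the workstation IP

def parse_request(raw: str):
    """Extract method, destination host and path from a raw HTTP/1.x request.
    A direct proxy client sends an absolute URI; a transparently intercepted
    client sends a path and names the server only in the Host header."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ")
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in head[1:] if ":" in line)}
    if target.lower().startswith("http://"):
        host, _, rest = target[len("http://"):].partition("/")
        path = "/" + rest
    else:
        host, path = headers.get("host", ""), target
    if not host:
        raise ValueError("cannot determine destination host")
    return method, host.lower(), path

def handle_request(client_ip: str, raw: str, policy: dict,
                   fetch: Callable[[str, str, str], str]) -> ProxyResult:
    """Block, monitor or allow, then relay on the client's behalf (model, not iPrism's code)."""
    method, host, path = parse_request(raw)
    action = policy.get(host, "allow")
    log_line = f"client={client_ip} method={method} host={host} path={path} action={action}"
    if action == "block":
        return ProxyResult("blocked", None, "<html><body>Access Denied</body></html>", log_line)
    # iPrism itself opens the connection, so the origin sees the appliance's address only.
    body = fetch(IPRISM_EXTERNAL_IP, host, path)
    return ProxyResult("monitored" if action == "monitor" else "allowed",
                       IPRISM_EXTERNAL_IP, body, log_line)

def fake_origin(src_ip: str, host: str, path: str) -> str:
    """Stand-in for a web server; it echoes the source address it observed."""
    return f"{host}{path} served to {src_ip}"
```

For incident response this is the practical consequence of masking: an external web server log names only the appliance, so the proxy's own log line is where the originating workstation has to be looked up.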
