Corporate Headquarters: 104 Dawson Road, Suite 100, Guelph, ON, Canada N1H 1A7, CANADA. T: +1(519)8265222 F: +1(519)8265228
Netsweeper Inc. India: Apt. No.: 9J, Block 2, Ceebros Shyamala Gardens, 136, Arcot Road, Saligramam, Chennai 600093, INDIA. T: +914442642625 F: +914442642635
Netsweeper Inc. Europe: 41 Marlowes, Hemel Hempstead, Hertfordshire HP1 1EP, UNITED KINGDOM. T: +44(0)1442355160 F: +44(0)1442355001
Netsweeper Inc. Australia/New Zealand: 13 Bareena Drive, Mt. Eliza, Victoria 3930, AUSTRALIA. T: +61(0)397872284 F: +61(0)397870965
Netsweeper Whitepaper
Deploying Netsweeper Internet Content Filtering Solutions
Document Date: 2010
www.netsweeper.com
1999-2010 Netsweeper Inc. All rights reserved.

Every effort has been made to ensure the accuracy of this document. However, Netsweeper Inc. makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Netsweeper Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this document or the examples herein. The information in this documentation is subject to change without notice.

Netsweeper and Netsweeper Inc. are trademarks or registered trademarks of Netsweeper Incorporated in Canada and/or in other countries. Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
Table of Contents

Deploying Netsweeper Internet Content Filtering Solutions
How Netsweeper Works
    User to Integration Level
    Integration to Distribution Level
    Distribution to Categorization Level
    In Practice
Considerations for Deploying the Netsweeper Enterprise Filter
    Enterprise Filter
    Policy Server
    Reporting Server
    Web Server and Administrator
Estimating Server Requirements
    Enterprise Filter
    Policy Servers
    Reporting Servers
    Failover and Load Balancing Requirements
Deployment Examples
    High Demand Network
    Modest Demand Network
Conclusion
About Netsweeper
Deploying Netsweeper Internet Content Filtering Solutions

In a very short period of time, the Internet has firmly established itself as an essential research and communication tool in virtually any business or institution around the world. Every organization and individual that is connected to the Internet is also exposed to the threats the Internet brings to data, productivity, financial safety, and moral sensibilities. By its global reach, the Internet regularly defies laws, policies, and regulations established by governments and lawmakers.

Adopting filtering services available over Internet protocol (IP), businesses, organizations, and users can avoid offensive and often intrusive websites and the spyware, adware, and malware that lurk outside every network Internet connection.

On considering it, no one doubts the case for filtering services over IP in their business or institution to protect themselves from Internet threats. The question is, which of the many filtering (and security) tools will provide the necessary control without requiring complex and/or expensive solutions that can make deployment a nightmare, daily operation an exercise in frustration, and maintenance seem hopeless? According to IDC (International Data Corporation), a key challenge for IT managers is to maximize their return on investment by seamlessly integrating security solutions into their existing environment.

Netsweeper, Inc. offers an advanced enterprise-calibre filtering system for services over IP. With a methodology that responds to actual Internet traffic and a simple deployment methodology that scales easily with network expansion, Netsweeper's filtering solution warrants serious consideration for maximizing any organization's return on its IT security investment.

This paper describes the typical Netsweeper Enterprise Filter deployment and operation.
Deploying the Netsweeper Solution
How Netsweeper Works

Netsweeper's unique architecture provides effective, flexible services-over-IP filtering through a series of Internet-connected servers that access one of the largest URL databases of any IP filtering provider. Netsweeper houses most of the filtering technology in secure and redundant locations, so an organization needs only to set up a Netsweeper Policy Server and an Enterprise Filter to handle its unique network use and traffic flow requirements. (Netsweeper clients can now also opt to use Netsweeper's hosted environment or a Netsweeper NSPROx Web Filter Appliance to accomplish the same.)

The Internet is a constantly changing matrix of websites and services. Netsweeper was designed to respond immediately to surfing patterns and new sites. By design, the most commonly requested sites are already categorized and available in a cache as near the user as possible.

If so little is required to successfully deploy a Netsweeper filtering solution in an enterprise network environment, how is it that Netsweeper actually accomplishes such responsive, comprehensive filtering? Figure 1: URL Flow through Netsweeper Architecture shows a simplified version of what happens when an outgoing URL request is made through a Netsweeper Enterprise Filter solution.
Figure 1: URL Flow through Netsweeper Architecture

User to Integration Level
Integration to Distribution Level

If the Policy Server cannot locally categorize an HTTP request, it sends the URL to the Netsweeper Category Name Server (CNS) asking for a category ruling. Like the Policy Server, the Category Name Server maintains a local cache of recently requested URLs and first looks here to assign a category to the URL. If the URL is in its cache, the Category Name Server returns the category for the URL to the Policy Server. If the Category Name Server does not have the requested URL's category in its cache, the Category Name Server requests a category ruling for the URL from the Netsweeper Master Category Name Server (Master CNS) and allows the request from the Policy Server to time out (the default timeout setting is one second).

Normally, the Enterprise Filter and Policy Server are located within the client's network. The Category Name Server is hosted on the Internet by Netsweeper. In certain circumstances, a Category Name Server can be dedicated to a particular client or group of clients and may contain its own local URL list, for example, static allow/deny lists. On the request timeout, the Policy Server proceeds to process the initial request from the Enterprise Filter using "New URL" as the category. Now having a category for the URL, the Policy Server looks up the ruling and responds to the Enterprise Filter to allow or deny. The Policy Server stores the URL in its cache with the category of "No Category".
Distribution to Categorization Level

Continuing upstream, if the Master Category Name Server does not have the URL in its own cache, it allows the Category Name Server request to time out, which results in "New URL" being stored in the Category Name Server cache. The Master Category Name Server then requests a category ruling for the URL from the Categorization Database. If the URL is not in the Categorization Database, the Categorization Service sends the URL to the Categorization Engine for categorization and sets the category for the URL in its own cache to "New URL".

The Categorization Engine is made up of a number of daemons/servers running over 800 processes, each processing URL categorization requests. Through this dedicated categorization process, the Categorization Engine reviews the Web page content from a request and, within milliseconds, assigns a category to it.

When the Categorization Engine receives a request, it retrieves the URL, parses the data, reports any found links to the Master Category Name Server for their own category ruling, and proceeds to determine a category for the original URL request. Once it determines a category for the URL, it passes the data to the Master Category Name Server, which updates the Categorization Database.

The Categorization Database is made up of several SQL database servers that balance the URL request load.
In Practice

"New URL" is one of several special system categories. The administrator can set the filtering policy to allow or deny URLs with the "New URL" category (or other system categories) to tailor the overall response. For "New URL" categorizations, the servers (Policy, Categorization Name, Master Categorization Name) know to request a refresh of the category for the URL (since the Categorization Engine will have properly categorized the URL at this point and updated the Categorization Database).

The entire Netsweeper categorization process, from initial outgoing Internet request for a URL never seen by the system before (worldwide) to Categorization Engine categorization and storage in the database, takes as little as one second and at most about five seconds, depending on the global location of the network user and the speed of connection to the requested URL web server.

Users and administrators are able to request a human review of URLs either to add a URL to a category, remove a URL from a category, or add a URL to multiple categories. All sites reviewed manually are immediately updated in the Categorization Database and are available to the Master Category Name Server. These sites/updates are also downloaded nightly to the Category Name Server and Policy Server caches.
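
The lookup chain and the "New URL" policy choice described above, as an added example that is not part of the Netsweeper paper: a toy Python model showing that the first request for a never-seen URL is decided by the "New URL" policy, while later requests, including those from a second site sharing the same Category Name Server, get the real category. All class names, the policy table, and the sample URL and category are constructed; settle() stands in for the elapsed categorization time.

```python
# Added example: toy model of the tiered category lookup this paper describes.
# Class names, the policy table, URL and category values are constructed.
NEW_URL = "New URL"  # system category the paper gives to unseen URLs


class Backend:
    """Stands in for the Categorization Database plus Categorization Engine."""

    def __init__(self, engine_verdicts):
        self.verdicts = engine_verdicts  # what the engine will eventually rule
        self.database, self.queue = {}, set()

    def lookup(self, url):
        if url not in self.database:
            self.queue.add(url)  # handed to the engine; caller sees NEW_URL
        return self.database.get(url, NEW_URL)

    def settle(self):
        """Model the one-to-five seconds the paper quotes for categorization."""
        for url in self.queue:
            self.database[url] = self.verdicts.get(url, NEW_URL)
        self.queue.clear()


class Tier:
    """One cache level: Policy Server, Category Name Server or Master CNS."""

    def __init__(self, upstream):
        self.upstream, self.cache, self.pending = upstream, {}, set()

    def lookup(self, url):
        category = self.cache.get(url, NEW_URL)
        if category == NEW_URL:
            # Miss or placeholder: an upstream cache hit answers in time,
            # otherwise the request times out and NEW_URL is recorded here.
            # (Simplification: the paper says the Policy Server itself
            # caches the timed-out URL as "No Category".)
            category = self.cache[url] = self.upstream.lookup(url)
            if category == NEW_URL:
                self.pending.add(url)
        return category

    def settle(self):
        """Refresh every placeholder once the upstream ruling exists."""
        self.upstream.settle()
        for url in self.pending:
            self.cache[url] = self.upstream.lookup(url)
        self.pending.clear()


def replay(new_url_action, url="http://fresh.example/page"):
    """Return decisions for: first request, repeat request, a second site."""
    policy = {"Malware": "deny", NEW_URL: new_url_action}
    cns = Tier(Tier(Backend({url: "Malware"})))  # CNS -> Master CNS -> backend
    site_a, site_b = Tier(cns), Tier(cns)        # two Policy Servers, one CNS

    def decide(policy_server):
        category = policy_server.lookup(url)
        return category, policy.get(category, "allow")

    first = decide(site_a)
    site_a.settle()
    return first, decide(site_a), decide(site_b)
```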
Considerations for Deploying the Netsweeper Enterprise Filter

The Netsweeper Enterprise Filter solution consists of several components, most of which can be run concurrently on the same server hardware or, as scaling requires, separately on independent/load-balanced server hardware.

The two major components are the Enterprise Filter (which intercepts outbound Internet traffic and ultimately allows or denies that traffic) and the Policy Server (which makes the categorization decision and, based on the categorization decision, makes the allow or deny decision). Other components are the Reporter Server and the Web Server and Administrator.
Enterprise Filter

Deploying the Netsweeper Enterprise Filter can be done in three different ways:

1. Default Gateway Router (inline solution): Following this deployment method, the Enterprise Filter will monitor and filter traffic as it travels from one subnet to another within a local network.
2. Transparent Network Bridge (inline solution): Installing the Enterprise Filter using this method will require all workstations on a network to have their default gateway configured to send all traffic to the Netsweeper Enterprise Filter software. Policy decisions will be made for each request and, if allowed, the request is forwarded on to its default gateway.
3. Pass-by filtering (not an inline solution): Using a switch that is capable of copying and forwarding packets (also known as an IDS or Port Mirroring switch), packets will be copied and sent to the Enterprise Filter simultaneously for identification. Should the Policy Server determine that the request is to be blocked, the Enterprise Filter will inform the switch to cancel the request and serve up a deny screen.

Regardless of the deployment method chosen, the following types of outgoing Internet requests are recognized and processed:

- HTTP
- FTP
- Text messaging (also known as instant messaging, or IM)
- Peer-to-peer file sharing (P2P)
- Mail
- Other UDP and TCP-based protocols.
Policy Server

The Netsweeper Policy Server is the core Netsweeper component. It receives requests regarding outgoing Internet requests from the Netsweeper Enterprise Filter, categorizes the request, maps the requests to a policy, and determines whether the request should be allowed or blocked.

If the Policy Server is unable to make a categorization decision locally (using its own cache and rules), it communicates with upstream Netsweeper devices to assign a category for the requested URL.

The Policy Server is not inline with the Internet traffic. It can be hosted locally, within the enterprise, or remotely at a central location that is accessible.

It is the Policy Server that records the request result in the report log, not the Enterprise Filter.

In its smallest deployment, the Netsweeper Policy Server is a single hardware server that is running the web server for the administrative functions and the Policy and the Reporter services. In an ultra-small deployment, the Enterprise Filter can also be run on the same hardware server as the Policy Server.

In its largest deployment, the Netsweeper Policy Server consists of multiple policy servers, a separate web server, and a separate reporter server, plus load balancing appliances.
Reporting Server

The Reporting Server receives and stores log files that are transferred from the Policy Server in real time as outgoing requests are being processed. Through a web interface on the Policy Server, network administrators can use the log files on the Reporting Server as a source for generating Internet activity reports for all network clients and for each network workstation.

The Reporting Server can export reports to standard programs, including Crystal Reports and Microsoft Excel.
Web Server and Administrator

The Policy Server is controlled and administered through a web interface. The web server and system administrator allow complete remote administration of the filtering, reporting, and configuration.
Estimating Server Requirements

To define a custom Netsweeper deployment strategy, the following network variables can help determine the estimated server requirements for an organization's unique network needs:

- For Netsweeper Enterprise Filters, the average number of Mbps of network traffic.
- For Netsweeper Policy Servers, the average number of concurrent network connections.
- For Reporting Servers:
    - The total number of connected networks
    - The length of time for storing logs and reports.
Enterprise Filter

The number of filters required for a Netsweeper deployment is directly related to the average number of Mbps of network traffic. In general, the following formula determines how many filters are required:

    30 Mbps of traffic = 1 Enterprise Filter
    and/or
    100,000 concurrent TCP/UDP connections = 1 Enterprise Filter

Note: Some ISPs may choose to use a transparent or explicit proxy server with a Netsweeper Policy Server instead of opting for a Netsweeper Enterprise Filter. Although these proxy servers can cache requested URLs and DNS queries, they generally can only handle 15 Mbps of Internet traffic and do not offer filtering for text messaging (IM), peer-to-peer file sharing (P2P), Mail, and other UDP and TCP-based protocols.
Policy Servers

The number of Policy Servers required for a Netsweeper deployment is directly related to the average number of concurrent connections that a network needs to support. In general, the following formula determines how many Policy Servers are required:

    8,000 concurrent connections = 1 Policy Server

If necessary, organizations can split the Policy Server functions into subcomponents over multiple servers to accommodate Internet traffic load balancing and system failover.
Reporting Servers

For Reporting Server storage requirements, consider:

- The total number of connected networks, to determine the effects on processing power
- The length of time that you want to archive logs and reports, to determine hard disk space (100 GB minimum is recommended)

In general, having a separate server for reporting can save processing power for the Netsweeper Enterprise Filters and Policy Servers. However, on a simple network, the Reporting Server can be located on a Policy Server.
Failover and Load Balancing Requirements

An organization's service level agreement may dictate further environment modifications to allow for failover and load balancing. To comply, the Netsweeper deployment can include
Deployment Examples

The following examples represent only two of the many possibilities of Netsweeper Enterprise Filter deployment strategies that address the unique needs of two sample network environments.
High Demand Network

In a typical, high-demand network Netsweeper deployment, multiple Policy Servers and Enterprise Filters are installed to accommodate a high volume of concurrent connections and outgoing Internet traffic, and to provide failover support. Inbound traffic does not travel through the Enterprise Filter.

The OSI Layer 4 switch manages load balancing by routing or forwarding URL requests to available Policy Servers and Enterprise Filters. In addition, a standalone Reporting Server is set up to provide maximum processing power for request reviews and filtering on the Policy Servers and Enterprise Filters. The administrator web server is generally put on one of the Policy Servers.
Figure 2: Large, high-demand network deployment
Modest Demand Network

In a modest-demand network Netsweeper deployment, with a low volume of concurrent connections and outgoing Internet traffic, it's possible to have the Policy Server (and all of its components) and the Enterprise Filter all located on one hardware server. If no failover or load balancing support is needed, an OSI Layer 4/7 switch is not needed.
Figure 3: Small, modest-demand network deployment
Conclusion

There's no doubt that services-over-IP filtering has become essential in an Internet-connected world. With every network connected through the Internet, it's a two-way street, with abundant access to information, communication, and products and services offset by a vulnerability to performance loss, network complexity, and ethical, and even criminal, intrusion. The best way for an organization to realise the benefits of the Internet, and maximize productivity and network management, is to deploy an effective, tailor-made IP services filtering system.

Netsweeper offers maximum filtering along with scalability, robust functionality, and best of all, a simple deployment that conforms to each organization's unique IT infrastructure. From a single server that houses the complete filtering, caching, and reporting solution to multiple servers that manage, filter, balance, and report on high volumes of outgoing Internet requests, Netsweeper provides the flexibility to meet any organization's IP services filtering needs.
About Netsweeper

Netsweeper, Inc. specialises in content filtering software solutions and holds possibly the industry's most advanced proprietary global filtering system for corporations, Internet service providers, educational institutions and government organizations.

Netsweeper's content filtering products operate on a model that categorizes new sites on demand, makes that categorization available to all Netsweeper users worldwide, stores the categorization for fast retrieval and periodic reclassification, and effectively uses local caches to reflect the nature of the local Internet users. With over 1 billion pages currently logged and constant updates occurring daily, Netsweeper's filtering matrix system evolves to offer the organizations and individuals that deploy its software the most protected and secure Internet experience available on the market.

Netsweeper's flexible and customizable technology enables deployment on a wide variety of networks. Netsweeper clients are located on every continent and in every industry vertical.

The company is headquartered in Guelph, Ontario, Canada with offices in India and the UK and distribution channels situated around the world.