NetsweeperInc.

CorporateHeadquarters 104DawsonRoad Suite100 Guelph,ON,Canada N1H1A7 CANADA T:+1(519)8265222 F:+1(519)8265228 NetsweeperInc.India Apt.No.:9J,Block2 CeebrosShyamalaGardens 136,ArcotRoad,Saligramam Chennai600093 INDIA T:+914442642625 F:+914442642635 NetsweeperInc.Europe 41Marlowes HemelHempstead Hertfordshire HP11EP UNITEDKINGDOM T:+44(0)1442355160 F:+44(0)1442355001 NetsweeperInc. Australia/NewZealand 13BareenaDrive Mt.Eliza,Victoria 3930 AUSTRALIA T:+61(0)397872284 F:+61(0)397870965

NetsweeperWhitepaper
DeployingNetsweeper InternetContentFiltering Solutions DocumentDate:2010

www.netsweeper.com

 19992010NetsweeperInc. Allrightsreserved. Everyefforthasbeenmadetoensuretheaccuracyofthisdocument.However,NetsweeperInc.makesno warrantieswithrespecttothisdocumentationanddisclaimsanyimpliedwarrantiesofmerchantability andfitnessforaparticularpurpose.NetsweeperInc.shallnotbeliableforanyerrororforincidentalor consequentialdamagesinconnectionwiththefurnishing,performance,oruseofthisdocumentorthe examplesherein.Theinformationinthisdocumentationissubjecttochangewithoutnotice. NetsweeperandNetsweeperInc.aretrademarksorregisteredtrademarksofNetsweeperIncorporatedin Canadaand/orinothercountries.Otherproductnamesmentionedinthisdocumentmaybetrademarks orregisteredtrademarksoftheirrespectivecompaniesandarethesolepropertyoftheirrespective manufacturers.

TableofContents
DeployingNetsweeperInternetContentFilteringSolutions.............................................4 HowNetsweeperWorks.....................................................................................................5
UsertoIntegrationLevel............................................................................................................6 IntegrationtoDistributionLevel.................................................................................................7 DistributiontoCategorizationLevel...........................................................................................7 InPractice.................................................................................................................................8

ConsiderationsforDeployingtheNetsweeperEnterpriseFilter.......................................9
EnterpriseFilter...........................................................................................................................9 PolicyServer..............................................................................................................................10 ReportingServer.......................................................................................................................10 WebServerandAdministrator.................................................................................................10

EstimatingServerRequirements......................................................................................11
EnterpriseFilter.........................................................................................................................11 PolicyServers............................................................................................................................11 ReportingServers......................................................................................................................11 FailoverandLoadBalancingRequirements..............................................................................11

DeploymentExamples......................................................................................................13
HighDemandNetwork .............................................................................................................13 . ModestDemandNetwork........................................................................................................14

Conclusion.........................................................................................................................15 AboutNetsweeper............................................................................................................15

DeployingNetsweeperInternetContentFilteringSolutions
Inaveryshortperiodoftime,theInternethasfirmlyestablisheditselfasanessentialresearch andcommunicationtoolinvirtuallyanybusinessorinstitutionaroundtheworld.Every organizationandindividualthatisconnectedtotheInternetisalsoexposedtothethreatsthe Internetbringstodata,productivity,financialsafety,andmoralsensibilities.Byitsglobalreach, theInternetregularlydefieslaws,policies,andregulationsestablishedbygovernmentsand lawmakers. AdoptingfilteringservicesavailableoverInternetprotocol(IP),businesses,organizations,and userscanavoidoffensiveandoftenintrusivewebsitesandthespyware,adware,andmalware thatlurkoutsideeverynetworkInternetconnection. Onconsideringit,noonedoubtsthecaseforfilteringservicesoverIPintheirbusinessor institutiontoprotectthemselvesfromInternetthreats.Thequestionis,whichofthemany filtering(andsecurity)toolswillprovidethenecessarycontrolwithoutrequiringcomplexand/or expensivesolutionsthatcanmakedeploymentanightmare,dailyoperationanexercisein frustration,andmaintenanceseemhopeless?AccordingtoIDC(InternationalDataCorporation), akeychallengeforITmanagersistomaximizetheirreturnoninvestmentbyseamlessly integratingsecuritysolutionsintotheirexistingenvironment. Netsweeper,Inc.offersanadvancedenterprisecalibrefilteringsystemforservicesoverIP.With amethodologythatrespondstoactualInternettrafficandasimpledeploymentmethodology thatscaleseasilywithnetworkexpansion,Netsweepersfilteringsolutionwarrantsserious considerationformaximizinganyorganizationsreturnonitsITsecurityinvestment. ThispaperdescribesthetypicalNetsweeperEnterpriseFilterdeploymentandoperation.

4|P a g e

DeployingtheNetsweeperSolution

HowNetsweeperWorks
Netsweepersuniquearchitectureprovideseffective,flexibleservicesoverIPfilteringthrougha seriesofInternetconnectedserversthataccessoneofthelargestURLdatabasesofanyIP filteringprovider.Netsweeperhousesmostofthefilteringtechnologyinsecureandredundant locations,soanorganizationneedsonlytosetupaNetsweeperPolicyServerandanEnterprise Filtertohandleitsuniquenetworkuseandtrafficflowrequirements.(Netsweeperclientscan nowalsoopttouseNetsweepershostedenvironmentoraNetsweeperNSPROxWebFilter Appliancetoaccomplishthesame.) TheInternetisaconstantlychangingmatrixofwebsitesandservices.Netsweeperwas designedtorespondimmediatelytosurfingpatternsandnewsites.Bydesign,themost commonlyrequestedsitesarealreadycategorizedandavailableinacacheasneartheuseras possible. IfsolittleisrequiredtosuccessfullydeployaNetsweeperfilteringsolutioninanenterprise networkenvironment,howisitthatNetsweeperactuallyaccomplishessuchresponsive, comprehensivefiltering?Figure1:URLFlowthroughNetsweeperArchitectureshowsa simplifiedversionofwhathappenswhenanoutgoingURLrequestismadethrougha NetsweeperEnterpriseFiltersolution.

5|P a g e

DeployingtheNetsweeperSolution

Figure1:URLFlowthroughNetsweeperArchitecture UsertoIntegrationLevel

WhenausermakesanoutgoingrequesttotheInternet,theNetsweeperEnterpriseFilter interceptstherequestandasksthePolicyServerforarulingwhethertoallowordenythe connection.ThePolicyServermustfirstcategorizetheoutgoingrequest:Isitaprotocolrequest oranHTTPrequest?FornonHTTPrequests(suchasmessagingorfilesharing),thePolicy Serverisalwaysabletomakethecategorizationitself.IfitisanHTTPrequest,thePolicyServer checksitsowncachefortheURL.IftheURListhere,thePolicyServercategorizestherequest. Oncecategorized,toprocesstheoutgoingrequestandtorespondtotheEnterpriseFilter,the PolicyServerlooksupthegrouppolicyassociatedwiththeuserwhomadetheoutgoing 6|P a g e

DeployingtheNetsweeperSolution request.Policiescanbedefinedasblanketpoliciescoveringallusers,groupsofusers,oran individual.(Itisalsopossibletodefinedifferentpoliciesfordifferenttimesoftheday.)Ifthe specificpolicyallowstheoutgoingrequest,theEnterpriseFilteristoldtoprocesstherequest.If thespecificpolicydoesnotallowthecategoryoftheoutgoingrequest,theEnterpriseFilteris instructedtoreturnadenypagetotheuser.

IntegrationtoDistributionLevel
IfthePolicyServercannotlocallycategorizeanHTTPrequest,itsendstheURLtothe NetsweeperCategoryNameServer(CNS)askingforacategoryruling.LikethePolicyServer,the CategoryNameServermaintainsalocalcacheofrecentlyrequestedURLsandfirstlookshereto assignacategorytotheURL.IftheURLisinitscache,theCategoryNameServerreturnsthe categoryfortheURLtothePolicyServer.IftheCategoryNameServerdoesnothavethe requestedURLscategoryinitscache,theCategoryNameServerrequestsacategoryrulingfor theURLfromtheNetsweeperMasterCategoryNameServer(MasterCNS)andallowsthe requestfromthePolicyServertotimeout(defaultsettingoftimeoutisonesecond). Normally,theEnterpriseFilterandPolicyServerarelocatedwithintheclientsnetwork.The CategoryNameServerishostedontheInternetbyNetsweeper.Incertaincircumstances,a CategoryNameServercanbededicatedtoaparticularclientorgroupofclientsandmay containitsownlocalURLlistforexample,staticallow/denylists.Ontherequesttimeout,the PolicyServerproceedstoprocesstheinitialrequestfromtheEnterpriseFilterusingNewURL asthecategory.NowhavingacategoryfortheURL,thePolicyServerlooksuptherulingand respondstotheEnterpriseFiltertoallowordeny.ThePolicyServerstorestheURLinitscache withthecategoryofNoCategory.

DistributiontoCategorizationLevel
Continuingupstream,iftheMasterCategoryNameServerdoesnothavetheURLinitsown cache,itallowstheCategoryNameServerrequesttotimeout,whichresultsinNewURLbeing storedintheCategoryNameServercache.TheMasterCategoryNameServerthenrequestsa categoryrulingfortheURLfromtheCategorizationDatabase.IftheURLisnotinthe CategorizationDatabase,theCategorizationServicesendstheURLtotheCategorizationEngine forcategorizationandsetsthecategoryfortheURLinitsowncachetoNewURL. TheCategorizationEngineismadeupofanumberofdaemons/serversrunningover800 processes;eachprocessingURLcategorizationrequests.Throughthisdedicatedcategorization process,theCategorizationEnginereviewstheWebpagecontentfromarequest,andwithin milliseconds,assignsacategorytoit. WhentheCategorizationEnginereceivesarequest,itretrievestheURL,parsesthedata,reports anyfoundlinkstotheMasterCategoryNameServerfortheirowncategoryruling,andproceeds todetermineacategoryfortheoriginalURLrequest.OnceitdeterminesacategoryfortheURL, itpassesthedatatotheMasterCategoryNameServerwhichupdatestheCategorization Database. TheCategorizationDatabaseismadeupofseveralSQLdatabaseserversthatbalancetheURL requestload.

7|P a g e

DeployingtheNetsweeperSolution

InPractice
NewURLisoneofseveralspecialsystemcategories.Theadministratorcansetthefiltering policytoallowordenyURLswiththeNewURLcategory(orothersystemcategories)totailor theoverallresponse.ForNewURLcategorizations,theservers(Policy,CategorizationName, MasterCategorizationName)knowtorequestarefreshthecategoryfortheURL(sincethe CategorizationEnginewillhaveproperlycategorizedtheURLatthispointandupdatedthe CategorizationDatabase). TheentireNetsweepercategorizationprocessfrominitialoutgoingInternetrequestforaURL neverseenbythesystembefore(worldwide)toCategorizationEnginecategorizationand storageinthedatabasetakesaslittleasonesecondandatmostaboutfiveseconds, dependingonthegloballocationofthenetworkuserandthespeedofconnectiontothe requestedURLwebserver. UsersandadministratorsareabletorequestahumanreviewofURLseithertoaddaURLtoa category,removeaURLfromacategory,oraddaURLtomultiplecategories.Allsitesreviewed manuallyareimmediatelyupdatedintheCategorizationDatabaseandareavailabletothe MasterCategoryNameServer.Thesesites/updatesarealsodownloadednightlytothe CategoryNameServerandPolicyServercaches.

8|P a g e

DeployingtheNetsweeperSolution

ConsiderationsforDeployingtheNetsweeperEnterpriseFilter
TheNetsweeperEnterpriseFiltersolutionconsistsofseveralcomponents,mostofwhichcanbe runconcurrentlyonthesameserverhardwareor,asscalingrequires,separatelyon independent/loadbalancedserverhardware. ThetwomajorcomponentsaretheEnterpriseFilter(whichinterceptsoutboundInternettraffic andultimatelyallowsordeniesthattraffic)andthePolicyServer(whichmakesthe categorizationdecisionand,basedonthecategorizationdecision,makestheallowordeny decision).OthercomponentsaretheReporterServerandtheWebServerandAdministrator.

EnterpriseFilter
DeployingtheNetsweeperEnterpriseFiltercanbedoneinthreedifferentways: 1. DefaultGatewayRouter(inlinesolution)Followingthisdeploymentmethod,the EnterpriseFilterwillmonitorandfiltertrafficasittravelsfromonesubnettoanother withinalocalnetwork. 2. TransparentNetworkBridge(inlinesolution)InstallingtheEnterpriseFilterusingthis methodwillrequireallworkstationsonanetworktohavetheirdefaultgateway configuredtosendalltraffictotheNetsweeperEnterpriseFiltersoftware.Policy decisionswillbemadeforeachrequestandifallowed,forwardtherequestontoits defaultgateway. 3. Passbyfiltering(notaninlinesolution)Usingaswitchtothatiscapableofcopying andforwardingpackets(alsoknownasanIDSorPortMirroringswitch),packetswillbe copiedandsenttotheEnterpriseFiltersimultaneouslyforidentification.Shouldthe PolicyServerdeterminethattherequestistobeblocked,theEnterpriseFilterwill informtheswitchtocanceltherequestandserveupadenyscreen. Regardlessofthedeploymentmethoddeployed,thefollowingtypesofoutgoingInternet requestsarerecognizedandprocessed: HTTP FTP Textmessaging(alsoknownasinstantmessaging,orIM) Peertopeerfilesharing(P2P) Mail OtherUDPandTCPbasedprotocols.

Afterinterceptingoutgoingrequests,theEnterpriseFiltersendsthemtoaNetsweeperPolicy Server.BasedonthereplyfromthePolicyServer,theEnterpriseFilterthenblockstherequest orforwardsittotheInternet. TheEnterpriseFilterisanOSImodelbased,Layer7protocolanalyzerthatcanhandle30Mbps ofInternettrafficperhardwareserver.Itdoesnotneedinboundpacketstobereturnedthe samewaytheyweresent,makingitanidealsolutionforasymmetricroutingenvironments:the EnterpriseFilterchecksoutgoingrequestsonly.Thisalsointroducesbandwidthsavingsasthe requestisneversenttotheremotewebserverifthecontentisdeemedinappropriate.

9|P a g e

DeployingtheNetsweeperSolution

PolicyServer
TheNetsweeperPolicyServeristhecoreNetsweepercomponent.Itreceivesrequests regardingoutgoingInternetrequestsfromtheNetsweeperEnterpriseFilter,categorizesthe request,mapstherequeststoapolicy,anddetermineswhethertherequestshouldbeallowed orblocked. IfthePolicyServerisunabletomakeacategorizationdecisionlocally(usingitsowncacheand rules),itcommunicateswithupstreamNetsweeperdevicestoassignacategoryforthe requestedURL. ThePolicyServerisnotinlinewiththeInternettraffic.Itcanbehostedlocally,withinthe enterpriseorremotelyatacentrallocationthatisaccessible. ItisthePolicyServerthatrecordstherequestresultinthereportlog,nottheEnterpriseFilter. Initssmallestdeployment,theNetsweeperPolicyServerisasinglehardwareserverthatis runningthewebserverfortheadministrativefunctionsandthePolicyandtheReporter services.Inanultrasmalldeployment,theEnterpriseFiltercanalsoberunonthesame hardwareserverasthePolicyServer. Initslargestdeployment,theNetsweeperPolicyServerconsistsofmultiplepolicyservers,a separatewebserver,andaseparatereporterserver,plusloadbalancingappliances.

ReportingServer
TheReportingServerreceivesandstoreslogfilesthataretransferredfromthePolicyServerin realtimeasoutgoingrequestsarebeingprocessed.ThroughawebinterfaceonthePolicy Server,networkadministratorscanusethelogfilesontheReportingServerasasourcefor generatingInternetactivityreportsforallnetworkclientsandforeachnetworkworkstation. TheReportingServercanexportreportstostandardprograms,includingCrystalReportsand MicrosoftExcel.

WebServerandAdministrator
ThePolicyServeriscontrolledandadministeredthroughawebinterface.Thewebserverand systemadministratorallowscompleteremoteadministrationofthefiltering,reporting,and configuration.

10|P a g e

DeployingtheNetsweeperSolution

EstimatingServerRequirements
TodefineacustomNetsweeperdeploymentstrategy,thefollowingnetworkvariablescanhelp determinetheestimatedserverrequirementsforanorganizationsuniquenetworkneeds: ForNetsweeperEnterpriseFilters,theaveragenumberofMbpsofnetworktraffic. ForNetsweeperPolicyServers,theaveragenumberofconcurrentnetworkconnections. ForReportingServers: Thetotalnumberofconnectednetworks Thelengthoftimeforstoringlogsandreports.

EnterpriseFilter
ThenumberoffiltersrequiredforaNetsweeperdeploymentisdirectlyrelatedtotheaverage numberofMbpsofnetworktraffic.Ingeneral,thefollowingformuladetermineshowmany filtersarerequired: 30Mbpsoftraffic=1EnterpriseFilterand/or 100,000ofconcurrentTCP/UDPconnections=1EnterpriseFilter Note:SomeISPsmaychoosetouseatransparentorexplicitproxyserverwitha NetsweeperPolicyServerinsteadofoptingforaNetsweeperEnterpriseFilter.Although theseproxyserverscancacherequestedURLsandDNSqueries,theygenerallycanonly handle15MbpsofInternettrafficanddonotofferfilteringfortextmessaging(IM), peertopeerfilesharing(P2P),Mail,andotherUDPandTCPbasedprotocols.

PolicyServers
ThenumberofPolicyServersrequiredforaNetsweeperdeploymentisdirectlyrelatedtothe averagenumberofconcurrentconnectionsthatanetworkneedstosupport.Ingeneral,the followingformuladetermineshowmanyPolicyServersarerequired: 8,000concurrentconnections=1PolicyServer Ifnecessary,organizationscansplitthePolicyServerfunctionsintosubcomponentsover multipleserverstoaccommodateInternettrafficloadbalancingandsystemfailover.

ReportingServers
ForReportingServerstoragerequirements,consider: Thetotalnumberofconnectednetworkstodeterminetheeffectsonprocessingpower Thelengthoftimethatyouwanttoarchivelogsandreportstodetermineharddisk space(100GBminimumisrecommended) Ingeneral,havingaseparateserverforreportingcansaveprocessingpowerfortheNetsweeper EnterpriseFiltersandPolicyServers.However,onasimplenetwork,theReportingServercan belocatedonaPolicyServer.

FailoverandLoadBalancingRequirements
Anorganizationsservicelevelagreementmaydictatefurtherenvironmentmodificationsto allowforfailoverandloadbalancing.Tocomply,theNetsweeperdeploymentcaninclude 11|P a g e

DeployingtheNetsweeperSolution multiplePolicyServers,EnterpriseFilters,ReportingServerswithRAIDdiskarrays,andload balancingOSILayer4/7devices. Note:SomemodelsofOSILayer4/7switchdonotsupportbothfailoverandload balancing.Ifbotharerequired,thedeviceperformingtheloadbalancingandfailover mayneedtobeupgradedtocomplywiththeserequirements.

12|P a g e

DeployingtheNetsweeperSolution

DeploymentExamples
ThefollowingexamplesrepresentonlytwoofthemanypossibilitiesofNetsweeperEnterprise Filterdeploymentstrategiesthataddresstheuniqueneedsoftwosamplenetwork environments.

HighDemandNetwork
Inatypical,highdemandnetworkNetsweeperdeployment,multiplePolicyServersand EnterpriseFiltersareinstalledtoaccommodateahighvolumeofconcurrentconnectionsand outgoingInternettraffic,andtoprovidefailoversupport.Inboundtrafficdoesnottravel throughtheEnterpriseFilter. TheOSILayer4switchmanagesloadbalancingbyroutingorforwardingURLrequeststo availablePolicyServersandEnterpriseFilters.Inaddition,astandaloneReportingServerisset uptoprovidemaximumprocessingpowerforrequestreviewsandfilteringonthePolicyServers andEnterpriseFilters.TheadministratorwebserverisgenerallyputononeofthePolicy Servers.

Figure2:Large,highdemandnetworkdeployment
13|P a g e

DeployingtheNetsweeperSolution

ModestDemandNetwork
InamodestdemandnetworkNetsweeperdeployment,withalowvolumeofconcurrent connectionsandoutgoingInternettraffic,itspossibletohavethePolicyServer(andallofits components)andtheEnterpriseFilteralllocatedononehardwareserver.Ifnofailoverorload balancingsupportisneeded,aOSILayer4/7switchisnotneeded.

Figure3:Small,modestdemandnetworkdeployment

14|P a g e

DeployingtheNetsweeperSolution

Conclusion
TheresnodoubtthatservicesoverIPfilteringhasbecomeessentialinanInternetconnected world.WitheverynetworkconnectedthroughtheInternet,itsatwowaystreetwithabundant accesstoinformation,communication,andproductsandservicesoffsetbyavulnerabilityto performanceloss,networkcomplexity,andethical,andevencriminalintrusion.Thebestway foranorganizationtorealisethebenefitsoftheInternet,andmaximizeproductivityand networkmanagementistodeployaneffective,tailormadeIPservicesfilteringsystem. Netsweeperoffersmaximumfilteringalongwithscalability,robustfunctionality,andbestofall, asimpledeploymentthatconformstoeachorganizationsuniqueITinfrastructure.Froma singleserverthathousesthecompletefiltering,caching,andreportingsolutiontomultiple serversthatmanage,filter,balance,andreportonhighvolumesofoutgoingInternetrequests, NetsweeperprovidestheflexibilitytomeetanyorganizationsIPservicesfilteringneeds.

AboutNetsweeper
Netsweeper,Inc.specialisesincontentfilteringsoftwaresolutionsandholdspossiblythe industrysmostadvancedproprietaryglobalfilteringsystemforcorporations,Internetservice providers,educationalinstitutionsandgovernmentorganizations. Netsweeperscontentfilteringproductsoperateonamodelthatcategorizesnewsiteson demand,makesthatcategorizationavailabletoallNetsweeperusersworldwide,storesthe categorizationforfastretrievalandperiodicreclassification,andeffectivelyuseslocalcachesto reflectthenatureofthelocalInternetusers.Withover1billionpagescurrentlyloggedand constantupdatesoccurringdaily,Netsweepersfilteringmatrixsystemevolvestoofferthe organizationsandindividualsthatdeployitssoftwarethemostprotectedandsecureInternet experienceavailableonthemarket. Netsweepersflexibleandcustomizabletechnologyenablesdeploymentonawidevarietyof networks.Netsweeperclientsarelocatedoneverycontinentandineveryindustryvertical. ThecompanyisheadquarteredinGuelph,Ontario,CanadawithofficesinIndiaandtheUKand distributionchannelssituatedaroundtheworld.

15|P a g e