Webwasher 6.0 Deployment Planning Guide - McAfee

DEPLOYMENT PLANNING GUIDE
Webwasher Secure Content Management
Version 6.0
www.securecomputing.com

Part Number: 86-0946251-A
All Rights Reserved, Published and Printed in Germany
©2006 Secure Computing Corporation. This document may not, in whole or in part, be copied, photocopied,
reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent
in writing from Secure Computing Corporation. Every effort has been made to ensure the accuracy of this
manual. However, Secure Computing Corporation makes no warranties with respect to this documentation
and disclaims any implied warranties of merchantability and fitness for a particular purpose. Secure Computing
Corporation shall not be liable for any error or for incidental or consequential damages in connection with
the furnishing, performance, or use of this manual or the examples herein. The information in this document
is subject to change without notice. Webwasher, MethodMix, AV PreScan, Live Reporting, Content Reporter,
ContentReporter, Real-Time Classifier are all trademarks or registered trademarks of Secure Computing Corporation
in Germany and/or other countries. Microsoft, Windows NT, Windows 2000 are registered trademarks
of Microsoft Corporation in the United States and/or other countries. McAfee is a business unit of Network
Associates, Inc. CheckPoint, OPSEC, and FireWall-1 are trademarks or registered trademarks of CheckPoint
Software Technologies Ltd. or its affiliates. Sun and Solaris are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States and other countries. Squid is copyrighted by the University of California,
San Diego. Squid uses some code developed by others. Squid is Free Software, licensed under the
terms of the GNU General Public License. NetCache is a registered trademark of Network Appliances, Inc.
in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Other product
names mentioned in this guide may be trademarks or registered trademarks of their respective companies
and are the sole property of their respective manufacturers.
Secure Computing Corporation
Webwasher – A Secure Computing Brand
Vattmannstrasse 3, 33100 Paderborn, Germany
Phone: +49 (0) 5251 50054-0
Fax: +49 (0) 5251 50054-11
info@webwasher.com
www.webwasher.com
www.securecomputing.com
European Hotline
Phone: +49 (0) 5251 50054-460
US Hotline
Phone: +1 800 700 8328, +1 651 628 1500

Contents
Chapter 1 Introduction ........................................................................................ 1– 1
1.1 About This Guide........................................................................... 1– 1
1.2 The Webwasher SCM Suite of Products ............................................. 1– 1
1.3 How Does Webwasher Work? .......................................................... 1– 3
1.4 ICAP and Webwasher .................................................................... 1– 3
1.5 Integration With Other Proxies and Appliances .................................... 1– 4
1.5.1 NetCache.................................................................................. 1– 4
1.5.2 Blue CoatProxy Appliances........................................................... 1– 4
1.5.3 Microsoft® ISA Server ................................................................... 1– 5
1.5.4 Squid .......................................................................................... 1– 5
1.6 Hardware Requirements ................................................................. 1– 5
1.7 System Requirements .................................................................... 1– 6
1.7.1 Windows...................................................................................... 1– 6
1.7.2 Solaris......................................................................................... 1– 6
1.7.3 Linux........................................................................................... 1– 6
Chapter 2 Deployment Planning ........................................................................ 2– 1
2.1 Pre-planning Questions................................................................... 2– 1
Chapter 3 Deployment Scenarios I — HTTP, FTP, HTTPS ................................... 3– 1
3.1 Webwasher as HTTP Proxy ............................................................ 3– 1
3.2 Webwasher as an ICAP Server ........................................................ 3– 3
3.3 Webwasher As Next Hop Proxy ........................................................ 3– 7
Chapter 4 Deployment Scenarios II — SMTP ...................................................... 4– 1
4.1 Webwasher as a Relay Host ............................................................ 4– 1
i

List of Figures
Figure 3–1. Webwasher as HTTP Proxy ............................................................. 3– 2
Figure 3–2. Webwasher as an ICAP server ......................................................... 3– 4
Figure 3–3. Webwasher as an ICAP server, with another ICAP server (i.e.
Webwasher) ................................................................................. 3– 5
Figure 3–4. Webwasher as an ICAP Server, third-party proxy has no HTTPS
filtering ........................................................................................ 3– 6
Figure 3–5. Webwasher as an ICAP Server, third-party proxy receives HTTPS
filtering ........................................................................................ 3– 7
Figure 3–6. Webwasher as Parent Proxy ............................................................ 3– 9
Figure 4–1. Webwasher as a Relay Host with one Mail Transfer Agent ..................... 4– 2
Figure 4–2. Webwasher as Relay Host, multiple Mail Transfer Agents ...................... 4– 3
iii

Introduction
Chapter 1
Thank you for considering Webwasher as your company’s Secure Content
Management (SCM) solution. With a complete portfolio of high-performance
Secure Content Management features, webwasher products deliver the right
measures to address today’s productivity and security threats. From Webwasher’s
portfolio of intelligently bundled solutions for managing, filtering, securing
and reporting over all key protocols, you can find the right solution for
the issues that confront your network. Positioned at the gateway, webwasher
products reduce the load on mail servers and components within the network.
1.1
About This Guide
This guide has been for system administrators and/or decision makers who
would like to begin planning the deployment of Webwasher in their company.
It describes the various ways that Webwasher can be integrated into your existing
corporate network. It will guide you and assist in making a decision about
the most suitable Webwasher integration approach to take.
Since all corporate networks and company goals vary in terms of their existing
structure and requirements, this document has been designed only to act as a
general guideline, providing a starting point as well as describing the variety of
possibilities of how Webwasher could fit into your corporate network. To obtain
additional assistance, please contact your local support representative.
1.2
The Webwasher SCM Suite of Products
The Webwasher Secure Content Management Suite provides an optimal solution
for all of your content security management needs. It is unique in that it offers
best-of-breed security solutions for individual threats (URL Filter, Anti Malware,
Anti Spam, etc.) and at the same time a fully integrated architecture that
affords in-depth security and cost/time savings through interoperability. Your
1–1

Introduction
1–2
company can rest assured that it is getting all of the corporate network protection
necessary for a secure, well-managed and streamlined data exchange.
Webwasher
URL Filter
Webwasher
Anti-Malware
Webwasher
Anti-Virus
Webwasher
Anti-Spam
Webwasher
Content
Protection
Webwasher
SSL Scanner
Webwasher
Instant
Message Filter
Webwasher
Content
Reporter
Webwasher URL Filter helps you to boost productivity by
reducing non-business related surfing to a minimum, curb
your IT costs, and suppresses offensive sites and prevents
downloads of inappropriate files, minimizing risks of legal
liabilities.
Webwasher Anti-Malware offers in-depth protection with its
security filters, which provide rule-based filtering of potentially
harmful code. Since anti virus protection on the client or group
server level is no longer sufficient, gateway protection is the
best insurance.
Webwasher Anti-Virus offers in-depth protection with its
security filters, which provide rule-based filtering of potentially
harmful code. Since anti virus protection on the client or group
server level is no longer sufficient, gateway protection is the
best insurance.
For complete protection of the central Internet gateway.
Webwasher Anti-Spam’s highly accurate spam detection
stems the flood of unwanted spam mail before it reaches the
user’s desktop. It will not impair your systems, maintaining
the availability of valuable internal mail infrastructures such
as group servers.
Webwasher Content Protection ensures that your systems
are protected against threats transported in Web and e-mail,
prevents downloads and uploads of inappropriate files, and
keeps IT costs low via reduced bandwidth and storage loads.
With high incidences of attacks via HTTPS, disclosure of
confidential corporate data and infringements of Internet usage,
Webwasher SSL Scanner helps you to protect your critical data
and ensure that no one is illicitly sharing sensitive corporate
materials.
This is a perimeter security software solution that detects,
reports and selectively blocks the unauthorized use of high-risk
and evasive P2P and IM from enterprise networks. It scans
network traffic for characteristics that match the corresponding
protocol signatures.
Webwasher Content Reporter features a library of rich,
customizable reports based on built-in cache, streaming media,
e-mail/activity, Internet access and content filtering queries,
all supported by unmatched convenience and performance
features.

1.3
How Does Webwasher Work?
1.4
Introduction
Webwasher offers a wide range of Internet filters for multiple Internet protocols.
Webwasher’s ICAP platform offers a great deal of flexibility in deployment and
possibilities and requirements depend on the functionality you need and the
network architecture you already have.
The basic principle is that Webwasher combines all filters on a centralized
place called the ICAP server (cluster) and that this ICAP server receives its
filtering requests from proxy servers and gateway products that route the Internet
traffic through your corporation’s gateway. webwasher AG also offers
some of these proxy servers and gateway products as a feature of the Webwasher
CSM suite and since all these features (such as ICAP server, HTTP
proxy, HTTPS proxy and SMTP gateway) are shipped in a single binary, installation
becomes very easy while deployment possibilities are extremely flexible.
ICAP and Webwasher
Webwasher supports both ICAP/0.95 and ICAP/1.0.
ICAP (Internet Content Adaptation Protocol) is an open and standardized protocol
that can enhance ICAP-enabled proxy servers and caches (see Section
1.5 for more details) to offer application services, as well as fast and reliable
access to Web content. In general, ICAP increases performance and flexibility,
and is the key to communication between the Webwasher ICAP server and
other ICAP–enabled proxy servers and caches.
1–3

Introduction
1.5
ICAP is usually used where either a separate HTTP proxy server or a programmable
network device could serve as an alternative solution. It allows
ICAP clients to pass HTTP messages to ICAP servers for “adaptation”. The
server executes its transformation service on messages and sends back responses
to the client, usually with modified messages. The adapted messages
may be either HTTP requests or HTTP responses (see the following sections).
When an ICAP client is implemented in a cache or proxy, it can use any kind
of additional feature that is offered by an ICAP server running on a different
machine.
Its specification is published as RFC 3507.
Integration With Other Proxies and Appliances
1.5.1
NetCache
Since Webwasher takes the role as an ICAP server fully implementing RFC
3507, it can be seamlessly integrated with a variety of other third-party proxies
and appliances that contain ICAP client implementations. These include the
Cisco Content Engine, NetCache, Blue Coat proxy appliances, Microsoft®
ISA Server + Webwasher® ISA Server Plugin, and Squid (see below).
Integrating the Webwasher ICAP server with any of the above-mentioned ICAP
proxies and appliances is simple – Webwasher just needs to be configured as
an ICAP server in your ICAP client proxy (see Section 3.2 for more information).
The NetCache appliance is a scalable content-caching appliance that reduces
bandwidth load and latency. Linking Webwasher to NetCache through an ICAP
interface allows NetCache to cache and the filtering can be done on a separate
server. For details on how to set up NetCache with ICAP, please take a look
at the Setting Up NetCache With ICAP guide.
1.5.2
Blue CoatProxy Appliances
1–4
Blue Coat proxy appliances allow enterprises to deploy applications such as
content filtering, Web virus scanning and Web proxy and bandwidth management,
and integrate easily with existing security and network infrastructure. For
more information about Blue Coat proxy appliances and ICAP setup, please
take a look at the Blue Coat Web site.

Introduction
To set up Webwasher with Blue Coat, please refer to the Setting Up Webwasher®
with Blue Coat guide.
1.5.3
Microsoft® ISA Server
1.5.4
Squid
1.6
Microsoft ISA Server provides an extensible enterprise firewall and a scalable
Web cache server, acting as an Internet gateway for securing connections
and optimizing network performance. The Webwasher ISA Server Plugin is
an ICAP client for ISA Server, enabling ISA Server to talk ICAP to the Webwasher
ICAP server.
For details on how to set up the Webwasher ISA Server Plugin, please see the
Setting Up Webwasher® on Microsoft ISA Server guide.
Squid is a free Web proxy cache which runs on Unix systems. ICAP client
implementation can be set up within Squid so that it can be integrated with the
Webwasher ICAP server.
For more information on Squid ICAP client development, please refer to our
Squid page under http://www.webwasher.com/squid-icap.
Hardware Requirements
Hardware requirements may vary according to number of users and product
feature set chosen. The minimum hardware requirements are:
• Intel Pentium III 800 MHz
• SunSparc 500 MHz
• 512 MB memory
• 180 MB disk space
For NetCache ICAP server configuration, information about number of Net-
Caches appropriate for described load and number of ICAP servers recommended
should be obtained from Network Appliance. Please contact your
local support representative for more details.
1–5

Introduction
1.7
System Requirements
1.7.1
Windows
1.7.2
Solaris
1.7.3
Linux
1–6
Webwasher supports ICAP servers and the standalone HTTP proxy on Windows,
Solaris and Linux. Please ensure that your equipment meets or exceeds
the system requirements listed below:
• Windows workstation
• 512 MB RAM (or more)
• Windows 2000, Windows NT, Windows Server 2003, Windows XP
• Standard Web browser
• Sun Ultra SPARC workstation
• 512 MB RAM (or more)
• Sun Solaris 8 or 9
• Standard Web browser
• Linux i586 workstation (Pentium class processor-compatible)
• 512 MB RAM (or more)
• Red Hat Enterprise Linux 3, SUSE LINUX Enterprise Server 8, Debian
GNU/Linux 3.0
• Standard Web browser

Deployment Planning
Chapter 2
When considering deployment of Webwasher, always think about the proxy
servers, gateways and the ICAP filtering server engine as building blocks for
your network architecture. Due to the one binary principle, multiples of these
building blocks can run in one process on one box, or one building block could
on the other hand be installed several times and on multiple boxes to allow
load balancing and failover strategies.
2.1
Pre-planning Questions
The question of which proxy servers (from Webwasher or third-party) will be
used and how many computers are needed for installation depend highly on
these and other questions that can be discussed with your local support representative:
Question Answer
Which operating system do you
prefer/use?
What kind of existing gateway
products do you use?
Are you also interested in
third-party ICAP services?
Are you going to install a solution
for one Internet protocol, or for
multiple protocols?
Do different users/user groups
need different Webwasher
settings?
Does this require user
authentication? Please note:
NTLM authentication is only
available under Windows!
2–1

Deployment Planning
2–2
What building blocks should/must
do the authentication?
Are there other mandatory
elements in your network
architecture that the filtering
building blocks must
communicate with?
What is the number of requests
per second and the expected
data volume?
Do you have a need for
load balancing, redundant
components, failover strategies?
Do you have experience with
some of the possible third-party
components?
Are you going to replace an
existing solution and prefer to
change only a minimum in your
setup?
How easy should the solution
scale when requirements grow?
Do you prefer fewer and bigger
servers or more and smaller
ones?
Do you like open source programs
such as Squid?
Do you need a caching solution?
Is a proxy chain what you are
looking for, or do you prefer a
flexible solution such as ICAP?

Chapter 3
Deployment Scenarios I — HTTP,
FTP, HTTPS
All of the following deployment scenarios can be advanced using third-party
load balancers, as well as load balancing in ICAP.
All of Webwasher’s proxy engines can run within the same binary as the filtering
engine (see Figure 3–1), or on separate hardware (see Figure 3–2). In
both cases, ICAP is used as the communication protocol between the parts.
Important! In the case of HTTPS traffic, care has to be taken to protect
the ICAP connection between the HTTPS proxy and the filtering engine. An
attacker could use this connection to sniff or alter the information. We strictly
recommend running the Webwasher HTTPS proxy and the Webwasher ICAP
server within a protected area of your network so that neither can be accessed
by outsiders nor by unauthorized insiders. Since this goal is easier to achieve
for a single computer than for a network segment, we recommend running the
HTTPS proxy and the filtering engine within one binary and on one computer.
3.1
Webwasher as HTTP Proxy
In this scenario, Webwasher is acting as a proxy server. There can also be
multiple of these ’standalones’.
For filtering HTTPS traffic, Webwasher has to be used as a proxy server for
HTTPS traffic (see Figure 3–1). If Webwasher is already used as a proxy server
for HTTP data, there is usually nothing additional that needs to be done, other
than to ensure that the proxy settings in your browsers are set to also proxy the
“Secure” protocol to the Webwasher proxy. Webwasher uses the same proxy
port as for HTTP traffic (default 9090).
Advantages Disadvantages
No other product is needed No caching functionality
Proxy is included in the license price
Easy to install
3–1

Deployment Scenarios I — HTTP, FTP, HTTPS
Figure 3–1.
Webwasher as HTTP Proxy
3–2
Canbeusedwithotherproxiesinproxy
chain
Offers authentication options, such as NTLM
or LDAP

3.2
Webwasher as an ICAP Server
Deployment Scenarios I — HTTP, FTP, HTTPS
In this scenario, Webwasher takes the role as the ICAP server to a third-party
proxy cache: Webwasher acts as the “Filtering Engine”, in addition to an HTTP
“Gateway” or third-party ICAP client. See Section 1.5 for more details about
possible third-party ICAP clients.
Configuration details for NetCache can be found in the Setting Up Net-
Cache With ICAP guide, and configuration details for the Webwasher ISA
Server Plugin can be found in the Configuring The Webwasher® ISA
Server Plugin guide. Both guides can be downloaded from the webwasher
AG extranet.
The optimal, high-end solution suggested by webwasher AG consists of a
caching engine (such as NetCache) with one or more ICAP server systems
running Webwasher.
Advantages Disadvantages
Eliminates proxy chaining
Scalable
High-performance environment
Integrated load balancing
(NetCache with one or more ICAP server
systems running Webwasher): ICAP
protocol works with previews which allows
Webwasher to stop processing Web objects
that will not be modified by any of the
enabled Webwasher features.
(NetCache with one or more ICAP server
systems running Webwasher): In case the
ICAP server is overloaded, a further system
running Webwasher can be easily added
totheservicefarm. InthiscaseNetCache
provides load balancing.
The work done by the cache engine and
washing engine is shared
3–3

Deployment Scenarios I — HTTP, FTP, HTTPS
Figure 3–2.
Webwasher as an ICAP server
3–4

Figure 3–3.
Deployment Scenarios I — HTTP, FTP, HTTPS
Webwasher as an ICAP server, with another ICAP server (i.e. Webwasher)
Note: Should Webwasher be deployed as an ICAP server that receives HTTP
data from a third-party proxy or cache that includes an ICAP client, this cannot
simply be extended for SSL connections. These products are currently unable
to terminate the SSL connections in forwarding proxy mode, but can only tunnel
the HTTPS traffic which is insufficient for filtering (with or without ICAP). The
original HTTPS data has to be proxied through Webwasher on its proxy server
port.
If the third-party proxy server currently
DOES NOT receive HTTPS traffic (i.e.
browsers are using direct connections to
the Internet)...
If the third-party proxy server currently
DOES receive HTTPS traffic and tunnels
it to the Internet...
...change the browser setting to proxy HTTPS
connections through Webwasher (see Figure
3–4).
...a forwarding rule for HTTPS traffic needs to be
created on the proxy server (set up Webwasher
as a parent/proxy cache for HTTPS) (see Figure
3–5).
3–5

Deployment Scenarios I — HTTP, FTP, HTTPS
Figure 3–4.
Webwasher as an ICAP Server, third-party proxy has no HTTPS filtering
3–6

Figure 3–5.
Deployment Scenarios I — HTTP, FTP, HTTPS
Webwasher as an ICAP Server, third-party proxy receives HTTPS filtering
3.3
Webwasher As Next Hop Proxy
In this scenario, Webwasher is acting as a next hop proxy. Webwasher is configured
as the next hop proxy in the third-party proxy cache settings. Browser
configuration is needed for the third-party proxy. The third-party proxy will need
to have Webwasher configured as a next hop proxy.
3–7

Deployment Scenarios I — HTTP, FTP, HTTPS
3–8
Advantages Disadvantages
Otherproxymaybeabletoperform
additional authentication functions that
Webwasher does not support (i.e. client
certificate-based authentication).
Webwasher can do policy mapping based on
the client IP only (and only if sent by other
proxy)

Figure 3–6.
Webwasher as Parent Proxy
Deployment Scenarios I — HTTP, FTP, HTTPS
3–9

Chapter 4
Deployment Scenarios II — SMTP
4.1
Webwasher as a Relay Host
In this scenario, your company mail server (such as sendmail or MS Exchange)
is configured to use Webwasher as a next hop gateway.
You have to add a routing rule for Webwasher, or install a local DNS server and
create an MX record that points to the company mail server, so that Webwasher
can deliver incoming messages.
4–1

Deployment Scenarios II — SMTP
Figure 4–1.
Webwasher as a Relay Host with one Mail Transfer Agent
4–2
Webwasher can be configured to either forward all mails to a predefined server
or to use DNS (MX records) to deliver mails. Usually you will configure Webwasher
to use MX records, and add routing rules for local mail delivery.
The diagram below is the same as above, but with two company mail servers.
When there is more than one mail server, you need to add another routing rule.
For example:
...@domain2 = via Mail Transfer Agent 2
...@domain1 = via Mail Transfer Agent 1

Figure 4–2.
Deployment Scenarios II — SMTP
which says that e-mails @domain1 should go via Mail Transfer Agent 1, and
e-mails @domain2 should go via Mail Transfer Agent 2.
Webwasher as Relay Host, multiple Mail Transfer Agents
4–3