
Management Console Reference Guide - Trustwave

Software Release 9.0

Vital Security Appliance Series NG-5000 / NG-6000 / NG-8000

Management Console Reference Guide


Vital Security™ Appliance Series NG-1000/NG-5000/NG-6000/NG-8000 Management Console Reference Guide

© Copyright 1996 - 2008. Finjan Software Inc. and its affiliates and subsidiaries (“Finjan”). All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan.

The Finjan technology and/or products and/or software described and/or referenced in this material are protected by registered and/or pending patents including U.S. Patents No. 3952315, 6092194, 6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662, 6965968, 7058822, 7076469, 7155743, 7155744 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are trademarks or registered trademarks of Finjan. Sophos is a registered trademark of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky Lab. Websense® is a registered trademark of Websense, Inc. IBM® Proventia® Web Filter is a registered trademark of IBM Corporation. Microsoft and Microsoft Office are registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their respective owners.

For additional information, please contact one of our regional offices:

Catalog number: MCRG-UG-9.0 - 2
Email: [email protected]
Web: www.finjan.com

USA
2025 Gateway Place, Suite 180, San Jose, CA 95110, USA
Toll Free: 1 888 FINJAN 8
Tel: +1 408 452 9700
Fax: +1 408 452 9701
[email protected]

UK
4th Floor, Westmead House, Westmead, Farnborough, GU14 7LP, UK
Tel: +44 (0)1252 511118
Fax: +44 (0)1252 510888
[email protected]

Israel/Asia Pacific
Hamachshev St. 1, New Industrial Area, Netanya, Israel 42504
Tel: +972 (0)9 864 8200
Fax: +972 (0)9 865 [email protected]

Germany
Alte Landstrasse 27, 85521 Ottobrun, Germany
Tel: +49 (0)89 673 5970
Fax: +49 (0)89 673 597 [email protected]

General
Email: [email protected]
Web: www.finjan.com

Netherlands
Printerweg 56, 3821 AD Amersfoort, Netherlands
Tel: +31 334 543 555
Fax: +31 334 543 [email protected]


Contents

1. Introduction to the Vital Security Management Console ... 1

2. Working with the Management Console ... 3
   Management Console ... 3
      Main Menu ... 4
      Using the Management Console ... 6

3. Dashboard ... 9
   Security Risk ... 9
   Devices ... 10
      Performance ... 10
      Device Status ... 11
      Messages ... 11
   Device Utilization ... 12

4. Users ... 15
   Users ... 15
   Users/User Groups ... 15
      Unknown Users ... 18
      Independent Users ... 19
      Creating a new User Group ... 20
      Adding a User to a User Group ... 21
      Moving Users ... 22
      The Importance of User/User Group Identifiers ... 22
   LDAP ... 23
      General ... 24
      Advanced Settings ... 25
      Example for adding an LDAP Directory ... 26
      Import Groups ... 28
      Populating the LDAP Groups with Users ... 29
      Settings and Defaults ... 29
      Scheduled Settings ... 29
      Unassigned LDAP Groups ... 30
      Assigning Policies ... 31
      Moving LDAP Groups ... 32

5. Policies ... 33
   Working with Policies ... 33
   Security Policies - Simplified ... 33
      URL Lists ... 35
      File Extensions ... 36
      True Content Type ... 37
      URL Categorization ... 38
   Assigned User Groups ... 39
      Add/Edit User Group ... 39
   Security Policies - Advanced ... 39
      Security Policies Tree ... 40
      Available Policies Tree Options ... 42
      Security Policy Details ... 43
      Security Rule Details ... 44
      Condition Details for Security Policy Rules ... 46
      Example for Creating a Security Rule ... 53
   HTTPS Policies ... 55
      HTTPS Policies Tree ... 55
      HTTPS Policy Details ... 55
      HTTPS Rule Details ... 56
      Condition Details for HTTPS Policy Rules ... 58
      Certificate Validation Errors ... 59
      URL Filtering (Websense/IBM) ... 59
      URL Lists ... 60
      Example for Creating an HTTPS Rule ... 60
   Logging Policies ... 61
      Logging Policies Tree ... 61
      Logging Policy Details ... 64
      Logging Rule Details ... 65
      Conditions for Logging Policy Rules ... 67
      Example for Creating a Logging Rule ... 68
   Identification Policies ... 69
      Identification Policies Tree ... 69
      Identification Policy Details ... 70
      Identification Rule Details ... 71
      Condition Details for Identification Policy Rules ... 73
   Identification Logging Policies ... 74
      Identification Logging Policies Tree ... 75
      Identification Logging Policy Details ... 75
      Identification Logging Rule Details ... 76
      Conditions for Identification Logging Policy Rules ... 78
   Default Policy Settings ... 79
   Condition Settings ... 80
      Available Condition Settings Tree Options ... 81
      Condition Settings: Active Content List ... 81
      Condition Settings: Archives ... 84
      Condition Settings: Authentication Clusters ... 85
      Condition Settings: Binary Behavior ... 85
      Condition Settings: Content Size ... 92
      Condition Settings: Destination Port Range ... 93
      Condition Settings: File Extensions ... 93
      Condition Settings: Header Fields ... 94
      Condition Settings: HTTPS Certificate Validation ... 95
      Condition Settings: IP Range ... 98
      Condition Settings: Pre Authenticated Headers ... 99
      Condition Settings: Script Behavior ... 99
      Condition Settings: Time Frame ... 106
      Condition Settings: URL Lists ... 107
      Condition Settings: Vulnerability Anti.dote ... 108
   End User Messages ... 130
      Block / Warn Messages ... 130
      Block / Warn Message Details screen ... 130
      Creating a Block/Warn Message ... 132
      Message Template ... 134

6. Logs and Reports ... 135
   Introduction to Logging ... 135
   Web Logs View ... 135
      Add to URL List ... 137
      Web Logs - Profile Settings ... 137
      Transaction Details ... 141
   System Log View ... 143
      System Logs - Profile Settings ... 144
   Audit Log View ... 147
      Audit Logs - Profile Settings ... 148
   Reports ... 149
      Available Reports ... 153
      Report Categories ... 153
      Show Report ... 153
   Exported Reports Location ... 155

7. Administration ... 157
   Administrators ... 158
      Default Permissions ... 158
      Administrator Group Details ... 160
      Administrator Details ... 161
      Permissions ... 162
   System Settings ... 165
      Finjan Devices ... 166
      Available Device Tree Options ... 167
      Device IP ... 168
      Network Roles ... 171
      Log Server ... 171
      Scanning Server ... 176
      Default Values ... 201
      Authentication Device ... 202
      Policy Server ... 209
      External Devices ... 213
      Scanning Options ... 214
      Scanning Engines ... 216
      Console Timeout ... 219
      Digital Certificates ... 219
      License ... 221
      Debug Logs ... 222
   Rollback ... 222
      Rollback Settings ... 223
      Backup Now ... 225
      Restore (Rollback) ... 225
   Export/Import ... 225
      Export ... 226
      Import ... 226
   Updates ... 231
      Updates Management ... 232
      Update Configuration ... 236
   Alerts ... 238
      Alert Settings ... 238
      Email ... 241
      SNMP ... 242
   System Information ... 245
      General ... 246
      Licensed Modules ... 246
      Installed Components ... 247
   Change Password ... 247

8. Help ... 249
   Help ... 249
      Help ... 249
      Manuals ... 249
      External Links ... 250
      About ... 250

A. Reports ... 251

B. End User Messages ... 255

CHAPTER 1

INTRODUCTION TO THE VITAL SECURITY MANAGEMENT CONSOLE

The Vital Security Management Console provides administrators with a tool for managing the entire Vital Security deployment from the Policy Server. This capability is provided through a Web-based, user-friendly interface accessible with Microsoft Internet Explorer 6.0 or 7.0. The Vital Security Management Console provides administrators with the following functionality:

- Security Management: Administrators can define Security Policies, the rules they are based on, and the lists and behavior profiles that are the basis for the rules.
- User Management: Administrators can define User Groups and Users, and associate Security, HTTPS, Authentication and Logging Policies with these users and groups. Importing user data from external repositories is also managed from the Management Console.
- Monitoring: The Management Console enables monitoring of the transactions in the system based on the data stored by the Log Server. Various filtering and sorting capabilities enable, for example, help desk operators to check the Web traffic and the results of the Security Policy.
- Reporting: The Management Console enables deep analysis of the transactions in the system based on the data stored by the Report Server. The Management Console provides built-in reports.
- Configuration Management: The Management Console provides the interface for updating parameters related to the actual deployment of the system.
- Update Management: The administrator can automatically or manually install both Software versions and Security updates for the Vital Security system.

NOTE: This Management Console Reference Guide is based on Software Version 9.0

Chapter 1 - Introduction to the Vital Security Management Console 1


NOTE: For information on the setting up your system, please refer to the Setup and Configuration Guide

CHAPTER 2

WORKING WITH THE MANAGEMENT CONSOLE

1 Management Console

The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs.

To access the Management Console:

1. In your Internet browser, enter a URL containing the IP address assigned to your Policy Server (https://policyserverIP).
2. In Internet Explorer 6, a Security Alert appears. Click Yes to continue to the Console. The alert means the browser cannot validate the certificate the Policy Server presented, so confirm that the address you entered is your Policy Server before accepting it.

NOTE: Before accessing the Management Console, make sure to add the Policy Server IP to the Proxy Server Exceptions in your Internet settings. This will ensure optimum performance.


Figure 2-1: Security Alert

3. If you are using Internet Explorer 7, then the first time you log in, this screen appears. Click Continue to this website.

Figure 2-2: Website's Security Certificate

4. The Vital Security Management Console appears on your screen with the Login dialog box.

1.1 Main Menu

The Main Menu of the Management Console appears as follows:


The Main Menu drop-down options comprise the functionality of the Vital Security Appliance, as follows:

- Users: Provides options for the system administrator to import users, arrange them into groups, and assign Security and other Policies to them.
- Policies: Provides simplified and advanced configuration options for Policies. Security Policies comprise the main rules of Internet behavior for the end-users in your organization: they define secure behavior and address the constraints imposed on Internet traffic. HTTPS Policies focus on securing Internet content on HTTPS sites. Logging Policies determine which actions are recorded for analysis, and Authentication Policies concentrate on identifying the end-users.
- Logs and Reports: The Web Logs screen provides monitoring of the blocked or suspicious content that was not allowed through. Logs are also available for system monitoring and for administrator monitoring.
- Administration: Provides the main bulk of administrative, monitoring and configuration options for the Vital Security devices and other scanning abilities. You can also perform system backups and restores from here, set High Availability, set alerts for system administrators, and retrieve Security and Maintenance Updates.
- Help: Provides links, manuals and other resources for Finjan Vital Security.

The icons on the Menu Bar and in the Edit screens are explained in the table below:

Menu Bar Icons

- Web Logs: Directs you to the Web Logs screen for monitoring transactions.
- Dashboard: Redirects you to the Dashboard, the one-stop System Monitoring component of the Management Console, allowing you to keep tabs on all the Devices in real time.
- Commit Changes: After editing and saving any changes, click Commit Changes. An additional dialog screen pops up for you to add a Note. This Note is displayed in the Audit Log view.

Icons in Edit Screen

- Add rows: Click on this icon to add rows.
- Add/delete specific rows: Click on this icon to add or delete specific rows.


1.2 Using the Management Console

In addition to using the Menu bar and the icons there are several other important navigational aspects to the Management Console.

1.2.1 Understanding the Screens

Whenever there are several elements to be displayed within a category, the screen is divided into two: a tree in the left pane and an editing screen in the right.

- Left Pane Tree: Right-click on the folders in the tree to display further options. You can right-click on the top level folder and subsidiary folders to display different options.
- Right Screen Editing: You must click the Edit button to enable this screen for editing.

Figure 2-3: Understanding the Screens: Part One


Figure 2-4: Understanding the Screen: Part Two

1.2.2 General Navigational Points

The following points are relevant for the Management Console:

- Whenever any of the options are greyed out, such as the Edit button or a right-click option, the administrator does not have Update permissions for this object.
- Right-hand screens can contain a single pane or several tabs, each containing information.
- Fields appear in yellow when they are either missing data or have wrong data entered. In addition, when working on a multi-tab screen, if there are mistakes in one tab, that tab appears with an exclamation mark beside it.


Figure 2-5: Understanding the Screen: Part Three

CHAPTER 3

DASHBOARD

The Dashboard presents crucial information on the status of the Vital Security system and the Finjan Devices within it in real time. Its purpose is to keep System Administrators fully informed at all times. At the top of the Dashboard are the following options:

- Available Updates: When there are Security or other updates for your system, this icon is lit. In the Management Console, navigate to Administration > Updates > Updates Management, where you can choose to install the Update.
- Security Risk gauge: Shows the risk factor that your organization is exposed to. This risk calculation is based on the number of blocked transactions compared to the general traffic. Clicking on the Security Risk link opens a graph showing you the risk factors involved.
- Total RPS gauge: Shows the total requests per second. Requests per Second (RPS) is defined as any new request sent through the Vital Security server. Therefore, each object on a web page generates a request. For example, if a user loads a web page with 10 objects (images, applets, etc.) on it, the user will have generated 11 requests: the browser will have issued one request for the web page and individual requests for each of the 10 objects.

0.1 Security Risk

The graph on this page shows the total risk level after calculating all the following factors:
- Anti-Virus
- Behavior Analysis
- URL Lists
- URL Categorization

The graph shows the risk level in terms of transactions passing through your organization.
- Average means the average amount of blocked transactions for that particular category over a period of 24 hours.
- Current means the amount of blocked transactions for that particular category at this moment in time.


- Maximum is the largest amount of blocked transactions at a particular time over the 24 hour period.

Figure 3-1: Dashboard: Security Risk

1 Devices

The main screen of the Dashboard provides monitoring information on the Finjan Devices. This is divided into three categories:
- Performance
- Device Status
- Messages

1.1 Performance

Using the drop-down list, you can select the relevant device to see its performance status, measured by requests per second.
- Average: average requests per second over a 24 hour interval.
- Maximum: maximum requests per second at a specific time slot during the 24 hour interval.


Figure 3-2: Dashboard: Device Performance

1.2 Device Status

For each Device (Policy Server, Scanning Server, All in One), the following information is given:

Device Type: Defines the type of Device, such as Scanning Server or All in One.
IP: IP Address of the Device.
Time: Date and Time that the last Status update was received.
RPS: Requests per Second, as shown on the Performance graph.
Device Utilization: Clicking on the More Information link shows various graphs with utilization information on this Device.

1.3 Messages

SNMP Messages will appear for errors or critical circumstances. The Message includes the following information:

Read: Select to denote that you have read this message.
Note: Click the icon to add a note for yourself about the message.
Severity: Critical, Major, Minor, Warning, Normal or Unknown, as defined by SNMP messages.
Time: Date and Time the message was generated.
Source: Device IP address.
Message Text: Message text. The last 30 updated messages will be displayed.

2 Device Utilization

This screen is reached by clicking the More Information button. For each device, a number of graphs display information relevant to the system administrator, giving a real-time view of any overload on any particular device. Each graph shows both the Average (over a 24 hour period) and the Maximum at any one given time period. The following graphs are available:

CPU Utilization: Measures the percentage of CPU being used over time.
Memory Usage: Measures the memory in bytes being used.
Disk Space Usage: Measures the percentage of Disk Partitions used (var, tmp, opt).
RPS Usage: Measures the requests per second rate for the specific device.


Figure 3-3: Dashboard: Device Utilization

If the Device is not working or is experiencing any other error, then the appropriate error message is displayed here. The Message includes the following information:

Read: Select to denote that you have read this message.
Note: Click the icon to add a note for yourself about the message.
Severity: Normal or Critical, as defined by SNMP messages.
Time: Date and Time the message was generated.
Source: Device IP address.
Message: Message text.


CHAPTER 4 - USERS

1 Users

The Users menu contains all the actions that can be carried out for end-users browsing through Vital Security. The Management Console supports both individual Users and groups of Users. The Users menu contains the following options:

- Users / User Groups
- LDAP

2 Users/ User Groups

In the User Groups menu option, you can create or delete a User or User Group, assign a policy to a User or User Group, add a user to an existing User Group, or move a User from one group to another. The User Groups tree on the left pane allows arranging Users into User Groups and assigning them specific Security and Logging Policies. They can also be uniquely identified in a number of ways.

Figure 4-1: User / User Groups

2.0.1 User Group Details Screen

When creating a new User Group or editing the Details, the User Group Details screen appears.

Figure 4-2: Users Group Details Screen

The following table provides information on the fields displayed in the User Group Details screen:

User Group Name: Defines the User Group Name.
Security Policy: Assigns a Security policy to the User Group. If you do not specifically define a Security Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values.
NOTE: The Full Bypass Policy (which bypasses all scanning) can be set here. This Policy does not appear in the Security Policies Simplified or Advanced Configuration.
Logging Policy: Assigns a Logging policy to the User Group. If you do not specifically define a Logging Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values.
HTTPS Policy: Assigns an HTTPS Policy to the User Group. If you do not specifically define an HTTPS Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values.
IP Ranges: This table defines the required IP addresses (From IP and To IP fields). For a detailed explanation on IP Ranges, please refer to The Importance of User/User Group Identifiers.

2.0.2 User Details Screen

When creating a new User or editing the Details, the User Details screen appears.

Figure 4-3: User Details Screen

The following table provides information on the fields displayed in the User Details screen:

User Name: Defines the User Name.
Security Policy: Displays the Security policy assigned to the User Group to which the user belongs.
HTTPS Policy: Displays the HTTPS policy assigned to the User Group to which the user belongs.
Logging Policy: Displays the Logging policy assigned to the User / User Group.
Identifiers: The Identifiers section is used to uniquely identify the user to the system. If you want to identify the Users, you can choose between an Identifier Type, either IP or User Name. If you have chosen IP, then add the required IP address in the Value field. If you have chosen User Name, then add the appropriate domain name/user name in the Value field. For a detailed explanation on Identifiers, please refer to The Importance of User/User Group Identifiers.

2.1 Unknown Users

Unknown users are users that are browsing through Vital Security but have not been identified. Once there is a list of Unknown Users in this group browsing through the system, you have the option to move these Users into predefined User Groups by using the right-click tree menu option Move Users.

The following table provides information on the fields displayed in the Unknown Users Details screen:

User Name: Defines the User Name.
Security Policy: Displays the Security policy assigned to the Unknown Users group.
HTTPS Policy: Displays the HTTPS policy assigned to the Unknown Users group.
Logging Policy: Displays the Logging policy assigned to the Unknown Users group.
New Users: Selecting the option displayed here means that unknown users are automatically added to the Unknown Users group. The default setting is disabled, which means that unknown users in this situation remain unknown. This is useful in large organizations, so that hundreds of new users do not inundate the system, and conversely useful in smaller organizations, allowing manual control over the addition of new users.


Figure 4-4: Unknown User

2.2 Independent Users

You can create independent users (i.e. they do not belong to a User Group) and assign them their own policies.

To create a new User:
1. Right-click on the Independent Users folder and select Add User. The User Details screen is displayed on the right hand pane.
2. Enter a User Name for the user, for example, Debra.
3. Assign Policies as required. For example, for the Security Policy, assign the Finjan Basic Security Policy. For the Logging Policy select Log All Protective Actions and for the HTTPS policy, assign the Finjan HTTPS Policy.
4. The Identifiers section is used to uniquely identify the user to the system. Click the add icon to add a row.
5. In the Type drop-down list, choose between IP or User Name. If you have chosen IP, then add the required IP address in the Value field. If you have chosen User Name, then add the appropriate domain name/user name in the Value field.

NOTE: You can double check this via Policies Security Default Basic Security Policy which will show the Users that the Policy is assigned to.


Figure 4-5: Example for Creating a New User

6. The IP Ranges can be deleted by clicking the icon next to the relevant row and selecting Delete.
7. Click Save to apply the changes.

2.3 Creating a new User Group

To create a new User Group:
1. Right-click on the User Groups main node and select Add Group from the drop-down menu. The User Group Details screen is displayed on the right hand pane.
2. Enter a Group Name for the new group, for example, Special Division.
3. Assign Policies as required. For example, for the Security Policy, assign the Finjan Basic Security Policy. For the HTTPS policy, assign the Finjan HTTPS Policy and for the Logging Policy select Log All Protective Actions.
4. In the IP Ranges section, click the add icon to add a new row.

NOTE: All Policies have default values set via Policies > Default Policy Settings. The default values for each of the Policies (Security, HTTPS and Logging) are automatically assigned to users in the system if no other policy has been assigned to them.


5. Add the required IP addresses in the From IP and To IP fields. For a detailed explanation on IP Ranges, please refer to The Importance of User/User Group Identifiers.

Figure 4-6: Example for Creating New User Group

6. The IP Ranges can be deleted by clicking the icon next to the relevant row and selecting Delete.
7. Click Save to apply the changes.

2.4 Adding a User to a User Group

To add a new user to a User Group:
1. Right-click on the required User Group and select Add User.
2. Enter a new user name.
3. The Identifiers section is used to uniquely identify the user to the system. Click on the icon and select Add.

4. In the Type drop-down list, choose between IP or User Name. If you have chosen IP, then add the required IP address in the Value field. If you have chosen User Name, then add the appropriate domain name/user name in the Value field.

5. Click Save to apply the changes.


2.5 Moving Users

To move a user from one Group to another:
1. Right-click on the main folder of the source User Group you wish to move users from, and select Move Users from the drop-down menu. The Move Users screen is displayed on the right hand pane.

2. The Users in the selected group are listed in this screen. If the number of Users in the group exceeds the limit displayed per page (i.e. there is a large list of names spanning several pages), use the Previous and Next buttons to move between consecutive pages. Otherwise, enter a name in the Find All section and go to that particular selection. This filter may be cleared using the Clear button.

3. Select the destination User Group that you want to move your users To from the drop-down list.

Figure 4-7: Move Users from one Group to another

4. When you have finished moving the Users from the source User Group to the destination User Group, click OK to apply changes.

2.6 The Importance of User/User Group Identifiers

A Security Policy is enforced only when it is assigned to a User or User Group. When the Vital Security Appliance scans traffic, the first step is to identify the User and ascertain whether a security policy has been assigned. It is therefore important to enter the maximum number of available user identifiers.

When working with a supported LDAP directory you do not need to enter identifiers for each individual user. You can import a small number of LDAP groups relevant to the security policy, or you may prefer to create special groups for use with Vital Security.

In order for user credentials to be available for matching with user identifiers, user authentication is required. Authentication is done by way of Identification policies. Please refer to the User Identification and Authentication Feature Description for more information.

As soon as Vital Security authenticates a user by confirming a matching identifier, the assigned policy is enforced. The identification parameters are checked from the more specific to the less specific – until a match is found - in the following order:

- User Name: The first transaction parameter that the system looks for is the user name. If a user name is found and can be matched to an assigned policy, then the policy is enforced and the remaining identifiers are no longer relevant.
- IP Address: If a user name is not found, the system takes the IP address and looks for a user using this address. If a match is found, then the rule is enforced.
- IP Range: If a specific IP address is not identified in the system, then Vital Security searches for a match in the defined IP ranges. IP ranges should not overlap. If the IP matches more than one range, then it is not possible to predict which user/policy will be enforced.
- LDAP Group: If user identifiers show that the user is included in an LDAP group, the group policy is assigned to the transaction. If a user belongs to more than one group, the policy for the group highest on the list is assigned.
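The matching order above, worked through as an added example that is not part of the guide and not Vital Security code: a small resolver that tries User Name, then IP Address, then IP Range, then the ordered LDAP Group list, together with the overlap check the IP Range caveat calls for. The identifier table, policy names and addresses are constructed sample data.

```python
"""Resolve which policy applies to a transaction in the order the guide gives:
User Name, then IP Address, then IP Range, then LDAP Group (the first group in
the configured order wins), falling back to Default Policy Settings.
Added example, not Vital Security code; all data below is constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class IdentifierTable:
    """Policy assignments keyed by identifier kind (constructed for this example)."""
    by_user_name: dict = field(default_factory=dict)   # "DOMAIN\\user" -> policy
    by_ip: dict = field(default_factory=dict)          # IPv4Address -> policy
    ip_ranges: list = field(default_factory=list)      # (from_ip, to_ip, policy)
    ldap_groups: list = field(default_factory=list)    # (group, policy), priority order


def overlapping_ranges(table):
    """Return index pairs of IP ranges that overlap. The guide warns that when
    an IP falls in more than one range the enforced policy is unpredictable,
    so this is the check to run before saving a User Group's IP Ranges."""
    clashes = []
    for i, (lo_a, hi_a, _) in enumerate(table.ip_ranges):
        for j in range(i + 1, len(table.ip_ranges)):
            lo_b, hi_b, _ = table.ip_ranges[j]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((i, j))
    return clashes


def resolve_policy(table, user_name, client_ip, member_of, default="Default Policy Settings"):
    """Return (policy, identifier_kind) for one transaction."""
    # 1. User Name: a match ends the search; an unmatched name falls through.
    if user_name and user_name in table.by_user_name:
        return table.by_user_name[user_name], "User Name"
    ip = IPv4Address(client_ip)
    # 2. IP Address assigned to a specific User.
    if ip in table.by_ip:
        return table.by_ip[ip], "IP Address"
    # 3. IP Range: first range containing the address (undefined if ranges overlap).
    for lo, hi, policy in table.ip_ranges:
        if lo <= ip <= hi:
            return policy, "IP Range"
    # 4. LDAP Group: groups are checked in the order listed, highest first.
    for group, policy in table.ldap_groups:
        if group in member_of:
            return policy, "LDAP Group"
    return default, "Default"


def sample_table():
    """Constructed configuration; the second IP range deliberately overlaps the first."""
    return IdentifierTable(
        by_user_name={"FINJAN\\debra": "Finjan Basic Security Policy"},
        by_ip={IPv4Address("10.0.0.5"): "Kiosk Policy"},
        ip_ranges=[
            (IPv4Address("10.0.0.1"), IPv4Address("10.0.0.254"), "Office Range Policy"),
            (IPv4Address("10.0.0.200"), IPv4Address("10.0.1.50"), "Lab Range Policy"),
        ],
        ldap_groups=[("Sales", "Sales Policy"), ("Staff", "Staff Policy")],
    )


if __name__ == "__main__":
    t = sample_table()
    print(resolve_policy(t, "FINJAN\\debra", "192.168.7.7", []))
    print(resolve_policy(t, None, "172.16.0.9", ["Staff", "Sales"]))
    print("overlapping ranges:", overlapping_ranges(t))
```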

3 LDAP

This section allows for importing large numbers of LDAP Groups into the Management Console and assigning them specific Security, HTTPS and Logging Policies. LDAP Groups can be imported or deleted. The definition of users and groups is based on a retrieval mechanism attached to a remote directory (LDAP directory) such as Microsoft Active Directory, IBM Tivoli, Custom Directory or Sun One Directory. Right-click on one of the directory types to add a directory.


Figure 4-8: LDAP Directories Screen

In general, the LDAP procedural steps are as follows:
- Define a Directory
- Import Groups
- Import Users

3.1 General

Depending on the type of directory you would like to add, right-click on one of the directory types to add a new directory. The following table provides information on the LDAP Directory fields displayed in the General tab:

Address: This enables the configuration of multiple directories. Each directory is identified with an IP or hostname/domain name, for example, 10.194.20.15:393. The IPs should be separated by a comma.
Base DN: This is the DNS domain component name (e.g. dc=Finjan, dc=com).
Realm / Domain: This refers to the directory’s identifier in the authentication process between the browser and the scanning server (e.g. Finjan). This value will be detected automatically when working with Microsoft Active Directory.
User: Authorized User DN for connecting to the directory. When using Microsoft Active Directory, enter the username only instead of its DN.
Password: Password for entering into your organization’s directory.


3.2 Advanced Settings

The following table provides information on the LDAP Directory fields displayed in the Advanced Settings tab:

Use Kerberos Authentication: Enables the Kerberos Authentication method (Kerberos can only be enabled for Microsoft Active Directory). If this option is not selected, simple authentication is used. Use the Import button to import the Kerberos keytab file: click Import to display the Kerberos Authentication Upload screen, browse to the location where the Kerberos keytab file exists and then click Import to activate the changes. In order for Kerberos authentication to work, the following requirements must be met:
- A DNS server must be present, and all directory servers must be resolved via the Vital Security Appliance.
- The times on the Policy Server and the directory machine must be synchronized.
Check Connection: If checked, the connection with the server is checked after you press Save. If the connection fails, the parameters are not saved.
User Identifier Attribute: This parameter defines the attribute which indicates a user’s unique identifier. The value of this attribute is compared to the username provided by the proxy authentication. Default values are as follows:
- Microsoft AD: sAMAccountName
- IBM Tivoli: eraliases
- SunOne: uid
If this field is left empty then users/groups will be identified according to their DN.
User Object Filter: This parameter defines the filter, in LDAP syntax, that will be used to identify user objects. Default values are as follows:
- Microsoft AD: (&(objectclass=person)(objectclass=user)(!objectclass=computer))
- IBM Tivoli: (&(objectclass=person)(objectclass=organizationalPerson))
- SunOne: (&(objectclass=person)(objectclass=organizationalPerson))
Group Identifier Attribute: This parameter defines the attribute which indicates a group’s unique identifier. The values of this attribute are used by the Management Console to display group names and assign policies. Default values are as follows:
- Microsoft AD: sAMAccountName
- IBM Tivoli: ou
- SunOne: cn
If this field is left empty then users/groups will be identified according to their DN.
Group Object Filter: This parameter defines the filter, in LDAP syntax, that will be used to identify group objects. Default values are as follows:
- Microsoft AD: (objectclass=group)
- IBM Tivoli: (&(objectclass=organizationalunit)(objectclass=erOrgUnitItem))
- SunOne: (objectclass=groupofuniquenames)
Connection Timeout: This parameter enables you to set the maximum number of seconds for an unanswered LDAP query (the default is 120 seconds for all directory types).
memberOf Attribute: This parameter specifies which attribute holds the list of groups in which the user is a member. This attribute may remain empty, in which case the Member Attribute is used to establish hierarchy. Default values are as follows:
- Microsoft AD: memberOf
- IBM Tivoli: erparent
- SunOne: not supported
NOTE: memberOf Attribute and Member Attribute cannot both be empty. If both attributes have values, the memberOf Attribute has priority.
Member Attribute: This parameter specifies which attribute holds the list of members of a selected group. This attribute may remain empty, in which case the memberOf Attribute is used to establish hierarchy. The default value is as follows:
- SunOne: uniqueMember
Set Default: Returns all the parameters above to their default values.

3.3 Example for adding an LDAP Directory

To add an LDAP Directory:
1. As an example, we will add a Microsoft Active Directory, so in this case, right-click on the Microsoft AD server in the LDAP Directory tree on the left pane and select Add Directory. The right pane is enabled for you to insert the Directory settings.


2. In the General tab, enter your company Base DN (e.g. dc=finjan, dc=com) and the IP Address for the new directory. To add a row for the IP Address, click the add icon.
3. Enter the user name (e.g. cn=administrator) and password for logging in to your organization's directory.
4. Select Use Kerberos Authentication. The Import button is enabled.

Figure 4-9: Example for adding LDAP Directory

5. Click on the Import button to display the Kerberos Authentication Upload screen.

NOTE: The Realm / Domain is not required when the server is Microsoft Active Directory. An example for a different directory is FINJAN.

NOTE: For the Microsoft Active Directory, the user name should be the user’s account name (i.e. the name that appears on emails before the @company.com).

NOTE: LDAP passwords cannot include the < , > or space characters. Make sure not to use non-English characters when using the Kerberos authentication method.

NOTE: Kerberos authentication can be used only for the Microsoft Active Directory.


6. Browse to the location where the Kerberos Keytab file exists and then click Import to activate the changes. In order for Kerberos authentication to work, the following requirements must be met:
- A DNS server must be present, and all directory servers must be resolved via the Vital Security Appliance.
- The times on the Policy Server and the directory machine must be synchronized.
7. In the Advanced Settings tab, configure the advanced settings as follows.
8. In the User Identifier Attribute field, enter sAMAccountName.
9. For User Object Filter, enter (&(objectclass=person)(objectclass=user)(!objectclass=computer)).
10. For Group Identifier Attribute, enter sAMAccountName.
11. For Group Object Filter, enter (objectclass=group).
12. Select the memberOf Attribute and enter memberOf.
13. Enter the Connection Timeout (120 seconds is the default).
14. To verify that the directory address is reachable, run an automatic check of the connection by enabling the Check Connection box and clicking Save.
15. The Microsoft AD server will appear in the LDAP Servers tree. You can also check the logs for verification.
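As an added example, not part of the guide or the product, the following Python shows what the Advanced Settings configured in steps 8 to 12 amount to: evaluating the User and Group Object Filters against directory entries, comparing the login to the User Identifier Attribute, and resolving membership through the memberOf Attribute or, when it is empty, the Member Attribute, with the priority rule from the table. The directory snapshot is constructed sample data and only the Microsoft AD defaults are exercised.

```python
"""User lookup and group membership as the Advanced Settings table describes:
apply the Object Filters (LDAP filter syntax), compare the login to the User
Identifier Attribute, then resolve groups via memberOf or, if empty, Member.
Added example, not Vital Security code; the directory snapshot is constructed."""

# Microsoft AD defaults, copied from the Advanced Settings table.
AD_USER_ID_ATTR = "sAMAccountName"
AD_USER_FILTER = "(&(objectclass=person)(objectclass=user)(!objectclass=computer))"
AD_GROUP_FILTER = "(objectclass=group)"

# Constructed snapshot: DN -> {lower-case attribute name: [values]}. Staff lists
# Debra in its member attribute while her memberOf omits it, so the two
# membership paths disagree on purpose and show which attribute is consulted.
DEBRA = "CN=Debra,OU=Users,DC=finjan,DC=com"
WS01 = "CN=WS01,OU=Computers,DC=finjan,DC=com"
SALES = "CN=Sales,OU=Groups,DC=finjan,DC=com"
STAFF = "CN=Staff,OU=Groups,DC=finjan,DC=com"
DIRECTORY = {
    DEBRA: {"objectclass": ["top", "person", "organizationalPerson", "user"],
            "samaccountname": ["debra"], "memberof": [SALES]},
    WS01: {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
           "samaccountname": ["WS01$"]},
    SALES: {"objectclass": ["top", "group"], "samaccountname": ["Sales"], "member": [DEBRA]},
    STAFF: {"objectclass": ["top", "group"], "samaccountname": ["Staff"], "member": [DEBRA, WS01]},
}


def parse_filter(text):
    """Parse the filter subset the table's defaults use: equality, & and !.
    The AD default writes the ! operand without its own parentheses, so both
    (!a=b) and the RFC 4515 form (!(a=b)) are accepted."""
    def expect(i, ch):
        if i >= len(text) or text[i] != ch:
            raise ValueError(f"expected {ch!r} at offset {i} in {text!r}")

    def equality(i):
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad comparison at offset {i} in {text!r}")
        return ("eq", attr.strip().lower(), value.strip()), end

    def node(i):
        expect(i, "(")
        i += 1
        if text[i] == "&":
            parts, i = [], i + 1
            while i < len(text) and text[i] == "(":
                part, i = node(i)
                parts.append(part)
            expect(i, ")")
            return ("and", parts), i + 1
        if text[i] == "!":
            nested = i + 1 < len(text) and text[i + 1] == "("
            inner, i = node(i + 1) if nested else equality(i + 1)
            expect(i, ")")
            return ("not", inner), i + 1
        inner, i = equality(i)
        expect(i, ")")
        return inner, i + 1

    tree, i = node(0)
    if i != len(text):
        raise ValueError(f"trailing characters at offset {i} in {text!r}")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry, comparing case-insensitively."""
    if tree[0] == "and":
        return all(matches(part, entry) for part in tree[1])
    if tree[0] == "not":
        return not matches(tree[1], entry)
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def find_user(login, directory, id_attr=AD_USER_ID_ATTR, user_filter=AD_USER_FILTER):
    """Return the single DN passing the User Object Filter whose identifier
    attribute equals the proxy-authenticated login, else None. Computer
    accounts drop out through the (!objectclass=computer) clause."""
    tree = parse_filter(user_filter)
    hits = [dn for dn, e in directory.items() if matches(tree, e)
            and login.lower() in (v.lower() for v in e.get(id_attr.lower(), []))]
    return hits[0] if len(hits) == 1 else None


def groups_of(user_dn, directory, member_of_attr="memberOf", member_attr="",
              group_filter=AD_GROUP_FILTER):
    """Resolve membership with the table's rule: both attributes cannot be
    empty, and when both are set the memberOf Attribute has priority."""
    if not member_of_attr and not member_attr:
        raise ValueError("memberOf Attribute and Member Attribute cannot both be empty")
    tree = parse_filter(group_filter)
    groups = [dn for dn, e in directory.items() if matches(tree, e)]
    if member_of_attr:
        listed = directory[user_dn].get(member_of_attr.lower(), [])
        return [dn for dn in groups if dn in listed]
    return [dn for dn in groups if user_dn in directory[dn].get(member_attr.lower(), [])]
```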

3.4 Import Groups

After defining the required Directory, the next step is to retrieve LDAP groups from the Directory to the Management Console, and choose those groups you want to import and define within Vital Security.

To import LDAP Groups:
1. Right-click on a defined LDAP directory and select Add Groups from the drop-down menu. The LDAP Groups screen is displayed on the right hand pane. If this is the first time you are adding groups, this screen will be empty. If this is a repeat procedure, the system will display the User Groups previously imported.

NOTE: When first selecting one of the server types the default recommended values for the advanced LDAP parameters are used.

NOTE: Right-click on the Active Directory LDAP server in the tree on the left pane and select Check Connection from the drop-down menu to check the IP address (i.e. successful connection to the server). An error message is displayed if there was a problem connecting to the server(s).


Figure 4-10: Example for Importing LDAP Groups

2. Use the Retrieve LDAP Groups option to retrieve the list of User Groups from the directory and display them on the screen.

3. Select the User Groups for import into the Management Console and click OK. The User Groups are displayed in the tree on the left pane.

3.5 Populating the LDAP Groups with Users

To import LDAP users into an LDAP Group:
1. To perform an immediate import, right-click on the top node of the Directories tree and select Import LDAP Users. A message appears at the bottom left of the screen asking you to check the system logs to confirm completion.
2. Navigate to Logs and Reports > View System Logs for confirmation that the immediate import was carried out.

3.6 Settings and Defaults

The two tabs displayed refer to scheduling the importing of LDAP Users and also the policies assigned to groups which have not been defined within the system.

3.7 Scheduled Settings

In this screen you can configure the LDAP Import Schedule. This determines whether or not to import LDAP users, defining the frequency and time at which the import process takes place. To edit the LDAP Import Schedule screen, click Edit.

Figure 4-11: LDAP Import Schedule Screen

To configure the Import Schedule:
1. In the LDAP Import Schedule, you can select an import to run either daily at a preconfigured time or every x number of hours. Alternatively, you can select No Scheduled Import. After making any changes, click Save and then click the icon.
2. Another option in this bar is to perform an immediate import. This is done by right-clicking on the top level folder Directories and selecting Import LDAP Users. Navigate to Logs and Reports > View System Logs for confirmation that the immediate import was carried out.

3.8 Unassigned LDAP Groups

Unassigned LDAP groups are groups which have not been defined within the system. To edit the LDAP Group screen, click Edit on the right hand pane.

Figure 4-12: Unassigned LDAP Group Screen


The following table provides information on the fields displayed in the LDAP Group screen:

Group Name: Defines the LDAP Group Name.
Security Policy: Assigns a Security policy to the LDAP group. If you do not specifically define a Security Policy here, the Policy defined in the Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.
NOTE: The Full Bypass Policy (which does not appear in the Security Policies list) can be set here.
Logging Policy: Assigns a Logging policy to the unassigned LDAP groups. If you do not specifically define a Logging Policy here, the Policy defined in the Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.
HTTPS Policy: Assigns an HTTPS policy to the unassigned LDAP groups. If you do not specifically define an HTTPS Policy here, the Policy defined in the Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.

NOTE: If you do not specifically define a policy here, the policy defined in the Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.

3.9 Assigning Policies

User groups can be imported from various LDAP directories.

To assign policies to an LDAP Group:
1. Click on the imported user group to display the LDAP Group screen on the right hand pane.
2. To edit the LDAP Group screen, click Edit. The LDAP Group name is displayed.
3. Assign a Security policy to the LDAP group from the drop-down menu.
4. Assign a Logging policy to the LDAP group from the drop-down menu.
5. Assign an HTTPS policy to the LDAP group from the drop-down menu.
6. Click Save to apply the changes, or Cancel to discard them.


3.10 Moving LDAP Groups

If a user is included in more than one group, the policy implemented will automatically be that of the first group appearing in the list. Group priority is listed from top to bottom.

To move an LDAP Group (i.e. to change the order of the Imported Groups):

1. Right-click on the LDAP group which you want to move and select Move Group to from the drop-down menu.
2. Right-click on the LDAP group before which you want this group to be positioned and select Above this Group from the drop-down menu.

CHAPTER 5 - POLICIES

1 Working with Policies

The Policies menu contains the following options:

Security Policies - Simplified: The Simplified Policy Management interface allows you to configure the Security Policies using a light editing system.
Security Policies - Advanced: Security Policies contain rules which define how to handle content passing through the system. This option allows you to fine-tune the rules and conditions which make up these Policies.
HTTPS Policies: HTTPS Policies contain rules which deal with access to HTTPS sites.
Logging Policies: Logging Policies define what transactions to log and which locations to send the logged transactions to.
Identification Policies: Identification Policies define which methods to use to either identify or authenticate the end-user browsing through the system.
Identification Logging Policies: Identification Logging Policies define which identification transactions are logged and which locations to send the logged identification transactions to.
Default Policy Settings: Default Policy Settings define options relating to the Security, HTTPS and Logging Policies.
Condition Settings: Condition Settings have configurable values and are used to tweak the Policies to match your organization's needs.
End User Messages: You can customize the Block Page and Warn Page messages sent to end-users as chosen in the Security and HTTPS Rules.

2 Security Policies - Simplified

Finjan has designed three Security Policies intended to meet your individual organization's unique security needs.


Figure 5-1: Simplified Security Policies

Finjan Basic Security Policy: In this policy, only the basic engines for client web security are activated. This policy provides a baseline policy that can be used when connecting two relatively secure environments to each other.

Finjan Medium Security Policy: This policy builds on top of the basic security policy and adds more proactive, behavioral, real-time elements in order to provide better security when connecting to the Internet. The policy uses all the security engines, and enforces the standard measures or code analysis.

Finjan Strict Security Policy: This policy is used for higher sensitivity scenarios, where security cannot be compromised. It utilizes all the rules and standards for secure web behavior, while keeping HTML fixup enabled in order to still provide a usable browsing experience without blocking complete pages that may have violated some security standards.

There are two distinctly different ways of editing and configuring these Policies:

Simplified Setup: Designed for busy customers, the Simplified Policy Management screen enables you to configure the level of protection your organization needs with the minimum of configuration effort. Simplified Policy Management setup allows you to add Security Policies to specific User Groups.

Advanced Setup: For more experienced system administrators, the Policies are comprised of both rules and conditions and can be duplicated and then heavily edited and tweaked from the main Policies tab. For more information on Security Policies - Advanced, please refer to the Security Policies In-Depth manual.

In the Simplified Policy Management screen, each of the three Policies is composed of four "building blocks":

- URL Lists
- File Extensions
- True Content Type
- URL Categorization

IMPORTANT: Any changes you make to any of these four building blocks will not be overwritten by Security Updates.

Figure 5-2: Simplified Policy Management

2.1 URL Lists

For each of the three Security Policies (Basic, Medium or Strict), the administrator can edit three URL Lists. Note that these Lists can also be edited via Policies > Condition Settings > URL Lists and can therefore change the Security Policy.

Component Name | Description | Advanced Security Rule
URL Bypass List (Basic/Medium/Strict) | Any URLs that you add to this list will be exempt from scanning and as such should be highly trusted. | Allow Trusted Sites (Policies > Security Policies)
URL White List (Basic/Medium/Strict) | Any URLs that you add to this list will be allowed through but the containers will be scanned by Anti-Virus and Finjan's own security engines. | Allow Access to White Listed Sites (Policies > Security Policies)
URL Black List (Basic/Medium/Strict) | Any URLs that you add to this list will be blocked to end-users. | Block Access to Blacklisted Sites, Policies > Security Policies (Strict/Medium); Block Customer-Defined File Extensions, Policies > Security Policies (Basic)

Figure 5-3: Black Listed URL

2.2 File Extensions

For each of the three Security Policies, the administrator can choose to edit three File Extensions Lists. Note that these Lists can also be edited via Policies > Condition Settings > File Extensions.

Component Name | Description | Advanced Security Rule
File Extensions White List (Basic/Medium/Strict) | Any File Extensions that you add to this list will be allowed through but the containers will be scanned for viruses. | Allow Customer-Defined File Extensions, Policies > Security Policies
File Extensions Black List (Basic/Medium/Strict) | Any File Extensions that you add to this list will be blocked from entering the organization. | Block Blacklisted File Extensions, Policies > Security Policies (Strict and Medium only); Block Customer-Defined File Extensions, Policies > Security Policies (Basic)

Figure 5-4: White Listed File Extensions

2.3 True Content Type

For each of the three Security Policies, the administrator can choose to edit three True Content Type lists. Note that these lists are based on existing True Content Type profiles and cannot be edited via Policies > Condition Settings.

Component Name | Description | Advanced Security Rule
True Content Type White List (Basic/Medium/Strict) | Any True Content Type that you check in this list will be allowed through but will be scanned for viruses. | Allow Customer-Defined True Content Type (Policies > Security Policies)
True Content Type Black List (Basic/Medium/Strict) | Any True Content Type that you check in this list will be blocked from entering the organization. | Block Customer-Defined True Type Content (Policies > Security Policies)

Figure 5-5: True Content Type Black List

2.4 URL Categorization

For each of the three Security Policies, the administrator can choose to block URL Categories. Note that these lists are based on existing URL Filtering categories and cannot be edited via Policies > Condition Settings.

Figure 5-6: URL Categorization (IBM)

Component Name | Description | Security Rule
URL Category Black List - IBM/Websense (Basic/Medium/Strict) | Any category that you check in this list will be blocked from entering the organization. This is in addition to the pre-selected categories in the URL Filtering condition. | Customer-Defined URL Filtering (Policies > Security Policies)

3 Assigned User Groups

This screen displays the User Groups you have in the system and the Security Policy assigned to them. Clicking the add button allows you to add new groups; clicking the edit button next to each User Group allows you to edit its details.

Figure 5-7: Assigned User Groups

3.1 Add/Edit User Group

The following table provides information on the fields displayed in the User Group Details screen:

Field Name | Description
User Group Name | Defines the User Group Name.
Security Policy | Assigns a Security policy to the User Group. If you do not specifically define a Security Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values. NOTE: The Full Bypass Security Policy (which bypasses all scanning) can be set here. This policy does not appear in the Security Policies Simplified or Advanced Configuration.
IP Ranges | This field defines the required IP addresses (From IP and To IP fields). Use the add and delete buttons to add or delete IP ranges.

Click OK after making your changes.

4 Security Policies - Advanced

In addition to editing the Security Policies via the Simplified Policy Management interface, you can also view or edit the Security Policies via the more advanced interface. In this context, a Security Policy is comprised of a set of rules that describe how to handle Web content passing through the system. It focuses on proactively blocking Active Content and Malicious Code while allowing non-dangerous content through. Active content characteristics are identified and classified as violations so that you can create a behavior profile for each code type to incorporate into your rules/policies. A typical Policy should use successive blocking rules that narrow down the possible content that passes via the Vital Security Appliance. Security Policies in the Advanced setup are built as follows:

- Policies are compiled from rules.
- Rules are based on Conditions.
- A Policy must be assigned to at least one user or user group in order for it to be active.

In order to create a new Policy, you must create a set of rules on which the policy is built. Examples of such rules in a Security Policy are Block Access to Spyware Sites or Allow White-listed Executables. A rule specifies a combination of conditions with a corresponding action (User Response Action for Security/HTTPS rules and Logging Action for Logging rules).

Security Policy rules are numbered in descending order of priority, from the highest priority at the top to the lowest priority at the bottom. Any action taken will be according to the rule of highest priority that matches a given transaction. After a rule is enforced, rules of lower priority are no longer relevant and are not evaluated. This matters when considering which reasons are reported for blocking in the Logs and Reports (and optionally sent to an end-user). For example, if content could be blocked either because of a specific virus or as a suspicious file type, placing the Anti-Virus rule higher up will display the name of the virus in the Logs, which is more useful information than the suspicious file type.

In addition, Allow rules, which state that if their conditions are matched then the rules after them will not be checked against the content, should be carefully positioned within the Policy. In other words, each Allow rule creates a trust level: content it allows is not scanned by any blocking rules that come after it.

4.1 Security Policies Tree

The Security Policies tree holds all the current Security Policies within that definition - as well as the rules that make up these Policies - and the conditions that make up the rules.

Figure 5-8: Security Policies Tree

The Security Policies tree provides easy navigation through each Policy and displays the rules and components of each Policy at a glance. Finjan provides six preconfigured Security Policies:

Finjan Basic Security Policy: In this policy, only the basic engines for client web security are activated. This policy provides a baseline policy that can be used when connecting two relatively secure environments to each other.

Finjan Medium Security Policy: This policy builds on top of the basic security policy and adds more proactive, behavioral, real-time elements in order to provide better security when connecting to the internet. The policy uses all the security engines, and enforces the standard measures or code analysis.

Finjan Strict Security Policy: This policy is used for higher sensitivity scenarios, where security cannot be compromised. It utilizes all the rules and standards for secure web behavior, while keeping HTML fixup enabled in order to still provide a usable browsing experience without blocking complete pages that may have violated some security standards.

Finjan Emergency Policy: This was designed for emergency situations such as a massive Internet virus outbreak.

Full Bypass Policy: This Policy cannot be viewed in the Policies Tree; rather, the Full Bypass Policy is set via the Users menu. Please refer to Users > Users/User Groups for more information on how to set this Policy. This policy contains one rule which disables the Status page as well as security scanning. It can be configured by the administrator for end-users who wish to surf through the Vital Security Appliance without any scanning.

Finjan X-Ray Policy: An X-Ray Policy ensures that transactions are evaluated against rules but there is no blocking action or content change. The results of the X-Ray Policy, and the rules within it, can be assessed in the Logs View. The purpose of an X-Ray Policy is to evaluate the effects of a "would-be" security policy on the system before implementing it.

In addition, individual rules in a Security Policy can also be created in X-Ray mode. This means that the rule is logged but not activated, so that transaction evaluation continues and the next rule that meets the conditions for this transaction is activated and logged. This is useful when adding a new rule to an existing policy, allowing you to assess the impact of the rule on the system before actually enforcing it. If, in a policy, both X-Ray and non-X-Ray rules were activated, only the last triggered rule will be reported.
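To make the evaluation order concrete, here is an added example (not Finjan code) of a toy rule evaluator in Python: rules are checked top to bottom, the first matching enforced rule decides and stops evaluation, an Allow rule therefore shields content from blocking rules below it, and X-Ray rules or an X-Ray policy are only logged. The rule, condition, URL and transaction field names are constructed for the example and are not the product's identifiers.

```python
"""Toy model of the Security Policy rule evaluation described above.
Added example, not Finjan/Trustwave code: rule, condition and URL names
below are constructed and are not the product's own identifiers."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

Condition = Callable[["Transaction"], bool]

@dataclass
class Transaction:
    """Constructed record of one transaction seen by the policy."""
    url: str
    direction: str                    # "Outgoing" (request) or "Incoming" (response)
    extension: str = ""
    virus_name: Optional[str] = None  # set when the Anti-Virus engine flagged content

@dataclass
class Rule:
    name: str
    action: str                       # "Block", "Coach" or "Allow"
    conditions: List[Condition]
    enabled: bool = True
    x_ray: bool = False               # logged, never enforced
    reason: Optional[Callable[["Transaction"], str]] = None  # detail for the log

    def matches(self, txn: "Transaction") -> bool:
        # A disabled rule never fires; otherwise every condition must hold.
        return self.enabled and all(cond(txn) for cond in self.conditions)

@dataclass
class Policy:
    name: str
    rules: List[Rule]                 # highest priority first
    x_ray: bool = False               # an X-Ray policy logs and never acts

@dataclass
class Verdict:
    action: str                       # "Allow" when no enforced rule fired
    decided_by: Optional[str]
    log: List[str] = field(default_factory=list)

def evaluate(policy: Policy, txn: Transaction) -> Verdict:
    """Walk the rules top to bottom; return the enforced outcome and the log."""
    verdict = Verdict(action="Allow", decided_by=None)
    for rule in policy.rules:
        if not rule.matches(txn):
            continue
        detail = f" ({rule.reason(txn)})" if rule.reason else ""
        if rule.x_ray or policy.x_ray:
            # X-Ray: record what would have happened, then keep evaluating.
            verdict.log.append(f"X-Ray {rule.name} -> would {rule.action}{detail}")
            continue
        # First matching enforced rule decides; lower rules are not evaluated.
        # An Allow rule therefore creates a trust level: blocking rules below
        # it never see the content it has allowed.
        verdict.action = rule.action
        verdict.decided_by = rule.name
        verdict.log.append(f"{rule.name} -> {rule.action}{detail}")
        break
    return verdict

# Constructed conditions standing in for the product's condition types.
def virus_detected(txn: Transaction) -> bool:
    return txn.virus_name is not None

def suspicious_extension(txn: Transaction) -> bool:
    return txn.extension.lower() in {"exe", "scr", "pif"}

def outgoing(txn: Transaction) -> bool:
    return txn.direction == "Outgoing"

def url_in(prefixes: List[str]) -> Condition:
    return lambda txn: any(txn.url.startswith(p) for p in prefixes)

TRUSTED_SITES = ["https://intranet.example.test/"]   # constructed URL list
TRIAL_SITES = ["http://bet.example.test/"]            # constructed URL list

def build_policy(anti_virus_first: bool, x_ray: bool = False) -> Policy:
    """Same rules either way; only the position of the Anti-Virus rule relative
    to the suspicious-file-type rule changes, which changes what gets logged."""
    av_rule = Rule("Block Known Viruses", "Block", [virus_detected],
                   reason=lambda t: f"virus {t.virus_name}")
    ext_rule = Rule("Block Suspicious File Extensions", "Block",
                    [suspicious_extension], reason=lambda t: f".{t.extension}")
    ordered = [av_rule, ext_rule] if anti_virus_first else [ext_rule, av_rule]
    return Policy("Demo Policy", [
        Rule("Allow Trusted Sites", "Allow", [url_in(TRUSTED_SITES)]),
        *ordered,
        # A new rule tried out in X-Ray mode before enforcing it.
        Rule("Coach Trial Sites", "Coach", [url_in(TRIAL_SITES), outgoing], x_ray=True),
    ], x_ray=x_ray)
```

Running the same infected download through `build_policy(True)` and `build_policy(False)` shows the logging difference the text describes: the first reports the virus name, the second only the file extension.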

Policies, rules, and conditions can be added, duplicated, moved around (applies to rules only) or deleted by right-clicking on the relevant node. Finjan's default Security Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies.

NOTE: Rules within the X-Ray Policy are not marked as X-Ray.

4.2 Available Policies Tree Options

The following right-click options for Policies tree are available:

NOTE: For full details on the Security Policies, please refer to the Security Policies In-Depth manual.

Action | Description
Add Policy | Available from the top level folder only. Allows you to create a new Policy.
Add Rule | Available from a Policy folder. Allows you to create a new Rule.
Add Condition | Available from a Rule. Allows you to create a new Condition.
Delete Policy | Available from a specific Policy. Allows you to remove a Policy. Note that deleting a Policy will delete all the Rules and Conditions belonging to it.
Delete Rule | Available from a specific Rule. Allows you to remove a Rule from the Policy.
Delete Condition | Available from a specific Condition. Allows you to remove a Condition from a Rule.
Duplicate Policy | Available from a specific Policy. Allows you to clone a predefined Policy and customize it for your own needs.
Insert New Rule | Available from any rule. Allows you to insert a new rule into your Policy above the rule you are currently standing on.
Move Rule To (Before this Rule / After this Rule) | Available from a specific Rule. Select Move Rule To and then move the cursor to the desired place. Select Before this Rule or After this Rule to move the rule to the required location.
Export to HTML | Available from a specific Policy. Allows you to export to HTML format, which you can then save or print as required.
Export to XML | Available from a specific Policy. Allows you to export to XML format, which you can then save or print as required.

4.3 Security Policy Details

Click on any Security Policy to display the Policy Details screen in the right pane.

Figure 5-9: Security Policy Details Screen

For non-predefined Security Policies, click Edit on the right pane to edit the fields on this screen. The Policy Details screen displays the following information:

Field | Description
Policy Name | Name of the specific policy.
X-Ray | Defines whether the Policy is X-Ray or not. (X-Ray means the policy is logged but no action is taken.)
Description | Contains a description of the policy.
User Groups/Users using this policy | Security Policies can be assigned to different User Groups and Users. This section displays which Users have this particular Policy assigned to them. For more information on assigning Policies to Users, please refer to Users/User Groups.

4.4 Security Rule Details

Click on a Security rule to display the Rules Details screen in the right pane.

Figure 5-10: Security Rule Details

For non-predefined Security Rules, click Edit on the right pane to edit the fields on this screen. The Rule Details screen contains the following information:

Field | Description
Rule Name | Defines the name of the Security rule.
X-Ray | If the X-Ray checkbox is ticked, the rule is evaluated in the Logs only. In other words, an X-Ray rule is activated and logged, but no block, warn or explicit allow action is taken.
Description | This provides a place for you to write a description of the rule.
Enable Rule | When checked, the rule is enabled. When unchecked, the rule is disabled.
Action: Block | The web content is blocked.
Action: Coach | The web content is temporarily blocked and the end-user receives a warning message that this site is not recommended and that his/her activities will be logged. The end-user can then decide whether to proceed or not.
End-User Message | Defines which message is sent in the Page Block/Warn message. The end-user message list and associated text is managed via Block / Warn Messages. The end-user Message template can be modified via Message Template.
Do not send End-User Message | Withholds sending a block page to the end-user.
Allow - Advanced Action | Three types of Advanced Allow Action are included. Allow transactions and scan Containers: the content is allowed, but container files are opened and the contents are scanned (this is the default option). Bypass Scanning: allows content through without any scanning at all on the request or response stage; this allows full streaming and is useful, for example, for sites which contain stock ticker streaming. Allow content and don't scan Containers: allows content through, including container files such as zip or rar files, without scanning inside them; content is allowed through on the request stage but may be stopped on the response stage.

NOTE: The Coach action can be applied to URL Categories and URL Lists in an Outgoing direction only. In addition, only the following Conditions can be added: Time Frame, Header Fields, File Extension.

NOTE: The Allow-Advanced actions which allow container files through without scanning can be placed anywhere in your Security Policy.

NOTE: In certain circumstances, X-Ray block rules might block traffic. This happens when the web server replies with non-standard HTTP traffic. This is applicable only for X-Ray rules and not for X-Ray policies.

For more detailed information on each of the Security Rules, please refer to the Security Policies In-Depth guide.

4.5 Condition Details for Security Policy Rules

Click on a condition to open up the Condition details in the right pane.

Figure 5-11: Condition Details for Security Policy Rules

For non-predefined Security conditions, click Edit on the right pane to edit the fields on this screen. The Condition Details screen displays the following information:

Field | Description
Condition Name | Displays the name of the Condition. If you are defining a new condition, choose the required condition from the drop-down list.
Applies To | You can select which options are to be included or excluded. In other words, you can either choose to apply this rule to everything selected below or to apply this rule to everything EXCEPT for the items selected below.
Select/Deselect All | Choose to select/deselect all the items in the Condition.

The items will display differently according to the Condition you have chosen.

The following Conditions are available for selection within the Security Policy rules:

- Active Content List
- Anti-Virus (McAfee/Sophos/Kaspersky)
- Archive Errors
- Behavior Profile (Binary)
- Behavior Profile (Script)
- Binary VAD
- Content Size
- Digital Signature
- Direction
- File Extensions
- Header Fields
- IM
- Parent Archive Type
- Protocol
- Spoofed Content
- Static Content List
- Time Frame
- True Content Type
- URL Filtering (Websense/IBM)
- URL Lists
- Rule Action (for Logging Rules only)

4.5.1 Active Content List

The Active Content List condition contains active content objects such as ActiveX Controls and Java Applets which have already been scanned by Vital Security and are located in the Vital Security Server Database, or have been added by Finjan's MCRC (Malicious Code Research Center). Each newly scanned Applet, Control or Executable is automatically added to the Auto-generated list, which is the only list that cannot be used in a rule. Items from the Auto-generated list may be moved to other lists, such as Allowed, Blocked or customer-created lists, in order to create exception rules.

This condition can be used to block or allow specific and known active content objects, without changing the Default Security Policy. Allowed and Blocked lists can be modified via Condition Settings: Active Content List. The table below shows the default options in the Active Content List condition:

Option | Description
Allowed | List of trusted objects from the Auto-generated list which were identified as such by the administrator.
Blocked | List of suspicious objects from the Auto-generated list which were identified as such by the administrator.
Spyware objects | Contains known spyware profiles in a list predefined by Finjan. This list cannot be viewed or edited.
Unscannable | Refers to active content that could not be scanned by Vital Security.

4.5.2 Anti-Virus (McAfee/Sophos/Kaspersky)

This condition is used to identify known viruses by using traditional (signature-based) third party Anti-Virus scanners such as McAfee, Sophos or Kaspersky. The Anti-Virus engine appears in Administration > System Settings > Scanning Engines but cannot be configured by the administrator. The table below shows the options in the Anti-Virus condition:

Option | Description
The AV Engine could not scan this file | Refers to files that the Anti-Virus engine could not scan.
Virus Detected | Refers to files that contain a virus as detected by the Anti-Virus engine.

4.5.3 Archive Errors

The Archive Errors condition identifies compressed archive files (such as ZIP) which contain various errors. The archive depth, maximum entries in container and maximum extracted content size can be edited via Condition Settings: Archives.
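As an added example (not Finjan code) of how the Archive Errors condition's options and limits map onto a concrete check, the following Python inspector walks a ZIP archive, enforcing the three configurable limits named in 4.5.3 while it inflates, and reports the condition's option names. The limit values, sample archives and helper names are constructed for the example.

```python
"""Added example, not Finjan/Trustwave code: an archive inspector that reports
the same error classes as the Archive Errors condition (4.5.3), driven by the
limits that condition exposes (archive depth, maximum entries in container,
maximum extracted content size). All sample archives are constructed inline."""
import io
import zipfile
import zlib
from dataclasses import dataclass
from typing import Set, Tuple

# Option names as they appear in the Archive Errors condition table.
SIZE_EXCEEDED = "Maximum Extracted Content Size - exceeded"
NOT_EXTRACTED = "File could not be extracted"
INVALID_FORMAT = "Invalid format"
DEPTH_EXCEEDED = "Archive Depth - exceeded"
ENTRIES_EXCEEDED = "Maximum entries in Container - exceeded"
PASSWORD_PROTECTED = "Password protected"

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0 in the ZIP central directory
CHUNK = 16 * 1024

@dataclass(frozen=True)
class ArchiveLimits:
    max_depth: int = 2             # 1 = the outer archive itself
    max_entries: int = 100         # per container
    max_extracted: int = 1 << 20   # bytes, counted across all nesting levels

def archive_errors(data: bytes, limits: ArchiveLimits) -> Set[str]:
    """Return the set of Archive Errors options this archive would trigger."""
    return _inspect(data, limits, depth=1, extracted=0)[0]

def _inspect(data: bytes, limits: ArchiveLimits, depth: int,
             extracted: int) -> Tuple[Set[str], int]:
    errors: Set[str] = set()
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {INVALID_FORMAT}, extracted
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > limits.max_entries:
            errors.add(ENTRIES_EXCEEDED)
        for info in infos:
            if info.flag_bits & ENCRYPTED_FLAG:
                errors.add(PASSWORD_PROTECTED)   # cannot inspect without a key
                continue
            buf, complete = bytearray(), True
            try:
                with zf.open(info) as fh:
                    while True:
                        chunk = fh.read(CHUNK)
                        if not chunk:
                            break
                        extracted += len(chunk)
                        if extracted > limits.max_extracted:
                            # Count real inflated bytes and stop at the limit
                            # rather than trusting the declared sizes.
                            errors.add(SIZE_EXCEEDED)
                            complete = False
                            break
                        buf += chunk
            except (zipfile.BadZipFile, zlib.error, RuntimeError,
                    NotImplementedError, EOFError):
                errors.add(NOT_EXTRACTED)      # bad CRC, bad stream, unsupported method
                continue
            if complete and zipfile.is_zipfile(io.BytesIO(bytes(buf))):
                if depth + 1 > limits.max_depth:
                    errors.add(DEPTH_EXCEEDED)
                else:
                    nested, extracted = _inspect(bytes(buf), limits, depth + 1, extracted)
                    errors |= nested
    return errors, extracted

def make_zip(entries: dict, compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Build an in-memory ZIP from {name: payload} (constructed test data)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return out.getvalue()

LIMITS = ArchiveLimits(max_depth=2, max_entries=5, max_extracted=50_000)

CLEAN = make_zip({"readme.txt": b"plain text", "inner.zip": make_zip({"a.txt": b"a"})})
TOO_DEEP = make_zip({"l2.zip": make_zip({"l3.zip": make_zip({"x.txt": b"x"})})})
TOO_MANY = make_zip({f"f{i}.txt": b"x" for i in range(6)})
TOO_BIG = make_zip({"blob.bin": b"A" * 100_000})   # small on disk, 100 kB inflated
NOT_A_ZIP = b"This is not an archive"

# Constructed "password protected" sample: zipfile cannot write encrypted
# archives, so set the encryption bit in the single central-directory entry.
_pw = bytearray(make_zip({"secret.txt": b"s"}, zipfile.ZIP_STORED))
_pw[_pw.find(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
PASSWORDED = bytes(_pw)

# Constructed corrupt sample: flip a byte inside the stored file data
# (30-byte local header + file name) so the CRC check fails on extraction.
_bad = bytearray(make_zip({"notes.txt": b"hello world" * 10}, zipfile.ZIP_STORED))
_bad[30 + len("notes.txt") + 3] ^= 0xFF
CORRUPTED = bytes(_bad)
```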


The table below shows the options in the Archive Errors condition:

Option | Description
Maximum Extracted Content Size - exceeded | The expanded file size exceeds the predefined limit.
File could not be extracted | The file could not be extracted from the container.
Invalid format | Contains an invalid format.
Archive Depth - exceeded | Nesting depth (i.e. archives within archives) exceeds the predefined limit.
Maximum entries in Container - exceeded | Number of files within the container exceeds the predefined limit.
Password protected | The Archive is password protected.

4.5.4 Behavior Profile (Binary)

This condition is used to identify binary files which perform forbidden operations and violate the Behavior Profile policy. Behavior Profiles are lists of actions that might be considered malicious or suspicious when executed by ActiveX Controls, Java Applets, executable files or other relevant files. Each Behavior Profile contains a different subset of these forbidden actions. Administrators cannot modify or delete the default Profiles; however, they can duplicate Profiles which can then be customized. The Binary Behavior profiles can be viewed, duplicated and edited via Condition Settings: Binary Behavior. The table below shows the default options in the Behavior Profile (Binary) condition:

Option | Description
Default Profile – Binary Behavior | Refers to the default Binary Behavior Profile.
Full Profile – Binary Behavior | Refers to the full profile (this includes the higher sensitivity profile and any new behaviors).
Higher Sensitivity Binary Behavior Profile | Refers to the Higher Sensitivity Profile which has every single item selected within the profile.
Suspected Malware | Contains behavior profile patterns that are specific to malicious software. This is a pre-defined Profile which is supplied with the Anti-Spyware module and cannot be modified or viewed by the administrator.
Unscannable Active Content | Refers to Active Content that has not been scanned.

4.5.5 Behavior Profile (Script)

This condition is used to identify textual files which perform forbidden operations and violate the Behavior Profile policy. Behavior Profiles are lists of actions that could be considered malicious or suspicious when executed by Web pages, VB Script files, JavaScript files or other relevant files. Each Behavior Profile contains a different subset of these forbidden actions. Administrators cannot modify or delete the default profiles; however, they can duplicate Profiles which can then be customized. The Script Behavior profiles can be viewed, duplicated and edited via Condition Settings: Script Behavior. The table below shows the default options in the Behavior Profile (Script) condition:

Option | Description
Default Profile – Script Behavior | Refers to the default script behavior profile.
HTML Repair (only visible in Logging Rule Editor) | When checked, content that has been "repaired" by the HTML Repair feature will be displayed in the Log View.
Higher Sensitivity Script Behavior Profile | Refers to the Higher Sensitivity Script Behavior Profile which has every single rule selected within the profile.
Spyware Profile | Refers to the list of behavior profile patterns specific to Spyware objects. This cannot be viewed or modified by the administrator.
Unscannable Active Content | Refers to Active Content that has not been scanned.
Vulnerability Anti.dote Profile | Refers to the default Vulnerability Anti.dote behavior profile.
Higher Sensitivity Vulnerability Anti.dote Profile | Refers to the Higher Sensitivity Vulnerability Anti.dote behavior profile which has every single rule selected within the profile.

4.5.6 Binary VAD

The Binary Vulnerability Anti.dote (VAD) condition scans binary files, looking for patterns of exploits. The Binary Exploits list is maintained and updated by MCRC and is not accessible by the administrator.

4.5.7 Content Size

This condition is used to assign rules to specific file sizes. Content size is relevant for performance and stability, not necessarily security. The administrator can create new content sizes as required via Condition Settings: Content Size.

4.5.8 Digital Signature

This condition allows the administrator to block (or allow) content where the digital signature is either missing or invalid. The missing or invalid Digital Signatures are maintained and updated by Finjan and cannot be accessed by the administrator. Digital signatures provide an extra layer of security in determining the integrity of the content. The table below shows the options in the Digital Signature condition:

Option | Description
Invalid Digital Signature | The digital signature is invalid. For example, it might be corrupted or it might have expired.
Missing Digital Signature | The binary object does not have a digital signature.

4.5.9 Direction

This condition allows the administrator to trigger a rule specifically on the request (Outgoing) or response (Incoming) phase of the transaction. For example, in HTTP, outgoing is the request phase, and in ICAP, outgoing is the REQMOD phase. If no direction is specifically applied, the rule is checked on both the request and response phases. The table below shows the options in the Direction condition:

Option | Description
Incoming | Information coming from the Internet to the end-user.
Outgoing | Information sent from the end-user to the Internet.

4.5.10 File Extensions

This condition refers to the requested content type, i.e. the file extension. This condition also includes potentially malicious multiple extensions (e.g. txt.exe). This condition is normally enforced during the request phase. The File Extensions can be modified via Condition Settings: File Extensions.

4.5.11 Header Fields

This condition is used to identify transactions based on request or response HTTP headers. The Header Fields can be modified via Condition Settings: Header Fields. The table below shows the options in the Header Fields condition:

Option | Description
Content-Disposition Executable | Defines malicious exes detected as spoofed executables.
Exclude by Headers | Provides a list for customers to add headers which identify applications (such as IM etc.).
Firefox 1.x and 2.x | Defines specific browser versions of Firefox.
Media Players | Defines Media Players header fields.
Netscape 7.x | Defines browser version of Netscape version 7.

Page 59: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

4.5.12 IMThis condition is used to identify an initialization of Instant Messenger transactions which are tunneled through port 80. You can use this condition to log or block new IM sessions, but it cannot be used to track sessions that have been opened or scan the content of transferred files or messages. IM includes AOL, ICQ, MSN Messenger and Yahoo Messenger. This list of supported IM types is predefined and non-editable.

4.5.13 Parent Archive TypeAn archive file is considered a “parent” when it contains other files inside it – such as ZIP, CAB, etc. This condition will not match files outside of archives or the archive files themselves. This list is self-contained and cannot be edited elsewhere by the administrator.Use the Allow - Advanced actions to ensure that each set of files in an archive folder is not treated as a separate level and is allowed through without scanning.

4.5.14 ProtocolThe Protocol condition enables detection of different types of protocols and can block or allow them in conjunction with other conditions. These protocols cannot be edited elsewhere.The table below shows the options in the Protocol condition:

4.5.15 Spoofed ContentThis condition identifies potentially malicious files that are spoofed as harmless files. The list of potentially malicious files and their spoofed type is provided by MCRC. In addition to the

Older and Unsafe Browsers

Defines a list of browsers based on older versions and those that are considered unsafe.

Partial Downloading

Refers to partial downloads of Internet content.

SSL Defines SSL header fields. Pinpointing specific SSL headers enables the administrator to build specific rules regarding SSL content.

Option DescriptionFTP over HTTP Protocol between a web browser and an FTP endpoint/proxy.HTTP Protocol which usually uses port 80HTTP Tunneling HTTP Tunneling forwards packet data in both ways, hence

acting as a tunnel. It can also be used for delivering HTTPS traffic and for ICAP.

HTTPS Protocol used between Finjan’s SSL appliance and the Vital Security NG appliance.

Native FTP FTP Protocol which usually uses port 21.

Option Description

Chapter 5 - Policies52

Page 60: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

spoofed content detected by the scanning engine, one can also block unscannable content.

4.5.16 Static Content ListThis condition is used to identify known Malicious Objects based on their malicious behavior signatures. This list is invisible to the administrator, and is constantly updated by Finjan's MCRC.

4.5.17 Time FrameThis condition is used to execute Policies during certain hours of the day or week. As such, rules based on this condition reflect the needs of your organization, and focus on productivity rather than security. These can be modified via Condition Settings: Time Frame.

4.5.18 True Content TypeUnlike declared content type such as file extensions or mime-type, the True Content Type detection scanner can detect types of files based on their actual structure and format. This condition can identify known file types even if they have a non-standard name. The list of supported file types is predefined and non-editable.

4.5.19 URL Filtering (Websense/IBM)This condition can be used to apply rules based on the type or category of the requested site. For example, a condition used to block requests to “News” sites will prevent users from browsing to CNN.com. The list of categories is maintained by the respective 3rd party provider. The categories cannot be modified – however the administrator can select/deselect the necessary categories within the Rule Condition.

4.5.20 URL ListsThis condition refers to lists of URLs – both predefined and configurable. The administrator can use this condition to create blocking or coaching rules as required. These lists can be modified and created via Condition Settings: URL Lists.

4.6 Example for Creating a Security Rule

To create a Security rule:1. Right-click on an existing rule and select Add Rule from the drop-down menu. 2. In the Rule Details screen, enter a new rule name in the Rule Name field. The

name you select should describe as clearly as possible the purpose of the rule, for example, Block All Binary Executables.

NOTE: The Finjan Recommended Black List cannot be viewed.

53 Chapter 5 - Policies

Page 61: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

3. Use the Description field to add a more comprehensive description of the rule. 4. Select the Enable Rule box in order to activate the new rule.5. In the Action drop-down menu, select Block.6. Select a message from the End-User Message drop-down list which will be

displayed in the Page Block message sent to the end-user. For example, Binary VAD Violation.

7. Click Save.8. In the Security Navigation tree on the left, right-click on the Block All Binary

Executables rule and select Add Condition from the drop-down menu. 9. In the New Condition screen, select True Content Type from the Condition drop-

down list.10.Select Any of the items selected below.11. In the options displayed, select Windows Executable File.

Figure 5-12: Example for creating New Security Rule

12.Click Save to apply changes. Next, click .


5 HTTPS Policies

HTTPS Policies provide the option to define which HTTPS sites are fully allowed, which are inspected, which request user approval to continue and which are blocked. The blocking mechanism is based on White Lists, URL categorization and checking to see if Certificates have errors or comply with validation criteria. The HTTPS Policies are only displayed for customers who have the required license. HTTPS Policies can be assigned per User Group or per User.

5.1 HTTPS Policies Tree

The HTTPS Policies tree holds all the current HTTPS Policies within that definition - as well as the rules that make up these Policies - and the conditions that make up the rules.

Figure 5-13: HTTPS Policies Tree

Finjan provides two preconfigured default HTTPS policies:

Finjan Emergency HTTPS Policy: This was designed for emergency situations and contains two rules. This can be globally enabled via Default Policy Settings. This can also be enabled per User.

Finjan HTTPS Policy: This Policy contains just one rule, which is designed to block any sites which contain faulty certificates.

Policies, rules, and conditions can be added, duplicated or deleted by right-clicking on the relevant node. Finjan's default HTTPS Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies.

5.2 HTTPS Policy Details

Click on any HTTPS Policy to display the Policy Details screen in the right pane.

NOTE: For full details on the Finjan HTTPS Policy and the Finjan Emergency HTTPS Policy and their rules, please refer to the Security Policies In-Depth manual.


Figure 5-14: HTTPS Policy Details Screen

To edit the fields on this screen, click Edit on the right pane. The Policy Details screen contains the following information:

Field | Description
Policy Name | Name of the specific HTTPS policy.
X-Ray | Defines whether the Policy is X-Ray or not. (X-Ray means the policy is logged but no action is taken.)
Description | Contains a description of the policy.
User Groups | Policies can be assigned to different User Groups and Users. This section displays which Users have this particular Policy assigned to them. For more information on assigning Policies to Users, please refer to Users/User Groups.

5.3 HTTPS Rule Details

Click on an HTTPS rule to display the Rule Details screen in the right pane.


Figure 5-15: HTTPS Rule Details Screen

To edit the fields on this screen, click Edit on the right pane. Note that you cannot edit Finjan predefined policies. The Rule Details screen contains the following information:

Field | Description
Rule Name | Defines the name of the HTTPS rule.
Description | This provides a place for you to write a description of the rule.
Enable Rule | When checked, the rule is enabled. When unchecked, the rule is disabled.
Action | Block: Blocks HTTPS sites.
Action | User approval: Sends an approval page to the end-user for each new HTTPS site that is accessed. This is sent for situations where user approval is required to decrypt traffic for this site. If the end-user chooses not to approve the transaction, the connection is closed.
Action | Bypass: No HTTPS or Security scanning will take place.
Action | Inspect Content (default): HTTPS rules and Security rules scanning is carried out.
End-User Message | Defines which reason is used in the Page Block or User Approval message sent to the end-user. The Reason text and template can be edited via End User Messages.
Do not send End-User message | Withholds sending a page blocked message to the end-user.
Conditions | Defines the conditions for inclusion within the rule. Please refer to Condition Details for HTTPS Policy Rules for further information.

NOTE: After content is scanned by the HTTPS rules, the content will be subjected to security scanning.

5.4 Condition Details for HTTPS Policy Rules

Clicking on a condition opens up the Condition details in the right pane. The Condition Details screen contains the following information with the option to make changes using the Edit Save/Cancel options.

Each HTTPS rule may include multiple conditions, all of which must be met in order for the rule to be followed.

Field | Description
Condition Name | Displays the name of the Condition. If you are defining a new condition, choose the required condition from the drop-down list.
Description | Contains a description of the Condition.
Applies To | You can select which options are to be included or excluded. In other words, you can either choose to apply this rule to everything selected below or to apply this rule to everything EXCEPT for the items selected below.
Select/Deselect All | Choose to select/deselect all the items in the Condition.

The items will display differently according to the Condition you have chosen.


Figure 5-16: Condition Details for HTTPS Policy Rules

The following Conditions are available for selection within the HTTPS rules:

Certificate Validation Errors
URL Filtering (Websense/IBM)
URL Lists

5.5 Certificate Validation Errors

This condition refers to the various types of errors that can arise when checking the validity of certificates for secured content. The Certificate Validation errors can be viewed and customized via Condition Settings: HTTPS Certificate Validation.

5.6 URL Filtering (Websense/IBM)

This condition can be used for URL categorization for HTTPS based sites. For example, a condition using the Bypass functionality can ensure that content such as banking sites will not be decrypted for scanning, safeguarding end users' privacy. The list of categories is maintained by the respective 3rd party provider. The categories cannot be modified; however, the administrator can select/deselect the necessary categories from the Simplified Policy Management Interface or within a Rule condition if it’s not a predefined Finjan Policy.

5.7 URL Lists

This condition refers to lists of URLs – both predefined and configurable. The administrator can create new lists in the Lists tab which will appear as part of the condition. These lists can be viewed and modified via Condition Settings: URL Lists.

5.8 Example for Creating an HTTPS Rule

To create an HTTPS rule:

1. Right-click on an existing rule and select Insert New Rule from the drop-down menu.
2. In the New Rule screen, enter a new rule name in the Rule Name field. The name you select should describe as clearly as possible the purpose of the rule, for example, Block Non-Validated Certificate.
3. Select the Enable Rule box in order to activate the new rule.
4. In the Action drop-down menu, select Block HTTPS.
5. Select a message from the End-User Message drop-down list which will be displayed in the Page Block message sent to the end-user. For example, Certificate Validation Mismatch.
6. Click Save.
7. In the Security Navigation tree on the left, right-click on the Block Non-Validated Certificate rule and select Add Condition from the drop-down menu.
8. In the New Condition screen, select Certificate Validation Errors from the Condition drop-down list.
9. Select Any of the items selected below.
10. Select Default Certificate Validation Profile.


Figure 5-17: Example for Creating an HTTPS Rule

11.Click Save to apply changes. Next, click .

6 Logging Policies

A Logging Policy is a set of rules dealing with the logging of transaction data. The only action resulting from a logging rule is to log the transaction. The Logging Policy can implement logging at different levels, depending on your requirements. Logging Rules decide both what is logged (blocked, allowed, all) and where the information is sent (logs, archives, reports etc.). As with Security rules, the action taken is that of the highest-priority rule whose terms the transaction matches. Note that if a transaction is not matched specifically by any rule, it is allowed. In other words, the Vital Security default behavior is Allow.

6.1 Logging Policies Tree

The Logging Policies tree holds all the current Logging Policies within that definition - as well as the rules that make up these Policies - and the conditions that make up the rules.


Figure 5-18: Logging Policies Tree

This provides easy navigation through each Policy, displaying the components of that Policy at a glance. Policies, rules, and conditions can be added or deleted by right-clicking on the relevant node. Finjan's default Logging Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies. Finjan provides three default Logging Policies:

Log All Protective Actions
Log All Protective Actions and Web pages
Logging everything except Image files

These Finjan Logging Policies comprise the following rules:

Rule Name | Description | Target
Log All Coached Transactions | Logs all HTTP transactions that have been defined as coach in the Security Policy. | Send to log, Send to report
Log All Blocked Transactions | Logs all HTTP transactions that have been defined as block in the Security Policy. | Send to log, Send to report
Log all User Approval Transactions | Logs all HTTPS transactions that have been defined as User Approval in the HTTPS Policy. | Send to log, Send to report
Log all Block HTTPS Transactions | Logs all HTTPS transactions that have been defined as block in the HTTPS Policy. | Send to log, Send to report
Log all Web pages (relevant for Log All Protective Actions and Web pages policy only) | Logs all Web pages that have passed through the system (both HTTP and HTTPS). | Send to log
Log everything except Image files (relevant for Logging everything except Image files policy only) | Logs all content passing through the system except for Image files (both HTTP and HTTPS). | Send to log

You may, for example, want to log all blocked transactions together with all transactions where Web pages were viewed, in order to analyze the URL categories accessed by your users. Another example is that you may want to log all HTTP Web pages only. In this case, you would duplicate the Log All Protective Actions policy and amend the rules by choosing to select everything except the HTTPS Protocol.


Figure 5-19: Log all web pages except for HTTPS

6.2 Logging Policy Details

Clicking on any Logging Policy displays the Policy Details on the right pane.

NOTE: When defining the Logging Rule, the conditions selected must match those of the Security Policy rule in order for the relevant transactions to appear in the Log View.


Figure 5-20: Logging Policy Details

The Policy Details screen contains the following information with the option to make changes using the Edit Save/Cancel options:

Field | Description
Policy Name | Name of the specific policy.
Description | Contains a description of the policy.
User Groups/Users | Policies can be assigned to different User Groups and Users. This section displays which Users have this particular Policy assigned to them. For more information on assigning Policies to Users, please refer to Users/User Groups.

6.3 Logging Rule Details

Clicking on any Logging rule displays the Rule Details screen on the right pane.


Figure 5-21: Logging Rule Details

The Logging Rule Details screen contains the following information with the option to make changes using the Edit Save/Cancel options.

Field | Description
Rule Name | Defines the name of the Logging rule.
Description | Contains a description of the rule.
Enable Rule | When checked, the rule is enabled. When unchecked, the rule is disabled.
Send To: Archive | Sends log information in files to an external remote location. This must be selected to ensure that there is relevant information to archive.
Send To: Log | Sends information to the Finjan log database, which can be seen via the Log View.
Send To: Report | Sends information to the Finjan reports database. This must be selected prior to running Reports to ensure that there is relevant information to display results.
Send To: Syslog | Sends information to one or two UNIX Syslog facilities which log data.


6.4 Conditions for Logging Policy Rules

Clicking on a condition opens up the Condition details in the right pane. The Condition Details screen displays the following information with the option to make changes using the Edit Save/Cancel options.

Field | Description
Condition Name | Displays the name of the Condition. If you are defining a new condition, choose the required condition from the drop-down list.
Applies To | You can select which options are to be included or excluded. In other words, you can either choose to apply this rule to everything selected below or to apply this rule to everything EXCEPT for the items selected below.
Select/Deselect All | Choose to select/deselect all the items in the Condition.

The bottom of the screen will display differently according to the Condition you have chosen.

The following Conditions are available for selection within the Logging Policy rules:

Active Content List
Anti-Virus (McAfee/Sophos/Kaspersky)
Archive Errors
Behavior Profile (Binary)
Behavior Profile (Script)
Binary VAD
Content Size
Digital Signature
Direction
File Extensions
Header Fields
IM
Parent Archive Type
Protocol
Spoofed Content
Static Content List
Time Frame
True Content Type
URL Filtering (Websense/IBM)
URL Lists
Rule Action (for Logging Rules only)

6.4.1 Rule Action (for Logging Rules only)

This condition allows you the option of logging transactions when one or more of the end-user actions is carried out (Allow/Block/Block HTTPS/Bypass/Inspect Content/User Approval). You can also choose to leave the Rule Action blank if you want to log all transactions.

7 Example for Creating a Logging Rule

To create a Logging Rule:

1. Create a new logging policy.
2. Right-click on this Policy and select Add Rule. The New Rule screen appears.
3. Enter a name for the new logging rule, for example, Log All Blocked Transactions. Enter a brief description of the logging rule in the Description box.
4. Select the Enable Rule box in order to activate the new rule.
5. In the Send To area, click the required checkboxes and click Save.
6. Right-click on the rule you have created and select Add Condition.
7. In the New Condition screen, in the Condition Name drop-down menu, select Content Size. Select Greater than 100 MB from the options below.
8. In the Applies To: area, select Any of the items selected below.

NOTE: When defining a Logging Rule, the conditions selected must match those of the Security Policy rule in order for the relevant transactions to appear in the Log View.


Figure 5-22: Example for Creating A Logging rule

9. Click Save to apply changes. Next, click .
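The rule-evaluation model this chapter describes (the highest-priority matching rule wins, every condition of a rule must be met, unmatched transactions are allowed, and a condition applies to "any of the items selected" or to "everything EXCEPT" them), applied to the Block All Binary Executables rule from section 4.6 and to a logging policy in the style of Logging everything except Image files from section 6.1, as an added Python model that is not Finjan's code. The magic-byte table, rule names, URLs and the small set of supported conditions are constructed for illustration and stand in for the appliance's own predefined lists.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed subset of magic-byte signatures standing in for the guide's
# predefined, non-editable True Content Type list.
MAGIC = {
    b"MZ": "Windows Executable File",
    b"%PDF": "PDF Document",
    b"\x89PNG\r\n\x1a\n": "Image",
    b"\xff\xd8\xff": "Image",
}

def true_content_type(body: bytes) -> str:
    """Classify by the actual structure of the content, not its declared name or MIME type."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return "Unknown"

def file_extensions(url: str) -> set[str]:
    """All extensions in the requested name; 'report.txt.exe' -> {'txt', 'exe', 'txt.exe'}."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    parts = name.split(".")[1:]
    exts = set(parts)
    if len(parts) >= 2:
        exts.add(".".join(parts[-2:]))  # potentially malicious multiple extension
    return exts

@dataclass
class Transaction:
    url: str
    direction: str          # "Outgoing" (request phase) or "Incoming" (response phase)
    body: bytes = b""       # empty during the request phase
    action: str = ""        # set by the Security Policy, read by Logging rules

@dataclass
class Condition:
    name: str
    items: set[str]
    applies_to: str = "any"  # "any" of the items selected below, or everything "except" them

    def observed(self, tx: Transaction) -> set[str]:
        # What the condition sees on this transaction (hypothetical subset of conditions).
        probes = {
            "True Content Type": lambda: {true_content_type(tx.body)},
            "File Extensions": lambda: file_extensions(tx.url),
            "Direction": lambda: {tx.direction},
            "Rule Action": lambda: {tx.action},
        }
        return probes[self.name]()

    def matches(self, tx: Transaction) -> bool:
        hit = bool(self.observed(tx) & self.items)
        return hit if self.applies_to == "any" else not hit

@dataclass
class Rule:
    name: str
    action: str             # Security rule: Allow/Block/Coach; Logging rule: comma-separated targets
    conditions: list[Condition] = field(default_factory=list)
    enabled: bool = True

    def matches(self, tx: Transaction) -> bool:
        # Every condition of the rule must be met for the rule to fire.
        return self.enabled and all(c.matches(tx) for c in self.conditions)

def first_match(rules: list[Rule], tx: Transaction) -> Rule | None:
    """Rules are listed in priority order; the first matching rule decides."""
    return next((r for r in rules if r.matches(tx)), None)

def security_action(policy: list[Rule], tx: Transaction) -> str:
    rule = first_match(policy, tx)
    tx.action = rule.action if rule else "Allow"  # unmatched transactions are allowed
    return tx.action

def logging_targets(policy: list[Rule], tx: Transaction) -> set[str]:
    rule = first_match(policy, tx)
    return set(rule.action.split(",")) if rule else set()

# Constructed policies modelled on the guide's worked examples (hypothetical rule names).
SECURITY_POLICY = [
    Rule("Block All Binary Executables", "Block",
         [Condition("True Content Type", {"Windows Executable File"})]),
    Rule("Block Multiple Extensions", "Block",
         [Condition("Direction", {"Outgoing"}),
          Condition("File Extensions", {"txt.exe", "pdf.exe", "jpg.exe"})]),
]
LOGGING_POLICY = [  # in the style of "Logging everything except Image files"
    Rule("Log All Blocked Transactions", "log,report",
         [Condition("Rule Action", {"Block"})]),
    Rule("Log everything except Image files", "log",
         [Condition("True Content Type", {"Image"}, applies_to="except")]),
]

def process(url: str, direction: str, body: bytes = b"") -> tuple[str, set[str]]:
    # Run one transaction through both policies: (security action, logging targets).
    tx = Transaction(url, direction, body)
    return security_action(SECURITY_POLICY, tx), logging_targets(LOGGING_POLICY, tx)
```

A renamed executable (notes.txt with an MZ header) is still blocked because the true type rather than the file name is checked, while report.txt.exe is caught in the request phase only, as the Direction condition on that rule dictates.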

8 Identification Policies

Identification Policies carry out the classification of an end-user to determine whether the end-user should browse through the system or not. The Identification Policy also enables the system to enforce the proper Security Policy for the end-user. The Rules are based on both the type of Authentication or Identification that Vital Security will use as well as using Conditions of Header Fields, IP Ranges, Port Ranges and URLs.

8.1 Identification Policies Tree

The Identification Policies tree holds all the current Identification Policies within that definition - as well as the rules that make up these Policies - and the conditions that make up the rules.

NOTE: For full configuration details on the Authentication feature, please refer to the User Identification and Authentication Feature Description.


Figure 5-23: Identification Policies Tree

This provides easy navigation through each Policy, displaying the components of that Policy at a glance. Policies, rules, and conditions can be added, duplicated or deleted by right-clicking on the relevant node. Finjan's default Identification Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies. Finjan provides several predefined Identification Policies:

Authentication: This Policy contains the Identify and Authenticate Users rule, whose purpose is to authenticate end-users using an Authentication Device. The rule in this policy is disabled by default. To activate it, configure an Authentication Domain via Authentication Server, and within the Rule Details screen, click on the Active button and then OK.

Get User Credentials: This policy contains the Get User Credentials to Identify Users rule, whose purpose is to obtain USERID information using the NTLM protocol and the default cluster of Authentication Devices IF the end-user is NOT in the defined IP Range and Header Field lists.

Read Headers: This policy contains the Always Identify Users by Headers rule, whose purpose is to identify the users based on the HTTP headers that have been pre-authenticated.

Source IP Only: This Policy contains the Always Identify Users by Source IP rule, whose purpose is to identify the user by Source IP. This is the default identification action.

8.2 Identification Policy Details

Clicking on any Identification Policy displays the Policy Details screen in the right pane.

NOTE: For full configuration details on the Authentication feature, please refer to the User Identification and Authentication Feature Description.


Figure 5-24: Policy Details for Identification Policy

The Policy Details screen contains the following information with the option to make changes using the Edit Save/Cancel options:

Field | Description
Policy Name | Name of the specific policy.
Description | Contains a description of the policy.

8.3 Identification Rule Details

Clicking on an Identification rule displays the Rule Details screen in the right pane.


Figure 5-25: Identification Rule Details

The Identification Rule Details screen contains the following information, with the option to make changes using the Edit and Save/Cancel options.

Field | Description
Rule Name | Defines the name of the Identification rule.
Description | Contains a description of the rule.
Enable Rule | When checked, the rule is enabled. When unchecked, the rule is disabled.
Action | Authenticate: Vital Security communicates with the client to get USERID information and uses an external Authentication Server to validate this information. In order to do so, various parameters must be defined.
 | Get User Credentials: Vital Security gets User Identification via NTLM or another method.
 | Identify by Headers: Used when a downstream device (proxy) provides user information by forwarding device-specific HTTP headers within the request.
 | Identify by Source IP: Identifies the end-user by source IP. This is the default method of identification.

Depending on the action that you take, the following options will appear.

Field | Description
Authentication Protocols | Determines the type of protocol (Basic, NTLM or Both).
Authentication Clusters | Drop-down list which includes all the Authentication Devices in the topology as defined in External Devices. This is only used for transparent proxy when getting user credentials.
Authentication Domain | Drop-down list which includes the customer Authentication Domains as defined in External Devices.
Pre Authenticated Headers | Drop-down list which includes all headers which have been pre-authenticated as defined in Condition Settings: Pre Authenticated Headers.

8.4 Condition Details for Identification Policy Rules

Clicking on a condition opens the Condition details in the right pane. The Condition Details screen contains various options.

Field | Description
Condition Name | Displays the condition name. When creating new conditions, choose the required Condition from the drop-down list.
Applies To | Select which options are to be included or excluded. In other words, you can either apply this rule to everything selected below, or apply this rule to everything EXCEPT the items selected below.
Select/Deselect All | Select or deselect all the items in the Condition.

The bottom pane will display differently according to the Condition you have chosen.

The following Conditions are available for selection within the Identification rules:

Destination Port Range
Header Fields
IP Range
URL Lists

8.4.1 Destination Port Range

This condition is used to distinguish a client application connecting to Vital Security by the


destination port that it targets. The default rule allows the administrator to exclude a list of port ranges. The Destination Port Range can be edited via Condition Settings: Destination Port Range.

8.4.2 Header Fields

This condition is used to identify a client application connecting to Vital Security by the User Agent or any other HTTP header name and value. The Header Fields list can be modified via Condition Settings: Header Fields. The table below shows the options in the Header Fields condition:

Option | Description
Content-Disposition Executable | Defines malicious executables detected as spoofed executables.
Exclude by Headers | Provides a list for customers to add headers which identify applications (such as IM etc.). In the default rule provided, these identification headers are excluded from identification.
Firefox 1.x, 2.x | Defines specific browser versions of Firefox.
Media Players | Defines Media Players header fields.
Netscape 7.x | Defines browser version 7 of Netscape.
Older and Unsafe Browsers | Defines a list of browsers based on older versions and those that are considered unsafe.
Partial Downloading | Refers to partial downloads of Internet content.
SSL | Defines SSL header fields. Pinpointing specific SSL headers enables the administrator to build specific rules regarding SSL content.

8.4.3 IP Range

This condition is used by the administrator to define IP address ranges that end-users may be using, in order to identify or authenticate them effectively. In the default rule provided, these IP ranges are excluded from identification methods. This list can be edited via Condition Settings: IP Range.

8.4.4 URL Lists

This condition refers to lists of URLs, both predefined and configurable. The administrator can create new lists to identify client connections to Vital Security by the URL they target. These lists can be viewed and modified via Condition Settings: URL Lists.

9 Identification Logging Policies

Identification Logging Policies log the transactions carried out by the Identification Policies.


9.1 Identification Logging Policies Tree

The Identification Logging Policies tree holds all the current Identification Logging Policies within that definition - as well as the rules that make up these Policies - and the conditions that make up the rules. This provides easy navigation through each Policy - displaying the components of that Policy at a glance.

Figure 5-26: Identification Logging Policies Tree

Policies, rules, and conditions can be added or deleted by right-clicking on the relevant node. Finjan's default Identification Logging Policy cannot be modified or deleted; however, it can be duplicated to create new customizable policies. Finjan provides a predefined Identification Logging Policy:

Identification Logging Policy: This Policy contains one rule designed to log all authentication attempts that failed.

9.2 Identification Logging Policy Details

Clicking on any Identification Logging Policy displays the Policy Details on the right pane.


Figure 5-27: Identification Logging Policy Details

The Policy Details screen displays the following information:

Field | Description
Policy Name | Name of the specific policy.
Description | Contains a description of the policy.

9.3 Identification Logging Rule Details

Clicking on any Identification Logging rule displays the Rule Details on the right pane.


Figure 5-28: Identification Logging Rule Details

The Identification Logging Rule Details screen contains the following information.

Field | Description
Rule Name | Defines the name of the logging rule.
Description | Provides a place for you to write a description of the rule. Finjan provides pre-defined rule descriptions.
Enable Rule | When checked, the rule is enabled. When unchecked, the rule is disabled.
Send To: Archive | Sends log information in files to an external remote location. This must be selected to ensure that there is relevant information to archive.
Send To: Log | Sends information to the Finjan log database, which can be seen via the Log View.
Send To: Report | Sends information to the Finjan reports database. This must be selected prior to running Reports to ensure that there is relevant information to display.
Send To: Syslog | Sends information to one or two UNIX Syslog facilities which log data.


9.4 Conditions for Identification Logging Policy Rules

Each rule may include multiple conditions; all of which must be met in order for the rule to be followed. The following Conditions are available for selection within the Identification Logging Policy rules:

Authentication Methods
Authentication Clusters
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Destination Port Range
Pre Authenticated Headers
URL Lists

9.4.1 Authentication Methods

This condition details the four authentication methods defined in the Action in the Identification Rules. This condition can be used to include or exclude the authentication methods for logging purposes. The table below shows the options in the Authentication Methods condition.

NOTE: When defining the Identification Logging Rule, the conditions selected must match those of the Identification Policy rule in order for the relevant transactions to appear in the Log View.

Option | Description
Authenticate | Vital Security communicates with the client to get USERID information and uses an external Authentication Server to validate this information.
Get user credentials | Vital Security gets user identification via NTLM or another such method.
Identify by headers | Identifies the end-user according to the (HTTP) Header.
Identify by source IP | Identifies the end-user by source IP.


9.4.2 Authentication Clusters

This condition details the cluster of Authentication Devices as defined in the Lists tab. This condition includes / excludes this list for logging purposes.

9.4.3 Authentication Protocols

This condition details the protocols used for authentication (Basic, NTLM or both) for logging purposes.

9.4.4 Authentication Status

This condition details the failed status of the authentication attempts for the purposes of logging.

9.4.5 Authentication Domain

This logging rule condition covers the Domains (identifying names for the Authentication Server) as used in the parameters for Authenticate or Get User Credentials in the Identification rules.

9.4.6 Header Fields

This logging rule condition covers the Header Fields as detailed in Header Fields.

9.4.7 IP Range

This logging rule condition covers the IP ranges as detailed in IP Range.

9.4.8 Destination Port Range

This logging rule condition covers the Destination Port ranges as detailed in Destination Port Range.

9.4.9 Pre Authenticated Headers

This logging rule condition covers the Pre Authenticated headers as used in the Identify by Headers action in the Identification rule.

9.4.10 URL Lists

This logging rule condition covers the URL Lists as detailed in URL Lists.
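Sections 8.4 and 9.4 describe the same conditions twice: once to choose an identification method for a request and once to decide which transactions are logged. The following Python is an added example, not Finjan's code or the appliance's rule engine. It models only what the guide states: a condition holds selected items and an Applies To mode (the selected items, or everything EXCEPT them), a rule applies only when all of its conditions are met, Identify by Source IP is the default method, and the logging rule's conditions must mirror the identification rule's method for the transaction to be logged. The type names, the substring match on header values and the sample policies and request are assumptions made for the illustration.

```python
"""Rule/condition evaluation for Identification and Identification Logging
rules, as described in sections 8.4 and 9.4. Added example, not Finjan's
code; all names and sample data below are this example's own assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

from urllib.parse import urlsplit

DEFAULT_METHOD = "Identify by Source IP"   # default method per section 8.x


@dataclass
class Request:
    """Minimal view of a client request as seen by the identification step."""
    source_ip: str
    dest_port: int
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    # Filled in after identification; the logging rules (9.4) match on these.
    auth_method: str = DEFAULT_METHOD
    auth_status: str = "n/a"


@dataclass
class Condition:
    kind: str        # port_range | header_field | ip_range | url_list | auth_method | auth_status
    items: list
    applies_to: str = "include"   # "include" = selected items; "exclude" = everything EXCEPT them

    def is_met(self, req: Request) -> bool:
        selected = _selected(self.kind, self.items, req)
        return selected if self.applies_to == "include" else not selected


def _selected(kind: str, items: list, req: Request) -> bool:
    """True when the request falls within the condition's selected items."""
    if kind == "port_range":
        return any(lo <= req.dest_port <= hi for lo, hi in items)
    if kind == "header_field":
        # Header names are case-insensitive; values are matched as substrings
        # (an assumption of this example, the guide does not specify).
        hdrs = {k.lower(): v for k, v in req.headers.items()}
        return any(n.lower() in hdrs and v in hdrs[n.lower()] for n, v in items)
    if kind == "ip_range":
        return any(ip_address(req.source_ip) in ip_network(c, strict=False) for c in items)
    if kind == "url_list":
        host = (urlsplit(req.url).hostname or "").lower()
        return any(host == d.lower() or host.endswith("." + d.lower()) for d in items)
    if kind == "auth_method":
        return req.auth_method in items
    if kind == "auth_status":
        return req.auth_status in items
    raise ValueError(f"unknown condition kind {kind!r}")


@dataclass
class Rule:
    name: str
    action: str                   # an identification method, or "log" for logging rules
    conditions: List[Condition]
    enabled: bool = True

    def matches(self, req: Request) -> bool:
        # Every condition must be met (section 9.4 states this for logging rules;
        # the same conjunction is assumed for identification rules).
        return self.enabled and all(c.is_met(req) for c in self.conditions)


def identify(rules: List[Rule], req: Request) -> str:
    """First enabled rule whose conditions all hold decides the method."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return DEFAULT_METHOD


def should_log(rules: List[Rule], req: Request) -> bool:
    return any(rule.matches(req) for rule in rules)


# Constructed identification policy: authenticate everyone EXCEPT requests to
# excluded ports, from a server subnet, or carrying an application User-Agent
# (the "Exclude by Headers" idea from 8.4.2).
IDENTIFICATION_POLICY = [Rule("Authenticate users", "Authenticate", [
    Condition("port_range", [(443, 450)], "exclude"),
    Condition("ip_range", ["10.10.0.0/16"], "exclude"),
    Condition("header_field", [("User-Agent", "IM-Client")], "exclude"),
])]

# Constructed logging policy mirroring the predefined one: log failed
# authentication attempts. Its method condition repeats the identification
# rule's action, as the NOTE in 9.4.1 requires.
LOGGING_POLICY = [Rule("Log failed authentication", "log", [
    Condition("auth_method", ["Authenticate"]),
    Condition("auth_status", ["failed"]),
])]
```

The exclude conditions are what make the default rule in 8.4.1 and 8.4.3 work: a request to port 443 or from the server subnet fails the rule and falls back to Identify by Source IP rather than being prompted for credentials.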

10 Default Policy Settings

In the Default Policy Settings screen you can define options relating to the Security, HTTPS and Logging Policies.


Figure 5-29: Default Policy Settings Screen

Enable Emergency Policy - Setting Emergency Policies here assigns them to all Users and overrides any other Security Policies individually set per User or per User Group.

From the Emergency Policy drop-down list, select the policy to be used as an emergency policy. From the Emergency HTTPS Policy drop-down list, select the policy to be used as an emergency HTTPS policy.

Default Policy Values - The default Security, Logging and HTTPS policies are set here and will automatically be assigned to users in the system if no other Policies have been assigned to them in the Users tab. They will also be assigned automatically to unknown users.

From the Security Policy drop-down list, select one of the policies to be used as the Security policy by default. The Finjan Strict Security Policy is the default value provided by the system. From the Logging Policy drop-down list, select one of the policies to be used as the Logging policy by default. The Log All Protective Actions policy is the default value provided by the system. From the HTTPS Policy drop-down list, select one of the policies to be used as the HTTPS policy by default. The Finjan HTTPS Policy is the default value provided by the system.

NOTE: The policies you define here will be the values referred to in User Groups and LDAP Groups.

11 Condition Settings

Many of the Policy Rule Conditions have configurable values and can be tweaked to fine-tune


the Policies to match your organization’s needs. The following Condition Settings are available for editing:

Condition Settings: Active Content List
Condition Settings: Archives
Condition Settings: Authentication Clusters
Condition Settings: Binary Behavior
Condition Settings: Content Size
Condition Settings: Destination Port Range
Condition Settings: File Extensions
Condition Settings: Header Fields
Condition Settings: HTTPS Certificate Validation
Condition Settings: IP Range
Condition Settings: Pre Authenticated Headers
Condition Settings: Script Behavior
Condition Settings: Time Frame
Condition Settings: URL Lists
Condition Settings: Vulnerability Anti.dote

11.1 Available Condition Settings Tree Options

The following right-click options are available for each of the Condition Settings:

Action | Description
Add Component | Available from the top-level folder only. Allows you to create a new Condition Component.
Delete Component | Available from a specific Component. Allows you to delete a Component.
Duplicate Component | Available from Finjan pre-defined profiles. Allows you to duplicate a Component, after which you can select the required options.

11.2 Condition Settings: Active Content List

The system identifies Java Applets, ActiveX and executable files when they enter the


system, and then creates a signature for each file. These signatures are stored for caching purposes in the system. A list of these items, the Auto-Generated list, is generated automatically. This list cannot be used in a rule but items from this list may be moved to the following two lists (or indeed any new list that you create) in order to create exceptions as rule conditions:

Allowed: you can move trusted items from the Auto-generated list to the Allowed list.
Blocked: you can move questionable objects from the Auto-generated list to the Blocked list.

Click the plus icon on any piece of Active Content to display information on the Active Content.

11.2.1 Moving between Active Content lists

Finjan has provided an Allowed and a Blocked list for you to move Active Content items to.

To move an entry from one Active Content list to another:
1. Select a component from the Active Content tree, for example, the Auto-generated list.
2. Click Edit to enable changes.
3. Use the checkbox to select all the entries you want to move.
4. In the To drop-down list, choose the list you want to move the entries to, for example, the Blocked list.
5. Click Save to apply changes. Next, click .

NOTE: Moving these objects into new lists or changing their status from Blocked or Allowed, will impact on your Security Policy – if these lists are selected in the Rule Conditions.


Figure 5-30: Moving between Active Content Lists

11.2.2 Auto-Generated List Settings

The Auto-Generated list is automatically generated with the Java Applets, ActiveX and executable files that enter the system. The following options are available for the Auto-Generated List.

Field | Description
List Name | Displays the list name: Auto-generated.
Find All | Enter a search term in this field.
Plus Icon | Expands the entry to show more detail.
Go | Click Go after entering a search term in the Find All field to return a list matching your search term.
Clear | Clears the items found in the Search and restores the Auto-generated list.
Previous/Next | Allows you to move through the entries in the List.
Checkbox | Check this if you want to select one or all entries to move to another list.
To | Select which list to move the selected entries to. Click Save to move the entries.
Delete after x days | Defines the number of days after which the Active Content in this list will be deleted.
Maximum number of entries | Defines the maximum number of profiles that will be left in the List after the daily cleanup (midnight), after which the list will fill up again.

11.3 Condition Settings: Archives

An archive file is a file that contains other files; that is, it is a bundle of files packaged together. Groups of files that belong together are archived because it is easier to move one bundled file from one place to another than to transfer many individual files, one at a time. In the Archives tab, you can configure the number of files bundled together, the number of archives within archives and the size of the extracted content. Archives include: Zip Archive, GZip Archive, RAR Archive, CAB Archive, BZ2 Archive and TAR Archive. The following table provides more information on the Archive Engines fields:

Field Name | Description | Defaults | Allowed Values
Archive Depth | Configures the maximum depth level of nested archives. | 5 | 1 - 64000
Maximum Entries in Container | Configures the maximum number of entries allowed per archive. If the number of entries exceeds this amount, the container will not be scanned or forwarded. | 2000 | 1 - 4500000000
Maximum Extracted Content Size | Determines the maximum size of the extracted content. | 1073741820 bytes | 1 - 4000000000 bytes


11.4 Condition Settings: Authentication Clusters

In the Identification policy, the administrator needs to select a component from the Authentication Clusters when selecting the Authenticate method or Get user credentials. The Authentication Cluster contains a DNS hostname (actual or virtual) that is used to direct requests to the cluster, and an IP port used by the devices. The hostname can be used as a reference to a Vital Security device, to a Load Balancer IP when devices are clustered, or to a virtual non-existing host.

11.4.1 Default Cluster

The following information is displayed in this screen:

Field | Description | Example
Name | Name of the Authentication Cluster | Default Cluster
DNS Host Name | DNS Host Name | Finjan-aud1
Port | Port number | 8080

To generate a new Authentication Cluster:
1. Right-click on the top-level heading Authentication Cluster and select Add Component.
2. Enter a name for this Authentication Cluster.
3. Enter a DNS Host Name, for example, finjan-aud1, and a Port, for example, 8080.
4. Click Save to apply changes. Next, click .
5. If you need to modify this list in the future, select Edit and make your changes.

11.5 Condition Settings: Binary Behavior

Finjan's binary behavior engine is based on checking security behaviors and profiles that are a subset of all available behaviors. The behaviors are examined through inspection of the binary's exposed mechanisms, which define the interfaces it requires from the system and which can be detected and filtered by the groups defined below. By applying the organizational security policy and translating it into the behaviors defined in the binary behavior profile, adequate protection and implementation of the security policy can be achieved. The behavior groups are created by security experts from Finjan's Malicious Code Research Center (MCRC) and fed into the Binary Behavior Profile, enabling the identification of malicious active content that defies the standard organizational security policy. Finjan provides a Default Binary Behavior Profile which displays the following tabs:

Automatic Execution


File Access
Registry Access
Network Access
Minor Risk Operations
Disclosure of Information
Java Runtime
Change Settings
System Settings
General
Control Other Running Applications

11.5.1 Automatic Execution

The following Automatic Execution options are considered unsafe when performed by ActiveX & Executables:

Automatic Execution | Description
Create Process | Potential misuse of a function which is used to create system processes.
Dynamic Link Library Invocation Functions | Access to external DLL files in order to gain additional functionality by ActiveX.
Terminate Process | The binary file contains a reference to a process termination operation.
Unresolved Library Access | An attempt to access a library of functions that cannot be resolved directly.

The following Automatic Execution options are considered unsafe when performed by Java Applets:

Automatic Execution | Description
Access other applications | Accessing applications outside the context of the applet is considered a security violation. Applets are usually self-contained and do not need access to other applications.
Create Process | Potential misuse of a function which is used to create system processes.
Load Class | Potential misuse of a function which is used to load/locate an external Java program.
Load Library | Potential misuse of a function which is used to load a library (an external library which contains program code).
Remote Method Invocation | An attempt to call a method on a remote object accessible over the network (internal or external).
System Commands | The binary file contains a reference to system commands (execute, schedule processes, etc.).
Terminate Process | The binary file contains a reference to a process termination operation.

11.5.2 File Access

The following File Access options are considered unsafe when performed by ActiveX & Executables:

File Access | Description
File Delete | Potential misuse of local privileged functions for file/directory removal.
File Read | Potential misuse of local privileged functions for file read, data read.
File Write | Potential misuse of local privileged functions which write data to a file (audio, text or binary types).

The following File Access options are considered unsafe when performed by Java Applets:

File Access | Description
File Create | Potential misuse of local privileged functions such as File Create/File Copy.
File Write | Potential misuse of local privileged functions which write data to a file (audio, text or binary types).
File Delete | Potential misuse of local privileged functions for file/directory removal.
File Read | Potential misuse of local privileged functions for file read, data read.
File Query | Potential misuse of local privileged functions for file read, open file, querying file parameters, etc.
File Rename | Potential misuse of local privileged functions for file rename.


11.5.3 Registry Access

The following Registry Access options are considered unsafe when performed both by Java Applets and by ActiveX & Executables:

Registry Access | Description
Registry Delete | Potential misuse of local privileged functions for deleting a registry key/value.
Registry Read | Potential misuse of local privileged functions for reading a registry key/value.
Registry Write | Potential misuse of local privileged functions for writing/changing a registry key/value.

11.5.4 Network Access

The following Network Access options are considered unsafe when performed by ActiveX & Executables:

Network Access | Description
Bluetooth Networking | Potential misuse of local privileged functions such as sending an authentication request to a remote Bluetooth device or retrieving information on a remote Bluetooth device.
DNS Functions | Potential misuse of local privileged functions that use the DNS Client API, such as DNS query, record compare, etc.
Network Connect | Potential misuse of local privileged functions in order to connect to other network elements, such as functions that use the HTTP client API to send requests through the HTTP protocol to other HTTP servers, etc.
Network Listen | Potential misuse of local privileged function calls in order to access network services (e.g. listen for incoming connections).
Network Receive | Potential misuse of local privileged function calls in order to access network services (e.g. retrieving content/data from other resources, such as retrieving a file from an FTP server).
Network Send | Potential misuse of local privileged function calls in order to access network services (e.g. send network commands).

The following Network Access options are considered unsafe when performed by Java Applets:

Network Access | Description
Network Receive | Suspected network behavior such as opening a socket, receiving data packets.
Network Resolve | Suspected network behavior such as communicating with a DNS server, getting host information, etc.
Network Send | Suspected network behavior such as opening a socket, sending data packets.
Open Socket | Suspected network behavior such as opening a socket for communication (for data packet transfer).

11.5.5 Minor Risk Operations

The following Minor Risk Operations options are considered unsafe when performed by ActiveX & Executables:

Minor Risk Operations | Description
Potentially Dangerous Memory Management Functions | Changing the way that an application uses the system memory may result in a crash or the disclosure of sensitive data.
Potentially Dangerous Process-Debugging Functions | Process debugging functions may be used to reveal information from the system and alter the execution logic of the debugged applications.

The following Minor Risk Operations options are considered unsafe when performed by Java Applets:

Minor Risk Operations | Description
CORBA Connection | An attempt to create or manage a CORBA (Common Object Request Broker Architecture) connection. This may utilize functionality that is provided remotely by an external object.
Memory Write | An attempt to write data to a mapped memory segment.
Database Access | Functionality related to database access activity.
Print Access | Indicates access to printing functionality within the application.
Exit Browser | Terminates the browser session.
Use Reflection | Provides functionality to query existing applications and objects by examining them and gathering functionality information.

11.5.6 Disclosure of Information

The following Disclosure of Information options are considered unsafe when performed by Java Applets:

Disclosure of Information | Description
Access Clipboard | Potential misuse of local privileged functions such as reading the computer clipboard and revealing sensitive information.
Access Cookies | Potential misuse of local privileged functions such as reading Internet cookies, which might allow a remote user to access bank accounts, web-based email, etc.
Enumerate Printer Connections | Potential misuse of local privileged functions such as mapping or removing printer connections.
Get User Information | Potential misuse of local privileged functions such as getting specific user information (user name, system name, etc.).
Keystrokes | Potential misuse of local privileged functions such as logging of keystrokes, which might reveal the user's password.


11.5.7 Java Runtime

The following Java Runtime options are considered unsafe when performed by Java Applets, since by doing so an attacker may eliminate security restrictions:

Java Runtime | Description
Set Class Loader | Potential misuse of a function in order to locate and run a Java program.
Set Properties | Potential misuse of a function which might change the current working environment.
Set Security Manager | Potential misuse of a function in order to set the system's security.

11.5.8 Change Settings

The following Change Settings options are considered unsafe when performed by ActiveX & Executables:

Change Settings | Description
Change Network Systems | Potential misuse of local privileged function calls in order to change network settings (e.g. using HTTP server API functions).
Change System Settings | Potential misuse of local privileged functions in order to change system settings (e.g. shell commands, network programming).

11.5.9 System Settings

The following System Settings options are considered unsafe when performed by Java Applets:

System Settings | Description
Change Printer Connections | Attempt to change printer connections, which may lead to disclosure of data.

11.5.10 General

The following General options are considered unsafe when performed by ActiveX and


Executables:

General | Description
Database Access | Potential misuse of local privileged functions which allow accessing a database.
Exit Windows | Potential misuse of local privileged functions which perform system shutdown, lock workstation, etc.

11.5.11 Control Other Running Applications

The following Control Other Running Applications options are considered unsafe when performed by ActiveX and Executables:

Control Other Running Applications | Description
Code Injection into Running Process | Potential misuse of local privileged functions which allow, for example, creating a thread that runs in the virtual address space of another process.
Sending Messages to other Applications | Potential misuse of local privileged functions which allow sending messages to a specific system process/procedure on the local machine, etc.

The Higher Sensitivity Binary Behavior Profile contains the same Profile information. However, in this screen all the options are checked.

11.6 Condition Settings: Content Size

Content size refers to the size of the content being scanned. These content size values can be selected as a Condition to be included in your Policy Rules, thereby preventing very large files from entering or leaving your organization. The predefined content sizes cannot be modified. However, new Content Size lists can be created.

NOTE: For containers, the content size refers to the size of the files once taken out of the containers, so while the actual container might be smaller than the size you defined, it could still be blocked.

11.6.1 Generating a Content Size

To generate a Content Size:
1. Right-click on the top-level heading Content Size and select Add Component.
2. Enter an appropriate Content Size name.
3. Enter the required Content Size.
4. Click Save to apply changes. Next, click .
5. If you need to modify this component in the future, select Edit and make your changes.

11.7 Condition Settings: Destination Port Range

The Destination Port Range contains one or more port ranges that may be used as inclusion in the Identification Policy Rule in order to be blocked / allowed. This Range is used to distinguish a client application connecting to the Vital Security device by the destination port that they target.

11.7.1 Generating an item in the Destination Port Range

To generate a new item in a Destination Port Range:1. Right-click on the top-level heading Destination Port Range and select Add

Component.2. Enter an appropriate Destination Port Range name.

3. In the Destination Port Range section, click to add a new row.

4. Enter a Port number in the From / To range (for example, 443 to 450).

5. Repeat for as many times as necessary. You can delete entries by clicking on

the same row as the entry and selecting Delete Port Range.

6. Click Save to apply changes. Next, click .

7. If you need to modify this range in the future, select Edit and make your changes.

11.8 Condition Settings: File Extensions

Each File Extension listed here is actually a list of other file extensions according to topic. The File Extensions are presented here as predefined lists for ease of convenience. They can be used as rule conditions in your security policy.You cannot add or delete extensions from the existing File Extensions provided by Finjan. However, you can create new File Extension lists.

NOTE: Persistent connections enable the client to connect to various targets via the same proxy connection. This means that the first request may target a different server port than the following requests.

93 Chapter 5 - Policies

11.8.1 Generating a new item in File Extensions

To generate a new item in File Extensions:
1. Right-click on the top-level heading and select Add Component.
2. Enter an appropriate File Extension name.
3. In the File Extensions section, click to add a new row.
4. Enter the relevant File Extension.
5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Extension.
6. Click Save to apply changes. Next, click .
7. If you need to modify this list in the future, select Edit and make your changes.

11.8.2 Multiple File Extensions

The Multiple File Extensions list can be edited here. Multiple File Extensions means that a file has more than one extension at the end of it, for example, file.txt.exe, where the last extension is the one the Operating System uses to run the file.

11.9 Condition Settings: Header Fields

Headers are metadata that allow you to customize rules based on specific header fields. For example, you can create a rule that blocks requests from specific user-agents. The headers can be either request or response headers.

11.9.1 Generating an item in the Header Field

To generate a new item in Header Field:
1. Right-click on the top-level heading and select Add Component.
2. Enter an appropriate Header Field name.
3. In the Header Fields section, click to add a new row.
4. Enter a Name, Operator and Value as required.
5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Header.

NOTE: The Header Field value uses various parameters for Regular Expression or Equals to. For example, “.*?finjan” searches for the shortest string before the word finjan.

6. Click Save to apply changes. Next, click .
7. If you need to modify this Component in the future, click Edit and make your changes.
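As an added illustration that is not part of this guide or of the Vital Security product, the following Go program models how the Content Size, Destination Port Range, File Extensions (including Multiple File Extensions) and Header Fields conditions are evaluated against a constructed transaction. The function names, the container-size handling and the sample values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PortRange is one From/To row of a Destination Port Range component.
type PortRange struct{ From, To int }

// HeaderCond is one Name/Operator/Value row of a Header Fields component.
type HeaderCond struct{ Name, Operator, Value string }

// ContentSizeExceeds applies a Content Size condition. For a container the
// size that counts is the extracted size, so a small archive whose members
// add up to more than the limit is still caught (assumed semantics).
func ContentSizeExceeds(transferred, extracted, limit int64) bool {
	if extracted > transferred {
		transferred = extracted
	}
	return transferred > limit
}

// PortInRanges reports whether the destination port falls inside any From/To
// row (inclusive, e.g. 443 to 450).
func PortInRanges(port int, ranges []PortRange) bool {
	for _, r := range ranges {
		if port >= r.From && port <= r.To {
			return true
		}
	}
	return false
}

// Extensions splits "file.txt.exe" into ["txt", "exe"]; the operating system
// acts on the last one, which is why the earlier ones can mislead a user.
func Extensions(name string) []string {
	parts := strings.Split(strings.ToLower(name), ".")
	if len(parts) < 2 {
		return nil
	}
	return parts[1:]
}

// MatchesExtensionList is the File Extensions condition: the effective (last)
// extension is one of the list entries.
func MatchesExtensionList(name string, list []string) bool {
	exts := Extensions(name)
	if len(exts) == 0 {
		return false
	}
	for _, e := range list {
		if strings.EqualFold(e, exts[len(exts)-1]) {
			return true
		}
	}
	return false
}

// HasMultipleExtensions is the Multiple File Extensions check: more than one
// extension, the final one taken from the executable list (e.g. file.txt.exe).
func HasMultipleExtensions(name string, executable []string) bool {
	return len(Extensions(name)) > 1 && MatchesExtensionList(name, executable)
}

// HeaderMatches evaluates one Header Fields row against request or response
// headers (names lower-cased). "Regular Expression" is an unanchored search,
// so ".*?finjan" matches the shortest run of text before "finjan".
func HeaderMatches(headers map[string]string, c HeaderCond) (bool, error) {
	v, ok := headers[strings.ToLower(c.Name)]
	if !ok {
		return false, nil
	}
	switch c.Operator {
	case "Equals":
		return v == c.Value, nil
	case "Regular Expression":
		re, err := regexp.Compile(c.Value)
		if err != nil {
			return false, err
		}
		return re.MatchString(v), nil
	}
	return false, fmt.Errorf("unknown operator %q", c.Operator)
}

func main() {
	// Constructed transaction: report.txt.exe fetched over port 445 with a
	// User-Agent containing "finjan"; a 900-byte archive holding 5 MB.
	headers := map[string]string{"user-agent": "Mozilla/5.0 finjan-test"}
	fmt.Println("port 445 in 443-450:", PortInRanges(445, []PortRange{{443, 450}}))
	fmt.Println("report.txt.exe has multiple extensions:", HasMultipleExtensions("report.txt.exe", []string{"exe", "com", "bat"}))
	ok, _ := HeaderMatches(headers, HeaderCond{"User-Agent", "Regular Expression", ".*?finjan"})
	fmt.Println("user-agent matches .*?finjan:", ok)
	fmt.Println("archive exceeds 4 MB limit:", ContentSizeExceeds(900, 5<<20, 4<<20))
}
```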

11.10 Condition Settings: HTTPS Certificate Validation

Certificate validation includes expiration checks, revocation and matching. Vital Security ensures that corporate policies regarding certificates are enforced, while removing the decision from the user's hands by automatically validating each certificate and making sure that the chain goes back to the trusted authority. Policies regarding certificates are enforced by checking individual certificate names, dates, the trusted authority chain and revocation lists.

A list of trusted certificate authorities is supplied with the system and is used for digital signature analysis and for SSL certificate validation. Digital certificate lists are updated via the Finjan security updates. These lists include the required trusted certificate authorities as well as the Certificate Revocation Lists.

Administrators cannot modify or delete the default profile; however, they can duplicate the Default HTTPS Profile, which can then be customized. Finjan includes one predefined Default Certificate Validation Profile which contains the following certificate error events:

Invalid Certificate Structure
Certificate cannot be trusted
Certificate is not currently valid
Certificate Revoked
Host cannot be trusted
Bad Certificate Usage
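The following added example, which is not taken from this guide or from the Vital Security product, uses Go's standard crypto/x509 package to show how the expiration, trust chain and host name checks described above produce the error event groups named here. The constructed root CA, the www.example.com server certificate and the mapping in Classify are assumptions made for illustration; Go's verifier does not consult CRLs, so the Certificate Revoked group is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl with a freshly generated key:
// self-signed when parent is nil, otherwise signed by parent with signer.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed root: the new key signs its own certificate
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Classify maps Go's verification errors onto the event groups of the Default
// Certificate Validation Profile (assumed mapping). Go reports both a future
// notBefore and a past notAfter with the reason Expired.
func Classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &unknownCA):
		return "Certificate cannot be trusted"
	case errors.As(err, &hostErr):
		return "Host cannot be trusted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "Certificate is not currently valid"
	}
	return "other: " + err.Error()
}

// Verify validates leaf for host against the trusted roots at the given time
// and returns the event group a policy rule would see.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string, at time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return Classify(err)
}

// Scenarios builds a constructed root CA and a server certificate for
// www.example.com and runs the expiration, trust chain and host name checks.
func Scenarios() map[string]string {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return map[string]string{
		"chain ends at trusted root": Verify(leaf, trusted, "www.example.com", now),
		"root not in trusted list":   Verify(leaf, x509.NewCertPool(), "www.example.com", now),
		"host name does not match":   Verify(leaf, trusted, "mail.example.com", now),
		"checked after notAfter":     Verify(leaf, trusted, "www.example.com", now.Add(48*time.Hour)),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-27s -> %s\n", name, verdict)
	}
}
```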

11.10.1 Invalid Certificate Structure

The following table describes the options:

Cannot decode issuer public key: The public key in the certificate SubjectPublicKeyInfo could not be read.
Certificate signature cannot be decrypted: The certificate signature could not be decrypted (meaningful for RSA keys).

11.10.2 Certificate cannot be trusted

The following table describes the options:

Issuer certificate could not be found: This occurs if the issuer certificate of an untrusted certificate cannot be found.
Certificate signature failure: The signature of the certificate is invalid.
Certificate is self signed: The certificate is self signed and the same certificate cannot be found in the list of trusted certificates.
Root certificate could not be found locally: The certificate chain could be built up using the untrusted certificates but the root could not be found locally.
Unable to get local issuer certificate: The issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete.
Unable to verify the first certificate: Signatures could not be verified because the chain contains only one certificate and it is not self signed.
Certificate chain too long: The certificate chain length is greater than the supplied maximum depth.
Invalid CA certificate: Either the CA is not valid or it may not be used to sign the tested certificate for HTTPS communication.
Certificate not trusted: The root CA is not marked as trusted for the specified purpose.
Certificate rejected: The root CA is marked to reject the specified purpose.
Subject issuer mismatch: The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate.
Authority and subject key identifier mismatch: The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier of the current certificate.

Authority and issuer serial number mismatch: The current candidate issuer certificate was rejected because its issuer name and serial number were present and did not match the authority key identifier of the current certificate.
Key usage does not include certificate signing: The current candidate issuer certificate was rejected because it may not sign other certificates (keyUsage).

11.10.3 Certificate is not currently valid

The following table describes the options:

Certificate is not yet valid: The notBefore date is after the current time.
Certificate has expired: The notAfter date is before the current time.
Format error in certificate's notAfter field: The certificate notAfter field contains an invalid time.
Format error in certificate's notBefore field: The certificate notBefore field contains an invalid time.

11.10.4 Certificate Revoked

The following table describes the options:

Unable to get certificate CRL: The CRL of a certificate could not be found.
Unable to decrypt CRL's signature: The actual signature value could not be determined, as opposed to it not matching the expected value.
CRL signature failure: The signature of the CRL is invalid.
CRL is not yet valid: The notBefore date is after the current time.
CRL has expired: The notAfter date is before the current time.

Format error in CRL's lastUpdate field: The CRL lastUpdate field contains an invalid time.
Format error in CRL's nextUpdate field: The CRL nextUpdate field contains an invalid time.
Certificate revoked: The certificate has been revoked.

11.10.5 Host cannot be trusted

The following table describes the options:

Host name does not match certificate name: The host name does not match the one given in the certificate.
Cannot verify hostname: The host name is unavailable and therefore cannot be verified against the certificate.

11.10.6 Bad Certificate Usage

The following table describes the options:

Unsupported certificate purpose: The supplied certificate cannot be used for the specified purpose.
Path length constraint exceeded: The basicConstraints pathlength parameter has been exceeded.

11.11 Condition Settings: IP Range

The IP Range contains one or more IP ranges that end-users may be using, so that they can be identified or authenticated effectively. This can be used for inclusion in Identification Policy rules. The range is used to distinguish the client machine connecting to the Vital Security device by its source IP. The default list, named Exclude by IP, is provided by Finjan for the administrator to add or modify their own IP ranges as required.

11.11.1 Generating a new Item in IP Range

To generate a new item in an IP Range:
1. Right-click on the top-level heading IP Range and select Add Component.
2. Enter an appropriate IP Range name.
3. In the IP Range section, click to add a new row.
4. Add the appropriate addresses in the From IP Address and To IP Address fields.

5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the item and selecting Delete IP Range.
6. Click Save to apply changes. Next, click .
7. If you need to modify this range in the future, select Edit and make your changes.

11.12 Condition Settings: Pre Authenticated Headers

Pre Authenticated Headers includes headers which have been pre-authenticated (i.e. it is assumed that the header data has previously been authenticated by a downstream proxy agent). These are available for inclusion in the Identification Policy Rules.

11.12.1 Generating a Pre Authenticated Header

To generate a Pre Authenticated Header:
1. Right-click on the top-level heading Pre Authenticated Header and select Add Component.
2. Enter an appropriate Pre Authenticated Header name.
3. Enter the header carrying the IP address, for example X-Client-IP.
4. Select a Domain / User, for example, a Custom header such as X-Authenticated-User, or a Basic Authenticated header from downstream proxy.
5. Click Save to apply changes. Next, click .
6. If you need to modify this component in the future, select Edit and make your changes.

NOTE: When the Basic Authenticated header from downstream proxy checkbox is set, the proxy will use the basic authentication header per transaction and not per connection.

11.13 Condition Settings: Script Behavior

Finjan's script behavior engine is based on checking security behaviors and profiles that are a subset of all available behaviors. The groups that drive the operation of the Application-Level Behavior Based engine are not signature-based. Groups at various levels define language tokens, semantic patterns of Active Code, forbidden combinations of operations, parameters and programming techniques. These Behavior groups are created by security experts from Finjan's Malicious Code Research Center (MCRC), and fed into the Behavior Profile scanning engines, enabling the identification of malicious active content.

The system is preconfigured with default Behavior Profiles. These defaults are available for inclusion in your Rule Conditions. The Default Script Behavior displays the following tabs:

File System Operations
Windows Network Operations
Registry Operations
Operating System Operations
Advanced

11.13.1 File System Operations

The following File System operations are considered unsafe when performed by VB/Java scripts:

File Copy: Attempt to copy a local file.
File Create: Attempt to create a local file.
File Delete: Attempt to delete a local file.
File Query: Attempt to detect whether a file exists under a specific path in the local file system.
File Read: Attempt to read a local file.
File Write: Attempt to write to a local file.

11.13.2 Windows Network Operations

The following Windows Network operations are considered unsafe when performed by VB/Java scripts:

Network Drive Delete: Attempt to remove a shared network drive from the computer system.
Network Drive Query: Attempt to detect whether a specific network drive exists.
Network Printer Operations: Attempt to manipulate network printers by adding/removing a remote MS-DOS-based or Windows printer connection to the computer system, setting a different default printer, etc.
Query Logged-On User: An attempt to query for a specific user domain name, user name, computer name, etc.
Windows Log Operations: An attempt to manipulate a Windows log event.

11.13.3 Registry Operations

The following Registry operations are considered unsafe when performed by Java applets:

Registry Read: Attempt to read a system registry key or value.
Registry Write: An attempt to create a new key within the system registry, add another value-name to an existing key (and assign it a value), or change the value of an existing value-name.
Registry Delete: An attempt to delete a key or one of its values from the system registry.

11.13.4 Operating System Operations

The following Operating System operations are considered unsafe when performed by Java applets:

Access Microsoft Outlook: An attempt to run Microsoft Outlook, which could result in accessing sensitive data (reading it and sending it out of the corporate network).
Access Potentially Dangerous Applications: Attempt to execute an application on the local machine. These applications are legitimate ones but are used to bypass local machine security to perform non-legitimate acts such as accessing restricted data.
Create Process: An attempt to open a shell command and execute system processes.
Inter-Process Communication: An attempt to perform communication between running processes by sending parameters, which may result in performing non-legitimate processes.
Environment Variables-Related Operations: Environment variables are strings that contain information about the environment for the system and the currently logged on user. This group refers to any manipulation performed on those variables.

11.13.5 Advanced

The following Advanced operations are considered unsafe when performed by Java applets:

Access to Environment Variables: Web content that tries to access local environment variables may use the information for malicious or identity theft purposes.
Bogus Script Function Usage to Crash Browser: Some non-legitimate script functions can cause the browser to stop working.
Browser Status Bar Modification: The browser's status bar can be changed using specially crafted scripts.
Channel Adding to the Active Desktop: Remote scripts can be used to add active desktop channels.
Clipboard Referencing: Remote scripts can be used to grab information stored in the user's clipboard.
Code Obfuscation (Home-Encoding): These are a set of different programmatic techniques used to obfuscate code. Usually the purpose of code obfuscation is to bypass signature-based security products, so such code is considered potentially malicious.
Code Obfuscation (Home-Encoding) (Complementary Rule): Same description as Code Obfuscation (Home-Encoding).
Code Obfuscation (Home-Encoding) Type II: Same description as Code Obfuscation (Home-Encoding).
Code Obfuscation (Home-Encoding) Type III: Same description as Code Obfuscation (Home-Encoding).
Dangerous ActiveX Objects Remote Creation Protection, Remote File Read and Execution Protection: Some ActiveX Objects can be used to remotely read, write and execute files.

DHTML Properties Setting: Some uncommon DHTML attributes can be used to mask malicious actions.
Dynamic Addition of HTML Elements: Dynamically adding HTML elements can be used to mask malicious content.
Dynamic creation of HTML Element: Dynamic creation of HTML elements can be used to mask malicious actions.
Dynamic HTML Assignment: Dynamic assignment of HTML content can be used to mask malicious actions.
Dynamically setting a Mouse Event: Dynamically setting a mouse event can be used to mask malicious actions.
Endless Loop Denial of Service: Scripts using endless loops can take over the CPU.
Environment Variables Remote Access/Reference Protection: Referring to local environment variables can allow remote cross-zone scripting.
Faking a known Application Dialog: Displaying a fake version of a known local application dialog in the browser can be used for phishing and spoofing attacks.
Generic History Theft Protection: Scripts that try to access the browsing history can use the information to collect browsing habits for the purpose of marketing, as well as to refine attack vectors where the victim may visit a site whose profile matches their browsing habits.
Generic Internet Explorer Remote Zone Bypass, Address Bar Spoofing and Status Bar Spoofing: Specially created URLs can be used for phishing and spoofing attacks.
Generic Local Resource Remote Reference: Links to local files can be used for remote cross-zone scripting.
Generic Shellcode Detection: Detects the use of shellcode. Shellcode should be blocked since it compromises the end user's computer.
Generic Shellcode Detection Type II: This is another type of shellcode detection technique.
Generic VB Script/Java Script Injection Attempts: Links containing script injections can be used for remote cross-zone scripting.
Help Protocols and Windows Help System Remote Code Execution: Help protocol handlers that are part of the help system provided by Microsoft Windows can be used for remote cross-zone scripting.
Help Protocols Usage: Help protocol handlers can be used for remote cross-zone scripting and buffer overflow attacks.

HTML Code Injection: HTML code injections can be used for masking malicious actions.
HTML Code Injection at a Specific Location: HTML code injections at a specific location in the document object model can be used for masking malicious actions.
HTML Elements hiding by ActiveX Objects: Special ActiveX Objects that hide HTML elements can be used in phishing and spoofing attacks.
HTML Elements Hiding by Setting the HTML Style: Special style attributes that hide HTML elements can be used for phishing and spoofing attacks.
IE Favorites Manager Remote File Overwriting Protection: The Internet Explorer Favorites Manager can be used to overwrite local files.
IE NavigateAndFind Zone Bypass Protection: The Internet Explorer NavigateAndFind function can be used for remote cross-zone scripting.
Import HTML Tag Usage: The HTML Import tag can be used to mask malicious actions.
Importing a Style Sheet into an Existing Style Sheet: Scripts that add external style sheets to an existing style sheet can be used to mask malicious actions.
Location.Assign Remote Code Execution Vulnerability: Setting the "Assign" property of a location object can be used for remote cross-zone scripting.
MHTML Protocol Remote File Creation, Cross-Domain Scripting and/or Remote Code Execution: When referring to MHT files, MHTML protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Mailto: Protocol Injection: The mailto protocol handler, when combined with specially crafted scripts, can be used for remote cross-zone scripting.
Media Protocols Usage: Some media protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Media/Search Bars Code Injection Protection: Directing pages to the Internet Explorer Media and Search bars can be used for remote cross-zone scripting.
Microsoft IE popup blocker bypass vulnerability: Scripts that try to open popup windows may try to bypass the built-in protection in recent versions of Internet Explorer.
Microsoft Office Protocols Usage: Microsoft Office protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.

Microsoft Windows Remote Permanent Code Execution/Script Injection into Desktop: Scripts that refer to a user's desktop can be used for remote cross-zone scripting.
Miscellaneous Protocols Usage: Some common protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Mozilla Firefox (About:) Protocol: Scripts attempting to use the about: protocol in Mozilla may try to alter system settings and make the security mechanisms built into the browser less effective.
Netscape/Mozilla Privilege Manager Protection: The Privilege Manager in Netscape/Mozilla can be used for remote cross-zone scripting.
News Protocols Usage: News protocol handlers (e.g. http) can be used for remote cross-zone scripting or buffer overflow attacks.
Obfuscated Text Content: Obfuscating text content can be used for masking malicious actions.
Opening Non-focused window from a link: This malicious behavior can be used for spoofing/phishing attacks.
P2P Protocols Usage: P2P protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Potentially exploitable protocol handlers: Detects and blocks the use of potentially exploitable protocol handlers.
Reference to Local Resources: Any remote access to a local file is a clear violation of the Internet Zones separation.
Remote Code Execution, Remote Data Theft, and all Drag and Drops Generic Protection: Certain Internet Explorer default style behaviors can be used for remote cross-zone scripting.
Recurring Function Invocation or Expression Evaluation: Expression evaluation and timer-driven function invocation can be used for masking malicious actions.
Resource Protocols Usage: Resource protocol handlers (e.g. using the "res" protocol handler) can be used for remote cross-zone scripting.
Script Source Attributed to an Icon: The link tag allows loading a custom image as the icon for a website, displayed in the location bar and in the tab title. Setting the href attribute of this tag to a javascript URL is potentially malicious and non-standard behavior.

Sensitive Data Compromise: Some Internet Explorer HTML tags and style behaviors can be used to disclose sensitive private information.
Show Modeless Dialog Suspicious Usage of Function: A modeless dialog, when combined with specially crafted scripts, can be used for phishing and spoofing attacks.
Size Limitation of Tag Property Inside HTML Content: Setting a very long value in HTML tag attributes can be used for buffer overflow attacks.
Telnet Protocols Usage: Telnet protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Using Script Encoded Functions: Scripts that are encoded, or that may attempt to encode content, are considered potentially malicious, as this technique is used to bypass signature based security protocols.
Web Forms Auto Completion Text: Scripts that use auto-complete functions can disclose a user's private information.
Windows and Frames Showing in an Absolute Position: Setting the position of windows or frames can be used for phishing and spoofing attacks.

The Higher Sensitivity Script Behavior Profile contains the same Profile information. However, in this screen all the options are checked.

11.14 Condition Settings: Time Frame

The existing Finjan time frames supplied with the system can be modified to suit local times and customs. New Time Frames can also be added. This condition enables the administrator to adapt policy to organizational demands and needs that vary with the time of the week, thereby increasing system efficiency and productivity. The Time Frame included as a Condition for Policy Rules can be configured here.

11.14.1 Generating a new item in a Time Frame

To generate a new item in a Time Frame:
1. Right-click on the top-level heading Time Frame and select Add Component.
2. Enter an appropriate Time Frame name.
3. In the Time Frames section, click to add a new row.
4. Enter a Name, From Day, From Time and To Day, To Time values as required.

5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Time Frame.
6. Click Save to apply the changes. Next, click .
7. If you need to modify this list in the future, click Edit and make your changes.

11.15 Condition Settings: URL Lists

The URL lists allow you to include specific URLs in a white list (allowed) or black list (blocked) to accelerate system performance. URL lists play a large part in Security Policy making. Finjan predefined URL lists, such as the Finjan Recommended White List, cannot be modified.

NOTE: The Bypassed Context Scanning List can be edited here but is not included in Rule Conditions. You can edit this list to decide which embedded objects do NOT need to be scanned in their full context. This is automatically used as part of the scanning process.

The following right-click options are available from the URL Lists tree:

Delete List: Deletes the list.
Import to List: Allows importing many URL addresses into a list. Please refer to Generating a new item in a URL List.
Export to File: Allows exporting the URL addresses within a list to a file which can then be edited, printed, imported, etc.
Delete all URLs: Deletes all the URL addresses in the list on the right of the screen.

11.15.1 Generating a new item in a URL List

There are two different ways to add URLs to a new list. The first option involves importing pre-created text files or XML files containing URL addresses (without protocols).

To add XML or TXT files containing URLs to the list:
1. First, write a text file of URLs, with each URL starting on a new line, or write an XML file with each node representing a URL.
2. Next, save the file to a known location. Alternatively, export an existing list of URLs to a known location and edit the list.

Page 115: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

3. Right-click on the list you want to import the files to on the right of the screen and select Import to List.

4. Click Browse and navigate to your saved file. Next, click Open on the Windows dialog box.

5. Click Import, located on the bottom of the screen. The contents of the file – that is, the URL addresses, appear in the pane.

6. Click Save to apply changes. Next, click .

The second option involves adding individual URLs (without protocols) to the list.

To add individual URLs to a given list:1. Right-click on the top-level heading and select Add List. 2. Enter an appropriate URL List name.

3. In the URL section, click to add a new row.

4. Enter an appropriate URL.

5. Repeat for as many times as necessary. You can delete entries by clicking on

the same row as the entry and selecting Delete URL.

6. Click Save to apply changes. Next, click .

7. If you need to modify this list in the future, click Edit and make your changes.
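Because a white-list entry lets matching URLs bypass scanning, it is worth checking a hand-written list before importing it. The following Python script is an added example and is not part of the product or this guide: it cleans the one-URL-per-line text format described above (stripping any protocol prefix, blank lines and duplicates), and flags bare host names, since the guide states that a slash and an asterisk must be added to include the entire domain. The XML layout it parses (a `<urls>` root with one `<url>` element per address) is an assumption; the guide only says each node represents a URL. The sample input is constructed.

```python
"""Pre-flight check for a URL list file before it is imported into a URL List.

Added example, not part of the product: it cleans the one-URL-per-line text
format the guide describes and, for XML input, ASSUMES a
<urls><url>...</url></urls> layout, which the guide does not specify.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Leading scheme such as "http://" or "https://"; the guide says list entries
# are given without protocols, so any scheme is stripped rather than rejected.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed sample input: what an operator might hand-write before import.
SAMPLE_TEXT = """\
# internal portals that may bypass scanning
https://Intranet.Example.corp/*
intranet.example.corp/*
www.example.com/tools/
example.net
"""


def normalize_entry(raw: str) -> Optional[str]:
    """Return the entry in the form the list expects (no scheme, no surrounding
    whitespace, lower-case host) or None for blank and '#' comment lines."""
    entry = raw.strip()
    if not entry or entry.startswith("#"):
        return None
    entry = SCHEME_RE.sub("", entry)
    host, sep, path = entry.partition("/")
    return host.lower() + sep + path  # path case is kept as written


def load_text_list(text: str) -> List[str]:
    """Parse a one-URL-per-line text file, dropping blanks, comments and
    duplicates while keeping first-seen order."""
    unique = {}
    for line in text.splitlines():
        entry = normalize_entry(line)
        if entry is not None:
            unique.setdefault(entry, None)
    return list(unique)


def load_xml_list(xml_text: str) -> List[str]:
    """Parse the ASSUMED XML form: one <url> element per address."""
    root = ET.fromstring(xml_text)
    unique = {}
    for node in root.iter("url"):
        entry = normalize_entry(node.text or "")
        if entry is not None:
            unique.setdefault(entry, None)
    return list(unique)


def whole_domain_warnings(entries: List[str]) -> List[str]:
    """Flag bare host entries. Per the guide, a slash and an asterisk must be
    added to include the entire domain, so "host" alone does not cover the
    whole site; the operator should decide whether "host/*" was intended."""
    warnings = []
    for entry in entries:
        if "/" not in entry:
            warnings.append(
                f"{entry}: does not cover the entire domain; "
                f"use {entry}/* to include it"
            )
    return warnings


if __name__ == "__main__":
    entries = load_text_list(SAMPLE_TEXT)
    print("entries to import:", entries)
    for warning in whole_domain_warnings(entries):
        print("warning:", warning)
```

Run the cleaned output through the import steps above rather than the raw file; the bare-host warnings are the ones to review before saving, since an entry that does not cover the intended domain on a black list leaves that domain unblocked, and one that is broader than intended on a white list skips scanning for the whole domain.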

NOTE: To include the entire domain, a slash (/) and an asterisk (*) must be added.

11.16 Condition Settings: Vulnerability Anti.dote

Vulnerability Anti.dote utilizes a multi-layered rule-based engine that can “understand” HTML, scripts and other programmatic components that make up HTTP-based content, at a level similar to compiler analysis. Finjan’s MCRC experts create detailed rules that capture the essence of the various possible vulnerabilities in browser applications, Windows operating system and services, and other applications that can be accessed by active content such as FTP, Windows Media Player, etc. Based on these behavioral rules, Finjan's scanning servers detect any attempt to exploit one or more vulnerabilities and block such content from entering your network. Vulnerability Anti.dote appears as several tabs of identifiable browser and operating system vulnerabilities proprietary to Finjan. This Vulnerability Anti.dote profile is not configurable, but is updated by MCRC Security Updates as new Windows vulnerabilities are discovered. It is also possible to create a customized Vulnerability Anti.dote profile, selecting the required vulnerabilities to be added to the profile.

The Vulnerability Anti.dote profile contains the following list of vulnerabilities:

Crashing Internet Clients
Remote Script
Remote ActiveX
Cross-Site and Spoofing
Buffer Overflows
3rd Parties

11.16.1 Crashing Internet Clients

The following table describes the Denial of Service vulnerabilities:

Crashing Internet Clients    Description

BrowseDialog class Internet Explorer Denial of Service vulnerability

BrowseDialog ActiveX control is prone to a Denial of Service vulnerability, which could allow a remote attacker to cause a Denial of Service.

DirectAnimation.StructuredGraphicsControl ActiveX denial of service vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference

FireFox object DoS

Mozilla Firefox is prone to a denial of service vulnerability.

IE ActiveX bgColor Property Denial of Service vulnerability

Multiple ActiveX controls in Microsoft Windows operating systems allow attacker to cause Denial of Service to Internet Explorer.

IE CLSID Denial of Service Vulnerability

Microsoft Internet Explorer allows remote attackers to cause a denial of service (crash) via an OBJECT tag that contains a crafted CLSID

IE DirectAnimation.DAUserData Denial of Service vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service using the DirectX component responsible for animations in a certain manner.

IE DXImageTransform.RevealTrans Denial of Service Vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference

IE HREF Save as Denial of Service vulnerability

A vulnerability in Microsoft Internet Explorer allows a remote user to create a link that will cause the target user's browser to crash when attempting to save the link


IE HtmlDlgSafeHelper Denial of Service Vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference

IE Listbox Object DoS vulnerability

A vulnerability in Microsoft Internet explorer which could cause Denial of Service.

IE Malformed File URI Denial of Service Vulnerability

The affected browser will crash when a malformed 'file:' URI is processed.

IE Meta Tag Denial of Service vulnerability

Internet Explorer allows remote attackers to cause a denial of service (crash), which triggers a null dereference

IE MHTML Redirect Denial of Service Vulnerability

A Denial of Service occurs when Internet Explorer attempts to parse certain malformed HTML content.

IE MHTMLFile Denial of Service Vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference

IE Object.DXTFilter Denial of Service Vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference

IE OVCtl NewDefaultItem Denial of Service Vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by an integer underflow and a NULL pointer dereference

IE Print Without Prompt Vulnerability

Uses OLE object method ExecWB to bypass page-print dialog box

IE Recursive JavaScript Event Denial of Service Vulnerability

Indirect recursive calling of an onError event which redefines an invalid source to an image tag

IE Style Tag Comment Memory Corruption Vulnerability

Microsoft Internet Explorer is vulnerable to a heap-based buffer overflow which can be exploited by a remote attacker to execute arbitrary code

IE TriEditDocument.TriEditDocument Denial of Service Vulnerability

Vulnerability in Microsoft Internet Explorer that may allow a denial of service.

IE Window Function Crash Vulnerability

Prevents IE crash when calling window function or with no user interaction when calling from onload event.

IE7 DoS Vulnerability

Microsoft Internet Explorer 7 is prone to a denial-of-service vulnerability which allows attackers to consume excessive CPU resources.

Microsoft ADODB.Connection ActiveX Denial of Service vulnerability

ADODB.Connection ActiveX object contains a vulnerability which may cause Remote Code Execution

Microsoft CEnroll stringToBinary DoS vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by a memory access error

Microsoft IE OutlookExpress.AddressBook COM Object memory corruption vulnerability

Vulnerability in Microsoft Internet Explorer that may allow a denial of service due to a null-pointer dereference.

Microsoft Internet Explorer Malformed HTML Null Pointer Dereference Vulnerability (mshtml.dll)

Microsoft Internet Explorer version 6 crashes when executing 'for' scripts

Microsoft Office Outlook Recipient Control (ole32.dll) Denial of Service vulnerability

Microsoft Recipient ActiveX control in Windows XP SP2 allows remote attackers to cause a denial of service (Internet Explorer 7 hang) via crafted HTML

Microsoft OWC11 DataSourceControl DoS vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by an integer underflow and a NULL pointer dereference

Mozilla Firefox Range Object Denial of Service Vulnerability

A Denial of Service vulnerability can occur in Mozilla Firefox.

MS dxtmsft.dll DoS vulnerability

IE may crash when handling multiple COM Objects.

MS RDS.DataControl heap overflow vulnerability

A Microsoft Internet Explorer crash (Denial of Service) can be caused by the Remote Data Service Object (RDS.DataControl).

MS Shell32.dll DoS vulnerability

Shell32.dll is vulnerable to a buffer overflow in the ShellExecute API function. A remote attacker can overflow a buffer and possibly cause a denial of service or execute code on the system.

Multiple Vendor Graphics Driver Large JPEG Processing Vulnerability

Microsoft Windows is prone to a denial of service vulnerability which manifests when an image is resized using very large dimensions

Several COM Objects Initiation Internet Explorer Crash Vulnerability

Initiation of a non-ActiveX COM object can lead to IE crash.


11.16.2 Remote Script

The following table describes the Remote Script options:

Remote Script    Description

Acer Notebook LunchApp.APlunch ActiveX Control Remote Code Execution vulnerability

A vulnerability in LunchApp.APlunch ActiveX Control, which can lead to remote code execution.

Acrobat AcroPDF.dll ActiveX Control Remote Code Execution Vulnerabilities

Using a long argument string in the LoadFile method in an AcroPDF ActiveX control could allow an attacker full control over the victim's machine. These flaws are due to memory corruption errors in the AcroPDF ActiveX control (AcroPDF.dll)

ActiveX Control and COM objects Memory Corruption Vulnerability

Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code

Alipay Password Input ActiveX Control Vulnerability

Alipay ActiveX Control is vulnerable to a remote code-execution vulnerability.

AOL CDDBControlAOL.CDDBAOLControl ActiveX Remote Code Execution vulnerability

A vulnerability in AOL’s ActiveX, which could allow Remote Code Execution

AOL ICQPhone.SipxPhoneManager ActiveX remote code execution vulnerability

A vulnerability found in ICQ, could lead to Remote Code Execution

AOL YGPPicDownload.dll Heap Corruption Vulnerabilities

The AOL YGP (You've Got Pictures) Pic Download ActiveX control is vulnerable to a buffer overflow in the downloadFileDirectory property. A remote attacker could exploit this vulnerability to execute arbitrary code on a victim's system.

Attacker toolkit detection

Detects and blocks the Web Attacker toolkit, a bundled hacking utility which allows anyone to upload client-side browser exploits to a web server and create a malicious web page.

Citrix ICAClient ActiveX Remote Code Execution vulnerability

A vulnerability has been discovered in Citrix Presentation Server Client which could allow Remote Code Execution.


Code Base Vulnerability

A vulnerability exists where the codebase of an ActiveX can be modified in a way that would allow an attacker to exploit the system, and may allow code execution.

COM Object Instantiation Memory Corruption Vulnerability - CVE-2007-0218

Microsoft Internet Explorer uses certain COM objects as ActiveX controls, which allows remote attackers to execute arbitrary code.

COM Object Instantiation Memory Corruption Vulnerability, CVE-2006-3638 (MS06-042)

Microsoft Internet Explorer uses certain COM objects as ActiveX controls, which allows remote attackers to execute arbitrary code.

daxctle.ocx Heap Overflow Vulnerability

Microsoft Internet Explorer is vulnerable to a denial of service, caused by a heap overflow when the DirectAnimation.PathControl COM object is instantiated as an ActiveX control with an invalid Spline method

DirectAnimation ActiveX Controls Memory Corruption Vulnerability

Vulnerability in DirectAnimation ActiveX controls. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

IE %USERPROFILE% Folder Disclosure Vulnerability

Microsoft Internet Explorer is prone to an issue which could permit an attacker to load a known, existing file in a user's temporary directory

IE AutoScan Method Browser Security Policy Violation Vulnerability

A flaw has been reported in Microsoft Internet Explorer in the way the AutoScan method is implemented. This weakness may result in the violation of the browser security policy.

IE BackToFramedJPU Cross-Domain Policy Vulnerability

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 are vulnerable to cross-site scripting

IE Cached Objects Zone Bypass Vulnerability

Internet Explorer allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and execute code, via cached methods and objects

IE Cascading Style Sheet File Disclosure Vulnerability

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to read portions of files on other user's systems, caused by a vulnerability in Cascading Style Sheets (CSS).


IE Codebase Double Backslash Local Zone File Execution

A vulnerability in IE may potentially permit HTML documents to gain unauthorized access to local resources by using specific syntax

IE createObject vulnerability

This rule handles a vulnerability in some COM objects which could allow remote code execution.

IE Cross-Domain Event Leakage Vulnerability

Microsoft Internet Explorer is prone to an issue that may leak sensitive information across foreign domains.

IE Custom HTTP Error HTML Injection Vulnerability

A vulnerability in Internet Explorer, which can be exploited by malicious people to execute arbitrary script code due to an input validation error in the custom errors generated by IE.

IE DHTML Object handling vulnerabilities

Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer allows remote attackers to execute arbitrary code

IE DHTML Script Function Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way Internet Explorer interprets certain DHTML script function calls.

IE Dialog Same Origin Policy Bypass Vulnerability

Cross-site scripting vulnerability in Internet Explorer allows remote attackers to execute scripts in the Local Computer zone

IE Document Reference Zone Bypass Vulnerability

A vulnerability has been reported in Microsoft Internet Explorer that may allow for remote attackers to execute script code in the context of other domains/security Zones.

IE Double Backslash CHM File Execution Vulnerability

Microsoft Internet Explorer version 6.0 could allow a remote attacker to execute files on a vulnerable system.

IE DragDrop Method Local File Reading Vulnerability

The file upload control in Microsoft Internet Explorer allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files

IE Implicit Drag and Drop File Installation Vulnerability

Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on a victim's system, caused by a vulnerability regarding the dragDrop method


IE ITS Protocol Zone Bypass Vulnerability

Microsoft Internet Explorer is prone to a vulnerability that may permit hostile content to be interpreted in the Local Zone exploited via the ITS Protocol URI handler

IE Java Script Local File Enumeration Vulnerability

Javascript can be used to enumerate files on the local machine and reveal confidential information regarding the system.

IE Local Resource Reference Vulnerability

Local resources on the system (files and applications) can be referenced and used from within IE, which may lead to information disclosure, and code execution.

IE Malicious Shortcut Self-Executing HTML Vulnerability

A vulnerability exists in Microsoft Internet Explorer which allows a malicious web content to create a self-executing HTML file. When that file contains scripting that creates, modifies and saves a link (.lnk) file on the system, it leads to remote code execution.

IE MMS Protocol Handler Executable Command Line Injection Vulnerability

Prevents MMS Protocol Handler Executable Command Line Injection.

IE Script URL Cross-Domain Access Violation Vulnerability

Microsoft Internet Explorer allows a remote attacker to bypass the cross-domain security model, caused by a vulnerability when a specific programming function is used.

IE Self-Executing HTML File Vulnerability

Microsoft Internet Explorer contains a vulnerability that can allow script code within an HTML document to run an embedded executable file.

IE Shell.Application Object Script Execution Vulnerability

Microsoft Internet Explorer could allow a remote attacker to execute code on a victim's system. A remote attacker could create a malicious Web page that uses the Shell.Application ActiveX object, which would execute arbitrary code on the victim's system.

IE ShowHelp Arbitrary Command Execution Vulnerability

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to bypass the cross-domain security model, caused by a vulnerability in the Windows showHelp() method.


IE Temporary Internet Files Folder Disclosure Vulnerability

An attacker can gain access to the path of the temporary internet files folder on a remote machine. This can lead to exploitation of existing vulnerabilities to enable an attacker to execute any program

IE Unauthorized Document Object Model Access Vulnerability

Microsoft Internet Explorer is prone to a vulnerability that may enable a frame or iframe to gain unauthorized access to the Document Object Model (DOM) of other frames/iframes in a different domain.

IE Unconfirmed Memory Corruption Vulnerability

Internet Explorer may be prone to a potential memory corruption vulnerability that could allow a remote attacker to cause a denial of service condition in the browser

IE VML Vulnerability

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows.

IE WebViewFolderIcon vulnerability

Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on the system.

IE window.open Media Bar Cross-Zone Scripting Vulnerability

Microsoft Internet Explorer may be prone to a cross-zone scripting vulnerability that could ultimately lead to execution of malicious script code and Active Content

IE window.open Search Pane Cross-Zone Scripting Vulnerability

A vulnerability in Microsoft Internet Explorer could enable unauthorized access by malicious scripts and Active Content to document properties across different Security Zones and foreign domains

IE WMIScriptUtils createObject vulnerability

This rule handles a vulnerability in WMIScriptUtils CreateObject. An attacker who successfully exploits this vulnerability could gain the same user rights as a local user and gain full control over the victim's machine.

IE XML Page Object Type Validation Vulnerability

Internet Explorer does not properly handle object types, when rendering XML based web sites. This may result in possible execution of malicious software.


IE5 with Office 2000 Remote Command Execution Vulnerability

Prevents Remote Code Execution for Microsoft Internet Explorer 5 users with Microsoft Office 2000 installed.

MHTML Forced File Execution Vulnerability

A vulnerability has been discovered in Microsoft Outlook Express when handling MHTML file and res URIs that could lead to an unexpected file being downloaded and executed.

MHTML Redirection Local File Parsing Vulnerability

A vulnerability in Microsoft Outlook Express may allow an attacker to parse local files on a system. The vulnerable component is also used by Microsoft Internet Explorer.

MHTML URL Handler File Rendering Vulnerability

Microsoft Outlook Express introduced a URL handler called MHTML (MIME Encapsulation of Aggregate HTML). This allows Internet Explorer to pass MHTML files to Outlook Express for rendering

Microsoft Windows VML Buffer Overrun Vulnerability (MS07-004)

Vulnerability in Vector Markup Language could allow Remote Code Execution.

Microsoft XMLHTTP.4.0 ActiveX remote code execution vulnerability

A vulnerability in Microsoft XML Core Services XMLHTTP ActiveX control which could lead to Remote Code Execution.

MMC Redirect Cross-Site Scripting Vulnerability, CVE-2006-3643 (MS06-044)

Microsoft Windows 2000 Management Console (MMC) is vulnerable to cross-site scripting, caused by improper restrictions on certain embedded resource files used by the Microsoft Management Console library

Mozilla Browser Cache File Multiple Vulnerabilities

Mozilla Browser is prone to multiple vulnerabilities that could eventually allow for code execution on the local computer

Mozilla Browser Input Type HTML Tag Unauthorized Access Vulnerability

A remote attacker could create a malicious Web page containing JavaScript code, which would cause a malicious file to upload to a server, once the Web page is visited

Mozilla data: URI Remote Code Execution Vulnerability

Prevents security restriction bypass and Remote Code Execution.

Mozilla Firefox JavaScript Navigator Object Remote Code Execution Vulnerability

Mozilla Firefox JavaScript Navigator Object Remote Code Execution Vulnerability

Mozilla Shared Function Objects Remote Code Execution Vulnerability

Prevents Remote Code Execution vulnerability exploitation in some of Mozilla's shared function objects.


MS ADODB Buffer overflow vulnerability

Microsoft's ADODB is vulnerable to a buffer overflow attack that can result in remote code execution.

MS CAPICOM.Certificates RCE Vulnerability

A remote code execution vulnerability exists in Cryptographic API Component Object Model (CAPICOM) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

MS IE COM Object Instantiation Memory Corruption Vulnerability

Microsoft Internet Explorer uses certain COM objects from Imjpcksid.dll as ActiveX controls, which allows remote attackers to execute arbitrary code.

MS IE COM Object Instantiation Memory Corruption Vulnerability - CVE-2007-0219

A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution.

MS IE COM Object Instantiation Memory Corruption Vulnerability - CVE-2006-4697

Microsoft Internet Explorer uses certain COM objects from Imjpcksid.dll as ActiveX controls, which allows remote attackers to execute arbitrary code.

MS MDSAuth.DLL ActiveX Control Remote Code Execution Vulnerability

The Microsoft Windows Media Server ActiveX control is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows remote attackers to execute arbitrary code on an affected system.

MS Shell Object Vulnerability

The Shell object used from Microsoft Internet Explorer can be exploited to allow remote code execution.

Multiple IE Script Execution Vulnerabilities

Multiple issues in Microsoft Internet Explorer

Multiple Vendor URI Protocol Handler Arbitrary File Creation/ Modification Vulnerability

A vulnerability has been identified in multiple products from multiple vendors that may allow a remote attacker to create or modify arbitrary files.

Object tag vulnerability

Crafting an Object tag in a certain manner can allow an attacker to execute code from web pages viewed by Internet Explorer.

RDS Cross Zone Scripting Vulnerability

Blocks Cross-Zone Scripting using RDS ActiveX Object.


Rediff Bol Downloader (ActiveX Control) Remote Code Execution vulnerability

This vulnerability allows remote code execution and may compromise affected computers.

Softwin BitDefender AvxScanOnlineCtrl COM Object Remote File Upload and Execution Vulnerability

The AVXSCANONLINE.AvxScanOnlineCtrl.1 ActiveX control in BitDefender Scan Online allows remote attackers to obtain sensitive information or download and execute arbitrary code

Sun Java Runtime Environment Java Plug-in Java Script Security Restriction Bypass Vulnerability

The Java plug-in used to run applets from within a web page is vulnerable to an attack vector that would allow bypassing the built-in security mechanisms, and result in code execution.

SupportSoft ActiveX Remote Code Execution Vulnerability

Some vulnerabilities have been reported in various SupportSoft ActiveX controls, which can be exploited by malicious people to compromise a user's system.

VeriSign ConfigChk ActiveX Control Buffer Overflow Vulnerability

A vulnerability has been identified in VeriSign ConfigChk ActiveX control, which could be exploited by remote attackers to take complete control of an affected system.

Windows Media Player Plugin Buffer Overflow Vulnerability

Buffer overflow in the plug-in for Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.

Windows Media Player PNG Vulnerability

Microsoft Windows Media Player is prone to a remote code-execution vulnerability. This vulnerability is related to handling of malicious PNG images.

Windows XP Explorer Self-Executing Folder Vulnerability

Microsoft Windows XP Explorer allows attackers to execute arbitrary code via a HTML and script in a self-executing folder that references an executable file within the folder, which is automatically executed when a user accesses the folder.

Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability

Microsoft Windows XP is vulnerable to cross-site scripting, caused by a vulnerability in the helpctr.exe program.

Winzip remote code execution vulnerability

WinZip is prone to multiple remote code-execution vulnerabilities in an ActiveX control that is installed with the package.


11.16.3 Remote ActiveX

The following table describes the options:

Remote ActiveX    Description

DigWebX ActiveX Control Unspecified Vulnerability

Prevents initiation of old versions of DigWebX ActiveX Control.

IE Cross Frame security vulnerability

Internet Explorer versions 5.5 and 6.0 are vulnerable to a Cross Frame Scripting attack, which may allow execution of arbitrary code.

IE NavigateAndFind Zone Bypass Protection

Internet Explorer allows remote attackers to bypass zone restrictions by using the NavigateAndFind method to load a file.

IE RDS ActiveX Vulnerability

Microsoft Data Access Components (MDAC) is a collection of components that provide the back-end technology which enables database access for Windows platforms.

IE Self-Executing HTML Arbitrary Code Execution Vulnerability

The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine, allows remote attackers to execute arbitrary code in the Local Security context.

IE ShowHelp Arbitrary Command Execution Vulnerability

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to bypass the cross-domain security model, caused by a vulnerability in the Windows showHelp() method.

Office Web Components Active Script Execution Vulnerability

A vulnerability in a Microsoft Office Web Components (OWC) Spreadsheet component makes it possible to execute arbitrary Active Script code, even when Active Scripting has been disabled by the client.

Office Web Components Clipboard Information Disclosure Vulnerability

A vulnerability in OWC Spreadsheet component makes it possible to gain control of the clipboard operations, even when the “Allow paste operations via script” security feature in IE is disabled.

Outlook Web Access HTML Attachment Script Execution Vulnerability

An interaction between the Outlook Web Access (OWA) and Internet Explorer allows attackers to execute malicious script code against a user's mailbox via a message attachment that contains HTML code.

Chapter 5 - Policies120

Page 128: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

11.16.4 Cross-Site and SpoofingThe following table describes the options:

Spyware object detected This rule was created in order to avoid false positives in top sites.

Windows HTML Help Control Cross-Zone Scripting Vulnerability

The windows Help Control is used to display Help information when using the PC. When exploiting this vulnerability from a web page, the permissions of the malicious script could be elevated to those of the Help object and bypass security mechanisms.

Windows Media Player Automatic File Download and Execution Vulnerability

Vulnerability in Windows Media Player which allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters.

Windows Media Player IE Zone Access Control Bypass Vulnerability

A method for evading the Zone based access control model used by Microsoft Internet Explorer which relies on a flaw in Windows Media Player that allows for untrusted content to access the Local Zone.

Cross-Site and Spoofing DescriptionBookmark URL-check Bypass Vulnerability

Prevents security validations bypass vulnerability on URIs saved on favorites

Cross Site Scripting in HTML Script Sections

Scripts in HTML attributes such as style can be used for malicious actions.

HTTP Request splitting protection Protecting proxy from HTTP request splitting which could be used to "smuggle" malicious sites by tricking the Proxy into unintentionally associating a URL to another URL page (content).

IE CDROM Ejection Vulnerability via WMP

Prevents a remote attacker from opening the CDROM tray using WMPlayer ActiveX Object.

IE DHTML Script Function Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way Internet Explorer interprets certain DHTML script function calls.

IE FTP Commands Injection Vulnerability

Prevents command injections using FTP protocols as part of a URL.


IE Java Script Desktop Spoofing Vulnerability

It is possible for a user to create a webpage containing JavaScript, which will consume the entire screen of an unknowing Internet Explorer user.

IE Java Script Method Assignment Cross-Domain Scripting Vulnerability

Assigning methods from within a malicious script in a certain manner could allow the privilege escalation of the script and execute arbitrary code on the attacked machine.

IE mailto URI Handler Arbitrary File Attachment Vulnerability

Blocks an information disclosure vulnerability in Microsoft Outlook caused by injection of command line arguments.

IE Meta Data Foreign Domain Spoofing Vulnerability

Enables a website viewed in Internet Explorer to use an SSL certificate which belongs to someone else. This vulnerability can be used in phishing scams.

IE MSXML XML File Parsing Cross-Site Scripting Vulnerability

Cross-site scripting (XSS) in Internet Explorer allows remote attackers to insert arbitrary web script via an XML file that contains a parse error.

IE Popup.show Mouse Event Hijacking Vulnerability

A vulnerability exists in Microsoft Internet Explorer that may permit a malicious Web page to hijack mouse events. This could potentially be exploited to trick an unsuspecting user into performing unintended actions such as approving pop-up dialogs.

IE showModalDialog Cross-Site Scripting Vulnerability

The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method.

IE Unauthorized Clipboard Contents Disclosure Vulnerability

Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object.

IE window.createPopup Interface Spoofing Vulnerability (chromeless)

Internet Explorer allows remote attackers to create chromeless windows using the Javascript window.createPopup method, which could allow attackers to simulate a victim's display, conduct unauthorized activities or steal sensitive data.


IE Window.MoveBy/Method Caching Mouse Click Event Hijacking Vulnerability

Internet Explorer allows remote attackers to direct drag and drop behaviors, as well as other mouse click actions to other windows.

Internet Explorer and Mozilla Firefox Local File Disclosure Vulnerability

Internet Explorer and Mozilla Firefox are vulnerable to a JavaScript bug that could allow an attacker to trick users into giving up sensitive personal information (for version 8.4.x and above).

Internet Explorer CSS Cross-Domain Vulnerability

Microsoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files.

Microsoft Agent Spoofing Vulnerability

Prevents loading Microsoft Agent ActiveX Control in order to avoid spoofing.

Mozilla FireFox about blank phishing vulnerability

Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar.

Mozilla Firefox Java.net.Socket Information disclosure vulnerability

Blocks attempts to use the java.net.Socket API in a malicious manner.

Mozilla Firefox location.hostname Cross-Domain Vulnerability CVE-2007-0981

Mozilla Firefox is vulnerable to data theft. Remote attackers can steal cookies and other information by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code.

Multiple Browser URI Display Obfuscation Vulnerability

A weakness has been reported in multiple browsers that may allow attackers to obfuscate the URI for a visited page.

Multiple Vendor Web Browser Java Script Modifier Keypress Event Subversion Vulnerability

In Internet Explorer and Opera malicious JavaScript may subvert some keypress events, with consequences including the disclosure of arbitrary local files to a remote server.


Onunload Multiple Browser Entrapment Vulnerability

The vulnerability is caused by an error in multiple browsers' handling of "onunload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar.

Opera Web Browser IFrame OnLoad Address Bar URL Obfuscation Vulnerability

A condition in the Opera web browser causes Opera to fill in the address bar before the page has been loaded, which allows remote attackers to spoof the URL in the address bar.

Outblaze Webmail HTML Injection Vulnerability

Outblaze Webmail is reported prone to an HTML injection vulnerability because the application fails to properly sanitize user-supplied HTML email content.

11.16.5 Buffer Overflows

The following table describes the options:

Buffer Overflows | Description

IE Shell: IFrame Cross-Zone Scripting Vulnerability

The Windows Shell application allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename.

Internet Explorer Input-createTextRange Memory Corruption Vulnerability

This new rule blocks attempts to exploit the createTextRange() function vulnerability.

Macrovision FLEXnet boisweb.dll ActiveX Control Buffer Overflow Vulnerability

Multiple buffer overflows in an ActiveX control (boisweb.dll) in Macrovision FLEXnet Connect could allow remote code execution of malicious code.

Microsoft Windows XVoice.dll and Xlisten.dll Buffer Overflow Vulnerability

An exploitable buffer overflow in Microsoft Windows DirectSpeechSynthesis and DirectSpeechRecognition which may allow remote code execution.

Mozilla InstallVersion-compareTo Remote Code Execution Vulnerability

A Remote Code Execution vulnerability exists in the way Mozilla compares installation versions. It is possible to control the EIP and therefore achieve remote code execution.


MS Office DeleteRecordSourceIfUnused vulnerability

Buffer overflow in the Microsoft Office MSODataSourceControl ActiveX object allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.

MS Office OUACTRL.OCX HelpPopup method Remote Buffer Overflow

Buffer overflow in the HelpPopup method in the Microsoft Office ActiveX control (OUACTRL.OCX) allows remote attackers to cause a denial of service through a specially crafted web page.

Office XP RTF Buffer Overflow Vulnerability

A buffer overflow in the Office XP RTF file format can allow Remote Code Execution.

Several COM Objects Memory Corruption Remote Code Execution Vulnerability

Prevents exploitation of a memory corruption remote code execution vulnerability in several COM objects.

11.16.6 3rd Parties

The following table describes the options:

3rd Parties | Description

Acrobat reader XSS vulnerability

Multiple cross-site scripting (XSS) vulnerabilities in the Adobe Acrobat Reader Plugin allow remote attackers to inject malicious JavaScript.

Akamai Download Manager ActiveX Stack Buffer Overflow Vulnerability

Stack-based buffer overflow vulnerability was detected in Akamai Download Manager ActiveX Control. Successful exploitation allows execution of arbitrary code.

AOL SuperBuddy ActiveX Control Code Execution Vulnerability

A vulnerability in America Online (AOL) SuperBuddy ActiveX control was detected, which can be exploited to compromise a user's system.

Baofeng Storm ActiveX Remote Heap Overflow vulnerability

Multiple vulnerabilities in the Baofeng Storm application's ActiveX control may enable an attacker to execute arbitrary code on the attacked system.


BlueSkychat ActiveX Remote Heap Overflow vulnerability

Heap-based buffer overflow in the BlueSkychat ActiveX control allows remote attackers to execute arbitrary code.

CA caller dll RCE vulnerability

A vulnerability exists in eTrust Intrusion Detection that can allow a remote attacker to execute arbitrary code.

EnjoySAP ActiveX Controls Memory Corruption Vulnerabilities

A vulnerability has been discovered in EnjoySAP ActiveX control which could allow remote attackers to execute arbitrary code.

Hewlett Packard hpqvwocx.dll Stack Overflow vulnerability

Hewlett Packard 'hpqvwocx.dll' ActiveX control library is prone to a stack-based buffer-overflow vulnerability. Successfully exploiting this issue allows remote attackers to execute arbitrary code.

HP Digital Imaging ActiveX Arbitrary Data Write

A vulnerability has been discovered in HP Digital Imaging ActiveX control, which can be exploited by attackers to overwrite arbitrary files or compromise a user's system.

HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow Vulnerability

The HP Mercury Interactive Quality Center Spider Module ActiveX control contains a stack buffer overflow. Successful exploitation allows execution of arbitrary code when visiting a malicious website.

IBM Access Support (eGatherer) ActiveX Dangerous Methods Vulnerability

eEye Digital Security has discovered a security vulnerability in IBM's signed "eGatherer" ActiveX control.

IBM acpRunner ActiveX Dangerous Methods Vulnerability

The acpRunner ActiveX control allows remote attackers to execute arbitrary code via the (1) DownLoadURL, (2) SaveFilePath, and (3) Download ActiveX methods.

IBM and Lenovo Access Support acpRunner ActiveX

The IBM and Lenovo Access Support acpRunner ActiveX control could allow a remote attacker to execute arbitrary commands on the system.

IE Heartbeat ActiveX Control Unspecified Vulnerability

An unspecified vulnerability exists in the Microsoft Internet Explorer Heartbeat MSN gaming ActiveX control (heartbeat.ocx).


Image ActiveX unspecified Vulnerability

Prevents remote code execution using Image ActiveX.

jetAudio 7.x ActiveX DownloadFomMusicStore RCE vulnerability

A vulnerability in jetAudio can be exploited to overwrite files on the local system by using specially crafted code on a web page.

LinkedIn ActiveX RCE vulnerability

Critical vulnerability exists in LinkedIn ActiveX control which can allow a remote attacker to execute arbitrary code.

McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability

Remote exploitation of a buffer overflow in an ActiveX control distributed with McAfee Security Center could allow for the execution of arbitrary code.

Microsoft DXMedia SDK 6 Remote Code Execution Vulnerability

A vulnerability was reported in Microsoft DirectX in an ActiveX control. A remote user can cause arbitrary code to be executed on the target user's system.

Microsoft Outlook Mailto: Parameter Quoting Zone Bypass Vulnerability

A vulnerability in Microsoft Outlook caused by insufficient filtering of the parameters of mailto: URLs, which allows remote attackers to execute arbitrary programs.

Microsoft Visual FoxPro 6.0 FPOLE.OCX Remote Stack Overflow vulnerability

Microsoft Visual FoxPro ActiveX control is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Microsoft Visual Studio 6.0 PDWizard RCE vulnerability

This vulnerability in Microsoft Visual Studio can be exploited to execute arbitrary commands on your computer.

Microsoft Visual Studio 6.0 VBTOVSI.DLL Arbitrary Data Write vulnerability

Absolute directory traversal vulnerability in a certain ActiveX control in the VB To VSI Support Library (VBTOVSI.DLL) in Microsoft Visual Studio 6.0 allows remote attackers to create or overwrite arbitrary files on the system.

MS Office RCE vulnerability

A remote code execution vulnerability exists in Microsoft Office.


NCTAudioEditor ActiveX DLL Arbitrary Data Write vulnerability

Multiple vulnerabilities have been identified in NCTAudioEditor and NCTAudioStudio, which could be exploited by attackers to bypass security restrictions and manipulate arbitrary files.

NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow

Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code.

Nessus ActiveX Remote Code Execution Vulnerability

Directory traversal vulnerability in a certain ActiveX control in Nessus Vulnerability Scanner 3.0.6 allows remote attackers to create or overwrite arbitrary files.

Norton Anti-Virus 2006 ActiveX Remote Code Execution

Multiple unspecified "input validation error" vulnerabilities in multiple ActiveX controls in Norton Antivirus, Internet Security, and System Works products for 2006 allow remote attackers to execute arbitrary code.

PPStream (PowerPlayer .dll) ActiveX Remote Overflow Exploit

Buffer overflow in PPStream allows remote attackers to execute arbitrary code via a long Logo parameter.

Real Player Denial of Service vulnerability

A vulnerability in RealPlayer may allow an attacker to perform a denial of service by using specially crafted web page content.

Sony Network Camera SNCP5 v1.0 ActiveX viewer Heap Overflow

A vulnerability has been discovered in Sony Network Camera viewer ActiveX control which could allow remote code execution.

Sony/First4Internet CodeSupport ActiveX Remote Code Execution Vulnerability

The CodeSupport ActiveX contains methods which allow remote code execution and remote denial of service.

Sony/SunnComm MediaMax AxWebRemoveCtrl ActiveX Remote Code Execution Vulnerability

This ActiveX contains some methods which allow remote code execution and remote denial of service.

Symantec COM Object Security ByPass Vulnerability (CVE-2006-3456)

A vulnerability has been reported in various Symantec products, which can be exploited by malicious people to bypass certain security restrictions.


Symantec NavComUI ActiveX Control RCE Vulnerability

Two vulnerabilities in various Symantec products allow remote attackers to execute code and to compromise affected computers.

Symantec Norton Internet Security 2004 ISAlertDataCOM ActiveX control stack buffer overflow vulnerability

Buffer overflow in the ISAlertDataCOM ActiveX control for Norton Personal Firewall and Internet Security, may allow remote code execution.

VMware multiple vulnerabilities

Some vulnerabilities have been reported in several VMware products, which can be exploited by malicious users to cause a DoS (Denial of Service) or bypass certain security restrictions.

Windows Media Player RCE Vulnerability

A remote code execution vulnerability exists in Windows Media Player that can be exploited by a web page containing specially crafted malicious code.

Xunlei Web Thunder ThunderServer.webThunder ActiveX multiple Vulnerabilities

Some vulnerabilities have been reported in several VMware products, which can be exploited by malicious users to cause a DoS (Denial of Service) or bypass certain security restrictions

Yahoo Messenger ActiveX Control Buffer Overflows Vulnerability

A vulnerability was reported in Yahoo! Messenger where a remote user can create specially crafted HTML. When loaded by the target user, the HTML will trigger a buffer overflow and execute arbitrary code on the target system.

Yahoo Messenger AudioConf ActiveX Control Buffer Overflow

Yahoo! Messenger is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Yahoo.AudioConf ActiveX control.

Yahoo Messenger CYFT Object Arbitrary File Download vulnerability

This vulnerability in a certain ActiveX control in Yahoo! Messenger allows remote attackers to force download of arbitrary files, and create or overwrite arbitrary files.

Yahoo Widget dll Remote Code Execution Vulnerability

Stack-based buffer overflow in Yahoo! Widgets allows remote attackers to execute arbitrary code.

Yahoo! Messenger ywcupl.dll ActiveX Control Buffer Overflow

Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 could allow remote code execution of malicious code.

Yahoo! Messenger ywcvwr.dll ActiveX Control Buffer Overflow

Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ywcvwr.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 could allow remote code execution of malicious code.

12 End User Messages

This option covers the End-User Messages sent out to end-users as chosen in the Security and HTTPS Rules. It also covers the general End-User message template.

12.1 Block / Warn Messages

The Block / Warn messages are sent to end-users in the event that the URL site they are surfing to has been blocked by Vital Security or designated as a site requiring user approval or coaching action (user approval and coaching messages are referred to collectively as Warn Messages). These messages are chosen for each Block/Coach/User Approval rule in the Security / HTTPS Policies as required. The messages include Place Holders which are replaced with real values when displayed to the end-user.

12.2 Block / Warn Message Details screen

Each message is composed of a mixture of free text and placeholders, which can be moved around to create your own unique message. The following table provides information on the Place Holders:

Place Holder | Description

Binary Behavior Profile Names

Description of the potentially dangerous binary content operation.

Binary Profile List

Active Content List name that appears in a Finjan or customer defined black list.

Binary VAD

Description of Binary exploit.

Client IP

Client IP address.

Container Type

Type of container holding the content of this transaction.

Container Violation

Container condition, such as password protection, or deep nesting of archives.

Content Type Name

Name of the Content Type.

HTTPS Certificate Validation Mismatch

Defined Certificate Validation errors.

Digital Signature Violation

Type of violation of digital signature.

Direction

Direction (Incoming or Outgoing) of the transaction.

Domain

End-user NTLM domain name.

File Extension

File extension of the content.

File Name

File name as extracted from the URL. Please note that not all URLs contain file names (i.e. this placeholder may appear blank).

File size

Size of the file (bytes). Currently, the file size appears without the unit after it. Please add the word "bytes" to make it clear to the end-user.

Header Fields

Header Field names associated with the transaction.

HTTPS Policy Name

Name of the HTTPS Policy enforced on the transaction (as shown in Management Console Policies).

ID

Unique transaction ID which can be matched in the Management Console log view.

Identification Logging Policy Name

Name of the Identification Logging Policy enforced on the transaction (as shown in Management Console Policies).

Identification Policy Name

Name of the Identification Policy enforced on the transaction (as shown in Management Console Policies).

IM

IM method.

Logging Policy Name

Name of the Logging Policy enforced on the transaction (as shown in Management Console Policies).

McAfee/Sophos/Kaspersky Virus Name

Name of the virus as identified by one of the AV Scanning Engines.

Policy Name

Policy name currently set to the User or User Group initiating the transaction.

Script Behavior Profile Names

Description of the potentially dangerous script content operation.

Site domain

Domain name of the site that was blocked or coached.

Site URL

URL name.

Size Category

Content Size.

Spyware name

Name of the Spyware as identified by the MCRC Spyware database.

Spoofing Type

Type of spoofed content.

Spyware Description

Description of the spyware as identified by the MCRC Spyware database.

Static Content List

Content found in the Malicious Objects List.

Websense Category

Name of the URL category as defined by the URL categorization engine.

Time Frame

Time Frame for the defined transaction.

Transaction time

Time that the transaction was carried out.

URL List Name

URL List name that appears in a Finjan or customer defined list.

User Name

End-user NTLM name.

The following Place Holders deal with formatting issues:

Bold End

Delineates the end of bold format for a word or phrase.

Bold Start

Delineates the start of bold format for a word or phrase.

New Line

Delineates a new line in the error message.

12.3 Creating a Block/Warn Message

To create a new Block / Warn message:

1. Right-click on the top level heading and select Add Message.

2. Enter the Message Name.

3. In the Message section, enter the required message text. Use the Place Holders to provide the end-user with more information.


Figure 5-31: End User Message

4. Click Save. The new message can now be selected from the Rule Details screen, in the End-User Message drop-down list.

5. If you need to modify this message in the future, click Edit and make your changes.


The end result of this message page is either a Coach/User Approval (Warning) message or a Page Blocked message sent to the end-user as in the following example.

NOTE: For a full list of the pre-defined Block / Warn Messages that will appear in the Page Blocked/Coach/User Approval messages and their corresponding Security Rule (where applicable), please refer to Appendix B: Block / Warn Messages.
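The Place Holders described above are substituted with values from the blocked transaction when a Block/Warn message is displayed. The renderer below is an added example, not Finjan's or Trustwave's code: it assumes a {Place Holder Name} token syntax (the product's real syntax is not documented here) and constructed sample transaction values, and it shows why data placeholders such as Site URL and File Name, which come from the request being blocked, must be HTML-escaped before they land in the block page, while the formatting placeholders map to markup and File size gets the "bytes" unit the table recommends.

```python
"""Added example (not Finjan/Trustwave code): render a Block/Warn message
from free text plus Place Holders.  The '{Place Holder Name}' token syntax
and the sample transaction values are assumptions constructed for this
example; the real product's placeholder syntax is not given in the guide."""
import html
import re

# Formatting placeholders from the table map to HTML fragments, not to
# transaction data, so they are emitted verbatim.
FORMATTING = {
    "Bold Start": "<b>",
    "Bold End": "</b>",
    "New Line": "<br>",
}

TOKEN = re.compile(r"\{([^{}]+)\}")


def render_message(template, values):
    """Replace every {Place Holder} in template with its value.

    Data placeholders (Site URL, File Name, ...) describe the transaction and
    may be influenced by whoever controls the blocked site, so they are
    HTML-escaped before being placed in the page.  A placeholder with no value
    is rendered blank, matching the guide's note that File Name may be empty.
    """
    def sub(match):
        name = match.group(1).strip()
        if name in FORMATTING:
            return FORMATTING[name]
        value = values.get(name, "")
        if name == "File size" and value != "":
            # The guide says the size is emitted without a unit; add "bytes".
            value = f"{value} bytes"
        return html.escape(str(value))
    return TOKEN.sub(sub, template)


# Constructed sample transaction (assumed values).  The URL carries a script
# fragment so the test can show that escaping keeps it inert in the page.
SAMPLE_VALUES = {
    "Site URL": "http://example.invalid/dl?x=<script>alert(1)</script>",
    "File Name": "setup.exe",
    "File size": 1048576,
    "Policy Name": "Default Policy",
    "ID": "TX-0001",
}

# Constructed sample message mixing free text and Place Holders.
SAMPLE_TEMPLATE = (
    "{Bold Start}Access to {Site URL} was blocked.{Bold End}{New Line}"
    "File {File Name} ({File size}) violates policy {Policy Name}.{New Line}"
    "Transaction ID: {ID}"
)

if __name__ == "__main__":
    print(render_message(SAMPLE_TEMPLATE, SAMPLE_VALUES))
```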


Figure 5-32: Page Blocked Message to End-User

12.4 Message Template

In this screen, you can edit the template for the End-User Message.

To edit a Message page:

1. In the Select Action to Edit drop-down list, select either the Block Page or one of the Warning message pages.

2. Click Preview Window to see the actual message that is displayed on the end-user's computer.

3. Select the Back button on the right-hand side of the screen to reveal the code for the Back button. Next, select Preview in pane to see the actual look of the Back button.

4. Select the Redirect button to reveal the code for the Redirect button. Next, select Preview in pane to see the actual look of the Redirect button.

5. Click Save to apply changes. Next, click .

CHAPTER 6

LOGS AND REPORTS

1 Introduction to Logging

The Log Server logs all transactions according to a defined logging policy. The Logs screens incorporate a number of viewing and configuration options, all of which can be used to help you view the logging data in line with your requirements. There are three log types, as described in the following table:

Log Type | Description

Web Log

Displays all Web-surfing transactions of users in your network.

Audit Log

Displays all changes made or actions taken from the Management Console, including tracking the creation of, and changes to, policies, as well as system configuration.

System Log

View events that have taken place in the system, for example, updates that have been installed, a module that is not responding, and so on.

Figure 6-1: Logs and Reports Directory

2 Web Logs View

This screen displays all Web-surfing transactions of users assigned to you in your network. The super administrator will see a Web View with logs belonging to all other administrators in Vital Security. System administrators will see those Logs belonging to User groups assigned to them or according to the specific Permissions given. The logs show user transactions that have been blocked, allowed or coached, all depending on the Policy requirements that are assigned to them.

Figure 6-2: Web Logs View

Profile Settings allow you to choose which columns to display here. Please refer to Web Logs - Profile Settings.

Time Period: You can view the Web transactions according to the Logs List. This drop-down list displays the available time frames of the transactions. Each date corresponds to the log information stored for that period of time.

Profile: You can choose the profile from the drop-down list. The Profile includes the columns for display in the Web Log view as well as filtering specifications for each log entry. These can be set via the Profile Settings tab at the bottom right of the screen.

You can search for a transaction using the unique item ID (Transaction ID) number field. You can also browse the pages using the Previous / Next buttons at the bottom of the page.

Admin Group: You can view the web logs of other administrator groups depending on the permissions granted to you in Permissions. The drop-down list displays the logs belonging to the user groups of the administrators; these can be viewed only one at a time.

Log Cleanup: You can delete all the log entries in the table for a fresh start by clicking on Log Cleanup. This only appears for Web Logs.

NOTE: Blocked transactions can be allowed (and vice versa) by redefining the appropriate Security Policy. In addition - the current Logging Policy can also be redefined to change the data you see in the Web Logs view.


For each transaction, the following options are available by clicking

Option | Description

Details

Opens up the Transaction Details screens which provide more information on the transaction.

Details in new window

Opens up a new window with the Transaction Details screens which provide more information on the transaction.

Add to URL list

Adds the URL to the required URL list thus allowing it to be blocked/allowed in the Security Policy.

2.1 Add to URL List

You can add the URL from the Web log entry to a choice of URL Lists, thereby allowing it to be blocked or allowed within the end-user's Security Policy.

2.2 Web Logs - Profile Settings

At the bottom of the Web Logs screen is the Profile Settings button. Clicking on this button takes you to the Profile tab which allows you to create the columns and conditions you want for your Log Entries. The Profile options at the top of this screen allow you to choose the Profile that accurately reflects the columns you want displayed and the type of log entries within. Finjan provides a predefined Profile Default View.

To create a new profile:

1. Click on New Profile and add in the required name.

2. In the General tab, enter the required seconds to refresh the information in the Log View.

3. Enter the number of items to be displayed.

4. In the Displayed Columns section, select the columns you want displayed in the Log viewing screen.


Figure 6-3: Web Logs: Create a new profile

5. Either click OK to save your Profile Settings and return to the Web Log view, or click on the Filter tab and define conditions for the Log retrieval and display. Please see Filter for more information.

General

At the top of the General tab are the following options:

Field Name | Description

Refresh Interval (in seconds)

Defines the interval between updates of items displayed in the viewer.

Entries in table

Defines the number of items to be displayed. Please note that the maximum number of items in the Log table is 120.

The General tab also displays a list of potential column headings that can be displayed in the Log View screen. The following columns can be selected for display in the Web Logs view:

Field Name | Description

Transaction ID

Unique ID which identifies the specific transaction.

Transaction Time

Time and date that the transaction took place.

Action

Rule Action (Block, Allow, Coach or Block HTTPS, Bypass, Inspect or User Approval).

Active Content List Found

Active Content List that matched the content in this transaction.

Chapter 6 - Logs and Reports138

Page 146: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

Anti-Virus (McAfee, Sophos, Kaspersky)

Virus detected by one of the Anti-Virus engines.

Authenticated Domain

User Domain as provided by NTLM or basic authentication

Vital Security User Name

Name of the user defined in the Users tab who requested the transaction.

Parent Archive Type

Parent Archive Type that matched the content in the transaction

Security Policy Name

Name of the Security Policy used to process the transaction.

HTTPS Policy Name

Name of the HTTPS Policy used to process the transaction.

Identification Policy Name

Name of the Identification Policy used to process the transaction.

Protocol Protocol that was used by the end-user.URL Category (IBM/Websense)

URL Category that matched the content in this transaction

Coach Page Displays the Coach PageRevision Configuration number of the device.Security Rule Name Name of the Security rule used to process the transaction.IM/P2P Protocol Name of the IM/P2P protocol used by the end user.Header Field Header Field that matched the content in this transaction.X-Ray Mode Defines whether or not the transaction was processed in X-

Ray mode. If X-Ray mode is enabled, the log view shows what would have happened to the transaction had the rule/policy been active.

File Name Name of the file specified in the requested URL.File Extension File extension (including Multiple Extension) that matched

the content in this transaction.URL URL that the user browsed to.Coach Bypass Displays Coach Bypass informationSite Displays Internet main domain addressBlock Reason Reason chosen for the Rule that blocked the content and

displayed to end user.Behavior Profile (Binary)

Behavior Profile that matches the blocked transaction

True Content Type True Content Type that matches the blocked transactionAuthenticated User Name

User Name as provided by NTLM or basic authentication.

Client IP Client IP address of the end userScanning Server IP Scanning Server IP address of the end user

Field Name Description

139 Chapter 6 - Logs and Reports

Page 147: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

2.2.1 Filter

Using the Filter view, you can fine-tune the range of data to be viewed.

To define a filter for the Web view:

1. In the Filter tab, click to add a new row.
2. From the Field drop-down list, select the required filter, for example Vital Security User Name.
3. From the Operator drop-down list that appears, select the relevant parameter, for example Equals. For each log data type selection, different fields are displayed to enable the filter creation.
4. Depending on the log data type selection, either an additional drop-down list or a blank field is displayed. Either select an entry from the drop-down list or enter a numerical value or text definition in the Value field to complete your initial filter selection.
5. A filter selection that includes AND together with OR may need clarification with parentheses as to whether the OR is included or excluded (that is, which sub-expression is to be evaluated first). Enter a left parenthesis character ( in the left parentheses box, and then enter a right parenthesis character ) at the end of the following added row, after all log data types have been selected.

Figure 6-4: Define a filter for the Web view

6. Continue by using the OR / AND buttons to add additional conditions to your filter selection.

7. Click OK in order to save Profile Settings and return to the Web Log view.

NOTE: The filter will display different fields for the Web view, Audit view and System Log view.


2.3 Transaction Details

For each transaction entry in the Web Logs, there is an option (by clicking on the icon) to view transaction details. Clicking on this option redirects you to the Transaction Details screen, which contains the Details screen and the Request and Response part of the transaction entry where relevant. The Details screen contains the following tabs:

Details: Transaction
Details: User
Details: Policy Enforcement
Details: Content
Details: Scanning Server

2.3.1 Details: Transaction

The Transaction tab contains the following fields:

Field - Description

Transaction ID - Unique ID which identifies the specific transaction as displayed in the End User Message, and which is useful when following up a blocked transaction for the end user. It is advisable to have the Transaction ID displayed at all times. However, even if you have chosen not to display this column heading, you can still search for it in the Logs.
Transaction Time - Time and date that the transaction took place.
URL - URL that the user browsed to.
Protocol - Protocol that was used by the end-user.

2.3.2 Details: User

The User tab contains the following fields:

Field - Description

Vital Security User Name - Name of the user defined in the Users tab who requested the transaction.
Client IP Address - IP address of the end-user.
Authenticated User Name - User Name as provided by NTLM or basic authentication.
Authenticated Domain - User Domain as provided by NTLM or basic authentication.

2.3.3 Details: Policy Enforcement

The Policy Enforcement tab contains the following fields:

Field - Description

Action - Rule Action (Block, Allow, Coach or Block HTTPS, Bypass, Inspect or User Approval).
X-Ray Mode - Defines whether or not the transaction was processed in X-Ray mode. If X-Ray mode is enabled, the log view shows what would have happened to the transaction had the rule/policy been active.
Security Policy Name - Name of the Security Policy used to process the transaction.
HTTPS Policy Name - Name of the HTTPS Policy used to process the transaction.
Identification Policy Name - Name of the Identification Policy used to process the transaction.
Block Reason - Message sent to the end-user explaining the reason the content was blocked.
Security Rule Name - Name of the Security rule used to process the transaction.
Security Rule Description - Text that appears in the Rule Description field.
HTTPS Rule Name - Name of the HTTPS rule used to process the transaction.
Identification Rule Name - Name of the Identification rule used to process the transaction.
Identification Status - Whether identification succeeded or not.

2.3.4 Details: Content

The Content tab contains the following fields:

Field - Description

File Name - Name of the file specified in the requested URL.
Behavior Profile (Binary) - Behavior profile (binary) that matched the content in the transaction.
True Content Type - True Content Type that matched the content in the transaction.
Behavior Profile (Script) - Behavior profile (script) that matched the content in the transaction.
Parent Archive Type - Parent Archive Type that matched the content in the transaction.
Active Content List - Active Content List that matched the content in this transaction.
File Extension - File extension (including Multiple Extension) that matched the content in this transaction.
Header Field - Header Field that matched the content in this transaction.
URL Category (Websense/IBM) - URL Category that matched the content in this transaction.
Anti-Virus (Sophos/McAfee/Kaspersky) - Virus detected by one of the Anti-Virus engines.

2.3.5 Details: Scanning Server

The Scanning Server tab contains the following fields:

Field - Description

Scanning Server IP - IP address of the Scanning Server that scanned this transaction.
Revision - Configuration number of the device.

2.3.6 Request and Response Phases

For each transaction, the content will be scanned on the request and/or the response phase, depending on the nature of the content and the nature of the rule that it triggered. The information displayed in these screens will depend on the nature of the transaction and will be useful in determining why the transaction was blocked.

3 System Log View

The System Log View displays information relevant to the components of the Vital Security Appliance. At the bottom of the System Logs screen is the Profile Settings button. Clicking on this button takes you to the Profile tab which allows you to create the columns and conditions you want for your Log Entries. Please refer to System Logs - Profile Settings.

Figure 6-5: System Log View

3.1 System Logs - Profile Settings

The Profile options at the top of this screen allow you to choose the Profile that accurately reflects the columns you want displayed and the type of log entries within. Finjan provides a predefined Profile Default View.

To create a new profile:

1. Click on New Profile and add in the required name.
2. In the General tab, enter the required seconds to refresh the information in the Log View.
3. Enter the number of items to be displayed.
4. In the Displayed Columns section, select the columns you want displayed in the Log viewing screen.

Figure 6-6: System Logs: Create new profile

5. Either click OK to save your Profile Settings and return to the System Logs view, or click on the Filter tab and define conditions for the Log retrieval and display. Please see Filter for more information.

General

At the top of the General tab are the following options:

Field Name - Description

Refresh Interval (in seconds) - Defines the interval between updates of items displayed in the viewer.
Entries in table - Defines the number of items to be displayed. Please note the maximum number of items in the Log table is 120.

The General tab displays a list of potential column headings that can be displayed in the System Log View screen. The following columns can be selected for display in the System Logs view:

Field Name - Description

Log ID - Uniquely identifying number.
Severity - Either error (when something is wrong) or normal.
Sender - Affected module.
Device IP - IP of the affected Device.
Time - Time and date the activity took place.
Message - Details the action that happened.

3.1.1 Filter

Using the Filter view, you can fine-tune the range of data to be viewed.

To define a filter for the System Log view:

1. In the Filter tab, click to add a new row.
2. From the Field drop-down list, select the required filter, for example Device IP.
3. From the Operator list that appears, select the relevant parameter, for example Equals. For each log data type selection, different fields are displayed to enable the filter creation.
4. Depending on the log data type selection, either an additional drop-down list or a blank field is displayed under Value. Either select an entry from the drop-down list or enter a numerical value or text definition in the Value field to complete your initial filter selection.
5. A filter selection that includes AND together with OR may need clarification with parentheses as to whether the OR is included or excluded (that is, which sub-expression is to be evaluated first). Enter a left parenthesis character ( in the left parentheses box, and then enter a right parenthesis character ) at the end of the following added row, after all log data types have been selected.
6. Continue by using the OR / AND buttons to add additional conditions to your filter selection.

NOTE: The filter will display different fields for the Web view, Audit view and System Log view.

Figure 6-7: System Logs: Define filter

7. Click OK in order to save Profile Settings and return to the System Log view.
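The same Field / Operator / Value rows, with the optional parentheses and the AND / OR buttons, make up both the Web Logs filter (2.2.1) and the System Logs filter (3.1.1). The following is an added example, not code from the guide or the appliance, that evaluates such rows against constructed log entries and shows how the result changes when the parentheses of step 5 are left out; it assumes AND binds more tightly than OR and that "Not Equals" exists as an operator, neither of which the guide states, and the user names sarah and nicole are made up.

```python
# Added example, not code from the guide or the appliance. Assumed, not stated on
# the page: AND binds more tightly than OR unless parentheses say otherwise, and
# "Not Equals" exists as an operator alongside "Equals".
from dataclasses import dataclass

@dataclass
class FilterRow:
    field: str
    operator: str
    value: str
    left_paren: bool = False   # "(" typed in the left parentheses box
    right_paren: bool = False  # ")" typed at the end of the row
    joiner: str = ""           # "AND" or "OR" button linking to the next row

def row_matches(row, entry):
    """Apply one row's operator to the entry's value for that field."""
    actual = str(entry.get(row.field, ""))
    if row.operator == "Equals":
        return actual == row.value
    if row.operator == "Not Equals":
        return actual != row.value
    raise ValueError(f"unsupported operator: {row.operator}")

def tokenize(rows):
    """Flatten rows into a token stream of '(', row, ')', 'AND', 'OR'."""
    tokens = []
    for i, row in enumerate(rows):
        tokens += (["("] if row.left_paren else []) + [row] + ([")"] if row.right_paren else [])
        if i < len(rows) - 1:
            if row.joiner not in ("AND", "OR"):
                raise ValueError(f"row {i} needs an AND or OR joiner")
            tokens.append(row.joiner)
    return tokens

def entry_matches(rows, entry):
    """Recursive descent over the tokens: or_expr := and_expr (OR and_expr)*,
    and_expr := atom (AND atom)*, atom := '(' or_expr ')' | row."""
    tokens, pos = tokenize(rows), 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None

    def or_expr():
        nonlocal pos
        result = and_expr()
        while peek() == "OR":
            pos += 1
            result = and_expr() or result  # right side always consumed
        return result

    def and_expr():
        nonlocal pos
        result = atom()
        while peek() == "AND":
            pos += 1
            result = atom() and result
        return result

    def atom():
        nonlocal pos
        tok = peek()
        if tok == "(":
            pos += 1
            inner = or_expr()
            if peek() != ")":
                raise ValueError("missing right parenthesis")
            pos += 1
            return inner
        if isinstance(tok, FilterRow):
            pos += 1
            return row_matches(tok, entry)
        raise ValueError(f"unexpected token {tok!r}")

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses in filter")
    return result

def apply_filter(rows, entries):
    """Return the Transaction IDs of the entries the filter keeps."""
    return [e["Transaction ID"] for e in entries if entry_matches(rows, e)]

# Constructed sample Web Log entries, not real appliance data.
SAMPLE_ENTRIES = [
    {"Transaction ID": 1, "Vital Security User Name": "sarah", "Action": "Block"},
    {"Transaction ID": 2, "Vital Security User Name": "sarah", "Action": "Coach"},
    {"Transaction ID": 4, "Vital Security User Name": "nicole", "Action": "Coach"},
]

# Rows as typed into the Filter tab: user Equals sarah AND ( Block OR Coach ).
WITH_PARENS = [
    FilterRow("Vital Security User Name", "Equals", "sarah", joiner="AND"),
    FilterRow("Action", "Equals", "Block", left_paren=True, joiner="OR"),
    FilterRow("Action", "Equals", "Coach", right_paren=True),
]

# Same rows without parentheses: AND binds first, so nicole's Coach entry (4) slips in.
WITHOUT_PARENS = [
    FilterRow("Vital Security User Name", "Equals", "sarah", joiner="AND"),
    FilterRow("Action", "Equals", "Block", joiner="OR"),
    FilterRow("Action", "Equals", "Coach"),
]
```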

4 Audit Log view

The Audit Log view allows you to keep track of changes all administrators have made to the Vital Security Management Console. The Audit Log records all changes made or actions taken from the Management Console, including tracking the creation of, and changes to, policies, as well as system configuration. At the bottom of the Audit Logs screen is the Profile Settings button. Clicking on this button takes you to the Profile tab which allows you to create the columns and conditions you want for your Log Entries. Please refer to Audit Logs - Profile Settings.

Figure 6-8: Audit Log View


4.1 Audit Logs - Profile Settings

The Profile options at the top of this screen allow you to choose the Profile that accurately reflects the columns you want displayed and the type of log entries within. Finjan provides a predefined Profile Default View.

To create a new profile:

1. In the Audit Log screen, click Profile Settings.
2. Click on New Profile and add in the required name.
3. In the General tab, enter the required seconds to refresh the information in the Log View.
4. Enter the number of items to be displayed.
5. In the Displayed Columns section, select the columns you want displayed in the Log viewing screen.

Figure 6-9: Audit Logs: Create new profile

6. Either click OK to save your Profile Settings and return to the Web Log view, or click on the Filter tab and define conditions for the Log retrieval and display. Please see Filter for more information.

General

At the top of the General tab are the following options:

Field Name - Description

Refresh Interval (in seconds) - Defines the interval between updates of items displayed in the viewer.
Entries in table - Defines the number of items to be displayed. Please note the maximum number of items in the Log table is 120.

The General tab displays a list of potential column headings that can be displayed in the Log View screen. The following columns can be selected for display in the Audit Logs view:

Field Name - Description

Log ID - Unique identifying number.
Activity - Details what action was taken.
Time - Defines the time and date it took place.
Admin ID - Defines which administrator logged in.
Client IP - IP address of the administrator.
Device IP - IP address of the device that had changes made to it.

4.1.1 Filter

Using the Filter view, you can fine-tune the range of data to be viewed.

NOTE: The filter will display different fields for the Web view, Audit view and System Log view.

5 Reports

Reports are an essential component of the Vital Security Appliance. They enable you to analyze the activity and performance of the system based on data stored in the Reports database. The Reports screen provides many predefined Reports divided into meaningful categories. Please see Appendix A for a detailed list of all Reports. The Reports that you run will only include data from those Users that you are responsible for (as defined in the Permissions tab). Super Administrators will be able to see all Users.

NOTE: Before generating any report, in order to ensure that log information is being generated, make sure that the Send to Report checkbox is selected in Logging Policy Rule: Logging Action.


Figure 6-10: Reports

The following right-click options are available from the Reports tree:

Option - Description

Schedule Reports - Opens the Scheduling screen which enables you to decide, for any report, when you want it to be generated, where you want it to be sent to, and in what format. Refer to Schedule Reports, Report Target and Report Format.
Available Reports - Opens a screen showing all the Available Reports, if you have selected Enable Available Reports in Report Target.

5.0.1 Schedule Reports

This is located in the right-click menu from any given Report. Select the Enable Scheduling checkbox at the top of the screen to activate scheduling of Reports. You can schedule the report to run at any or all of the following time options in the Report Schedule section.

Field - Description

Daily at a specific time (hh:mm) - The report will cover all transactions of the previous day.
Weekly on a specific day of the week at a specific time (hh:mm) - This report will cover all transactions from the previous seven days.
Monthly at a specific time (hh:mm) - This will run on the first day of every month at the specified time. This report will cover all transactions from the previous month.

NOTE: A Report time range may span several internal databases - due to size constraints. When this happens, several reports will be created - each relating to a different time frame.


Figure 6-11: Report Schedule

5.0.2 Report Target

Reports can be sent to one or more of the targets detailed in the following table.

Field - Description

Enable Available Reports - If this is selected, the report will be stored on the appliance and will appear in the Available Reports screen. Note that there is a space limitation of 1 GB for locally saved reports and that older reports will be erased once this limit is reached.
Export Report - If this is selected, the report is exported to the network location defined in Exported Reports Location.
Email - Reports can be sent to multiple email addresses. Click on the icon to add and delete email addresses.

Figure 6-12: Report Target

5.0.3 Report Format

The options in this section will display differently depending on the options you have chosen in the Report Editor Wizard. The only constant option in this section is the View As option. Below are some of the most common options displayed.

Field - Description

Vital Security User Name - You can select any or all of the Users or User Groups that you want to run Reports for.
Run separately for each group - Allows you to run separate reports for each group.
View As - This is the output of the Report. In the drop-down list, you can choose between HTML, PDF, Excel and CSV.
Top results number - Enables you to choose a specific number of items to be included in your Report.

Figure 6-13: Report Format

5.1 Available Reports

This screen displays all the Reports that you configured in the Schedule Reports screen provided you selected Enable Available Reports.

5.2 Report Categories

Reports are divided into categories for ease of use.

5.3 Show Report

The Generate Reports Request screen displays whenever a Report is selected from the Reports tree. The following information should be defined.

Field - Description

Name - Predefined Name of the Report.
Description - Provides a predefined description for the Report.
Time Period - Select the time period. This is the time for which there is log information for the Report. This is defined in Database Granularity.
Transaction Time - Select a more precise time frame within the Time Period defined above.
Vital Security User Name - Select any number of User Groups that you want to run Reports for.
Report Type (where relevant) - Select the type of report, such as pie chart, bar chart etc.
Top Results Number (where relevant) - Select a number to show the top results in that Report.
View As - This is the output of the Report. In the drop-down list, you can choose between HTML, PDF, Excel and CSV.

The following is an example of a report request screen.

Figure 6-14: Generate Reports - Potentially Malicious Websites

Click Show Report to generate the Report.

Below is an example of generating a potentially malicious website report.

NOTE: All generated reports are sorted by the first column.


Figure 6-15: Potentially Malicious Websites report example

6 Exported Reports Location

This screen defines the method and location to send the exported Scheduled Reports. Individual reports can be scheduled in the Reports tab to run at various times. The following connection methods are available in the Connection method drop-down list and explained in the table below:

Connection Method - Description

None - An external Reports location method is not used. (This is the default option.)
FTP - Connects via regular File Transfer Protocol methods.
FTP Passive - Connects via File Transfer Protocol; there is a firewall located between the Policy Server and the remote FTP site.
Samba - Connects via the Server Message Block (SMB) communication protocol.
SFTP - Connects via the Secure File Transfer Protocol.

Your selected Connection Method determines the content used to define your Report Location, User to connect with and Password fields.

If you selected - Then

None - No information can be entered.
FTP - The Report Location must include the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP. The User to connect with is the user name used when connecting to the Report Location. The Password should be the password used by the above user.
FTP Passive - The Report Location must include the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Report Location. The Password should be the password used by the above user.
Samba - The Report Location must include the server IP address and directory for your selected location, in the following format: //address/dir, for example, //192.168.1.10/archive. The User to connect with must include the workgroup name and the user name used when connecting to the Report Location, in the following format: workgroup/user, for example, marketing/nicole. The Password should be the password used by the above user.
SFTP - The Report Location must include the server IP address for your selected location, for example, 10.194.5.104/. The User to connect with is the user name used when connecting to the Report Location. The Password should be the password used by the above user.

CHAPTER 7

ADMINISTRATION

The Administration menu contains various sub-sections which allow you to configure the system components and manage global settings.

Figure 7-1: Administration Menu

The Administration Menu contains the following options:

Administrators - Allows you to create administrators and administrator groups and assign permissions on the various configuration options within the Management Console.
System Settings - Allows you to configure the following: Finjan Devices, External Devices, Scanning Options, Scanning Engines, Digital Certificates and Console Timeout.
Rollback - Used for rolling the system back to a previous stable state. This comprises the Backup and Restore functions.
Export/Import - Allows you to export Security Policies, HTTPS Policies, Identification Policies and Identification Logging Policies, as well as their conditions, from one Policy Server and import them into another.
Updates - Allows you to configure and upload the various updates for both security and software releases onto your Appliance.
Alerts - Allows you to monitor the main modules and components of the system and notify you of system events, application events or update events (via Email or SNMP).
System Information - Provides a simple way for the administrator to view the status of the system with respect to license and module information.
Change Password - Allows an administrator to change his/her password.

1 Administrators

The Management Console can support multiple administrators working within the system. This function provides administrators with different permissions on classes (such as Policies or Logs) and on specific items (such as a specific security policy or URL list). This granularity addresses two issues relating to administrator management:

Roles - In a typical organization, different administrators have different roles; for example, one administrator can be responsible for security settings, another administrator is responsible for system settings and a third administrator requires only a monthly view of the system. This functionality is achieved by providing the different administrators with different permissions on the functions, i.e. the security administrator will have full permissions on Policies and Condition Settings and read permission on Logs and Reports, the System administrator will have full permission on System functionality and no permission on all other functionality, etc.

Separate management - There are deployments where the system supports multiple departments or companies, each having its own administrators, and there is no data sharing. This scenario is addressed using administrator groups. An administrator group is associated with one or more user groups it manages and the actual data which is relevant for them, for example, a security policy. Within an administrator group, administrators can be defined, each with its own role, as previously explained.

The data relevant to the user group, such as a specific security policy or URL white list, is managed by the relevant administrator group. Therefore, each administrator group is granted permissions to each of the data objects such as security policy, URL list, etc. As a consequence, all administrators within an administrator group share the same permissions on all data objects, even though they will have different roles. Administrators from different Groups can be granted permissions to see elements such as Policies, Logs etc. belonging to other Administrator Groups. Super Administrators are not limited by the above constraints and can see all the Management Console options for all user groups.

1.1 Default Permissions

This screen displays the baseline defaults for administrators in the Management Console. These defaults are preconfigured by Finjan for easy permissions assignment and cannot be edited.


The Permissions grid on this screen contains the following information:

Class
  Description: Class is any entity within the Management Console. It can be a stand-alone entity or it can contain other objects within it.
  Example: Header Fields, Import/Export, Security Policies

Sub-Class
  Description: Group with permissions for the objects. Finjan = default permissions; My = My administrator group or any administrator group I am responsible for; Other = Any administrator group outside of my jurisdiction.
  Example: N/A

Object
  Description: Object within a class.
  Example: (Header Fields) Media Players

Default Values
  Description: Default Permissions which are granted when no other permissions have been defined.
  Example: Update = can make changes, create new objects, etc.; View = can view classes/objects only; None = has no permissions to this object/class.

Figure 7-2: Default Permissions

1.2 Administrator Group Details

Click Edit to change the values in this screen. Use Save after editing this screen. The administrator group details screen contains the following information:

Field - Description

Group Name - Name of the Administrators Group (e.g. Finance, Marketing).
Notes - You can write here a description of the group.
Password expiration after x days - Select the required number of days after which the administrators in this group will be forced to replace the password.
Enforce secure password - If checked, the passwords must use at least 3 of the following criteria: contains [A-Z]; contains [a-z]; contains [0-9]; contains one of the following [!@#$%^&*()].
Require password change on first login - If checked, then a new administrator in this group will need to change the password on first login.
Permissions definition - Refer to Permissions for more information.

Figure 7-3: Administrator Group Details

1.3 Administrator Details

Click Edit to change the values in this screen. Use Save after editing this screen. The administrator details screen contains the following information:

Field - Description

Administrator Name - Name of the Administrator.
Notes - You can write here a description of the group.
Email - Enter the administrator's email address.
Permissions definition - Refer to Permissions for more information.
Password - Change.

Figure 7-4: Administrator Details

1.4 Permissions

The Permissions scheme is based on inverted hierarchy. If at any level no permission (update, view, etc.) is specified, then the default is the setting one level up. If that is not specified, the next level is used, etc. The hierarchical level is both on an administrator level and on a data level. For administrators - permission given for each level can be overridden by the next level - with Administrator being the highest level:Default Permissions Administrator Group AdministratorFor data, permission given for each level can be overriden by the next level with Objects being the highest level:Class Sub-class Object

New Password Enter the password for the administrator.Confirm Password Reenter the password to confirm it.

Field Description


The Permissions Definition grid is divided as follows:

Class: Any entity within the product. It can be stand-alone or it can contain other groups within it. Example: Header Fields, Import/Export, Security Policies.

Sub-Class: Group with permissions attached. Finjan = default permissions; My = My administrator group or any administrator group I am responsible for; Other = Any administrator group outside of my jurisdiction. Note that each individual administrator can have different permissions on the groups that his/her group is responsible for. Example: N/A.

Object: Object within a class. Example: (Header Fields) Media Players.

Default: Default Permissions as defined by a previous hierarchical level. Inverted Hierarchy: each level can override the one above in this order: Administrator, Administrator Group, Default Permissions.

Access: Permissions to be granted. Update = can make changes, create new objects, etc.; View = can view classes/objects only; None = has no permissions to this object/class; Default = whatever is written in the Default column to the left of this one will be the granted permission.

NOTE: Select Web Logs and the administrator groups under Others with the View Access to allow administrators to view Web Logs for Users belonging to other administrator groups.

The Super Administrator group, which is a default administrator group and can contain one or more administrators, has permissions on all objects within all classes.


Figure 7-5: Default Permissions - Super Administrators
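As an added illustration (example code, not part of this guide or the product), the following Python resolves the effective access for a single object from a permission table in which unset cells mean Default. The guide gives the administrator chain and the data chain separately; the order in which this example combines them, and the fallback to None when nothing is set anywhere, are assumptions of the example.

```python
"""Effective-permission lookup for the inverted hierarchy described above.
Added example, not product code. Cells left unset stand for "Default"."""
from typing import Dict, Tuple

# Access values used in the console's Access column.
UPDATE, VIEW, NONE = "Update", "View", "None"

# Administrator chain, lowest to highest precedence (Administrator wins).
ADMIN_LEVELS = ("Default Permissions", "Administrator Group", "Administrator")
# Data chain, lowest to highest precedence (Object wins).
DATA_LEVELS = ("Class", "Sub-Class", "Object")

# Permission table for ONE object path, e.g. Header Fields / My / Media Players:
# (admin level, data level) -> explicit access; a missing key is what the
# console shows as "Default" (inherit from the level above).
PermTable = Dict[Tuple[str, str], str]


def resolve(table: PermTable, admin_level: str = "Administrator",
            data_level: str = "Object") -> Tuple[str, str, str]:
    """Return (access, admin level, data level) of the first explicit setting.

    Assumed combination order: at the requested administrator level walk
    Object -> Sub-Class -> Class; if nothing is set there, drop to the next
    administrator level (Administrator Group, then Default Permissions) and
    repeat. A table with no setting at all yields None access (deny); the
    guide does not state this case, so the fallback is an assumption.
    """
    if admin_level not in ADMIN_LEVELS or data_level not in DATA_LEVELS:
        raise ValueError(f"unknown level: {admin_level!r}/{data_level!r}")
    a_idx = ADMIN_LEVELS.index(admin_level)
    d_idx = DATA_LEVELS.index(data_level)
    for a in reversed(ADMIN_LEVELS[: a_idx + 1]):
        for d in reversed(DATA_LEVELS[: d_idx + 1]):
            if (a, d) in table:
                return table[(a, d)], a, d
    return NONE, "(nothing set)", "(nothing set)"


def explain(table: PermTable, who: str) -> str:
    """One-line audit string: effective access and the level that set it."""
    access, a, d = resolve(table)
    return f"{who}: {access} (set at {a} / {d})"


if __name__ == "__main__":
    # Constructed scenario for Header Fields / My / Media Players.
    finjan_default: PermTable = {("Default Permissions", "Class"): VIEW}
    print(explain(finjan_default, "new admin, no overrides"))  # View

    finance = dict(finjan_default)
    finance[("Administrator Group", "Sub-Class")] = UPDATE  # group-wide grant
    print(explain(finance, "finance admin"))  # Update

    restricted = dict(finance)
    restricted[("Administrator", "Object")] = NONE  # per-administrator override
    print(explain(restricted, "finance admin, Media Players denied"))  # None
```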

2 System Settings

The System Settings menu allows you to configure the following:

Finjan Devices
External Devices
Scanning Options
Scanning Engines
Console Timeout
Digital Certificates
License
Debug Logs


Figure 7-6: System Settings

2.1 Finjan Devices

In the Main Tool bar, navigate to Administration > System Settings > Finjan Devices to display the Devices tree in the left pane. The Devices tree includes a list of device IPs defined in the system.

Figure 7-7: Devices Tree

Each device can be allocated one of the following device roles:

Policy Server: An administration point for system configuration and security policy settings. The settings defined in the Policy Server are pushed to all Scanning Servers so that the system is always updated.

Scanning Server: Scanning Servers scan content and enforce the predefined policy for that content.

Log Server: A short-term centralized repository for transactional information. The transactional information is generated by the Scanning Servers and queued in Log Relays, after which it is aggregated to the centralized repository. By default, the Log Server is installed together with the Policy Server.

Authentication Device: Acts as an HTTP server for requests redirected from the Scanning Server. The Authentication Device authenticates the redirected requests according to the Identification Policy and redirects them back to the Scanning Server. A Scanning Server can also act as an Authentication Device and can self-redirect if necessary.

In addition, there is the Report Server, which generates and distributes reports based on transactional information. By default, the Report Server is installed together with the Policy Server and does not have any configurable settings. You can add devices to your system as well as configure existing ones.

2.2 Available Device Tree Options

The Devices tree includes a list of device IPs defined in the system. The following right-click options for the Devices tree are available:

NOTE: In order for each device to function in the device role you have assigned to it, you need to define initial system settings for each device. Please refer to the Setup and Configuration guide for more information.

Add Device: Available from top-level folder only. Allows you to add a new Device to your deployment.

Add Device by Range: Available from top-level folder only. Allows you to add a new Device (in a certain IP Range) to your deployment.

Delete Device: Available from Device IP.

Set As Default: Available from Module or Module elements. Sets the values defined here for the Module and/or its elements as the default values, which will be displayed under the Scanning Server Default Values folder.

Apply Default Values: Available from Module or Module elements. Applies the default values as displayed under the Scanning Server Default Values folder to the module and/or elements here.

Import Root Certificate (HTTPS only): Enables importing a root certificate. Refer to Import Root Certificate for further details.

Reset all with Default Values: Available from Default Scanning Server Values only. Resets all Scanning Servers with the default values displayed here. Refer to Default Values for more information.

Reset <Name of Module> with Default Values: Available from Default Scanning Server Values. Resets all the specific modules with the default values displayed here. Refer to Default Values for more information.

2.3 Device IP

Clicking on any Device IP address displays the Device IP screen. This screen displays the selected device IP and device type and includes two tabs: the Status tab and the Access List tab. The following fields are available:

Device IP: Defines the IP address of the current device.

Type: Allows you to choose between the available types (e.g. Policy Server, All in One).

The Status tab provides status information on the device such as connection and activity status. The Access List tab enables defining specific IPs or IP ranges controlling access to the Management Access List, the User Access List and access to Vital Security system ports.

2.3.1 Status

The Status tab provides status information on the device such as connection and activity status.


Figure 7-8: Device IP - Status

The following table provides information on the Device IP Status screen:

Sync Status: Defines whether the Device is synchronized with the Policy Server.

Connection Status: Defines whether the device is connected to the Policy Server. Whenever the Connection Status is Not Active, the relevant Server will be displayed in yellow.

Committing Status: Defines whether the device is undergoing a Preparing to Commit status, Committing Changes status or is Stable.

Last Connection Time: Defines the last time this device was connected to the Policy Server. When connected, displays the current time.

Activate: Select to activate the Device Role. Use Select All to select all the devices.

Device Role: Displays the roles which belong to that Device.

Activity Status: Defines whether it is Active or not.

2.3.2 Access List

The Access List tab enables defining specific IPs or IP ranges controlling access to the following:

The Management Access List refers to the Management Console, SSH and SNMP for administrators. For example, in order to block access to the Management Console for other specific administrators, specify only the relevant IP addresses of authorized administrators. When enabled, this list must have at least one IP filled in so that access is not totally blocked to the Management appliances.

The User Access List refers to end-users browsing through the appliance, and is based on the Scanning Server IPs. Using this option, you can allow only specific ranges of end-users to browse through Vital Security, and block other users.

Access to Vital Security system ports refers to a list of device IPs that have access to the Vital Security system.

To enable and edit the Access List feature:

1. Click on the IP address of the device and select the Access List tab.
2. Click Edit on the right pane.
3. Select the Use Access List checkbox.
4. Once enabled, you must define AT LEAST one Management Access List (preferably containing the IP of the machine accessing the Management Console).
5. Click and select Add Row from the drop-down menu. Define the ranges from the smallest IP number to the largest IP number.
6. Similarly, define ranges for any additional User Access lists or Vital Security system ports.
7. To delete an entry, select it and click on in the same row. Select Delete Row from the drop-down menu to remove the list.

Figure 7-9: Enable and Edit Access List

8. Click Save to apply changes. Next, click .


2.3.3 Troubleshooting: Access List

If the Access List is enabled, then modifying the Device IP or the Appliance role, or adding an additional device to the topology, among other things, might cause a loss of connection with the modified device. Connection loss may also affect the connection with other devices in this cluster and the connection for administrators. In order to avoid this, please perform the following procedure on the device you want to make changes to.

When changing roles, IPs or adding additional devices to the tree:

1. Disable the Access List through the Limited Shell using the disable_al command.
2. Perform the change of role, IP or device addition.
3. Enable the Access List through the Limited Shell using the enable_al command.

In situations where the connection to the device is lost or the Access List has not been disabled, Administrators can connect to the device via serial port console and disable the access list.
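The following Python is an added pre-save check (example code, not the product's own) for the Management Access List rows entered in the procedure above: each range must run from the smallest to the largest address, at least one row must exist once Use Access List is enabled, and the rows should cover the address the administrator is connecting from, which is the lockout the troubleshooting note describes. The (from, to) row shape and the sample addresses are constructed.

```python
"""Pre-save checks for a Management Access List. Added example, not product code."""
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_row(from_ip: str, to_ip: str) -> IPRange:
    """Parse one Add Row entry; the guide requires the smallest IP first."""
    lo = ipaddress.IPv4Address(from_ip)
    hi = ipaddress.IPv4Address(to_ip)
    if lo > hi:
        raise ValueError(f"row {from_ip}-{to_ip} must run from smallest to largest IP")
    return lo, hi


def covers(ranges: Iterable[IPRange], ip: str) -> bool:
    """True when ip falls inside any configured range (bounds inclusive)."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in ranges)


def check_management_list(use_access_list: bool,
                          rows: List[Tuple[str, str]],
                          admin_ip: str) -> List[str]:
    """Return the problems that would make Save unsafe; an empty list means OK.

    With the list disabled nothing is enforced. Enabled, it needs at least
    one row, and the rows should include the console session's own address;
    otherwise the device becomes unreachable and the list has to be disabled
    from the Limited Shell (disable_al) or the serial console.
    """
    problems: List[str] = []
    if not use_access_list:
        return problems
    ranges: List[IPRange] = []
    for from_ip, to_ip in rows:
        try:
            ranges.append(parse_row(from_ip, to_ip))
        except ValueError as exc:  # covers malformed addresses too
            problems.append(str(exc))
    if problems:
        return problems
    if not ranges:
        problems.append("Management Access List is empty; at least one row is required")
    elif not covers(ranges, admin_ip):
        problems.append(f"administrator address {admin_ip} is not in any row; "
                        "saving would lock this session out")
    return problems


if __name__ == "__main__":
    # Constructed rows: an admin subnet range and a single jump host.
    rows = [("10.0.0.1", "10.0.0.50"), ("192.168.1.10", "192.168.1.10")]
    for session_ip in ("10.0.0.5", "172.16.0.9"):
        print(session_ip, check_management_list(True, rows, session_ip) or "OK")
```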

2.4 Network Roles

Expand the device IP in the Devices tree to display all the network roles for the specific device. The following network roles are available:

Log Server
Scanning Server
Authentication Device
Policy Server

2.5 Log Server

The Log Server creates log entries to be sent to the Policy Server for viewing via the Management Console. The Log Server contains the following module:

Log Properties

Figure 7-10: Log Server


2.5.1 Log Properties

The Log Properties screen displays the log server for the specified device. This screen contains the following tabs:

Collect Logs From
Syslog
Log Archiving
Database Granularity

To edit the Log Properties screen, click Edit.

2.5.1.1 Collect Logs From

The Log Relay Device section is reserved for situations where there are several devices in your configuration. In this case, the Relay Device IPs are displayed in order to gather log information from the log relays of these devices. The Active checkbox indicates if the device is active or not. The Secured checkbox should be enabled to ensure that messages are sent encrypted for maximum security.

Figure 7-11: Collect Logs From

2.5.1.2 Syslog

The Syslog tab includes Syslog Configuration options. The following table provides information on the Targets Configuration fields:

Primary Syslog IP: Defines the target address and enables/disables sending information to the Primary Syslog Server.

Secondary Syslog IP: Defines the target address and enables/disables sending information to the Secondary Syslog Server.

Send System Log Messages: If checked, System Log messages are sent to Syslog.

Send Scanner Messages: If checked, information from each Log Rule in the dedicated Logging Policy which has Sent to Syslog checked will be sent to Syslog.

Send Audit Messages: If checked, Audit messages (all changes made or actions taken from the Management Console) are sent to Syslog.

Facility Mode: Select one facility mode from the drop-down list; it applies to all message types. The facility option enables you to differentiate between Finjan logs and other platforms' logs on the remote Syslog server.

Figure 7-12: Syslog

2.5.1.3 Log Archiving

The Log Archiving tab includes Log Archiving Location and Log Archiving Scheduling. This tab allows you to send Log information to an external archive location and to schedule when the archives should be sent. Please refer to the How to Use Log Archiving feature description for further information.


Figure 7-13: Log Archiving

Log Archiving Location - The Log Archiving feature enables sending large amounts of information to an external archive location. There are two formats: Basic and Extended. The information is displayed with comma separated values and sent in a Gzip file format. This information can then be imported into an external database for viewing or running reports. The Basic file contains most of the current Log fields available, displayed in the following way:

In order to send the log archives to an external storage location, you must select the Connection Method to be used for connecting to the required location. In addition, you must create the required Logging Policy with the Send to Archive option ticked and have this assigned to the User Group. The following connection methods are available in the Connection method drop-down list and are explained in the table below:

None: An external archive is not used. (This is the default option.)

FTP: Connects via regular File Transfer Protocol methods.

FTP Passive: Connects via File Transfer Protocol; there is a firewall located between the Policy Server and the remote FTP site.

Samba: Uses the Server Message Block (SMB) communication protocol.

SFTP: Uses the Secure File Transfer Protocol.

Your selected Connection Method determines the values used to define your Archive Location, User to connect with and Password fields.

If you selected None: No information can be entered.

If you selected FTP: The Archive Location must include the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.

If you selected FTP Passive: The Archive Location must include the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.

If you selected Samba: The Archive Location must include the server IP address and directory for your selected location, in the following format: //address/dir, for example, //192.168.1.10/archive. The User to connect with must include the workgroup name and the user name used when connecting to the Archive Location, in the following format: workgroup/user, for example, marketing/nicole. The Password should be the password used by the above user.

If you selected SFTP: The Archive Location must include the server IP address for your selected location, for example, 10.194.5.104/. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.

When you click the Test button, an attempt is made to send a test file to the archive location. If the attempt fails, a message pops up. If the operation is successful, the message Archiving Operation Succeeded displays in the bar on the bottom left of the screen. When everything is configured correctly, click Save to activate your changes.

Log Archive Scheduling - you can choose to send the data to the archive location either at a fixed time every day or every number of hours as required.

2.5.1.4 Database Granularity

The Database Granularity tab is used to set how often the report data is stored: on a weekly basis or a monthly basis (i.e. this tab allows you to store Report data at certain defined periods).

Figure 7-14: Database Granularity

Report Database Granularity - This section allows you to store Reports information on either a weekly basis or a monthly basis. The default is monthly. The time field you choose here will directly affect the Reports information that you generate in the Logs and Reports menu. In other words, if you choose to store information on a weekly basis here, then you will only be able to run Reports spanning a 7 day period in the Reports menu. Once the database is full, old information is automatically deleted to make room for new information. This means that if you have chosen to store monthly reports, the information deleted will be in months.

NOTE: You cannot analyze information between the time periods. In other words, each week or month is a separate, discrete information period which cannot be run in a Report in conjunction with other time periods. In order to analyze large amounts of information, it is recommended to use the Log Archiving feature.

2.6 Scanning Server

The Scanning Server is responsible for analyzing and checking all content passing through the system in accordance with the Security Rules. The Scanning Server contains the following modules:

General
HTTP
Authentication
ICAP
FTP
WCCP
HTTPS

2.6.1 General

The Scanning Server General screen displays the general definitions for the specified device. This screen contains options to configure Downloads, Timeout and Transparent Proxy Mode. To edit the Scanning Server Proxy screen, click Edit on the right pane.

2.6.1.1 Downloads

The Downloads tab allows you to configure the maximum scannable size for files downloaded or uploaded via the proxy (in megabytes).

Figure 7-15: Scanning Server - Downloads

2.6.1.2 Timeout

The Vital Security system acts as a Proxy device which handles connections coming from the client to the server. Client Side Timeout is defined as the time between consecutive requests within the client-proxy connection. Server Side Timeout is defined as the time between consecutive content pieces received from the server. It is highly recommended not to modify these timeout options.

Figure 7-16: Scanning Server - Timeout

2.6.1.3 Transparent Proxy Mode

The Vital Security Appliance can work as a transparent proxy. If enabled, FTP and HTTP requests are intercepted by the appliance transparently and passed on to the server (Web or FTP). When multiple scanning servers are used, a layer 4 load balancer appliance should redirect the Web and FTP traffic to the scanning servers using transparency. Transparency in Vital Security works at the IP layer. Traffic must be routed to the Vital Security appliance in order for it to be scanned. For example, the Vital Security scanning server could be specified as the default gateway for client machines.

Select Enable Transparent Proxy Mode to enable FTP and HTTP requests to be intercepted.

Once you select this checkbox, you can configure the FTP and HTTP ports. Only traffic destined for the ports defined in the HTTP Ports and FTP Ports fields is scanned. Traffic on other ports will be passed through. To scan FTP transparently, select the Enable FTP for device checkbox located in Administration > System Settings > Finjan Devices > Scanning Server > FTP. In environments with multiple scanning servers, it is possible to leave some as explicit proxies while configuring others as transparent proxies.

Figure 7-17: Transparent Proxy Mode

To add/delete HTTP Ports and FTP Ports:

1. Click Edit on the right hand pane.
2. Select Enable Transparent Proxy mode.
3. In the HTTP/FTP/HTTPS Ports section, click to add a new row.
4. Enter the Port Range values in the From and To fields.
5. Repeat as many times as necessary. To delete entries, click on the same row as the entry and select Delete Row.
6. Click Save to apply changes. Next, click .


2.6.2 HTTP

The Scanning Server HTTP screen displays the HTTP settings for the specified device. To edit the Scanning Server HTTP screen, click Edit. This screen includes the option to Enable HTTP for Device. When HTTP is enabled, you can disable HTTPS (and vice versa), thus closing the unused ports and tightening up security.

2.6.2.1 HTTP Service

The HTTP Service tab contains HTTP Service settings.

Figure 7-18: HTTP Service

The following table provides information on the HTTP Service:

Listening IP: Defines the IP address for HTTP listening. If this field is left empty, then HTTP listens on all interface cards configured in the system.

Listening Port: Defines the port (the default port is 8080).

2.6.2.2 Advanced

The Advanced tab contains HTTP Advanced settings.


Figure 7-19: HTTP Advanced

The following table provides information on the HTTP Advanced Setting fields:

MAX HTTP Transactions Backlog: Defines the maximum number of queued pending connections waiting to be accepted.

Always try FTP Passive Mode Connection to Server: Check this option in order to enable passive FTP mode when connecting to an FTP server. This is the default mode. If you uncheck it, FTP works only in Active Mode.

Enable Connection-Based Authentication Protocols through Proxy: If an HTTP proxy is used between the client and server, it must take care not to share authenticated connections between different authenticated clients to the same server. If such a connection is shared, the server can easily lose track of security context associations. A proxy that correctly preserves client-to-server authentication integrity supplies the "Proxy-support: Session-Based-Authentication" HTTP header to the client in HTTP responses from the proxy. The client must not use the SPNEGO HTTP authentication mechanism through a proxy unless the proxy supplies this header with the "401 Unauthorized" response from the server. So when this option is turned on, the proxy injects the above header to tell the client it is allowed to authenticate with the web server. This header can only be injected if there are no other proxies between client and server.

Prevent Content Caching by all Downstream Nodes: Enables/disables incoming content from being cached locally. This is disabled by default.

Block Tunneled Protocols (HTTPS): Blocks tunneling through the proxy (CONNECT requests). When enabling HTTPS, both HTTPS scanning and HTTP tunneling on port 443 are enabled on this device. To disable HTTP tunneling, select the Block Tunneled Protocols (HTTPS) checkbox.

Enable Trickling: During download of a large file, enables small chunks of data to be sent periodically to the user in order to prevent timeouts. (Default: enabled)

Client Wait Time (in seconds): Defines the amount of time, in seconds, between trickling portions from the Proxy to the Client. The default value for this is 5 (do not change this default).

Client Side - Version - Persistent: Enables/disables a persistent connection (using HTTP 1.0/1.1) from the end-user.

Server Side - Version - Persistent: Enables/disables a persistent connection (using HTTP 1.0/1.1) to the web server.


2.6.2.3 Upstream Proxy

The Upstream Proxy tab provides settings for upstream proxy configuration.

Figure 7-20: Upstream Proxy

The following table provides information on the HTTP Upstream fields:

Client IP Header: Header information for user identifiers supplied by an upstream proxy.

User Name Header: Specifies the User Name in the Header Field.

Protocol (Protocol - IP Address - Port - Active): For each protocol (HTTP, HTTPS, FTP) click Active and add the required IP address. To use the same proxy for all protocols, select Use for all protocols.

2.6.2.4 Headers

The Headers tab allows you to manipulate Request or Response Headers in the HTTP transaction.


Figure 7-21: HTTP Headers

The following table provides information on the fields.

To add a Header:

1. Click Edit on right pane.
2. In the HTTP Request Headers section, click to add a new row.
3. In the HTTP Response Header section, click to add a new row.
4. Enter the required Header Name, corresponding Value / Source Header, and Action in both sections.
5. Repeat as many times as necessary. To delete entries, click on the same row as the entry and select Delete Row.

6. Click Save to apply changes, Next, click .
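To show what the Action options do to a transaction, here is an added Python example (not product code) that applies a list of Request Header rules, in grid order, to a constructed set of request headers. The header names and values in the sample are made up, and the case-insensitive name matching and the handling of a missing Source Header are assumptions of the example.

```python
"""Apply the Headers tab's rule rows to one set of HTTP headers.
Added example, not product code; semantics follow the Action table."""
from typing import Dict, List, Optional, Tuple

# One grid row as entered in the console: (Header Name, Value / Source Header, Action).
Rule = Tuple[str, str, str]
Headers = Dict[str, str]

ADD, REMOVE, COPY = "Add Header", "Remove Header", "Copy Value to New Header"


def _find(headers: Headers, name: str) -> Optional[str]:
    """Return the stored key that matches name case-insensitively, or None."""
    lname = name.lower()
    return next((k for k in headers if k.lower() == lname), None)


def apply_rules(headers: Headers, rules: List[Rule]) -> Headers:
    """Return a new header map with the rules applied in grid order.

    Add Header: sets Header Name to the literal Value, replacing any existing
    header of that name.
    Remove Header: deletes Header Name if present.
    Copy Value to New Header: sets Header Name to the current value of the
    Source Header; a missing source leaves the map unchanged (assumption).
    """
    out = dict(headers)  # never mutate the caller's map
    for name, value_or_source, action in rules:
        existing = _find(out, name)
        if action == ADD:
            if existing is not None:
                del out[existing]
            out[name] = value_or_source
        elif action == REMOVE:
            if existing is not None:
                del out[existing]
        elif action == COPY:
            src = _find(out, value_or_source)
            if src is not None:
                if existing is not None:
                    del out[existing]
                out[name] = out[src]
        else:
            raise ValueError(f"unknown action {action!r} for header {name!r}")
    return out


if __name__ == "__main__":
    # Constructed request headers and rule rows.
    request = {"Host": "www.example.com",
               "User-Agent": "Mozilla/5.0",
               "x-internal-debug": "trace-on"}
    request_rules: List[Rule] = [
        ("X-Internal-Debug", "", REMOVE),                 # strip an internal header
        ("X-Scanned-By", "example-proxy", ADD),           # mark the transaction
        ("X-Original-User-Agent", "User-Agent", COPY),    # preserve the original UA
    ]
    for k, v in apply_rules(request, request_rules).items():
        print(f"{k}: {v}")
```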

Action drop-down list option: Description

Add Header: Adds the header to the HTTP Request.

Remove Header: Removes the header from the HTTP Request.

Copy Value to New Header: Creates a new header with the information from the Value/Source Header contained within.

2.6.2.5 Allowed Server Ports

The Allowed Server Ports screen allows you to configure ports that the proxy is allowed to connect to for each protocol listed: HTTP, HTTPS, FTP over HTTP.

Figure 7-22: Allowed Server Ports in URI

To add/delete a specific port:
1. Click Edit in the right pane.
2. Select Enable HTTP for Device.
3. In the Enable HTTP for Device section, click to add a new row to Specific Ports for HTTP, Specific Ports for HTTPS, or Specific Ports for FTP over HTTP, as required.
4. Enter the required port range in the From and To fields.
5. Repeat as many times as necessary. To delete an entry, click on its row and select Delete Row.
6. Click Save to apply the changes.

NOTE: These ports are not relevant if you are working in Transparent Proxy Mode.

2.6.3 HTTPS

The Scanning Server HTTPS screen displays the HTTPS configuration for the specified device. HTTPS Scanning is a license-based feature (the fields are active only if you hold the license) that decrypts HTTPS traffic and inspects it for malicious code. It then re-encrypts the communication and forwards it to the end-user, ensuring clean content. Administrators can also set Bypass, Inspect Content and User Approval policies for encrypted traffic in order to gain greater control over the content passing through the system.

This screen includes the option to Enable HTTPS for Device. When HTTPS is enabled, you can disable HTTP (and vice versa), thus closing the unused ports and tightening security.

This screen contains the following tabs:
HTTPS Service
Advanced
Allowed Server Ports

You can import a root certificate by right-clicking on the HTTPS node. Refer to Import Root Certificate for more details. To edit the Scanning Server HTTPS screen, click Edit in the right pane.

2.6.4 Import Root Certificate

This option allows you to import a new root certificate. The root certificate is uploaded once, globally for all scanning servers, and it is this certificate that users see when browsing HTTPS sites through the appliance. Because its private key signs the certificates presented to users for every inspected HTTPS site, protect the key file and its password accordingly.

To import a root certificate:
1. Right-click on HTTPS and select Import Root Certificate from the drop-down menu.
2. In the Certificate field, enter a certificate in PEM or DER format.
3. In the Private Key field, enter the private key in PEM or DER format (or click Browse to select it).
4. In the Private Key Password field, enter the password.
5. Click Upload. If the root certificate has been imported successfully, a message is displayed at the bottom of the screen.

2.6.4.1 HTTPS Service

The HTTPS Service tab allows you to configure the HTTPS Service settings.

NOTE: When enabling HTTPS, both HTTPS scanning and HTTP tunneling on port 443 are enabled on this device. To disable HTTP tunneling, select the Block Tunneled Protocols checkbox in the HTTP Service section of the HTTP screen.

NOTE: The security of the content rests on the HTTPS certificates. Verifying a certificate breaks down into two parts: validating each certificate in the chain, and ensuring that the chain leads back to a trusted authority. A list of trusted Certificate Authorities is maintained by the system and used for SSL certificate validation.


Figure 7-23: HTTPS Service

This table provides information on the HTTPS Service fields.

Field Name: Description
Listening IP: Defines the interface on which HTTPS traffic will be received.
Listening Port: Defines the port that listens for incoming HTTPS requests.

2.6.4.2 Advanced

The HTTPS Advanced tab allows you to configure the protocol settings.

Figure 7-24: HTTPS Advanced
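The following is an added example, not code from the page or from Vital Security: it shows what the protocol-version, cipher-suite and certificate-wildcard settings of the HTTPS Advanced tab amount to on the proxy-to-server side, using Python's ssl module for the handshake floor and a small name matcher for the wildcard rule. The settings dictionary is an assumed configuration (the page's defaults with SSLv3 switched off); the SAN names in the usage call are constructed.

```python
"""Added example (not Vital Security code): HTTPS Advanced settings as a
client-side TLS context plus the certificate-wildcard matching rule."""
import ssl

# Assumed tab values: the page's defaults with SSLv3 switched off.
ADVANCED = {
    "allow_sslv3": False,
    "allow_tlsv1": True,
    "allow_weak_cipher_suites": False,
    "allow_certificate_wildcards": True,
}


def server_side_context(settings=ADVANCED):
    """Outbound (proxy-to-web-server) TLS context mirroring the tab.

    SSLv2 is never offered. A modern OpenSSL cannot speak SSLv3 at all, so
    'Allow SSLv3' only lowers the floor as far as TLSv1; with both legacy
    toggles off the floor is TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must lead to a trusted CA
    ctx.check_hostname = True
    if settings["allow_sslv3"] or settings["allow_tlsv1"]:
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            # Library built without TLS 1.0: nothing lower than its floor exists.
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if settings["allow_weak_cipher_suites"]:
        ctx.set_ciphers("ALL:!aNULL:!eNULL")  # keeps whatever weak suites the library still has
    else:
        ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5")
    return ctx


def name_matches(pattern: str, hostname: str, allow_wildcards: bool) -> bool:
    """Match one certificate name (CN or dNSName SAN) against the requested host.

    A wildcard is honoured only when the tab allows it, only as the whole
    leftmost label, and only for exactly one label (RFC 6125 style), so
    '*.example.com' covers 'www.example.com' but not 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not allow_wildcards:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Whole-label wildcard, no second '*', and at least two fixed labels
    # so that '*.com' cannot match every .com host.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_covers(hostname: str, san_names, settings=ADVANCED) -> bool:
    """True if any name in the certificate matches the host under the tab's wildcard policy."""
    return any(name_matches(n, hostname, settings["allow_certificate_wildcards"])
               for n in san_names)


if __name__ == "__main__":
    ctx = server_side_context()
    print("floor:", ctx.minimum_version.name, "ciphers:", len(ctx.get_ciphers()))
    # Constructed SAN list for illustration.
    print(certificate_covers("www.example.com", ["example.com", "*.example.com"]))
```

Turning Allow Certificate Wildcards off makes the second call return False even though the certificate is otherwise valid, which is the failure mode to expect when a policy contains a Certificate Validation rule and a site presents only a wildcard certificate.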


The following table provides information on the HTTPS Advanced fields.

Field Name: Description
Allow SSLv2: Enables support for the SSLv2 protocol. This option is disabled by default. The protocol is insecure and should not be enabled unless there is a compatibility problem that cannot be solved otherwise.
Allow SSLv3: Enables support for the SSLv3 protocol. This option is enabled by default. SSLv3 has since been deprecated as insecure; disable it unless a legacy server requires it.
Allow TLSv1: Enables support for the TLSv1 protocol. This option is enabled by default.
Use Diffie-Hellman: Enables the use of Diffie-Hellman as the key exchange mechanism between the client and the proxy. This is enabled by default.
Allow weak cipher suites: Allows weak (non-secure) cipher suites to be chosen during the SSL handshake between Vital Security and the HTTPS server. This option is disabled by default.
Allow Certificate Wildcards: Allows support for certificate wildcards. This works in conjunction with an existing Certificate Validation rule: wildcard support is only relevant if a policy contains a Certificate Validation rule.
SSL Handshake Timeout: Defines the time (in seconds) after which an unresponsive SSL handshake is timed out.
Max HTTPS Transactions Backlog: Defines the maximum number of outstanding connection requests to be served by the system. Further connection requests beyond this number time out. The default value is 36.
HTTPS Timeout: Defines the time (in seconds) after which an idle connection is timed out.

NOTE: If Allow SSLv2 is selected, a message appears stating that this protocol is less secure than SSLv3/TLSv1 and may compromise your encrypted data. To confirm the selection you must click OK.

2.6.4.3 Allowed Server Ports

The HTTPS Allowed Server Ports tab allows you to configure the ports allowed for each protocol. For example, the end-user sends the request to the proxy on port 8443, which is the port on which Finjan is listening for HTTPS, but the original server listens on port 444.


Figure 7-25: Allowed Server Ports


To add/delete a specific port:
1. Click Edit in the right pane.
2. Select Enable HTTPS for Device.
3. In the Enable HTTPS for Device section, click to add a new row.
4. Enter the required port range in the From and To fields.
5. Repeat as many times as necessary. To delete an entry, click on its row and select Delete Row.
6. Click Save to apply the changes.
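The following is an added example, not code from the page or from Vital Security: it reconstructs the check that the Allowed Server Ports tables of the HTTP screen (2.6.2.5) and the HTTPS tab above express, applied to the request line a forward proxy receives. The port ranges are an assumed configuration, not the appliance defaults; the HTTPS row keeps the page's own case of a server on port 444 behind a proxy listening on 8443.

```python
"""Added example (not Vital Security code): Allowed Server Ports as a
fail-closed destination-port check on proxy request lines."""
from urllib.parse import urlsplit

# One (From, To) row per line of the Specific Ports tables. Assumed values.
ALLOWED_PORTS = {
    "http": [(80, 80), (8000, 8099)],
    "https": [(443, 444)],   # proxy listens on 8443, origin may be on 444
    "ftp": [(21, 21)],       # FTP over HTTP
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def destination(request_line: str):
    """Return (protocol, port) of the origin server a proxy request targets.

    CONNECT host:port is the HTTPS tunnel form; anything else must be an
    absolute URI whose scheme the proxy handles. The request-line form is
    the only place the origin port is visible, so it is the thing to check.
    """
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        raise ValueError("malformed request line") from None
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return "https", int(port)
    parts = urlsplit(target)
    proto = parts.scheme.lower()
    if proto not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported target {target!r}")
    return proto, parts.port or DEFAULT_PORTS[proto]


def port_allowed(request_line: str, allowed=ALLOWED_PORTS) -> bool:
    """True if the destination port falls inside one of the protocol's rows.

    A protocol with no rows allows nothing: an empty table is read as
    'deny', not 'anything goes'.
    """
    proto, port = destination(request_line)
    return any(low <= port <= high for low, high in allowed.get(proto, []))


if __name__ == "__main__":
    # Constructed request lines.
    for line in ("CONNECT intranet.example:444 HTTP/1.1",
                 "CONNECT intranet.example:8443 HTTP/1.1",
                 "GET http://dev.example.com:8080/build HTTP/1.1"):
        print(line, "->", "allowed" if port_allowed(line) else "blocked")
```

The second CONNECT is blocked because 8443 is the proxy's own listening port, not an allowed origin port; the check keys on the origin port that the client asks for, which is exactly the 8443-versus-444 distinction the tab's description makes. In Transparent Proxy Mode there is no request line with an absolute target, which is why the page notes that these ports do not apply there.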

NOTE: These ports are not relevant if you are working in Transparent Proxy Mode.

2.6.5 ICAP

This section covers the ICAP server settings required to enable communication between a third-party ICAP client and the respective Finjan ICAP server service/device. These settings must be in place before the ICAP client services are configured, so that automatic ICAP client setup (the BlueCoat Sense Settings function) can work. Detailed information can be found in the Setup and Configuration Guide.

The Scanning Server ICAP screen displays the ICAP configuration for the specified device. This screen contains the following tabs:
ICAP Service
ICAP Clients


Options
Advanced
Headers

This screen includes the option to Enable ICAP for Device. When ICAP is enabled, you can disable HTTP (and vice versa), thus closing the unused ports and tightening security.

To edit the Scanning Server ICAP screen, click Edit in the right pane.

2.6.5.1 ICAP Service

The ICAP Service tab displays the ICAP Service settings.

Figure 7-26: ICAP

The following table provides information on the ICAP Service fields:

Field Name: Description
Listening IP: Defines the listening IP for the ICAP protocol handler.
Listening Port: Defines the binding port. (Default is 1344.)

NOTE: If there is no direct Internet access, ALL Scanning Servers must have the next proxy configured in order to prefetch Java classes for Applet scanning. If you are using ICAP, ensure that the Vital Security Appliance Scanning Server appears on the Access List.

2.6.5.2 ICAP Clients

The following table provides information on the ICAP Clients fields:


Figure 7-27: ICAP Clients

Field Name: Description
Type: Defines the type of ICAP client.
Source IP: Defines the IP address of the ICAP client.
Weight: Defines the percentage of resources allocated to this client. (Note: this field does not support a zero value.)

To add/delete an ICAP client:
1. Click Edit in the right pane.
2. Select Enable ICAP for Device.
3. Click to add a new row.
4. Choose the Type from the drop-down list.
5. Enter the Source IP address of the new client and add the weight. Note that the weight is a percentage. If there is only one ICAP client, enter 100 in the weight field.
6. Repeat as many times as necessary. To delete an entry, click on its row and select Delete Row.
7. Click Save to apply the changes.

The following ICAP resources are applicable. For more information please refer to the Setup and Configuration Guide.
For request mode: icap://servername:port/Finjan_REQMOD
For example: icap://192.168.120.150:1344/Finjan_REQMOD
For response mode: icap://servername:port/Finjan_RESPMOD
For example: icap://192.168.120.150:1344/Finjan_RESPMOD
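The following is an added example, not code from the page or from Vital Security: it builds the two ICAP messages a third-party client exchanges with the Finjan_RESPMOD resource above (the periodic OPTIONS probe whose answer the Options tab controls, and a RESPMOD request carrying a preview and the X-Client-IP / X-Server-IP / X-Authenticated-User headers), and parses an OPTIONS reply. The server address repeats the page's example; the OPTIONS reply is constructed to match the Options tab defaults, not captured from an appliance. The X-Include header in that reply is the convention several ICAP clients use to learn which X- headers to send; it is an assumption here, not something the page documents.

```python
"""Added example (not Vital Security code): ICAP OPTIONS and RESPMOD
messages against the Finjan_RESPMOD resource, per RFC 3507."""

ICAP_HOST, ICAP_PORT = "192.168.120.150", 1344
RESPMOD_URI = f"icap://{ICAP_HOST}:{ICAP_PORT}/Finjan_RESPMOD"

# Constructed OPTIONS reply reflecting the Options tab defaults.
SAMPLE_OPTIONS_REPLY = (
    "ICAP/1.0 200 OK\r\n"
    "Methods: RESPMOD\r\n"
    'ISTag: "example-istag-1"\r\n'
    "Preview: 4096\r\n"
    "Options-TTL: 3600\r\n"
    "X-Include: X-Client-IP, X-Server-IP, X-Authenticated-User\r\n"   # assumed convention
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)


def options_request(uri: str = RESPMOD_URI) -> bytes:
    """The OPTIONS probe the client repeats once Options-TTL has elapsed."""
    return (f"OPTIONS {uri} ICAP/1.0\r\nHost: {ICAP_HOST}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode()


def parse_options_reply(raw: str) -> dict:
    """Extract preview size, TTL and the X- headers the server asks for."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    version, status, _reason = status_line.split(" ", 2)
    if version != "ICAP/1.0" or status != "200":
        raise ValueError(f"unexpected OPTIONS status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    listed = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    return {
        "methods": listed(headers.get("methods", "")),
        "preview": int(headers["preview"]) if "preview" in headers else None,
        "ttl": int(headers.get("options-ttl", "0")),
        "x_headers": listed(headers.get("x-include", "")),
    }


def respmod_request(req_hdr: bytes, res_hdr: bytes, body: bytes, preview: int,
                    client_ip: str, server_ip: str, user: str = "") -> bytes:
    """Encapsulate a web server response for scanning.

    Only the first `preview` body bytes go into the preview chunk; a body
    that fits entirely is closed with '0; ieof' so the server knows nothing
    more follows (RFC 3507 section 4.5). Otherwise a plain '0' chunk ends the
    preview and the rest is sent only if the server answers 100 Continue.
    """
    head = [
        f"RESPMOD {RESPMOD_URI} ICAP/1.0",
        f"Host: {ICAP_HOST}",
        f"X-Client-IP: {client_ip}",
        f"X-Server-IP: {server_ip}",
    ]
    if user:
        head.append(f"X-Authenticated-User: {user}")
    chunk = body[:preview]
    head.append(f"Preview: {len(chunk)}")
    head.append(f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}")
    out = ("\r\n".join(head) + "\r\n\r\n").encode() + req_hdr + res_hdr
    if chunk:
        out += f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n"
    out += b"0; ieof\r\n\r\n" if len(body) <= preview else b"0\r\n\r\n"
    return out


if __name__ == "__main__":
    opts = parse_options_reply(SAMPLE_OPTIONS_REPLY)
    # Constructed HTTP request/response heads.
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    res = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    msg = respmod_request(req, res, b"<html>hello</html>", opts["preview"],
                          "10.0.0.7", "203.0.113.10")
    print(msg.decode())
```

The Encapsulated offsets are byte positions into the body that follows the ICAP headers, so they must be computed from the exact bytes sent; a client that recomputes them after rewriting headers but forgets the body offset produces a request the scanner cannot parse. The weight configured per ICAP client on this tab only governs resource share; it does not change the protocol exchange.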

2.6.5.3 Options

The Options tab controls the response to the OPTIONS request that an ICAP client periodically sends to an ICAP server.

Figure 7-28: ICAP Options

The following table provides information on the fields:

Field Name: Description (Default)
Preview Size (Bytes): Defines the requested preview size, in bytes, of the content to be scanned. (Default: 4096)
Options Time to Live (Seconds): Defines the time in seconds for which the OPTIONS response is valid. After this period the ICAP client is expected to send the OPTIONS request again. (Default: 3600)
X-Client-IP: The ICAP client is expected to send the client IP address in each ICAP request. (Default: N/A)
X-Server-IP: The ICAP client is expected to send the web server IP address in each ICAP request. (Default: N/A)
X-Authenticated-User: The ICAP client is expected to send the authenticated user credentials in each ICAP request. (Default: N/A)

2.6.5.4 Advanced

The Advanced tab allows you to define various connection settings.


Figure 7-29: Advanced

The following table provides information on the fields:

Field Name: Description (Default)
Maximum TCP/IP Connections Backlog: Defines the maximum TCP/IP connections backlog. (Default: 256)
Enable Trickling: Enabling trickling allows small chunks of data to be sent periodically to the user in order to prevent timeouts. Trickling refers only to the Status Page and is only available from NetApp. (Default: N/A)
Enable HTTP 1.1 Connection from Browser: Enables HTTP 1.1 for self-constructed HTTP messages. (Default: N/A)

2.6.5.5 Headers

The Headers tab allows you to manipulate Request or Response Headers in the HTTP transaction. Use the Edit button followed by Save/Cancel to change settings.


Figure 7-30: Headers
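The following is an added example, not code from the page or from Vital Security: it applies the three actions that the Headers tabs of the HTTP screen (2.6.2.4) and of this ICAP screen offer, Add Header, Remove Header and Copy Value to New Header, to a parsed HTTP request head, in the order the rows are entered. The request, the rule rows and the X-Scanned-By marker value are constructed for the example.

```python
"""Added example (not Vital Security code): the Headers tab actions run
over an HTTP request head as an ordered rule list."""

# Rows as entered in the tab: (Header Name, Value / Source Header, Action).
# Order matters: the copy runs before its source header is stripped.
REQUEST_RULES = [
    ("X-Client-IP", "X-Forwarded-For", "Copy Value to New Header"),
    ("X-Forwarded-For", "", "Remove Header"),
    ("Via", "", "Remove Header"),
    ("X-Scanned-By", "vital-security", "Add Header"),   # assumed marker value
]

# Constructed request as a downstream proxy would forward it.
SAMPLE_REQUEST = (
    "GET http://www.example.com/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 10.1.2.3\r\n"
    "Via: 1.1 branch-proxy.internal\r\n"
    "User-Agent: example-browser/1.0\r\n"
    "\r\n"
)


def parse_head(raw: str):
    """Split a message head into its start line and an ordered (name, value)
    list. Duplicates are kept: HTTP allows repeated headers."""
    start, _, rest = raw.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if not line:
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return start, headers


def apply_rules(headers, rules):
    """Run the rule rows top to bottom. Names compare case-insensitively,
    as HTTP header names do."""
    out = list(headers)
    for name, value, action in rules:
        if action == "Add Header":
            out.append((name, value))
        elif action == "Remove Header":
            out = [(n, v) for n, v in out if n.lower() != name.lower()]
        elif action == "Copy Value to New Header":
            # The Value column names the source; a missing source adds nothing.
            out.extend((name, v) for n, v in list(out) if n.lower() == value.lower())
        else:
            raise ValueError(f"unknown action {action!r}")
    return out


def serialize(start: str, headers) -> str:
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


def rewrite(raw: str, rules=REQUEST_RULES) -> str:
    """Parse, apply the tab's rows, and re-serialize the head."""
    start, headers = parse_head(raw)
    return serialize(start, apply_rules(headers, rules))


if __name__ == "__main__":
    print(rewrite(SAMPLE_REQUEST))
```

The rule order above moves the client address into the header the Upstream Proxy tab can be told to read, then strips the two headers that reveal the internal proxy and original client to the web server; reversing the first two rows would leave X-Client-IP unset because the source would already be gone. Removing a header that is absent and copying from a source that is absent are both no-ops rather than errors.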

The following table describes the available actions in more detail:

Action: Description
Add Header: Adds the header (with the given Value) to the HTTP request or response.
Remove Header: Removes the header from the HTTP request or response.
Copy Value to New Header: Creates a new header whose value is copied from the header named in the Value / Source Header column.

To add a Header:
1. Click Edit in the right pane.
2. Select Enable ICAP for Device.
3. In the ICAP Request / Response Headers sections, click to add a new row.
4. Enter the required Header Name, the corresponding Value / Source Header, and the Action.
5. Repeat as many times as necessary. To delete an entry, click on its row and select Delete Row.
6. Click Save to apply the changes.

2.6.6 Authentication

The Scanning Server Authentication screen displays the Authentication configuration for the specified device. This screen contains the following tabs:
Configuration
Advanced
Domain

To edit the Scanning Server Authentication screen, click Edit in the right pane.

2.6.6.1 Configuration

The Configuration tab enables configuration of the required authentication settings. The Authentication Retention Methods section allows authenticated user credentials to be cached so as to reduce the number of authentication sessions.

Figure 7-31: Authentication Configuration

The following table provides information on the fields:

Field Name: Description
Identification Policy: Identification Policies define whether and how the end-user is identified or authenticated by the system. Proper identification allows the system to enforce the proper Security Policy for the end-user. Finjan provides several predefined Identification Policies: Source IP Only, Read Headers, Get User Credentials, and Authentication.
Identification Logging Policy: Identification Logging Policies log the transactions carried out by the Identification Policies. Finjan provides one predefined policy: Identification Logging Policy.
Part of Authentication Cluster: Vital Security devices can be used in clusters for capacity and redundancy by using a load balancer. When required, different clusters of Authentication devices can be used in different subnets and perform different User Identification Policies. The Authentication Cluster is defined in Policies > Condition Settings > Authentication Clusters.

Authentication Retention Methods
No Retention: If selected, the authentication data is not kept and authentication is requested for each call (i.e. repeated authentication, no caching).
IP caching: If selected, each call from a cached IP uses the same authentication data. The authentication data is kept for the specified timeout (1-600 seconds range). Because identity is tied to the source address, users behind a shared address (NAT, terminal servers) inherit one another's cached identity.
Cookie: If selected, the browser's cookie mechanism is used to correlate the different HTTP calls. In general the cookie is sent unencrypted inside the HTTP protocol. If required, you can tighten security by encrypting the cookie: select the Use Encryption checkbox, and an encryption key is auto-generated and used by all scanning servers. Select the Persistent checkbox to store the cookie until the defined Timeout expires.

NOTE: By default, the Authentication Retention Method is set to Cookie when the system is installed from a CD. If Transparent Proxy Mode is selected, the Cookie retention method is the only valid configuration.

To set up a device to perform user authentication:
1. Click Edit in the right pane.
2. Select the Identification Policy that the device should enforce from the drop-down list.
3. Select the Identification Logging Policy that the device should enforce from the drop-down list.
4. Select the Authentication Cluster Name that this device will use as Part of Authentication Cluster from the drop-down list.
5. Click Save to apply the changes.


2.6.6.2 Advanced

The Advanced tab enables advanced configuration of the required authentication settings.

Figure 7-32: Authentication Advanced
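The following is an added example, not code from the page or from Vital Security: it models what the Challenge Token Reuse settings on this tab change, as the proxy's source of NTLM server challenges with a reuse count and a lifetime. The class, its defaults and the numbers in the usage call are assumptions for illustration; the appliance's internal behaviour is not documented beyond the fields described in the table.

```python
"""Added example (not Vital Security code): NTLM server-challenge reuse as
a counted, time-limited cache, to make the security trade-off concrete."""
import os
import time


class ChallengeSource:
    """Hands out the 8-byte server challenge for each NTLM exchange.

    reuse disabled: every call returns a fresh random value, which is what
                    the NTLM protocol assumes (the secure default).
    reuse enabled:  the same value is returned up to `reuse_count` times
                    and for no longer than `lifetime_s` seconds. While it is
                    in use, a captured Type 3 response to that challenge
                    is replayable, so larger values widen the window.
    """

    def __init__(self, reuse_enabled=False, reuse_count=1, lifetime_s=60,
                 rng=os.urandom, clock=time.monotonic):
        if reuse_count < 1 or lifetime_s <= 0:
            raise ValueError("reuse count must be >= 1 and lifetime positive")
        self.reuse_enabled = reuse_enabled
        self.reuse_count = reuse_count
        self.lifetime_s = lifetime_s
        self._rng, self._clock = rng, clock
        self._current = None  # (challenge, issued_at, times_handed_out)

    def next_challenge(self) -> bytes:
        """Return the challenge for the next Type 2 message."""
        now = self._clock()
        if self.reuse_enabled and self._current is not None:
            chal, issued, used = self._current
            if used < self.reuse_count and now - issued < self.lifetime_s:
                self._current = (chal, issued, used + 1)
                return chal
        chal = self._rng(8)
        self._current = (chal, now, 1)
        return chal

    def replay_window(self):
        """(uses, seconds) during which one captured response stays valid."""
        if not self.reuse_enabled:
            return (1, 0.0)
        return (self.reuse_count, float(self.lifetime_s))


if __name__ == "__main__":
    # Assumed tab values: reuse on, 5 uses, 30 s lifetime.
    src = ChallengeSource(reuse_enabled=True, reuse_count=5, lifetime_s=30)
    first = src.next_challenge()
    print("same challenge on second request:", src.next_challenge() == first)
    print("replay window (uses, seconds):", src.replay_window())
```

With reuse disabled the window collapses to a single use, which is why the tab warns that enabling the option, and raising the reuse number, lowers the security level; the lifet­ime field caps the time side of the same window.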

The following table provides information on the fields:

Field Name: Description
Enable Challenge Token Reuse (NTLM Settings): A client authenticating with the proxy is given a Challenge Token, a random value that the NTLM protocol requires to be freshly generated for each authentication. Select this option to enable the NTLM Settings below. Enabling it lowers the security level, because a captured response can be replayed for as long as the same challenge remains in use.
Random Challenge Token reuse number: To save authentication time and proxy resources, the same token can be reused several times before a new random token is generated. This field defines the number of times a Challenge Token can be reused (large values weaken the security level).
Challenge Token Lifetime (in seconds): The maximum lifetime of a Challenge Token; a token is not reused beyond this limit.

SMB Connection to Authentication Servers
Connection Timeout: The timeout in seconds for connecting to an Authentication Server.
Try Reconnect After: When an Authentication Server is not accessible it is marked as dead and is checked again for revival after the defined time (in seconds).
Forward Upstream Proxy Authentication: Enabling this option allows for a non-standard setup in which an upstream proxy authenticates users through Vital Security. Vital Security then does not perform authentication itself but forwards the proxy authentication from the downstream client. In this case, all Vital Security authentication mechanisms must be disabled.

To set the NTLM Settings:
1. Click Edit in the right pane.
2. Select Enable Challenge Token Reuse.
3. Define the number of times a Challenge Token can be reused (large values weaken the security level).
4. Define a lifetime in seconds for the Challenge Token.
5. Click Apply to save the changes.

2.6.6.3 Domain

The following table provides information on the fields:

Field Name: Description
Use all Active Authentication Servers: Enables the Authentication or Scanning Server to use all active Authentication Domains (i.e. the Authentication Domains defined in System Settings > External Devices > Authentication Server).
Default Domain: Enter the Default Domain used when Vital Security tries to get user credentials. This setting is kept for backwards compatibility.


Figure 7-33: Authentication Domain

2.6.7 FTP

The Scanning Server FTP screen displays the FTP definition for the specified device. The FTP area allows you to configure your organization's FTP settings. The FTP screen contains the following tabs:
FTP Service
Upstream Proxy
Allowed Server Ports

To edit the Scanning Server FTP screen, click Edit in the right pane. Select Enable FTP for Device to enable use of the FTP protocol in conjunction with the Vital Security appliance.

2.6.7.1 FTP Service

The following table describes the FTP Service fields:

Field Name: Description
Listening IP: Defines the IP address used by the FTP proxy. If this field is left empty and the machine has multiple IP addresses, the FTP proxy listens on all IP addresses (interfaces).
Listening Port: Defines the port used by the FTP proxy.


Figure 7-34: Scanning Server FTP Service Screen

2.6.7.2 Upstream Proxy

Figure 7-35: Scanning Server FTP Upstream Proxy

The following table explains the Upstream Proxy fields:

Field Name: Description
Enable Next Proxy: If Vital Security is in a proxy chain, check the Enable Next Proxy box. This refers to an upstream proxy.
Next Proxy IP Address: Defines the IP address of the next proxy.
Next Proxy Port: Defines the port of the next proxy.

2.6.7.3 Allowed Server Ports

The Allowed Server Ports tab is used to define the ports that the FTP protocol is allowed to use.


Figure 7-36: Scanning Server Allowed Server Ports Screen

To add/delete a specific port:
1. Click Edit in the right pane.
2. Select Enable FTP for Device.
3. Click to add a new row.
4. Enter the required port range in the From and To fields.
5. Repeat as many times as necessary. To delete an entry, click on its row and select Delete Row.
6. Click Save to apply the changes.

NOTE: These ports are not relevant if you are working in Transparent Proxy Mode.

2.6.8 WCCP

The Web Cache Communication Protocol (WCCP) enables WCCP-enabled routers (and switches) to redirect traffic to other WCCP-enabled servers, without users having to configure their browsers or any other proxy settings. When an end-user sends a request to the original server, the WCCP router (or switch) redirects the request to the Scanning Server, which inspects it. The Scanning Server then generates a new request and sends it to the original server. The reply is sent back to the end-user after it has been scanned by the Scanning Server.

The WCCP protocol limits the number of ports per service to 8. If more than 8 ports are configured, a warning is issued and an arbitrary 8-port subset of these ports is serviced by WCCP.

Figure 7-37: Scanning Server WCCP Screen

To edit the WCCP screen, click Edit in the right pane. Select Enable WCCP V2 to enable use of the WCCP Version 2 protocol in conjunction with the Vital Security appliance. The following table describes the WCCP Configuration fields:

Field Name: Description
Forwarding Method: Determines the communication protocol between the WCCP-enabled router and the Scanning Server: Layer2 or GRE (Generic Routing Encapsulation). When the Scanning Server is connected to a switch, the method must be Layer2; for a router, it must be GRE. If Layer2 is selected, the Scanning Servers and the WCCP-enabled router must be on the same network.
Password: An optional authentication password.
Routers: Defines the IP address of the router. Click and select Add Row to add further IP addresses when there is more than one router.

NOTE: Transparent proxy must be enabled for WCCP to work.

For more information on WCCP, please refer to the WCCP Technical Brief.

2.7 Default Values

These contain the default settings for Device Modules and other settings.


2.7.1 Device General Settings

The following settings are for the Access List.

2.7.2 Access List

The Access List default settings are listed here. You can choose to apply the default settings displayed here to all Access Lists.

2.7.3 Device Settings

The Default Scanning Server Values node contains the device modules with their default settings as supported by Vital Security. These screens look exactly the same as the screens displayed for each device in the Devices tree.

You can reset the values for a specific module, or for all modules of all devices, to the default values shown under Default Values, as follows:

To reset all Devices and their modules to the default values:
1. Right-click on the Default Scanning Server Values main folder and select Reset all with default values.
2. Click OK on the confirmation message that appears. The devices, together with all their modules, are now reset to the default values listed here under Default Values.

To reset specific Device modules to the default values:
1. Right-click on the Scanning Server module, for example HTTP, and select Reset all HTTP Devices with Default Values.
2. Click OK on the confirmation message that appears. The specific module is now reset to the default values listed in the Device Default Values for the Scanning Server.

NOTE: When creating a new device under Administration > System Settings > Devices, the default settings shown here are automatically applied to the new device. The settings unique to the device can then be edited as required in the Devices tree.

2.8 Authentication Device

An Authentication Device provides a means to identify and authenticate users in the LAN when Scanning Servers are installed in the DMZ. The Authentication Device acts as an HTTP server for requests redirected by Scanning Servers. It forwards the redirected request, according to the Identification Policy assigned to it, to the Authentication Servers and then redirects the response back to the Scanning Server. The Authentication Device includes the following modules:
HTTP
Authentication

2.8.1 HTTP

This screen includes the option to Enable HTTP for Device. Clearing it disables HTTP on the device, closing the unused ports and tightening security. This screen contains the following tabs:
HTTP Proxy IP and Port
Proxy Chain

To edit the Authentication Device HTTP screen, click Edit in the right pane.

2.8.1.1 HTTP Proxy IP and Port

Figure 7-38: HTTP Proxy and IP Port

The following table provides information on the fields:

Field Name: Description
Proxy IP Address: Defines the IP address for the HTTP Service. If this field is left empty, HTTP listens on all interface cards configured in the system.
Proxy Port: Defines the port (the default port is 8080).
MAX HTTP Transactions Backlog: Defines the maximum number of queued pending connections waiting to be accepted.


HTTP Protocol
Enable HTTP 1.1 Connection from Browser: Enables HTTP 1.1 at the end-user side (Web browser).

2.8.1.2 Proxy Chain

Figure 7-39: HTTP Proxy Chain

The following table provides information on the fields:

Field Name: Description
HTTPS: HTTPS traffic is directed to the Authentication Device, which acts as the corporate HTTPS proxy instead of the Scanning Server. The Scanning Server is used as the next proxy.
FTP Over HTTP: FTP Over HTTP traffic is directed to the Authentication Device, which acts as the proxy instead of the Scanning Server. The Scanning Server is used as the next proxy.
IP Address: The IP address of the HTTPS/FTP Over HTTP proxy.
Port: The port used by the HTTPS/FTP Over HTTP proxy.
Active: Select the Active checkbox to activate the HTTPS/FTP Over HTTP protocol.


2.8.2 Authentication

The Authentication Device Authentication screen displays the Authentication definition for the specified device. This screen contains the following tabs:
Configuration
Advanced
Domain

To edit the Authentication Device Authentication screen, click Edit in the right pane.

2.8.2.1 Configuration

The Configuration tab enables configuration of the required authentication settings.

Figure 7-40: Authentication Configuration

The Authentication Retention Methods section configures how authentication data is retained between subsequent HTTP calls within a session.


The following table provides information on the fields:

Identification Policy: Identification Policies carry out the classification of an end-user to determine whether the end-user should browse through the system or not. The Identification Policy also enables the system to enforce the proper Security Policy for the end-user. Finjan provides several predefined Identification Policies (refer to Identification Policies Tree):
Source IP Only
Read Headers
Get User Credentials
Authentication

Identification Logging Policy: Identification Logging Policies log the transactions carried out by the Identification Policies. Finjan provides a predefined Identification Logging Policy (refer to Identification Logging Policies Tree):
Identification Logging Policy

Part of Authentication Cluster: Vital Security devices can be used in clusters for capacity and redundancy by using a load balancer. When required, different clusters of Authentication devices can be used in different subnets and perform different User Identification Policies. The Authentication Cluster is defined in Policies > Condition Settings > Authentication Clusters.

Authentication Retention Methods

No Retention: If selected, the authentication data is not kept and authentication is requested for each call (i.e. there is repeated authentication and no caching).

IP caching: If selected, each call from a cached IP uses the same authentication data. The authentication data is kept for the specified timeout (1-600 seconds range).

Cookie: If selected, the browser’s cookie mechanism is used for identifying different HTTP calls. In general the Cookie is sent unencrypted inside the HTTP protocol. If required, it is possible to tighten the security by encrypting the cookie. To do this, select the Use Encryption checkbox. If selected, an encryption key is auto-generated and used by all scanning servers. Select the Persistent checkbox to store the cookie until the defined Timeout (set in minutes) expires.
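As an added illustration (not Vital Security's own code), the following Python models the three retention methods above and shows why IP caching is weaker behind a shared address: every client at a cached IP inherits the cached credentials, while the cookie method ties them to the browser that authenticated. The class, method and cookie names are assumptions, and the Use Encryption option is not modelled (the cookie here carries only an opaque random id).

```python
"""Model of the three Authentication Retention Methods described above.

Added example, not Vital Security code. Assumed semantics, taken from the page:
No Retention re-authenticates every call; IP caching keys the cached credentials
on the client IP for a timeout of 1-600 seconds; Cookie keys them on a browser
cookie which, when Persistent, lives until a timeout given in minutes.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

COOKIE_NAME = "vs_auth"  # hypothetical cookie name


@dataclass
class Request:
    """The parts of an HTTP call the retention logic looks at."""
    client_ip: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class AuthRetention:
    method: str                       # "none" | "ip" | "cookie"
    ip_timeout_seconds: int = 300     # IP caching timeout (page: 1-600 seconds)
    cookie_timeout_minutes: int = 60  # Cookie Persistent Timeout (page: minutes)
    # ip -> (user, time stored); cookie value -> (user, absolute expiry)
    _by_ip: Dict[str, Tuple[str, float]] = field(default_factory=dict, init=False)
    _by_cookie: Dict[str, Tuple[str, float]] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        if self.method not in ("none", "ip", "cookie"):
            raise ValueError("unknown retention method")
        if not 1 <= self.ip_timeout_seconds <= 600:
            raise ValueError("IP caching timeout must be 1-600 seconds")

    def lookup(self, req: Request, now: float) -> Optional[str]:
        """Return the cached user for this call, or None if authentication is required."""
        if self.method == "none":
            return None                      # repeated authentication, no caching
        if self.method == "ip":
            entry = self._by_ip.get(req.client_ip)
            if entry and now - entry[1] < self.ip_timeout_seconds:
                return entry[0]              # any client at this IP gets the cached user
            self._by_ip.pop(req.client_ip, None)   # expired: drop it
            return None
        token = req.cookies.get(COOKIE_NAME)
        entry = self._by_cookie.get(token) if token else None
        if entry and now < entry[1]:
            return entry[0]                  # only the browser holding the cookie
        if token:
            self._by_cookie.pop(token, None)  # expired or unknown cookie value
        return None

    def remember(self, req: Request, user: str, now: float) -> Optional[str]:
        """Record a successful authentication; returns the cookie value to set, if any."""
        if self.method == "ip":
            self._by_ip[req.client_ip] = (user, now)
        elif self.method == "cookie":
            token = secrets.token_urlsafe(24)            # opaque, unguessable id
            self._by_cookie[token] = (user, now + self.cookie_timeout_minutes * 60)
            return token
        return None
```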


To set up a device to perform user authentication:
1. Click Edit on the right pane.
2. Select the Identification Policy that the device should enforce from the drop-down list.
3. Select the Identification Logging Policy that the device should enforce from the drop-down list.
4. Select the Authentication Cluster Name that this device will use as Part of Authentication Cluster from the drop-down list.
5. Click Save to apply changes. Next, click .

NOTE: By default, the Authentication Retention Method is set to Cookie when the system is installed from a CD. If Transparent Proxy Mode is selected, the Cookie retention method is the only valid and possible configuration.

2.8.2.2 Advanced

The Advanced tab enables advanced configuration of the required authentication settings.

Figure 7-41: Authentication Advanced

The following table provides information on the fields:

Enable Challenge Token Reuse (NTLM Settings)

Enable Challenge Token reuse: A client authenticating with a proxy is provided with a Challenge Token, which is a random token that must be generated each time the NTLM protocol is performed. Select this option to enable the NTLM Settings.

Random Challenge Token reuse number: To save authentication time and proxy resources, the same token can be reused several times before a new random token is generated. This field defines the number of times a Challenge Token can be reused (large values weaken the security level).

Challenge Token Lifetime (in seconds): The Challenge Token lifetime cannot exceed the configured limit.

NOTE: Enabling the Challenge Token Reuse option decreases the system security level.

NOTE: A Challenge Token can only be reused if the time period between subsequent challenges is shorter than the lifetime defined here.

SMB Connection to Authentication Servers

Connection Timeout: This is the timeout in seconds for connecting to an Authentication Server.

Try Reconnect After: When the server is not accessible it is marked as dead and can be checked again for revival according to the defined time (in seconds).

Forward Upstream Proxy Authentication: Enabling this option allows for a non-standard situation where an upstream proxy can authenticate users through Vital Security. This means that Vital Security will not perform authentication but will forward proxy authentication from the downstream client. In this case, all Vital Security authentication mechanisms must be disabled.

To set the NTLM Settings:
1. Click Edit on the right pane.
2. Select Enable Challenge Token Reuse.
3. Define the number of times a Challenge Token can be reused (large values weaken the security level).
4. Define a lifetime in seconds for the Challenge Token.
5. Click Save to apply changes. Next, click .
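The following Python, an added example rather than the appliance's code, models how the reuse number and lifetime settings above interact: a token is handed out again only while both limits hold, and the helper gives the resulting worst-case window during which a single challenge can stay in use. Class and function names are this example's own.

```python
"""Model of the NTLM Challenge Token reuse settings in the Advanced tab above.

Added example, not Vital Security code. Assumed semantics, taken from the page:
a server challenge is normally fresh for every NTLM exchange; with reuse enabled
the same token is handed out again until it has been reused the configured
number of times, and only while the gap between consecutive challenges stays
below the configured lifetime in seconds.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ChallengePool:
    reuse_number: int        # Random Challenge Token reuse number (0 = fresh token every time)
    lifetime_seconds: float  # Challenge Token Lifetime (in seconds)
    _token: Optional[bytes] = field(default=None, init=False)
    _handed_out: int = field(default=0, init=False)    # issuances of the current token
    _last_issued: float = field(default=0.0, init=False)
    fresh_tokens: int = field(default=0, init=False)   # distinct tokens generated so far

    def __post_init__(self) -> None:
        if self.reuse_number < 0 or self.lifetime_seconds <= 0:
            raise ValueError("reuse number must be >= 0 and lifetime > 0")

    def _generate(self, now: float) -> bytes:
        self._token = secrets.token_bytes(8)   # NTLM server challenges are 8 random bytes
        self._handed_out = 1
        self._last_issued = now
        self.fresh_tokens += 1
        return self._token

    def next_challenge(self, now: float) -> bytes:
        """Token to send for an NTLM exchange starting at time `now` (seconds)."""
        if self._token is None:
            return self._generate(now)
        within_count = self._handed_out - 1 < self.reuse_number   # reuses so far < limit
        within_life = now - self._last_issued < self.lifetime_seconds
        if within_count and within_life:
            self._handed_out += 1
            self._last_issued = now
            return self._token                 # reuse: saves time and proxy resources
        return self._generate(now)             # either limit hit: fresh random token


def max_challenge_exposure_seconds(reuse_number: int, lifetime_seconds: float) -> float:
    """Upper bound on how long one challenge value can keep being issued.

    Each reuse may follow the previous issuance by just under `lifetime_seconds`,
    so `reuse_number` reuses can stretch a single challenge over this span. This is
    the window to weigh when choosing the two settings.
    """
    return reuse_number * lifetime_seconds
```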


2.8.2.3 Domain

The following table provides information on the fields:

Figure 7-42: Domain

Use all Active Authentication Servers: This enables the Authentication or Scanning Server to use all Active Authentication Domains (i.e. use the Authentication Domains defined in System Settings > External Devices > Authentication Server).

Default Domain: Enter the Default Domain used when Vital Security tries to get user credentials. This section appears for backwards compatibility.

2.9 Policy Server

The Policy Server includes the following modules:
VSOS Updates
High Availability

2.9.1 VSOS Updates

You can choose to update selected scanning servers with the latest Operating System update instead of sending the update to all the scanning servers at the same time. The option to update selected scanning servers ensures greater stability of the system and allows you greater control over the individual scanning servers in your configuration. Having the means to select specific scanning servers is also useful when updating a Policy Server with a new VSOS in a High Availability configuration. In this scenario, some scanning servers can be left untouched, so that if the Update fails, the Policy Server will still be able to control the selected Scanning Servers. All scanning servers will continue to function normally and logs will be retrieved from all of them; however they will not receive security updates or configuration changes.

Figure 7-43: VSOS Updates

To edit the VSOS Updates screen, click Edit. Select Update selected Scanning Servers and check the Scanning Servers in your configuration that should be updated. Alternatively, choose Select All to update all the Scanning Servers.

NOTE: Policy Servers are only able to configure and send security updates to Scanning Servers which have the same VSOS. Any scanning server which has a different VSOS update to the Active Policy Server will have its corresponding icon displayed in yellow.

NOTE: Scanning Server VSOS Updates does not apply to Maintenance or Hot Fix releases.

2.9.2 High Availability

Vital Security supports both an Active Policy Server and a Standby Policy Server for cases of malfunction. Having a standby Policy Server means that there is no single point of failure, which in turn protects against both hardware and software failures. You can switch from the Active Policy Server to the Standby Policy Server, guaranteeing continuous operation of the system. Before using this feature, another appliance needs to be configured as a Policy Server with the same VSOS as the Active Policy Server. Both appliances must be configured as Policy Servers, and not as an All in One. The High Availability screen contains the following tabs:

Configuration
Synchronization

Figure 7-44: High Availability

To edit the High Availability screen, click Edit on the right pane. Select Enable High Availability Policy Server to enable the High Availability Policy Server feature.

2.9.2.1 Configuration

In this tab you can define the Standby Policy Server IP which will be switched over to if required. You can only switch over once there has been an initial synchronization, which is reflected in the Last Switch Time field. Both active and standby Policy Servers have to have the same VSOS update installed. If this is not the case, an error message will appear on the screen.

The VSOS Update checkbox is used to ensure that the latest Version Software is sent automatically from the active Policy Server to the Standby Policy Server after an update.

To define the Standby Policy Server and switch Policy Servers:
1. Click Edit on the right pane.
2. Enable the High Availability Policy Server and define the Standby Policy Server IP.
3. Click Save.
4. Right-click on the High Availability node in the tree on the left-hand pane and select Switch Now from the drop-down menu.
5. You will be automatically redirected to the other Policy Server, which is now working in Active mode.

NOTE: If, for any reason, the Active Policy Server fails, it is possible to change the Standby Policy Server to become an Active Policy Server through the Limited Shell. This procedure is detailed in the Setup and Configuration Guide.

2.9.2.2 Synchronization

Select the Scheduled Synchronization checkbox to synchronize the configuration changes with the Standby Policy Server at a predefined time. That is, any change to Policy Server settings which involves pressing Save and Commit Changes. This also includes Security updates. Select scheduled synchronization to run either daily (hh:mm) or hourly and enter the required values.

Figure 7-45: High Availability - Synchronization

You can also choose to manually synchronize information between the Policy Servers at any time. This information includes the latest VSOS (Software Version) if it has been selected in the VSOS Update field in the High Availability Configuration tab. The Last Synchronization Time refers to the last time any synchronization was made, whether automatic or manual.

NOTE: Please refer to the High Availability Policy Server Feature Description for a detailed explanation on this feature.


To manually synchronize Policy Servers:
1. Right-click on the High Availability node in the tree on the left-hand pane and select Synchronize Now from the drop-down menu.
2. Click OK to confirm, or Cancel to abort.

2.10 External Devices

The Authentication Server is used to store username and password information that identify the users logging on. The Authentication Server validates this information and specifies whether or not user access is granted. For access to specific network resources, the server may itself store user permissions and company policies or provide access to directories that contain the information. Vital Security supports authentication against Microsoft Active Directory authentication servers. Multiple domains can be supported at the same time by defining a global list of authentication realms. Each realm is identified by the NetBIOS domain name and a list of redundant domain controllers given by IP or DNS name.

2.10.1 Authentication Server

In this screen, you can Add or Delete Authentication Servers and Edit the server user information. This screen shows a list of the Authentication Servers including the Realm/Domain, address and status (active or not).

NOTE: Up to 10 Authentication Servers can be defined serving many trusted domains. The authenticate action will not perform real authentication unless there is at least one Authentication Server defined.

The following table provides information on the Authentication Server fields:

Realm/NETBIOS Name: This refers to the Authentication Server’s name in the authentication process between the browser and the Scanning Server / Authentication Device. When using Active Directory you should specify the domain NetBIOS name.

Domain Controller: This is the hostname. (It should be written without periods.)

Trusted Domains: These are domains that are trusted for authentication by the primary domain controller (specified in Realm/Domain).

Server Type: The system supports the Microsoft Active Directory authentication server.

Active: Select to activate the Authentication Server.


Figure 7-46: Authentication Servers

To add an Authentication Server:
1. Right-click on the top-level heading and select Add Server.
2. Enter an appropriate Realm/NETBIOS name.
3. In the Domain Controller section, click to add a new row. Enter a new Domain name.
4. In the Trusted Domain section, click to add a new row. Enter a new Domain name.
5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the item and selecting Delete Row.
6. Click Save to apply changes. Next, click .
7. If you need to modify these fields in the future, select Edit and make your changes.

2.11 Scanning Options

In the Main Tool bar, select Administration > System Settings > Scanning Options. This screen is used to enable the HTML Repair feature, caching of results of scanned files and a Status page. To edit the Scanning Options screen, click Edit on the right pane.

HTML Repair: Select the Automatic removal of suspicious code checkbox on the Scanning Options screen to enable the HTML Repair feature. By selecting this option, malicious scripts on an HTML page are automatically detected and repaired and the HTML page is sent on to the end-user in a transparent manner. The Log All Protective Actions logging rule in the Finjan logging policy enables you to display this information in the Web Log View.

NOTE: The HTML Repair feature is enabled by default.

Enable Caching: Select the Enable caching checkbox to enable caching of results of scanned files. This improves system performance by reducing scanning time. The system is configured such that the most CPU- and time-consuming Scanning engines will make use of this feature accordingly.

Status Page: When files are being downloaded from the Internet, a status page can be displayed to the end-user in the browser window. This provides important information while the end-user waits for the download to finish, as the file must be scanned by Vital Security before it reaches the browser. The status page can be configured and activated accordingly. The Status Page is disabled when working with HTTPS. This section includes the following tabs:

General Settings
Activate

2.11.1 General Settings

By selecting Enable Status Page, you can configure the options listed in the following table:

Size Threshold for Immediate Activation (KB): Configures the download file size threshold that activates the status page.

Immediate Activation for Downloads taking more than (in seconds): Configures the number of seconds into a download after which the status page is activated.

Progress Bar Update Interval (in seconds): Determines the frequency at which the progress bar shown in the status page is updated during the download.

Completed Download Lifetime (in seconds): Configures the amount of time that the downloaded content remains on the Vital Security proxy before it is removed.

Downstream Proxy Compatibility: When checked, enables working with ISA Server.

2.11.2 Activate

When files are being downloaded from the Internet, a status page can be displayed to the end-user in the browser window. You can choose to activate or deactivate the Status Page based on the following:

User Agent: The User Agent is an HTTP header field by which the browser identifies itself to the Server. Most browsers, including Internet Explorer, specify Mozilla as part of the User-Agent field. Rows can be added or deleted using the plus icon.

Content Type: Content type can be an extension type or a Mime type. Specific extensions and Mime types can be added or deleted using the plus icon. The Extensions displayed are provided as default Extensions. For example, you can choose not to activate the Status Page if the file is a PDF file (i.e. its value is defined as pdf). Mime Type is an example of an HTTP header field. For example, an HTML page can be sent with Content Type: text/html. The substrings that are displayed in the screen are given as default content types.

To edit options in the Status Page:
1. To edit the Activate tab on the Status Page, click Edit.
2. Select Enable Status Page.
3. In the On User Agents/Activate When/Unless sections, click to add new rows.
4. Enter the appropriate User Agent and Values.
5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the item and selecting Delete Row.
6. Click Save to apply changes. Next, click .

2.12 Scanning Engines

In the Main Tool bar, select Administration > System Settings > Scanning Engines. The Scanning Engines screen displays an Engines tree on the left pane which includes third-party engines that work together with the Vital Security system. Third-party engines can be used only if you have obtained the appropriate license.

Figure 7-47: Scanning Engines


Scanning Engines include the following:
Anti-Spyware
Anti-Virus (Kaspersky)
Anti-Virus (McAfee)
Anti-Virus (Sophos)
URL Filtering (IBM)
URL Filtering (Websense)

2.12.1 Anti-Spyware

Select the Anti-Spyware Finjan-proprietary engine to display the following information on the right pane:

Spyware Home Black List: refers to a black list of URLs known to accommodate Spyware
Known Spyware: refers to a list of spyware with known Class IDs (CLSID)
Spyware Profiles: refers to spyware that are picked up by the Active Content List CP

These lists are continuously updated by Finjan’s MCRC. The information in these lists cannot be configured or deleted. The Anti-Spyware profile appears as a built-in behavior profile in the Script Behavior Profiles in the Rule Conditions.

Figure 7-48: Anti-Spyware

2.12.2 Anti-Virus (Kaspersky)

Kaspersky includes preconfigured profiles generated by the software manufacturers. Version numbers and signature/DAT file numbers are displayed. You can add the amount of time, in seconds, after which the Anti-Virus engines will stop scanning a large file. The maximum time allowed is 300 seconds. This option reduces the possibility of system time-outs.

NOTE: This time limit refers to one single item, so in cases where there are containers containing many items, this time limit will be extended.

2.12.3 Anti-Virus (McAfee)

The McAfee engine includes preconfigured profiles generated by the software manufacturers. Version numbers and signature/DAT file numbers are displayed. You can add the amount of time, in seconds, after which the Anti-Virus engines will stop scanning a large file. The maximum time allowed is 300 seconds. This option reduces the possibility of system time-outs.

For the McAfee Anti-Virus engine alone, Vital Security offers the following capabilities:
Enable Macro Scanning: Ability to scan macros in Office documents.
Enable Heuristics: Ability to use generic methods to scan for potentially unknown threats.

2.12.4 Anti-Virus (Sophos)

The Sophos engine contains preconfigured profiles generated by the software manufacturers. Version numbers and signature/DAT file numbers are displayed. You can add the amount of time, in seconds, after which the Anti-Virus engines will stop scanning a large file. The maximum time allowed is 300 seconds. This option reduces the possibility of system time-outs.

NOTE: These 3rd party anti-virus engines can be used only if you have obtained the appropriate license.

2.12.5 URL Filtering (IBM)

For IBM Proventia Web Filter, there are preconfigured profiles generated by the software manufacturers. Version numbers and signature/DAT file numbers are displayed.

2.12.6 URL Filtering (Websense)

For Websense, there are preconfigured profiles generated by the software manufacturers. Version numbers and signature/DAT file numbers are displayed.

NOTE: Third-party URL Filtering engines can be used only if you have obtained the appropriate license.


2.13 Console Timeout

In the Main Tool bar, select Administration > System Settings > Console Timeout. The Console Timeout screen allows the administrator to configure the amount of idle time, in minutes, after which the current session times out. This is useful for security purposes, as it stops an unauthorized person from using the Management Console through a session left idle. The administrator must log in to the Management Console again if the session times out. To edit the setting, click Edit, make changes and then click Save.

2.14 Digital Certificates

Digital Signature-based technology helps reduce the risk when downloading ActiveX controls and other executables over the Internet. It identifies the publisher of signed software and verifies that the code hasn't been tampered with before you download software to your computer. Digital certificates use a cryptographic technology called public-key cryptography to sign software publications and to verify the integrity of the certificate itself. In the Main Tool bar, navigate to Administration > System Settings > Digital Certificates. The digital certificates comprise authorized and certified active content, thus adding another layer of security for your organization.

Figure 7-49: Digital Certificates

2.14.1 Importing Certificates into Customer Certificate Lists

To import certificates into the customer certificate lists:
1. Right-click on the Digital Certificate in the left pane and select Import Component from the drop-down menu. The Import Digital Certificate screen is displayed on the right pane.
2. Browse to the required file location and then Import the file, making sure that the file has the correct PEM extension. The imported certificate appears in the Digital Certificate list.

Figure 7-50: Import Digital Certificate

2.14.2 Certificate Details Screen

Use the Edit and then Save/Cancel buttons to make any changes in this screen, such as deleting certificates. The following information is contained in this screen:

Name: Name of the Digital Certificate list
Issued By: Name of the Certificate Authority who issued the certificate
Issued To: Name of the organization who the certificate is issued to (In the case of root certification authorities or self-signed certificates, the names are the same.)
Expiration: Expiration date of the certificate
Friendly Name: Name of certificate presented externally

The following lists are available:

Customer Certificate Revocation List: This contains a list of certificates which have been cancelled. This is an external list. If you want to update this list, you must subscribe to the Certificate Revocation List and thereby receive pre-defined files which can be imported into the Policy Server. All files must be in a PEM format before being imported. PEM is a Base-64 encoded X.509 certificate text file format.

Customer Trusted Publishers (code signing only) and Customer Untrusted Publishers: These two lists contain certificates from trusted/untrusted publishers. Again, these files are received from an external source and must be in a PEM format with a PEM extension before being imported. Each file to be imported may contain a number of certificates, but Finjan only displays the first one in the file.

Customer Trusted Root CA: Root Certificate Authorities (CA) refer to “self-signing” certificates, that is, certificates which were issued on their own authority.

Finjan Certificate Revocation List: This list is non-editable. This contains a list of certificates which have been cancelled.

Finjan Trusted and Untrusted Publishers: These two lists are non-editable and contain Finjan predefined lists of trusted and untrusted publishers respectively. These are regularly updated via Finjan Security Updates.

Finjan Trusted Root CA: This list is also non-editable. Root Certificate Authorities (CA) refer to “self-signing” certificates, that is, certificates which were issued on their own authority.
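As an added pre-import check (not part of the product), this Python splits a PEM file into its certificate blocks and reports how many it holds, so a bundle whose later certificates would be imported without being shown is caught before import. The sample bundle is constructed from placeholder bytes, not real certificates, and the function names are this example's own.

```python
"""Check a PEM file before importing it into a Customer certificate list.

Added example, not Vital Security code. The page states that an import file must
be PEM (Base-64 encoded X.509) and that a file holding several certificates shows
only the first one, so this splits the file into its certificate blocks, decodes
each one, and flags files that would only be partly visible after import.
"""
import base64
import binascii
import re
from typing import Dict, List

_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text: str) -> List[str]:
    """Return every certificate block in a PEM file as its own PEM string."""
    return [m.group(0) for m in _BLOCK.finditer(text)]


def pem_block_to_der(block: str) -> bytes:
    """Strip the armour and Base-64 decode one block; raises on malformed input."""
    m = _BLOCK.fullmatch(block.strip())
    if m is None:
        raise ValueError("not a single PEM certificate block")
    body = "".join(m.group(1).split())          # drop the line breaks
    return base64.b64decode(body, validate=True)  # binascii.Error on bad characters


def inspect_pem_for_import(text: str) -> Dict[str, object]:
    """Summarise a PEM file the way an operator needs to see it before import."""
    blocks = split_pem_bundle(text)
    der_lengths: List[int] = []
    undecodable = 0
    for block in blocks:
        try:
            der_lengths.append(len(pem_block_to_der(block)))
        except (ValueError, binascii.Error):
            undecodable += 1
    return {
        "certificates": len(blocks),
        "undecodable": undecodable,
        "der_lengths": der_lengths,
        "only_first_shown": len(blocks) > 1,   # the list displays just the first block
        "importable": len(blocks) >= 1 and undecodable == 0,
    }


def _constructed_block(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (constructed sample, not a real certificate)."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed two-certificate bundle: the second block is the one an operator would not see.
SAMPLE_BUNDLE = (_constructed_block(b"constructed-certificate-1")
                 + _constructed_block(b"constructed-certificate-2"))
```

Split a flagged bundle with split_pem_bundle and import each block as its own file so every certificate is listed.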

Figure 7-51: Example of Digital Certificate Screen

2.15 License

Every customer has a license from Finjan which is either an evaluation license or a permanent license. A single license key can be used for multiple Policy Servers. It can also be re-used for situations where the administrator needs to reinstall the system.


Evaluation License: When entering the Management Console for the first time, an installation Wizard will run and the administrator must enter a license key. An evaluation key entitles you to a 30 day evaluation period with full Vital Security functionality. Once the 30 day evaluation period has passed, Vital Security will start forwarding Internet content through without scanning it. The Management Console will be disabled until the administrator enters a permanent license key. Ten days before the evaluation license is about to expire, an informative message will be displayed.

Permanent License: A permanent license is generated by Finjan and sent to the customer. Its expiration date is based on a service agreement with the customer. Starting three months before the expiration date, the administrator will receive notifications that the license needs to be renewed. Once the license has expired, there is a thirty day grace period during which traffic will be scanned but administrators will have very limited access to the Management Console. After the grace period is complete, Vital Security will no longer function as required.

To enter your new License Key:
1. Enter the license key provided by Finjan and click Continue.
2. Read through the license agreement and check the I accept checkbox.
3. Click OK to finish.

NOTE: The Policy Server will update Finjan Headquarters as to the status of the License. This information is confidential and will be kept at the Finjan Financial offices.

2.16 Debug Logs

These options are reserved for Finjan Support personnel only.

3 Rollback

The Rollback feature is used for rolling the system back to a previous stable state. The Backup consists of all data that an administrator can customize in the Management Console (including Policies, settings etc). Information that is not included in the backup includes the Log Server database, Report Server database and Updates. This capability is useful for the following reasons:

Before applying major configuration and settings changes, the administrator can back up the current settings.
The administrator may choose to have periodical backups of the system to guarantee against unknown catastrophes.
In rare cases, failed updates may cause the system to function incorrectly.
In rare cases of system hardware failure, for example the hard disk of the Policy Server has stopped working.

The Rollback feature consists of three parts:
Rollback Settings
Backup Now
Restore (Rollback)

Figure 7-52: Rollback Screen

3.1 Rollback Settings

During the Backup process the Policy Server settings are saved to an external network location. Exporting the data to an external location enables a smooth restore process in the case of hardware failure.To perform backup, the Rollback settings must be filled in as detailed below:

NOTE: You must disable the High Availability Policy Server feature before performing Rollback. See section on High Availability.

Connection Method | Description
None | Does not perform the backup operation. If this option is selected, scheduled backup is disabled.
FTP | Connects via File Transfer Protocol using the common active mode of operation.
FTP Passive | Connects via File Transfer Protocol using a passive mode of operation; this is useful if a firewall is located between the Policy Server and the remote FTP site.
Samba | Uses the Server Message Block (SMB) communication protocol, which enables connection to Windows shared folders.
SFTP | Uses the Secure File Transfer Protocol.

Your selected Connection Method determines the content used to define your Backup Location, User to connect with and Password fields.

You can choose to perform backups at specific times every recurring number of days by selecting Enable Scheduling and defining the times.

If you selected | Then
None | No information can be entered.
FTP | The Backup Location is the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Backup Location. The Password should be the password used by the above user.
FTP Passive | The Backup Location is the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Backup Location. The Password should be the password used by the above user.
Samba | The Backup Location must include the server IP address and directory for your selected location, in the following format: //address/dir, for example, //192.168.1.10/archive. The User to connect with must include the workgroup name and the user name used when connecting to the Backup Location, in the following format: workgroup/user, for example, marketing/nicole. The Password should be the password used by the above user.
SFTP | The Backup Location is the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Backup Location. The Password should be the password used by the above user.

NOTE: The fields in this screen are enabled only after a connection method has been selected.
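As an added illustration of the Backup Location and User to connect with formats in the tables above (example code written for this guide, not part of the Vital Security product), the following Python function parses those fields for each Connection Method and reports the checks a reviewer would make before enabling scheduled backups. The function name, the error and warning texts, and the IPv4-only host check are assumptions; the sample values are the ones the tables use.

```python
"""Parse and review Rollback backup-target settings.

Added example (not Vital Security code).  It applies the documented field
formats: FTP / FTP Passive / SFTP use "address/dir", Samba uses "//address/dir"
with "workgroup/user" as the user name.  Function names are hypothetical.
"""
import re
from dataclasses import dataclass, field

METHODS = ("None", "FTP", "FTP Passive", "Samba", "SFTP")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass
class BackupTarget:
    method: str
    host: str = ""
    directory: str = ""
    workgroup: str = ""
    user: str = ""
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def _check_host(target: BackupTarget, host: str) -> None:
    # The guide's examples are all IPv4 addresses; treat anything else as an error.
    m = _IPV4.match(host)
    if not m:
        target.errors.append(f"backup host {host!r} is not an IPv4 address (documented format is address/dir)")
    elif any(int(octet) > 255 for octet in m.groups()):
        target.errors.append(f"backup host {host!r} has an octet above 255")


def parse_backup_settings(method: str, location: str, user: str, password: str) -> BackupTarget:
    """Return a BackupTarget describing the fields, with errors for malformed
    input and warnings for settings worth a second look."""
    if method not in METHODS:
        raise ValueError(f"unknown connection method {method!r}")
    target = BackupTarget(method=method)
    if method == "None":
        target.warnings.append("no backup will be performed; scheduled backup is disabled")
        return target

    if method == "Samba":
        # Documented format: //address/dir for the location, workgroup/user for the user
        m = re.match(r"^//([^/]+)/(.+)$", location)
        if not m:
            target.errors.append(f"Samba location {location!r} must look like //address/dir")
        else:
            target.host, target.directory = m.group(1), m.group(2)
            _check_host(target, target.host)
        wg = re.match(r"^([^/]+)/([^/]+)$", user)
        if not wg:
            target.errors.append(f"Samba user {user!r} must look like workgroup/user")
        else:
            target.workgroup, target.user = wg.group(1), wg.group(2)
    else:
        # FTP, FTP Passive and SFTP all use address/dir and a plain user name
        m = re.match(r"^([^/]+)/(.+)$", location)
        if not m:
            target.errors.append(f"{method} location {location!r} must look like address/dir")
        else:
            target.host, target.directory = m.group(1), m.group(2)
            _check_host(target, target.host)
        if not user:
            target.errors.append("user name is required")
        target.user = user

    if method in ("FTP", "FTP Passive"):
        # The archive holds the Policy Server configuration; FTP carries both the
        # credentials and the archive unencrypted across the network.
        target.warnings.append("FTP sends the password and the settings archive unencrypted; prefer SFTP")
    if not password:
        target.warnings.append("password is empty")
    return target


if __name__ == "__main__":
    for args in (("FTP Passive", "10.194.5.104/Sarah_FTP_Passive", "backup", "s3cret"),
                 ("Samba", "//192.168.1.10/archive", "marketing/nicole", "pw")):
        print(parse_backup_settings(*args))
```

The warning on FTP and FTP Passive is the point of the check: the backup file contains the full Policy Server settings, so the path it travels matters as much as the credentials used to store it.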


3.2 Backup Now

Once you have defined the appropriate settings, you can perform a manual backup by selecting Administration > Restore > Backup Now. You can add a description to the Backup in this screen, for example, Backup for May 2008. Then click Backup. The Backup file details will appear in the Restore screen.

3.3 Restore (Rollback)

During the Restore process the settings are read and uploaded back on to the disk. The Restore screen displays the scheduled or manual Backups with the following information:

Column Heading | Description
Date | Date the backup was performed
Type | Manual: Backups created manually. Scheduled: Backups scheduled for specific times. Automatic: Backups created automatically prior to a VSOS update.
Version | VSOS version in use when backup was created
Description | Description of the backup file

The Restore process consists of the following steps:

To restore settings:
1. To edit the Restore screen, click Edit on the right pane.
2. Make sure you have selected a Connection Method and collected some backups.
3. Click on the icon adjacent to the required backup and select Restore from the drop-down menu. A confirmation message is displayed.
4. Click Save to apply changes. Next, click .

4 Export/Import

The Export/Import menu allows you to export Security Policies, HTTPS Policies, Identification Policies and Identification Logging Policies from one Policy Server and import them into another. This feature provides added flexibility by allowing you to choose whether to overwrite existing Policies and Conditions or to save them on the destination Policy Server under a different name on the Management Console.


4.1 Export

The first step is to export the Policies from a source Policy Server. The settings are exported in an encrypted file and saved to a location of your choice (such as the local disk or network drive). This only refers to Policies, Rules and Conditions that the administrator has created; Finjan default Policies, Rules and Conditions will not be affected.

To export Policies, Rules and Conditions:
1. From the source Management Console, navigate to Administration > Export/Import > Export. The File Download message appears.

Figure 7-53: Saving file dialog box

2. Click Save and choose the location to save this file.

4.2 Import

This screen shows the imported Policy Databases in the destination Policy Server. You can choose to import selected items, overwrite selected items or save imported items under different names to avoid potential conflicts.

To import the Policies, Rules and Conditions:
1. In the destination Management Console, navigate to Administration > Export/Import > Import.

NOTE: This feature is dependent on the role defined for the administrator. In other words, items which the administrator does not have write permissions for will not be exported.


2. Right-click on the top level Import Policies heading and select Add import DB from the drop-down menu.

3. In the Import Policy screen, click Browse and select the file to be imported.
4. Click Import. The Folders for import appear in the Import Policies tree in the left hand pane.

Figure 7-54: Export/Import - Interim Stage

4.2.1 Imported Policies Tree

Once you have imported the back-up file, the following folders appear in the left hand pane in the Imported Policies tree:
- Policies
- Rules
- Conditions

NOTE: The settings have not, as yet, been imported into the destination Policy Server. This is an interim stage allowing you to resolve potential conflicts.

The Policies appear with the rules and conditions that they are comprised of displayed underneath. The items will be displayed in one of the following colors:

Color | Items Affected | Description
Red | Policies, Conditions | Item to be imported exists already on the destination Policy Server. Note that the conditions will only display as red under their respective folders and not under the Policies folder.
Yellow (folder icon) | Policies | Policy to be imported does not exist on the destination Policy Server (i.e., no conflict).
White | Conditions | Conditions to be imported do not exist on the destination Policy Server (i.e., no conflict).

In order to view information on each Policy, Rule and Condition, to assess whether or not to import it, left-click on the required object.

4.2.1.1 Security Policy Details - Import

Please refer to Security Policy Details for information on this screen.

4.2.1.2 Security Rule Details - Import

Please refer to Security Rule Details for information on this screen.

4.2.1.3 Security Condition Details - Import

Please refer to Condition Details for Security Policy Rules for information on this screen.

4.2.1.4 HTTPS Policy Details - Import

Please refer to HTTPS Policy Details for information on this screen.

4.2.1.5 HTTPS Rule Details - Import

Please refer to HTTPS Rule Details for information on this screen.

4.2.1.6 HTTPS Condition Details - Import

Please refer to Condition Details for HTTPS Policy Rules for information on this screen.


4.2.1.7 Logging Policy Details - Import

Please refer to Logging Policy Details for information on this screen.

4.2.1.8 Logging Rule Details - Import

Please refer to Logging Rule Details for information on this screen.

4.2.1.9 Logging Condition Details - Import

Please refer to Conditions for Logging Policy Rules for information on this screen.

4.2.1.10 Identification Policy Details - Import

Please refer to Identification Policies Tree for information on this screen.

4.2.1.11 Identification Rule Details - Import

Please refer to Identification Rule Details for information on this screen.

4.2.1.12 Identification Condition Details - Import

Please refer to Condition Details for Identification Policy Rules for information on this screen.

4.2.1.13 Identification Logging Policy Details - Import

Please refer to Identification Logging Policy Details for information on this screen.

4.2.1.14 Identification Logging Rule Details - Import

Please refer to Identification Logging Rule Details for information on this screen.

4.2.1.15 Identification Logging Policy Details - Import

Please refer to Conditions for Identification Logging Policy Rules for information on this screen.

4.2.2 Importing Policies and Rule Conditions

In order to import Policies, Rules and Conditions, expand the tree on the left pane, right-click on the respective Policies, Rules and Conditions and select Import.


Choosing to import a Policy displays the following information.

Figure 7-55: Import - Rename Policy

Field | Description
Policy Name | Name of the Policy
Action | You can select from a drop-down list to: Add as is: This action imports the Policy to the Management Console as is. Overwrite: This action imports the Policy to the Policy Server, thereby overwriting the Policy that exists with the same name. Rename: This action allows you to rename the Policy so as not to overwrite an existing Policy with the same name.
New Name | If you have chosen Rename in the Action above, then enter the new name for the Policy in this field.
Conditions | Conditions attached to this Policy can also be chosen to add as is or rename to avoid potential conflicts.
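The following Python model is an added example, not Management Console code, of how the Action choices above (Add as is, Overwrite, Rename) and the red, yellow and white status colors of the Imported Policies tree interact. It generalizes the single-item screen to a whole import set, and adds the check a practitioner would want: a New Name chosen for Rename must not itself collide with an existing item. The class and function names, the policy and condition names, and the rule that Add as is is refused for a red item are all assumptions.

```python
"""Conflict handling for the Export/Import interim stage.

Added example (not Management Console code) modelling the Action choices in
the table above, Add as is / Overwrite / Rename, and the red / yellow / white
status colors.  It extends the single-item screen to a whole import set and
checks that a chosen New Name does not itself collide.  Names are constructed.
"""
from dataclasses import dataclass, field

RED, YELLOW, WHITE = "red", "yellow", "white"
ACTIONS = ("Add as is", "Overwrite", "Rename")


class ImportConflict(Exception):
    pass


@dataclass
class Destination:
    """Names already present on the destination Policy Server, per item kind."""
    policies: set = field(default_factory=set)
    conditions: set = field(default_factory=set)

    def names(self, kind: str) -> set:
        return self.policies if kind == "policy" else self.conditions


def color_of(kind: str, name: str, dest: Destination) -> str:
    """Red: the name already exists; yellow (policy) / white (condition): no conflict."""
    if name in dest.names(kind):
        return RED
    return YELLOW if kind == "policy" else WHITE


def import_item(kind: str, name: str, action: str, dest: Destination, new_name: str = "") -> str:
    """Apply one Action and return the name the item has on the destination.
    Assumption made here: 'Add as is' on a red item is refused rather than
    silently duplicating a name."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    existing = dest.names(kind)
    if action == "Add as is":
        if name in existing:
            raise ImportConflict(f"{kind} {name!r} already exists; choose Overwrite or Rename")
        existing.add(name)
        return name
    if action == "Overwrite":
        existing.add(name)          # replaces the item of the same name
        return name
    if not new_name:
        raise ValueError("Rename requires a New Name")
    if new_name in existing:
        raise ImportConflict(f"New Name {new_name!r} also exists on the destination")
    existing.add(new_name)
    return new_name


def plan_import(items: list, dest: Destination) -> dict:
    """Preview what the tree would show before anything is applied."""
    return {(kind, name): color_of(kind, name, dest) for kind, name in items}


def demo() -> dict:
    # Constructed destination contents and import set.
    dest = Destination(policies={"Default Security Policy", "Guest Policy"},
                       conditions={"Block Executables"})
    items = [("policy", "Guest Policy"), ("policy", "Contractor Policy"),
             ("condition", "Block Executables"), ("condition", "Block Archives")]
    colors = plan_import(items, dest)
    results = {}
    results["renamed"] = import_item("policy", "Guest Policy", "Rename", dest, "Guest Policy (imported)")
    results["added"] = import_item("policy", "Contractor Policy", "Add as is", dest)
    results["overwritten"] = import_item("condition", "Block Executables", "Overwrite", dest)
    try:
        # Renaming onto a name that already exists must be caught at the interim stage.
        import_item("condition", "Block Archives", "Rename", dest, "Block Executables")
        results["bad_rename"] = "accepted"
    except ImportConflict:
        results["bad_rename"] = "refused"
    return {"colors": colors, "results": results, "policies": sorted(dest.policies)}


if __name__ == "__main__":
    print(demo())
```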


Choosing to import a Condition Component displays the following information.

Figure 7-56: Import - Overwrite Condition

Field | Description
Condition Component Name | Name of the Condition Component
Action | You can select from a drop-down list to: Add as is: This action imports the Condition Component to the Management Console as is. Overwrite: This action imports the Condition Component to the Policy Server, thereby overwriting the Condition Component that exists with the same name. Rename: This action allows you to rename the Condition Component so as not to overwrite an existing Condition Component with the same name.
New Name | If you have chosen Rename in the Action above, then enter the new name for the Condition Component in this field.

4.2.3 Export/Import Troubleshooting

When importing a Condition from one Policy Server to another, and one of the components in the Condition does not exist on the target Policy Server, you will receive an error message. There are two possible reasons for this issue and hence two possible ways to solve it:
- One of the Finjan predefined lists has had a component added. In this situation, make sure you have the latest Security Update Version installed on the target Policy Server and repeat the Import process.
- One of the Customer defined lists has had a component added. In this situation, save the list in the source Policy Server under a different name.

5 Updates

Updates includes both Updates Management options and Management Configuration options, allowing you to configure and upload Updates.

Figure 7-57: Updates

5.1 Updates Management

In the Main Tool bar, navigate to Administration > Updates Management to display the Updates Management options. This screen allows you to upload the various updates for both security and software releases onto your Appliance. This screen contains three tabs:
- Available Updates
- Installed Updates
- Update Key

5.1.1 Available Updates

The Available Updates tab displays all currently available updates and provides options for uploading local or remote updates to be installed.

Figure 7-58: Available Updates

NOTE: In order to provide you with the correct update for your system, while contacting the update site Finjan will automatically receive information on the current software release you are using.


The following information is displayed:

Field | Description
Plus Sign | Click to expand. The Available Update will display the relevant Release Information. Click on the link to view the associated Release Notes (if applicable).
Drop-down menu Icon | Left-click on this icon to display the drop-down menu. Install Now: Select this option to install the Available Update. Delete: Select this option to delete the Available Update.
Status | This column indicates the retrieval status of the available update. A tick indicates that the available update has been retrieved successfully. An hourglass indicates that the available update is in the process of being installed/uploaded. A cross indicates that the install/upload has failed.
Type | This column indicates what type of update is available, for example, security update, software release update, maintenance update.
Release Date | This column indicates the date that this release became available for update (YYYY:MM:dd HH:mm:ss).
Description | This column provides a brief description of the available update.

To upload local updates:
1. Click Import Local Update. An Import Local Update screen appears.
2. Click Browse to navigate to the local location containing the required updates (provided to you by Finjan), and then click Import.
Or,
3. If you have been provided with a URL, enter this URL in the URL field, and then click Import.
4. Wait several minutes for the updates to be uploaded. A message will display telling you the Upload is in progress.
5. Next, follow the procedure described in To install an available update.

To upload remote updates:
1. If you are working remotely, click on Retrieve Updates.
2. Wait several minutes for the updates to be uploaded.
3. Next, follow the procedure described in To install an available update.

To install an available update:
1. Click next to the required update and select Install Now from the drop-down menu. The tick icon will change to an hourglass icon.
2. You will receive messages from the system updating you on the progress of the installation. If the icon turns into a cross, this means the upload has failed.
3. Once the update has been installed, it will disappear from the Available Updates screen and will display on the Installed Updates screen.

To delete an available update:
1. Click next to the update and select Delete from the drop-down menu.
2. The update is deleted.

NOTE: A successful retrieval of an update is indicated by a tick in the status column of the available updates tab.

NOTE: An update cannot be deleted once an installation has started.

5.1.2 Installed Updates

The Installed Updates tab displays the updates both automatically and manually installed.


Figure 7-59: Installed Updates

The following information is displayed:

Field | Description
Plus Sign | Click to expand. The Installed Update will display the relevant Release Information. Click on the link to view the associated Release Notes (if applicable).
Type | This column indicates what type of update is available, for example, security update, software release update, maintenance update.
Release Date | This column indicates the date that this release became available for update (YYYY:MM:dd HH:mm:ss).
Install Date | This column indicates the date that this release was installed (YY:MM:DD HH:MM:SS).
Description | This column provides a brief description of the available update.

5.1.3 Update Key

The Generate Update Key is primarily designed for customers who are using the appliance in an isolated network that is not connected to the Internet. Using this key, you can download updates using an Offline Updates application.

NOTE: This feature requires a special license. For more information on Offline Updates, please contact your Finjan representative and/or refer to the Offline Updates Technical Brief.

Select Copy to Clipboard to copy the key to a clipboard.

Figure 7-60: Update Key

5.2 Update Configuration

The Update Configuration screen allows you to define the location from which updates will be retrieved, as well as when the downloads should begin and the frequency at which they should take place. You can also configure which of the updates should be automatically installed. To edit the Update Configuration screen, click Edit.


Figure 7-61: Updates Configuration

In the Update Configuration, the following types of updates can be automatically installed:
- Security
- VSOS Version Update

The following information is displayed in this section:

Field | Description
URL | Define the location from which updates will be retrieved.
Automatic Install - Security | These updates include the following:
  - Security updates released by MCRC which contain updates and new rules relating to proprietary Finjan engines such as the Vulnerability Anti.dote and the Behavior-Based Engine.
  - Third party software updates (Anti-Virus and URL Categorization engines).
  - Database updates for the data elements behind the system including the 3rd party security engine updates such as Anti-Virus signatures and URL categorization.
  - All Maintenance Updates.
Automatic Install - VSOS Version Update | These updates include Major and Minor Software Releases.

NOTE: By default, only the Security updates are automatically installed. This is because these do not interfere with system performance.

The Proxy Configuration section is used when the Internet connection is blocked for the Vital Security appliance and information is routed through a next proxy so that you will still receive Updates. The following information is displayed in this section:

Field | Description
Proxy Server | This is the IP address for your organization's next proxy.
Port | This is the port for your organization's next proxy.
User Name | This is the User Name required to access that proxy.
Password | This is the Password required to access that proxy.

In the Scheduling section, you can change the schedule for downloading the update configuration (i.e. the Download Interval). The following information is displayed in this section:

Field | Description
Start Date | This defines the start date (YYYY:MM:dd).
Start Time | This defines the start time (HH:mm:ss).
Download Every... days / hours / minutes | This defines the download frequency (dd:hh:mm).
Do not retrieve updates automatically | You can also choose not to retrieve the updates automatically. This refers to all types of updates: Security, VSOS version and third party. This option can be used in conjunction with the Offline Updates option or on its own.

6 Alerts

The Alert menu allows you to monitor the main modules and components of the system. Vital Security will notify you of system events, application events or update events. There are two different channels of Alerts communication (in addition to System Log messages): Email messages and SNMP notification.

6.1 Alert Settings

Settings can be set for Email messages and SNMP notification. For each of the event types (System, Application and Update Events), select the corresponding SNMP checkbox, or email alert checkbox and specify the email addresses to which the alert will be sent. Use the plus icon to add or delete rows of email addresses.

NOTE: The Email option is enabled only if the Enable Sending Email checkbox in the Administration > Alerts > Email screen is enabled. The SNMP option is enabled only if the Enable Trap Sending checkbox in the Administration > Alerts > SNMP screen is enabled.


Figure 7-62: Alerts

The following table details the alerts available for each system event.

SNMP and Email Alerts
System Events:
- Hard Drive Threshold
- System Load
- Memory Usage Threshold
Application Events:
- Emergency Policy Selected
- Archive Upload Failed
- Backup Failed
- Log Handler Down
- Scanning Process is Unexpectedly Down
- License Expiry
- License Modification or Update
- Active / Standby Policy Server
- No Connection to Policy Server for Past Hour. Security Updates are Not Installed!
- Connection to Policy Server Restored
- Authentication Device is Unexpectedly Down or Not Responding
- Connection to Email Server Failed
Update Events:
- OS Update Available
- Security Update Available
- Security Update Failed
- OS Update Failed
- Security Update Successfully Installed
- OS Update Successfully Installed
- Could Not Download the Update File
- Error in Validating Checksum
- Update Failed due to Internal Error
- Received Update with Unsupported Version
- Update Exceeded Maximum Installation Time
- Could not find the Update File
- The Update File was not Created Properly
- Update Installed Successfully
- OS Update Available
- Security Updates Available
- Update Added to Available Updates
- Update already Installed
- Update already Exists
- A Later Version of Update Exists
- Installing Update
- Update Dependence Problem
- All Scanners in the topology must have the same VSOS as Policy Server before you start Update Process
- Update Installer - Cannot install OS Update when Standby Policy Server VSOS is different from Active Policy Server Version

Below is an example of an email alert for a System Event:

Figure 7-63: Example of Email Alert

After making any changes in the Alerts screen, click Save to apply changes, else Cancel.


6.2 Email

The Email Settings screen refers to the Simple Mail Transfer Protocol (SMTP) Server information which controls sending of emails for the following: system events, application events, software updates. To edit the Email Settings screen, click Edit on the right hand pane.

Figure 7-64: SMTP Server Settings

The table below provides an explanation of the fields:

Field Name | Description
Enable Sending Email | Enables Emails to be sent.
Hostname/IP | This is the IP address of the SMTP Server you are using (e.g. mail.finjan.com).
Port | Defines the port that the SMTP Server uses; this is usually Port 25.
User Name | User name for SMTP Authentication (e.g. VS_NG). This is optional, depending on your SMTP requirements.
Password | Password for SMTP Authentication (optional, depending on your SMTP requirements).
Originating Domain | The email alerts originate from this pre-defined user and domain name, using the machine name in the email alias name (e.g. CustomerDomain.com).
Test Recipient | This is a test email address to validate that the messages are being received. For example, [email protected]


Click on Test to send a sample email alert to the test recipient email address.

6.3 SNMP

The Simple Network Management Protocol (SNMP) is an application-layer Internet protocol designed to facilitate the exchange of management information between network devices. The SNMP Settings screen allows you to monitor the main modules and components of the system. Vital Security supports both SNMP v2.c and SNMP v3.

SNMPv2.c revises SNMPv1 and includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. SNMPv2.c adds and enhances some of the SNMPv1 protocol operations. SNMPv3 provides secure access to devices by a combination of authentication and encryption over the network (i.e. it includes authentication, privacy, and access control).

The SNMP Settings screen comprises two tabs:
- General
- SNMP Version

6.3.1 General

The General tab allows you to configure the SNMP protocol for MIB monitoring / Trap sending, as well as the ports. This section also enables configuration of the Hostname/IP destination servers for receiving the SNMP traps.

To configure the SNMP settings:
1. To edit the SNMP Settings screen, click Edit.
2. Check Enable MIB monitoring so that the Vital Security management system can be queried to get the MIB information, and define the corresponding Listening Port (i.e. SNMP queries are performed against the specified port number; port 161 is the default).
3. Check Enable Trap Sending to enable Vital Security to send traps and define the corresponding Trap Port (port 162 is the default).
4. The Community field (enabled for SNMPv2.c only) is the group that the devices and management stations running SNMP belong to. It should be defined as required. The default string is "public".
5. Three possible destination servers have been provided; you can configure the traps to be sent to any or all of these servers. If the checkbox next to the IP is unchecked, the remote server will not receive the SNMP trap. The trap destination is usually defined by an IP address, but can be a host name if the device is set up to query a Domain Name System (DNS) server.


Figure 7-65: SNMP - Configure Settings

6. The Test button allows you to test that the traps are successfully sent to the SNMP servers. A test message will be sent to the defined server with the SNMP name, IP and Vital Security Software Version.

7. Click Save to apply changes. Next, click .

6.3.2 SNMP Version

The SNMP Version tab is used to define which version of SNMP the system works with: SNMPv2.c or SNMPv3.

Figure 7-66: SNMP Version

If you select SNMPv2.c you need to enter a community name.

SNMPv3 - SNMP MIB Monitoring: The Management Information Base (MIB) is a database of objects that can be monitored by the network management system (SNMP). This collection of information is organized hierarchically and comprises managed objects identified by object identifiers. (For more information on MIB, please refer to the How to use SNMP Monitoring feature description.)


Figure 7-67: SNMP MIB Monitoring

The Monitoring parameters define the security protocol and encryption methods used to obtain information from the SNMP agent on the machine. The information retrieved is part of a MIB. The table below provides a detailed explanation of the fields:

Field Name | Description
Security Name | SNMP user name. If the Security Name in the SNMP MIB Monitoring section is the same as in the SNMP Traps section, then the rest of the parameters must be the same as well.
Authentication Key | Authentication is performed by using the user's authentication key to sign the message being sent.
Security Level | Messages can be sent unauthenticated, authenticated, or authenticated and encrypted.
Authentication Protocol | Either MD5 or SHA (verification checksums).
Encryption Key | Encryption is performed by using the user's encryption key, which encrypts the data portion of the message being sent.

NOTE: The authentication / encryption options are enabled only when the corresponding Security Level is selected. The encryption mode or privacy protocol used is DES (encryption algorithm).

SNMPv3 - SNMP Traps: SNMP traps are deployed as a means of notifying the management station of specific events by way of an SNMP message. SNMPv3 mandates that trap messages are rejected unless the SNMPv3 user sending the trap already exists in the user database. The user database in an SNMPv3 application is referenced by a combination of the user's name (Security Name) and an identifier for the given SNMP application (engineID).


Figure 7-68: SNMP Traps

The table below provides an explanation of the fields:

7 System Information

The System Information screen provides a simple way for the administrator to view the status of the system with respect to license and module information such as available modules, versions, license expiration date etc. The System Information screen comprises three tabs:

Field Name DescriptionSecurity Name SNMP user name. If the Security name in the

SNMP MIB Monitoring section is the same as in the SNMP Traps section, then the rest of the parameters must be the same as well.

Authentication Key Authentication is performed by using the user’s authentication key to sign the message being sent.

Encryption Key Authentication is performed by using the user’s encryption key which encrypts the data portion of the message being sent.

Security Level Messages can be be sent unauthenticated, authenticated, or authenticated and encrypted.

Authentication Protocol

Either MD5 or SHA (verification checksums)

EngineID This is an identifier for the given SNMP application.

NOTE: The encryption mode or privacy protocol used is DES (encryption algorithm).

245 Chapter 7 - Administration

Page 253: Management Console Reference Guide - Trustwave · The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs

M a n a g e m e n t C o n s o l e R e f e r e n c e G u i d e

GeneralLicensed ModulesInstalled Components

7.1 General

The General tab includes the Appliance Serial Number (eth0 interface of the Policy Server), the number of licensed seats (system users) and the license expiration date.

Figure 7-69: System Information - General

7.2 Licensed Modules

The Licensed Modules tab includes Finjan and third party engine licenses.

Figure 7-70: System Information - Licensed Modules


7.3 Installed Components

The Installed Components tab displays information per component and includes the Component name (i.e. the VSOS, update, engine and data file) together with the corresponding Version, Release date and Install date.

Figure 7-71: System Information - Installed Components

8 Change Password

The Change Password screen allows the administrator to change passwords when necessary.


Figure 7-72: Change Password

CHAPTER 8

HELP

1 Help

The Help menu contains the following options:

Figure 8-1: Help Menu

Help
Manuals
External Links
About

1.1 Help

The Online Help is composed of detailed information and procedures per screen, designed to help you navigate the Management Console and perform configuration and monitoring tasks. In addition to the Online Help found here, you can click the Help icon (or press F1) at the top of each screen to receive a context-sensitive help page showing just the information relevant to that screen.

1.2 Manuals

Three core manuals are provided with the Vital Security Management Console:

Management Console Reference Guide (this manual): This Reference Guide provides an expansive and thorough navigation through the Vital Security Policy Server Management Console, with detailed examples and tutorials to aid administrators in their daily tasks.

Security Policies In-Depth: The Finjan predefined Security Policies for HTTP and HTTPS are detailed in this manual. Rule demonstrations, courtesy of the Malicious Code Research Center (MCRC), provide the administrator with hands-on material with which to validate the Security Rules.

Setup and Configuration Guide (Limited Shell): This Guide provides detailed procedures on all aspects of setup and configuration for the Vital Security System, and includes interoperability details with third-party clients.

1.3 External Links

The following links are supported:

MCRC: Directs you to the MCRC subsite on Finjan.com. The Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet and email applications as well as other popular applications. MCRC's goal is to stay steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worms and viruses. MCRC researchers work with the world's leading software vendors to help patch their security holes, as well as contribute to the development of next generation defense tools for Finjan's proactive secure content management solutions.

Finjan web: Directs you to the Finjan Website.

Access Finjan Support: Directs you to the Support site on the Finjan website, where you can choose among the many options, including opening a Case Form and looking through helpful articles on the Vital Knowledge Portal.

1.4 About

Contains information about the Vital Security product.

APPENDIX 9

REPORTS

The following table contains a list of the Reports for 9.0, designed to provide ease-of-use and flexibility. Reports are grouped by category; each entry gives the report name followed by its description.

Anti-Virus

Top Viruses: A summary report displaying the most frequent viruses found by the Sophos/McAfee/Kaspersky anti-virus engine, sorted by the number of viruses found.

Compliance

Security Policy Violations: This report displays all security policy violations. It counts the number of violations per policy rule. Use this report to review your company's compliance with the defined security policy.

Transaction Usage by Hour: This report displays the specific hours that users are surfing the Internet, thereby showing productivity by time, traffic peaks, etc. The information in the report is dependent on the Logging Policy.

User Transactions with Legal Liability by Users (Websense/IBM Proventia): This report displays blocked websites that might have exposed the company to legal liability issues. The information in the report is dependent on the Logging Policy.

Potential Disclosure of Confidential Information: This report displays all blocked upload attempts of Microsoft Office documents.

IT Operation

Infected Users Machines: This report displays the IP addresses of computers detected trying to send malicious code, and hence shows which computers need treating. The information in the report is dependent on the Logging Policy.

Traffic Analysis by Content Type: This report displays traffic analysis details by content type, e.g. how many images were sent, how many executables were downloaded, etc. The information in the report is dependent on the Logging Policy.

Traffic Analysis by Hour: This report displays the traffic analysis according to the specific hour of the day, thereby showing when the highest load occurs. The information in the report is dependent on the Logging Policy.

Traffic Analysis by User: This report displays the traffic analysis details according to the most active users. The information in the report is dependent on the Logging Policy.

Client Computers With Trojans: This report displays the IP addresses of computers with Trojans installed on them, detected trying to communicate over the Internet. The information in the report is dependent on the Logging Policy.

Instant Messaging and P2P

Instant Messaging Activity: This report provides in-depth details as to how many users are Instant Messaging and what specific applications and operations they are using. The information in the report is dependent on the Logging Policy.

Use of Instant Messaging by User: This report displays Instant Messaging Activity per user name. The information in the report is dependent on the Logging Policy.

Productivity

Most Visited Website Domains: This report displays the most visited URLs by users.

Risk Assessment - Business usage (Websense / IBM Proventia): This report allows you to assess Web usage for business reasons by users. The information in the report is dependent on the Logging Policy.

Most Visited Website Categories (Websense / IBM Proventia): This report displays the most visited website categories by users, thereby showing the type of content users are looking at. The information in the report is dependent on the Logging Policy.

Risk Assessment - Employment (Websense / IBM Proventia): This report allows you to assess the employment risk based on the number and frequency of employment websites visited by users. The information in the report is dependent on the Logging Policy.

Risk Assessment - Legal Liability (Websense / IBM Proventia): This report allows you to assess the legal risks based on the type and frequency of websites visited by users. The information in the report is dependent on the Logging Policy.

Risk Assessment - Productivity Loss (Websense / IBM Proventia): This report allows you to assess the productivity risk based on the type and frequency of websites visited by users. The information in the report is dependent on the Logging Policy.

Website Categories Violating Policy (Websense / IBM Proventia): This report displays website categories that violated the security policy, indicating potentially malicious site categories that users requested to visit. The information in the report is dependent on the Logging Policy.

Web Security

Adware Sites Accessed by User: This report displays the number of adware sites accessed by the user.

Anti-Virus (Sophos / Kaspersky / McAfee): This report displays the name and number of viruses detected and blocked by Kaspersky / Sophos / McAfee, with their original URL.

Known Threats - Signature Based: This report displays the malicious code detected by Vital Security's third-party engines and lists.

Policy Rules Violations: This report displays the number of violations for each Security rule.

Potentially Malicious Websites (Websense / IBM Proventia): This report displays the websites, according to URL categories, that were blocked for being potentially malicious.

Security Policy Violations - (Script Behavior): This report displays the URLs that were blocked due to script behavior policy violations.

Security Policy Violations - (Binary Behavior Profile): This report displays the URLs that were blocked due to binary behavior policy violations.

Repaired Pages with Suspicious Code: This report displays the list of URLs that were repaired by the HTML Repair feature. (Note that the HTML Repair feature must be enabled for this report to display the relevant information.)

Security Policy Violations by URL: This report shows and counts all URLs that were blocked per Security rule.

Spyware Sites Accessed by User: This report shows and counts the number of spyware sites accessed by the user.

Unknown Threats - Behavior Based: This report displays all threats that were detected by Vital Security's proprietary behavior-based technology.

APPENDIX 10

END USER MESSAGES

The following Message Texts are used in the Page Blocked End User Messages sent when a URL is blocked (or coached).

Each entry lists the End User Message name, the Page Block Message Text, and the Security Policy Rule it applies to (if any). Entries without a Rule line are not tied to a specific Security Policy rule.

Active Content List
  Message: Blacklisted active content: <binary_profile_list>. Transaction ID is <ID no.>
  Rule: Block ActiveX, Java Applets and Executables by ACL

Application Level Vulnerability Detected
  Message: The page you requested was blocked because it attempts to exploit an application level vulnerability. Transaction ID is <ID no.>
  Rule: Block Application Level Vulnerabilities

Archive Assembly Error
  Message: The item you requested contained a forbidden object. Transaction blocked. Transaction ID is <ID no.>

Binary VAD Violation
  Message: Binary content was blocked due to discovered exploit. The violation is <binary_vad>. Transaction ID is <ID no.>
  Rule: Block Binary VAD Vulnerabilities

Blacklisted URL
  Message: Access Denied! Access to this URL: <site URL> is forbidden. Transaction ID is <ID no.>
  Rule: Block Access to Blacklisted Sites

Blocked Adware URL
  Message: Access Denied! The requested URL is an Adware site. Transaction ID is <ID no.>.
  Rule: Block Access to Adware Sites

Blocked Binary Exploit In Textual File
  Message: Potential Binary Exploit detected! An attempt was made to download a textual file with binary content. Transaction ID is <ID no.>
  Rule: Block Binary Exploits in Textual Files

Blocked since AV could not scan
  Message: The file you are trying to download could not be scanned by AV. Transaction ID is <ID no.>
  Rule: Block Unscannable (Sophos/McAfee/Kaspersky)

Blocked Spyware URL
  Message: Access Denied! The requested URL is a Spyware site. Transaction ID is <ID no.>
  Rule: Block Access to Spyware Sites

Blocked URL Category
  Message: Forbidden URL. URL Category is <Websense_category>, <IBM Proventia>. Transaction ID is <ID no.>
  Rule: Block Access to High-Risk Site Categories (Websense)

Certificate Validation Mismatch
  Message: The detected certificate validation mismatch is <certificate_validation_mismatch>. Transaction ID is <ID no.>
  Rule: Block Certificate Validation Errors

Container Type
  Message: Forbidden container type: <container_type>. Transaction ID is <ID no.>

Container Violation
  Message: Container Violation: <container_violation>. Transaction ID is <ID no.>
  Rule: Block Potentially Malicious Archives; Block Illegitimate Archives (Including Password-Protected Archives)

Corrupted Container
  Message: The file you are trying to download is corrupted. Transaction ID is <ID no.>

Digital Signature Violation
  Message: Active content was blocked due to digital signature violation. The violation is <digital_signature_violation>. Transaction ID is <ID no.>
  Rule: Block Binary Objects without a Digital Certificate; Block Binary Objects with Invalid Digital Certificate

Emergency Policy Active
  Message: Due to an elevated security risk, only access to specified sites is currently allowed. Transaction ID is <ID no.>

Fatal Error
  Message: The service is unavailable, please try again later. If the problem persists, please contact the administrator.

File Extension
  Message: Forbidden file extension: <file_extension>. Transaction ID is <ID no.>
  Rule: Block Blacklisted File Extensions; Block Files With COM Extension

File Spoofed as Archive Detected
  Message: An attempt was made to spoof an ordinary file as an archive file. Transaction ID is <ID no.>

Forbidden Content Size
  Message: Forbidden content size: <size_category>. Transaction ID is <ID no.>

Forbidden Direction
  Message: Forbidden direction: <direction>. Transaction ID is <ID no.>.

Forbidden Header Field
  Message: Forbidden header field: <header_fields>. Transaction ID is <ID no.>.

Hash Scanner
  Message: Known malicious content found in list <static_content_list> was stopped. Transaction ID is <ID no.>
  Rule: Block Known Malicious Content

Instant Messenger Detected
  Message: Access Denied! Use of IM is not allowed. Transaction ID is <ID no.>
  Rule: Block IM Tunneling

Internal Error
  Message: The service is unavailable, please try again later. If the problem persists, please contact the administrator.

Malicious Behavior Detected
  Message: Malicious Behavior Detected! The page or file you requested contains malicious code. Transaction ID is <ID no.>
  Rule: Block Malicious Scripts by Behavior; Block Malicious ActiveX, Java Applets and Executables; Block Unscannable Web Pages and Scripts

Mobile Malicious Code: Binary
  Message: Active content violation. The violation is <binary_behavior_profile_names>. Transaction ID is <ID no.>

Mobile Malicious Code: Scripts
  Message: Found behavior blocking violation. The violation is <script_behavior_profile_names>. Transaction ID is <ID no.>

Multiple Extensions
  Message: Forbidden file extension: multiple extensions. Transaction ID is <ID no.>
  Rule: Block Files with Suspicious Multiple Extensions

Old or Unsafe Browser
  Message: An old or unsafe browser is used. Transaction ID is <ID no.>.

Outgoing Microsoft Office File Detection
  Message: Transmission of Office Documents is blocked. File type: <file_extension> <content_type_name>. Transaction ID is <ID no.>
  Rule: Block Outgoing Microsoft Office Documents

Partial Download Detected
  Message: Access Denied! Partial download detected. Transaction ID is <ID no.>.

Policy Violation
  Message: Policy Violation. Transaction ID is <ID no.>.

Potential Shellcode Detected
  Message: Potential shellcode exploit detected. Transaction ID is <ID no.>.

Service Stopped
  Message: Service is stopped. Transaction ID is <ID no.>.

Spoofed Content Detected
  Message: An attempt was made to download a spoofed file. The spoofing type is: <spoofing_type>. Transaction ID is <ID no.>
  Rule: Block Spoofed Content

Spoofed Executable Detected
  Message: Spoofed executable detected! An attempt was made to download a disguised executable file. Transaction ID is <ID no.>

Spyware Behavior Detected
  Message: Spyware Behavior Detected! The requested file or page contains Spyware: <spyware_name>. Transaction ID is <ID no.>
  Rule: Block Known Spyware (CLSID)

Suspected Trojan Traffic Detected
  Message: Suspected Trojan traffic detected. Access to the Internet is blocked.
  Rule: Detect Known Trojan Network Activity

Spyware Object Detected
  Message: Spyware Detected! An attempt to download a forbidden Spyware program has been blocked. <spyware_name>. Transaction ID is <ID no.>
  Rule: Block Known Spyware (ACL)

Suspicious File Type Detected
  Message: Forbidden File Type! An attempt was made to download a forbidden file type. Transaction ID is <ID no.>
  Rule: Block Microsoft Office Documents containing Macros and/or Embedded Files; Block Suspicious File Types

Temporary Error
  Message: The service is unavailable, please try again later. If the problem persists, please contact the administrator.

Time Frame
  Message: Forbidden time: <time_frame>. Transaction ID is <ID no.>.

Type Detector
  Message: Forbidden data type. The data type is <content_type_name>. Transaction ID is <ID no.>
  Rule: Block Unscannable Archives; Block Potentially Malicious Packed Executables

Unscannable Content Detected
  Message: Unscannable content detected! The page or file you requested contains unscannable ActiveX, Java Applets or Executables. Transaction ID is <ID no.>
  Rule: Block Unscannable ActiveX, Java Applets and Executables

URL List
  Message: Found item in a forbidden URL list. The URL is <url_list_name>. Transaction ID is <ID no.>.

Virus Detected
  Message: Virus Detected! The page or file you requested is infected with the following virus <McAfee_virus_name> <Sophos_virus_name> <Kaspersky_virus_name>. Transaction ID is <ID no.>
  Rule: Block Known Viruses (Sophos/McAfee/Kaspersky)

Wrong Configuration Error
  Message: The service is unavailable, please try again later. If the problem persists, please contact the administrator.