WHITE PAPER: ENTERPRISE SECURITY

Extending Malware Detection: Utilizing Symantec Protection Suite to its fullest by deploying Symantec Web Gateway
Contents
Introduction and Requirements  3
Quick Start  4
Download and Deployment of Symantec Web Gateway  5
  Downloading Symantec Web Gateway  5
  Deploying a virtual Symantec Web Gateway  6
Configuration of Symantec Web Gateway  7
Working with Symantec Web Gateway  11
Extending Malware Detection: How Symantec Web Gateway can help detect malicious and unwanted network traffic.
Introduction and Requirements

Symantec Web Gateway (SWG) protects organizations against multiple types of Web-borne malware and can be deployed either as a virtual appliance or on physical hardware. It is powered by Insight, Symantec's reputation-based malware filtering technology, which relies on a global network of more than 210 million systems to identify new threats before they cause disruption in an organization. Symantec Web Gateway can be deployed in different ways to provide detection and protection against threats and to enforce acceptable use policies. This white paper focuses on deploying a virtual Symantec Web Gateway in Port Span/TAP mode: a non-intrusive, easy to set up, out-of-band monitoring deployment. Because the appliance only receives a copy of the traffic, this method does not require displacing any existing product in your environment and cannot cause a service interruption or performance degradation on the monitored path. Note that in this mode the appliance observes, reports and alerts; it is not inline and therefore does not block traffic. The following list outlines the requirements to operate a virtual Symantec Web Gateway in this mode:

- ESX / ESXi server with enough available resources (the appliance requires 8 GB of RAM and 90 GB of disk space)
- Mirror port / monitoring port / TAP device configured to copy client-initiated traffic to and from the internet
- Virtual switch on ESX / ESXi connected to a NIC that is cabled to the mirror port / TAP device output
- Symantec Web Gateway virtual appliance (OVF file)
- IP address for the Symantec Web Gateway management interface
- Unrestricted internet access for Symantec Web Gateway (TCP ports 80 and 443)
- List of internal networks, SMTP hosts and proxy servers
- Your Symantec Protection Suite Enterprise Edition license file (SLF)
The time to deploy and configure Symantec Web Gateway should be less than 30 minutes (excluding download time).
Quick Start

The steps below outline the high-level tasks required to successfully deploy a virtual Symantec Web Gateway to ESX / ESXi.

1. Download the virtual appliance
   - https://fileconnect.symantec.com
   - Use the serial number from your existing license certificate
   - Extract the downloaded archive
2. Gather the required network details
   - IP address details for Symantec Web Gateway
   - List of internal networks
   - Proxy server addresses (all)
   - SMTP server addresses (all)
3. Prepare the mirror / span / tap
   - Set up monitoring close to the internet exit
   - Client-initiated traffic is the most important
   - Connect the monitoring cable to a NIC on the ESX / ESXi server
4. Prepare ESX / ESXi
   - Ensure resources are available (8 GB RAM, 90 GB HDD)
   - Create a vSwitch using the NIC which has the monitoring cable connected
5. Deploy the virtual appliance (OVF template)
   - Using the vSphere client, deploy the virtual appliance
   - NIC assignment: 1 -> Management Network, connect to the proper vSwitch/port group; 2 -> WAN Network, do not connect; 3 -> LAN Network, do not connect; 4 -> Monitor Network, connect to the "monitor vSwitch"
6. Change the IP address
   - Log in to the Symantec Web Gateway console: admin / admin1!
   - Select option 5, then option 3, to set an IP address
7. Complete the Setup Assistant
   - Connect to Symantec Web Gateway via a browser
   - Use the Symantec Protection Suite license file (SLF) when prompted
   - Create an admin account (different from the console admin account)
   - Select Monitor and Port Span/TAP mode
   - Configure an outbound proxy if required (unauthenticated)
8. Administration -> Configuration tasks
   - Define internal networks
   - Define servers (known SMTP and proxy servers at minimum)
   - Define the email relay for alerts and reports
   - Enable the Application Control module
   - Enable the Insight module
   - Configure Reports to ignore DNS/WINS (unless DNS is properly configured)
9. Policies -> Configuration tasks
   - Create a new policy
   - Applicable to all computers
   - Monitor active content and spyware
   - Monitor all applications (fine-tune if required)
   - Save and Activate Changes
10. Using Symantec Web Gateway
   - Ensure updates are occurring (set to automatic by default)
   - Create custom reports if required (for example, show all file uploads)
   - Schedule automated report delivery via email
The remainder of this document covers the download, installation and configuration in more detail.
Download and Deployment of Symantec Web Gateway

Downloading Symantec Web Gateway

The software can be obtained from Symantec's FileConnect web site at https://fileconnect.symantec.com. Browse to the web site and enter your serial number, which can be found on the Symantec Protection Suite Enterprise Edition license certificate.
Once logged in, download the two Symantec_Web_Gateway_5.1_vmimage_EN files:
- Symantec_Web_Gateway_5.1_vmimage_EN.part1.exe
- Symantec_Web_Gateway_5.1_vmimage_EN.part2.rar
The total download size is around 3.2 GB.
After successfully downloading these two files, execute Symantec_Web_Gateway_5.1_vmimage_EN.part1.exe to recreate the archive named Symantec_Web_Gateway_5.1_vmimage_EN.zip. Extract the content of the zip file (vmdk, ovf, mf) to a location from which you can upload it via the vSphere client to the ESX server. Keep the .mf manifest alongside the other files: it carries the checksums of the OVF and VMDK files, which the vSphere client verifies during deployment, so a corrupted or tampered download is rejected rather than deployed.

Deploying a virtual Symantec Web Gateway

Launch the vSphere client and connect to the ESX / ESXi server. Before deploying Symantec Web Gateway, verify that a monitor vSwitch has been created. This vSwitch needs to be configured to use the physical adapter into which the cable from the mirror / SPAN destination port or the TAP device is connected. Ensure that promiscuous mode is enabled for this monitoring vSwitch; without it the virtual NIC only receives frames addressed to its own MAC address and the mirrored traffic is dropped. Enable promiscuous mode only on this dedicated monitor vSwitch (or its port group), because any virtual machine attached to a promiscuous port group can read all of the mirrored traffic. Another vSwitch / port group is used to connect to the management interface of Symantec Web Gateway.
Deploy the virtual appliance to the ESX / ESXi server. Do not change the hardware configuration of the template: the hard drive size is fixed to 90 GB and four network cards are present. The virtual image can be deployed thin or thick provisioned, with thick provisioning being recommended. Configure the network connections as follows:
- Network Card 1 -> Management interface; must be connected to a vSwitch / port group where the management IP address resides
- Network Card 2 -> WAN interface; NOT used in this deployment mode, so DISCONNECT this card (do not remove it)
- Network Card 3 -> LAN interface; NOT used in this deployment mode, so DISCONNECT this card (do not remove it)
- Network Card 4 -> Monitoring interface; must be connected to the vSwitch which receives the copied traffic
After successfully deploying the template, power the virtual appliance on and launch the console. The next step is to assign the IP address to Symantec Web Gateway. In the console window, log in to the appliance with the default credentials admin / admin1! (this is a published default; treat it as a credential to be changed and restrict console access to administrators). Select option "5 - Change/Test IP configuration" and then option "3 - set IP/disable DHCP". Enter the following network details:
- IP address assigned to Symantec Web Gateway
- Netmask
- Default gateway
- Primary DNS
- Secondary DNS (optional)
Symantec Web Gateway should be accessible by its IP address at this point. Continue with configuring the appliance in the next section.
Configuration of Symantec Web Gateway

Launch a browser (Firefox or Internet Explorer) and connect to the IP address assigned to Symantec Web Gateway to start the setup assistant. The setup assistant consists of six simple steps:
- Welcome: click Next
- License Agreement: select the checkbox to agree to the terms and conditions and click Next
- Install License: enter the company name and browse to the Symantec License File (SLF) for your organization, then click Next
- Server Type: use the default "Web Gateway" and click Next
- User Information: create an administrative account used to access the web interface and click Next
- Server Information: provide a name for the Web Gateway and accept the default mode "Monitor, Port Span/TAP" (network configuration has already been completed via the console), select the right time zone at the bottom of the page and, if a proxy server is required to connect to the internet, enter its details at the bottom as well (unauthenticated access is required), then click Next
Once the setup assistant is completed, the login screen will appear and the configuration can be completed.
Log in to Symantec Web Gateway and click Administration -> Configuration -> Network to define internal networks. Symantec Web Gateway needs to know which IP address ranges are considered internal in order to correctly identify and report on possible problems. Add all internal networks (or use classful / supernet ranges such as 10.0.0.0/8 or 192.168.0.0/16) and click Save.
Select Administration -> Configuration -> Servers to add the IP addresses of known proxy servers and of systems which are expected to generate SMTP traffic. Only add internal networks that are actually covered by the mirror / SPAN / TAP source configuration. For example, you could add 10.0.0.0 / 255.0.0.0 to include the whole RFC 1918 10.0.0.0/8 range.
Select Administration -> Configuration -> Email to configure the SMTP server settings for email notifications and alerts. Click Save.
Select Administration -> Configuration -> Modules to enable Application Control. Content Filtering (URL filtering) requires an additional license. Click Save.
Select Administration -> Configuration -> Insight and enable Insight, leaving the default values. Click Save.
Select Administration -> Configuration -> Reports and uncheck the name resolution boxes (leave them checked only if reverse DNS / WINS resolution is properly configured for the monitored networks). Click Save.
Create a default policy which will monitor all client activity. Select Policy -> Configuration -> Create a New Policy:
- Provide a policy name
- Ensure that the policy applies to "All Computers"
- Scroll down to Spyware Default and select "Monitor"
- Scroll down to Application Control Categories and select "Monitor All"
- Select Save
Activate the newly created policy by clicking on "Save and Activate Changes".
At this point Symantec Web Gateway is configured with a basic policy, and automated updates are enabled to ensure the latest definitions are used to inspect traffic.

Working with Symantec Web Gateway

Symantec Web Gateway comes with many pre-defined reports that allow administrators to detect problems and interesting events easily. Filters such as date and time, source hosts or detection types can be applied to most reports. The Executive Summary report displays summaries of traffic processed, detections of malware and applications, and appliance status details. By default, no filter is applied and the summary includes all detection types.
The Botnet Report contains details about suspect and active botnet clients. Detection of possible botnet activity in the network is one of the most useful features of Symantec Web Gateway.
A Suspect botnet client has communicated with an IP address which is a known command and control server, but there is no further evidence of an actual infection yet. An Active botnet client has, in addition to communicating with known command and control systems, shown atypical behavior in the network, such as performing port sweeps against multiple hosts; Symantec Web Gateway flags such a client as an active botnet client. Because the appliance runs out-of-band in Port Span/TAP mode, these detections are reported and alerted on, not blocked. The Client Applications report displays information about applications detected in the network traffic. Symantec Web Gateway is able to detect more than 90 different applications based on network fingerprints, allowing an administrator to identify clients that run potentially unwanted applications.
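The classifications this paper relies on (internal networks and expected SMTP servers defined under Administration -> Configuration, and the suspect/active botnet distinction described above) can be illustrated with a small Python reimplementation. This is an added example, not Symantec Web Gateway code and not its actual detection algorithm: the flow-record format, the command-and-control address list, the port-sweep threshold and the sample flows are constructed assumptions.

```python
"""Illustrative flow classifier modelled on the settings the white paper asks for.

Added example, not Symantec Web Gateway code. The flow-record format, the
command-and-control list and the sweep threshold are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Administration -> Configuration -> Network: ranges treated as internal
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Administration -> Configuration -> Servers: hosts expected to generate SMTP
KNOWN_SMTP_SERVERS = {"10.0.0.25"}
# Hypothetical command-and-control addresses (stand-in for reputation data)
KNOWN_C2 = {"203.0.113.9"}
# Distinct internal hosts one client must probe to count as a port sweep (assumed)
SWEEP_THRESHOLD = 5


def is_internal(ip):
    """True if ip falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flow(line):
    """Parse a constructed record: '<src> <dst> <proto> <dport> <tcp-flags>'."""
    src, dst, proto, dport, flags = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport), "flags": flags}


def classify(flow_lines):
    """Return (client, finding, detail) tuples.

    Only client-initiated flows (a pure SYN from an internal address) are
    considered, mirroring the paper's advice to span client-initiated traffic.
    """
    findings = []
    c2_contacts = defaultdict(set)       # client -> C2 addresses contacted
    internal_targets = defaultdict(set)  # client -> internal hosts probed
    for f in map(parse_flow, flow_lines):
        if f["proto"] != "tcp" or f["flags"] != "S" or not is_internal(f["src"]):
            continue
        src, dst = f["src"], f["dst"]
        if is_internal(dst):
            internal_targets[src].add(dst)  # lateral probing, kept as sweep evidence
            continue
        if f["dport"] == 25 and src not in KNOWN_SMTP_SERVERS:
            # A workstation talking SMTP directly to the internet is not expected
            findings.append((src, "unexpected_smtp", dst))
        if dst in KNOWN_C2:
            c2_contacts[src].add(dst)
    for src, servers in c2_contacts.items():
        # Suspect: talked to a C2. Active: C2 contact plus a port sweep inside.
        state = ("active_botnet" if len(internal_targets[src]) >= SWEEP_THRESHOLD
                 else "suspect_botnet")
        findings.append((src, state, ",".join(sorted(servers))))
    return findings


# Constructed sample flows (documentation address ranges only)
SAMPLE_FLOWS = [
    "10.1.1.5 198.51.100.20 tcp 443 S",     # ordinary client web request
    "198.51.100.20 10.1.1.5 tcp 443 SA",    # reply, not client-initiated, ignored
    "10.0.0.25 198.51.100.30 tcp 25 S",     # listed mail server: expected SMTP
    "10.1.1.7 198.51.100.30 tcp 25 S",      # workstation sending SMTP directly
    "10.1.1.9 203.0.113.9 tcp 8080 S",      # C2 contact, nothing else: suspect
    "10.1.1.12 203.0.113.9 tcp 8080 S",     # C2 contact ...
    "10.1.1.12 10.1.2.1 tcp 445 S",         # ... plus a sweep of five hosts: active
    "10.1.1.12 10.1.2.2 tcp 445 S",
    "10.1.1.12 10.1.2.3 tcp 445 S",
    "10.1.1.12 10.1.2.4 tcp 445 S",
    "10.1.1.12 10.1.2.5 tcp 445 S",
]

if __name__ == "__main__":
    for client, finding, detail in classify(SAMPLE_FLOWS):
        print(f"{client:<12} {finding:<16} {detail}")
```

Run stand-alone, the script lists the workstation sending SMTP directly, the suspect client and the active client. The point the example makes is why the Network and Servers lists matter: with an incomplete internal range the probes from 10.1.1.12 would look like ordinary outbound traffic, and without the SMTP server list the legitimate mail relay would be reported alongside the workstation.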
Symantec Web Gateway contains many other reports such as Infected Clients or File Uploads. The Custom Report allows an administrator to retrieve detailed events including details such as protocol type or destination ports.
About Symantec Corporation

Symantec is a global leader in providing security, storage and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Mountain View, California, Symantec has operations in 40 countries. More information is available at www.symantec.com. For specific country offices and contact numbers, please visit our Web site.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security and application security solutions. Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 12/2012 21155056