Every effort has been made to ensure the accuracy of this document. However, M86 Security makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. M86 Security shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein.
Contents
R3000 Evaluation Guide
  Market Overview
  Product Overview
  Note to Evaluators
Install the R3000, Update Libraries
Configure and Test the R3000
  Understand the most common and useful features
  Group setup for different user types on the network
    Apply different filtering levels for different types of users ...
Contents (continued)
    How to test the Safe Search Enforcement feature
  Search Engine Keyword Filtering
    How to configure Search Engine Keyword Filtering
    How to test Search Engine Keyword Filtering
  Attachment filtering
    How to configure attachment filtering
    How to test attachment filtering ...
M86 Security offers a wide range of Internet filtering and reporting appliances that not only help companies maintain compliance with laws such as the California Security Breach Information Act (CSBIA) (see http://www.8e6.com/resources/...
Note to Evaluators
Thank you for taking the time to review 8e6’s R3000 Internet Filtering Appliance. Your interest in our company and product is greatly appreciated. This Evaluation Guide is designed to give product evaluators an efficient way to install, configure and exercise the main product features of the R3000 Internet Filter.
Install the R3000, Update Libraries
To install the appliance, configure the box, and test that filtering is operational, please refer to the step-by-step instructions found in the Quick Start Guide provided in the shipping carton.
Configure and Test the R3000
Understand the most common and useful features
One of the advantages of a hardware appliance, in addition to its compatibility and extremely low profile on the network, is its ease of use. Configuration of the R3000 can seem disarmingly simple at times, but when the hardware and software are designed to work together, the levels of complication decrease and robust power and efficiency significantly increase.
Group setup for different user types on the network
Apply different filtering levels for different types of users
Description: There are two primary Groups to understand when administering the R3000.
there are system settings required that must be initiated prior to establishing the groups in these environments, and it will be helpful and save time to work with a Solutions Engineer the first time these settings are initiated.
Rules and Profiles: Creating and using each
Description: Rules and Profiles may seem confusing, as it often appears that they are used interchangeably. While the administrative windows controlling the creation of Rules and Profiles are very similar, they serve two distinct purposes.
How is a Profile used?
A Profile defines the particular filtering parameters assigned to a group or individual. There are two kinds of Profiles. The first is the Global Group Profile.
[Figure: Category Profile tab]
The default for the Global Group Profile is set up under the Category Profile tab of the Global Group’s administrative controls.
NOTE: * Different doesn’t necessarily mean that a group is no longer filtered by the library Categories in the Global Group Profile. In fact, different may mean the group is filtered by several categories in addition to those in the Global Group Profile.
How to create a new Rule
1. From the top level administrator console, select GROUP.
2. Click Global Group and select Rules.
3. In the Rule Details frame click New Rule to populate the Rule # field with the next consecutive rule number available.
Global Group Profile
[Figure: Global Group Profile Category tab]
The Global Group Profile window displays when Global Group Profile is selected from the Global Group menu.
Set the Global Group Profile
The Category Profile displays by default when Global Group Profile is selected from the Global Group menu.
• Double click the Allow column to move the library category to the always allowed column.
3. Choose Pass, Warn or Block to specify whether Uncategorized Sites should pass, warn the user, or be blocked.
Selecting the library categories to be in the Pass, Allow, Warn or Block columns is just like configuring the Global Group Profile library Categories.
Create, edit a list of selected Categories for a Group Profile
To define which categories will be passed, warned, always allowed or blocked in the Global Group Profile:
1.
Group settings tests
Test the Rules and Profiles feature
To test the Rules and Profiles feature, first define a Rule.
[Figure: Rules window]
1. Select Rules under Global Groups.
2. Click New Rule (the Rule # will reflect the next sequential number available for a rule).
Test the Rule
To test the Rule, apply it to an IP Group.
[Figure: IP group profile window with rule applied]
1. Select AllUsers from the IP Groups.
2. Select Group Profile.
3.
Custom Categories
Create and configure a Custom Category
Description: The R3000 allows an administrator to create a new category not listed among the 100+ options in the Library Categories. With literally tens of millions of URLs researched and screened among those existing categories, it might seem like a case of overkill to create a new one, but many of the most useful and powerful features of the R3000 depend on the creation of Custom Categories.
3. Type in a URL you want to add.
4. Click Add. Wait for a moment while the R3000 searches through all URLs in its Library database (including IP addresses) to find URL and IP matches. Matches are listed in the window.
Filtering profile features
Time Profile feature
Description: The Time Profile feature lets the administrator set up a profile for any user or group to run at a scheduled time period. A user or group can have multiple time profiles, and these can be set to run at various intervals of time throughout a day, week, month, or year.
[Figure: Adding Time Profile window]
5. Click the Rule tab.
6. Double click the Society/Lifestyles Category to open it.
7. Find Alcohol, double click in the Block column, and click OK.
NOTE: In order to perform the test that follows, be sure the Alcohol category isn’t blocked in any other profile for this group.
Quota feature
Description: The Quota feature restricts the amount of time a user can spend in a passed category. When the user reaches 75 percent of the time allowed in a quota-designated category, the quota notice page pops up to warn the user. If 100 percent of quota time is attained, the user receives a quota block page and cannot access that category until quotas are reset.
Test the Quota feature
1. From an IP address within the Sales group, access countless sports-related Web sites on the Internet for a five-minute period: espn.com, sportsillustrated.cnn.com, tennis.com, soccer.com, etc. During the course of the five-minute period, you should receive a Quota Notice page informing you that 75 percent of quota time has been attained.
White List feature
Description: White lists are effective when a particular group requires tight control over content options. For example, rather than spend hours determining what employees in shipping shouldn’t be viewing, it is much easier to define only the things they can view.
Test the White List
After completing steps 1-8 above:
1. From an IP address contained within the Global Group range, attempt to access any of the URLs included in the Evaluation Category. Access is allowed.
2.
Google/Bing/Yahoo!/Ask/AOL Safe Search Enforcement
Description: Google, Bing, Yahoo!, Ask, and AOL have very effective safe search features that can be activated to ensure search results do not contain sexually explicit material. Unfortunately, safe search can be deactivated in the preference settings of each search engine.
Search Engine Keyword Filtering
Description: There are a number of words and phrases that clearly won’t be used to find business-related content on the Web. With Search Engine Keyword Filtering, administrators can stop a search before it even starts (to cause trouble). The R3000 allows administrators to add words or phrases, up to 75 characters long (alphanumeric), to shut down access to restricted content right at the point an employee clicks search.
9. Activate the Search Engine Keyword Filter Control checkbox.
10. Click Apply.
[Figure: Adding Search Engine Keywords]
How to test Search Engine Keyword Filtering
1. Create a custom category called Keyword Filtering, using the keywords playboy, sex and porn.
Attachment filtering
Description: Unchecked and unmanaged, the download of attachments can bring a network to its knees. The R3000’s Attachment Filtering feature identifies the download of a file as soon as it’s initiated, and blocks the download.
[Figure: Attachment filtering setup in URL Keywords]
How to configure attachment filtering
1.
[Figure: Attachment filtering setup in Filter Options tab]
How to test attachment filtering
1. Configure the File Extensions custom category.
2. Enable URL Keyword Filter Control in the Global Group Profile.
3. Access the Internet from an IP address within the Global Group range.
4.
not be able to access http://www.sports.cnn.com, since direct URL entries take precedence over wildcard entries.
[Figure: Wildcard filtering]
How to configure wildcard filtering
1. Go to LIBRARY in the top level administrator navigation.
2.
How to test wildcard filtering
1. Create a custom category called Wildcards.
2. Add the following URLs (or any three URLs) per the previous configuration instructions:
   a. *.playboy.com
   b. *.myspace.com
   c. *.8e6.com
3.
Configure, test, block services
Anonymous proxies
Description: Web-based anonymous proxy services provide a method to bypass Web filters. Administrators can block the Web-Based Proxies/Anonymizer library Category to keep employees away from sites that offer free anonymous proxy services.
How to test anonymous proxies
1. From an IP address in the Global Group range, go to http://proxy.org and click on Free Proxy Form.
2. Enter any URL and select GO. The request is routed through anonymous proxies and is blocked.
Block IM, P2P applications and streaming media
Description: The R3000 provides Peer-to-Peer (P2P) and Instant Message (IM) blocking. Peer-to-Peer and Instant Messaging pose significant challenges to administrators due to the risks of the content types that can be passed on via these tools (images and video), as well as the ease with which they enable malicious code and viruses to circumvent many networks.
How to test for IM
1. From an IP address in the Global Group range, activate an IM program such as Yahoo! IM or AIM.
2. Attempt to send an instant message to another user. The attempt is blocked.
How to test for P2P
From an IP address in the Global Group range, attempt to access a P2P site such as Limewire.com.
Real Time Probes and X-Strikes Blocking
Real Time Probes feature
Description: Real time probes allow an administrator to monitor an employee’s Internet usage in real time to determine if that user is accessing appropriate Internet content.
How to test Real Time Probes
1. Configure a Real Time Probe with the following criteria:
   • Maximum Probes to Run/Schedule Simultaneously: 10
   • Maximum Probes that can be Scheduled: 5
   •...
X-Strikes feature
Description: The X-Strikes feature is a very powerful administrator tool that enables both the lockdown of users engaged in severe policy violations and remote notification of the violations as they occur. X-Strikes is designed to identify and terminate Internet access of users who are frequent violators of policy, e.g.
[Figure: X Strikes Blocking]
Next, the actual parameters of the X-Strike feature need to be configured.
1. Select SYSTEM from the top level administrator console.
2. Click X Strikes Blocking.
3. Make the following settings:
   a.
   d. Set the Flood Tolerance Delay (in seconds) to determine the maximum delay that will occur before a user who accesses the same URL will receive another block page. If a user receives a block page and attempts to flood the filter through rapid refresh of the page, the X-Strikes feature will not log a strike for every attempt but will instead log a strike for each Flood Tolerance Delay threshold that is reached.
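The strike counting described above can be modelled in a few lines. This is an added example, not code from the R3000 or from M86 Security; the class and function names, the sample URL and the timestamps are constructed, and it assumes the delay is measured per URL from the last logged strike.

```python
from dataclasses import dataclass, field

@dataclass
class StrikeCounter:
    max_strikes: int        # models "Maximum Strikes Before Locking the Workstation"
    flood_tolerance: float  # models "Flood Tolerance Delay (in seconds)"
    strikes: int = 0
    locked: bool = False
    last_strike: dict = field(default_factory=dict)  # URL -> time of last logged strike

    def blocked_request(self, url: str, t: float) -> bool:
        """Record a block page served at time t (seconds); True if a strike was logged."""
        if self.locked:
            return False  # workstation already locked, nothing more to count
        last = self.last_strike.get(url)
        if last is not None and t - last < self.flood_tolerance:
            return False  # rapid refresh inside the delay window: no new strike
        self.last_strike[url] = t
        self.strikes += 1
        if self.strikes >= self.max_strikes:
            self.locked = True
        return True

def replay(events, max_strikes=3, flood_tolerance=10.0):
    """Replay (url, time) block events; return (strikes, locked, strike times)."""
    counter = StrikeCounter(max_strikes, flood_tolerance)
    logged = [t for url, t in events if counter.blocked_request(url, t)]
    return counter.strikes, counter.locked, logged

# Constructed sample input: one blocked URL refreshed once per second.
BLOCKED_URL = "http://blocked.example/"
BURST = [(BLOCKED_URL, float(t)) for t in range(5)]       # 5 refreshes in 5 s
SUSTAINED = [(BLOCKED_URL, float(t)) for t in range(25)]  # 25 refreshes in 25 s

if __name__ == "__main__":
    print(replay(BURST))      # short burst: a single strike
    print(replay(SUSTAINED))  # sustained refresh: one strike per delay period
```

With a 10-second delay and a limit of 3 strikes, a short burst of refreshes costs one strike, while 25 seconds of continuous refreshing reaches the limit and locks the workstation.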
[Figure: X Strikes testing]
How to test X-Strikes
1. Set up X-Strikes with the following settings:
   a. Configuration:
      • Reset X-Strike Count Upon Authentication: ON
      • Maximum Strikes Before Locking the Workstation: 3
      •...
4. After 2 minutes, access will be available again.
5. In approximately 1-2 minutes (the nuances and security settings of the email server will also affect the speed of delivery), a notification should be received at the email address noted in the Email Alert field.