TRITON® RiskVision Setup Guide v2.0

Summary of Contents for Triton RiskVision

  • Page 1 TRITON® RiskVision™ Setup Guide v2.0...
  • Page 2 The information in this documentation is subject to change without notice. Trademarks Websense and TRITON are registered trademarks and RiskVision is a trademark of Websense, Inc., in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Introducing TRITON RiskVision (page 1) ...
  • Page 4 Contents Websense TRITON RiskVision ...
  • Page 5: Introducing Triton Riskvision

    TRITON RiskVision monitors TCP traffic by connecting to a SPAN or mirror port on a switch, or to a network tap that supports aggregation.
  • Page 6: Positioning Triton Riskvision In The Network

    Positioning TRITON RiskVision in the network. RiskVision positioned downstream from a web proxy. In most cases, it is best to position the RiskVision appliance between clients and the proxy. This ensures that RiskVision components see: Unaltered TCP traffic from clients ...
  • Page 7: Riskvision Positioned Upstream From A Web Proxy

    In this configuration, because outbound traffic goes through the downstream proxy before being seen by RiskVision, the source IP address of all requests is the web proxy IP address. To address this issue, configure the downstream proxy to add X-Forwarded-For to HTTP headers.
  • Page 8: Riskvision And Ssl Decryption

    RiskVision and SSL decryption. If your network includes a product that provides SSL decryption, RiskVision can be configured to monitor and analyze the decrypted traffic. Deployment details vary based on the product providing the decryption. In general terms, however, RiskVision analyzes a read-only copy of the decrypted traffic via a monitor or SPAN port.
  • Page 9: How Does Riskvision Work

    How does RiskVision work? The RiskVision monitoring and analysis process works as follows: Capture monitors IP packets from a single network interface and stores them in memory. Assembler reads the pcap files provided by Capture and: Identifies HTTP and SMTP transactions ...
  • Page 10: Setup Process Overview

    Setup process overview. Step 1: Set up your V-Series appliance hardware, page 7; Step 2: Set up the RiskVision appliance software, page 8; Step 3: Configure the system, page 11 ...
  • Page 11: Installation

    TRITON RiskVision Setup Guide | TRITON RiskVision | v2.0 Step 1: Set up your V-Series appliance hardware The diagram below gives a simple overview of TRITON RiskVision deployment. All local RiskVision components, including management and reporting components, reside on the Websense V-Series appliance.
  • Page 12: Step 2: Set Up The Riskvision Appliance Software

    URLs that the C interface can access. Network interface N connects either to a port mirror on the switch or to a network tap that supports aggregation. This allows RiskVision to monitor and analyze HTTP and SMTP traffic on all ports.
  • Page 13 Continue with the next chapter of this guide to activate, verify, and configure your RiskVision deployment. ...
  • Page 14 Installation Websense TRITON RiskVision ...
  • Page 15: Initial Setup

    Step 3: Configure the system. When installation is complete, use the RiskVision Local Manager to enter your subscription key and verify the system. Verify your network interface configuration. During installation, the Capture service is configured to use the C interface (eth0) for communication and the N interface (eth1) to monitor traffic.
  • Page 16: Enable Riskvision Analysis

    Enable RiskVision analysis. When you enter your subscription key in the Local Manager, RiskVision connects to Websense servers to validate the subscription. This is required to download analytic databases, connect to the File Sandboxing cloud service, and retrieve reporting information from Websense Security Labs.
  • Page 17 If C interface traffic from the RiskVision appliance must go through an explicit proxy to access the Internet: Select the Proxy tab. Toggle Enable proxy settings to ON. Enter the connection details. Click Apply. Select the Account tab.
  • Page 18: Update The Analytic Databases

    Check for system updates. RiskVision systems use the Linux yum tool for both operating system and RiskVision software hotfixes, patches, and upgrades. The System > Updates tab in the Local Manager indicates whether updates are available, and offers a single-button mechanism for downloading and installing the updates.
  • Page 19: Configure Data Storage

    When the system has restarted, log back in to the Local Manager to finish setting up the system. Configure data storage. By default, RiskVision is configured to store up to 400,000 incident records and up to 2 million sessions in its database. RiskVision is also configured not to store pcap files for captured traffic.
  • Page 20: Enable Traffic Capture

    By default, traffic capture starts immediately upon startup. If the appliance interfaces are not properly configured, however, the Capture process may stop. To make sure that traffic capture is enabled: Select the System > Analytics tab in the Local Manager. Make sure Enable traffic capture is ON. ...
  • Page 21: Verify The Riskvision Services

    Verify the RiskVision services. You can monitor the status of the local RiskVision services on the System > Services page in the Local Manager. The Service Manager table should show a status of Running for all services. If a single service is stopped, use the icon in the Service Restart column of the ...
  • Page 22: Step 4: Verify Riskvision Monitoring

    Step 4: Verify RiskVision monitoring. To make sure that TRITON RiskVision is able to monitor traffic from all expected sources: In the Local Manager, click Diagnostics in the toolbar at the top of the page, then select the Sessions tab.
  • Page 23: Step 5: Using Triton Riskvision

    Step 5: Using TRITON RiskVision. Use the Incidents page in the RiskVision Local Manager to track the results of RiskVision file analysis. Tips for using the table: Click on a column header and drag it up one row (into the space that says “Drag a ...
  • Page 24 Understanding the process of analysis: When RiskVision identifies files in HTTP or SMTP transactions, it sends them to the local, on-box analytics to determine whether the files contain suspicious or malicious content. File content is analyzed by the Data Analysis Engine to identify potentially sensitive information that is being transferred out of your network.
  • Page 25 kits and call home traffic), as well as more detailed information about potential data loss violations discovered by RiskVision. ...
  • Page 26 Initial Setup Websense TRITON RiskVision ...
