
New Features in Version 8.5

Finjan Vital Security™ Web Appliance
New Version 8.5 Release Update and Benefits

Introduction

This document describes the new features introduced with Vital Security - Version 8.5 and their benefits for customers upgrading from previous versions as well as for new clients.

The new features of Vital Security Version 8.5 are announced on June 4th and scheduled for availability on June 20th, 2007 for existing and new customers who are interested in purchasing the Finjan solution with any of these new features, and on August 8, 2007 for existing Finjan customers, via the automatic update, for the features that do not require additional licensing and price.

Integrated HTTPS

As illustrated in the following diagram, HTTPS scanning is now integrated into Vital Security Web Gateway without the need for a dedicated SSL appliance, as in previous versions.



The only requirement is to purchase an SSL license in addition to Vital Security. The immediate benefits of such an integrated solution are:

  • SSL traffic remains encrypted over the network
  • Unified setup and management console, including authentication / identification and HTTPS rules
  • Reduced physical layout (no need for dedicated SSL scanning devices)
  • Reduced total cost of ownership

Once an SSL license is entered in the system, SSL traffic scanning can be activated on all gateways defined in the policy server. HTTPS scanning is performed by all the Vital Security engines and can be configured by defining a dedicated SSL policy based on the following processes:

  • Certificate Validation – Handling a list of pre-defined errors related to SSL certificates (e.g., invalid certificate structure and untrusted sources).
  • URL Categorization – Categorization of HTTPS URLs. This functionality can ensure that content such as banking sites will not be decrypted for scanning, safeguarding end users' privacy. Other HTTPS URLs might be forbidden by the organization and can be blocked upfront.
  • URL Lists – Similar to the previous process but based on custom URLs.

Scalable Authentication/Identification

The new Vital Security Authentication Device introduces an additional security measure that applies especially to organizations with distributed remote sites and a sophisticated authorization system. Topologies including multiple sites, different authentication methods and several Active Directory Servers or Domains are the natural environment for the introduction of a dedicated Authentication Device.

The ability to identify users against MS Active Directories enables the enforcement of specific security policies for each user or group and helps isolate threats.

Identification methods include originating IP address, username-password and URL/port.

The Authentication Server can be configured in a dedicated Appliance (any model), named Authentication Device, attached to the LAN, in the Militarized Zone (MZ). This secures communication with the Scanning Servers located in the De-Militarized Zone (DMZ).

Identification Policies can be defined to enforce the desired authentication criteria. However, user credentials are no longer verified against the Scanning Server, as in previous Vital Security versions, but rather against the Authentication Server, increasing the overall system security and performance.

The ability to identify and/or authenticate users can depend on network layout, security rules used in the network and the capability to integrate with an external Authentication Device.

Authentication and identification procedures support multiple isolated MS Active Directory domains.



Organizations with high-availability requirements will be happy to know that redundancy is also supported by the Authentication Server.

Reporting Enhancements

Reporting is a fundamental feature of Finjan Vital Security Web Appliance, as it allows the administrator to monitor the traffic and react promptly to security incidents and other events occurring on the network.

Reports can now be scheduled, saved, exported or automatically delivered by the system via email. In addition, reports have been improved both in their visual presentation and in their content. The system can generate reports in several formats, including PDF, CSV, Excel and HTML. A rich library of new pre-configured reports is now available.

Skype Blocking

Vital Security can be configured to detect and block Skype traffic.

Data Leakage Prevention

A Security rule has been configured to monitor and eventually block MS Office documents dispatched via Web mail.

Email Alerts

The Email Alert feature enables administrators to monitor the system and stay informed about three categories of Vital Security events as soon as they occur, at their choice: system events (e.g., memory and hard disk usage), application events (e.g., logging and scanning processes) and update events (e.g., new OS or security update availability and completion).

Email Alerts include detailed information about the reported event, like server IP address, version, event type, severity, time, proposed action. Alerts are available also as SNMP traps.

Security Enhancements

  • Improved scanning of Cascading Style Sheets (CSS) content
  • Improved scanning of dynamic content with JavaScript effect simulation
  • Byte Distribution Analysis – Enables recognition of malicious content using the statistical distribution of bytes in GIF, JPG, MP3 and RA files
  • Enhanced security for binary content (Binary VAD) - Add Vulnerability Anti.Dote™ (VAD) rules and optionally other new features specifically targeted towards scanning of binary content
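
The idea behind byte distribution analysis can be sketched as follows. This is an added illustration, not Finjan's implementation: it measures the Shannon entropy of fixed-size windows and flags windows that are far less uniform than compressed media data should be. The window size, the entropy floor and the sample data are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024      # bytes per analysis window (assumed value)
MIN_ENTROPY = 7.0  # bits per byte; assumed floor for compressed media data


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the chunk's byte histogram, in bits per byte (0 to 8)."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(chunk).values())


def suspicious_windows(data: bytes, window: int = WINDOW,
                       min_entropy: float = MIN_ENTROPY):
    """Return (offset, entropy) for every full window below the entropy floor."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h < min_entropy:
            hits.append((off, round(h, 2)))
    return hits


def pseudo_compressed(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Constructed stand-in for compressed audio/image data (near-uniform bytes)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_samples():
    """Constructed inputs: a clean body, and one with 2 KiB of plain text spliced in."""
    clean = pseudo_compressed(16 * WINDOW)
    text = (b"var padding = 'AAAAAAAA'; " * 100)[:2 * WINDOW]
    tampered = clean[:4 * WINDOW] + text + clean[6 * WINDOW:]
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = build_samples()
    print("clean:   ", suspicious_windows(clean))
    print("tampered:", suspicious_windows(tampered))
```

Real JPG and MP3 files also carry headers and metadata that are legitimately low in entropy, so a production scanner needs per-format baselines rather than a single global floor.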

LDAP Import

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to look up information from a server. Vital Security now supports import from OpenLDAP, Sun Open Net Environment (or Sun ONE) and IBM Tivoli Identity Manager.

Vital Security LDAP Import works both with predefined servers and with custom manual configuration of OpenLDAP variables.

Multiple LDAP servers can be configured in Active (Primary) or Standby (Backup) status. Import operations are recorded by the system, including time of import and the number of imported users and groups.

Finjan SNMP MIB

A new Vital Security Management Information Base (MIB) has been introduced to improve application and system status monitoring of Finjan Web Appliances via Simple Network Management Protocol (SNMP).

SNMPv3 Support

Simple Network Management Protocol (SNMP) is the most widely-used network management protocol on TCP/IP-based networks. Previous versions of SNMP lack security features -- like authentication, privacy and access control -- and SNMPv3 corrects this deficiency.

Finjan Vital Security software version 8.5 supports SNMPv3, enabling the configuration of several SNMPv3 attributes, like Context Name, Security Level, Authentication Mode and Encryption Mode.

This new feature addresses the need of many prospects and customers requiring SNMPv3 support, especially in the government and public administration sectors.

Admin Password Management

The following security enhancements have been added to the configuration of the Management Console password:

  • Prompt new users to reset their passwords upon their first login
  • Password can be set to expire after X days – Super Admin can decide for how long a password is valid
  • Password length enforcement

Limited Shell Enhancements

  • Traceroute - tracing hops between a local host and a remote host
  • TCPdump – allowing interception and display of packets being transmitted or received over a network (screen mode only)
  • Change network interface speed
  • Complementary add-on in “Webmin” enabling fetching of files created through the shell
  • Enable configuration of a regular connection without the need for a cross cable

Web Distributed Authoring and Versioning (WebDAV) Protocol

Vital Security supports WebDAV -- a platform-independent extension of HTTP that allows users to collaboratively manage files on Web servers -- and scans content generated by Outlook Web Access (OWA).

Secure File Transfer Protocol (SFTP) Export

As part of enhanced overall system security, log files, configuration files and reports can now be exported also using the SFTP for backup and rollback purposes.

File Name Place Holder in User Response Action

A “file_name” placeholder has been added to the user response action list. This enables showing the file name in the “Block Page” pop-up window when content is blocked.

License Information Display

License information is now displayed on the management console, including the device serial number, list of licensed modules and versions, expiration date, and more.

Advanced “Allow” Action

The Allow action, which allows content through without scanning, has been improved by introducing partial scanning and is now articulated into the following three possible choices:

  1. Bypass scanning – Allows content through upon request. Policy enforcement is not invoked until the end of the transaction. This is useful for sites that contain HTTP-based streaming.
  2. Allow content upon response, including container files, such as zip or rar files. Files contained in container files are not scanned.
  3. Allow content upon response, excluding container files. Container files and contained files are scanned.

Multiple Device Configuration

This feature simplifies the configuration of multiple scanning devices. In fact, while until now configuration was done per scanner, with 8.5 an updated configuration can be applied globally to all the system scanners at once, to selected scanners or only to a single, local scanner.

Rule Editor GUI improvements

An enhanced GUI of the policy editor has been introduced with 8.5, including rule numbering for easier reference, separation between User Response Action and conditions for usability, and the possibility to save, export or print a policy.

User Response Actions and Logging Actions have been separated from the Condition tab and are now always visible while defining a rule.

Visible Update Mechanism and Improved Update Mechanism

The update mechanism has gone through major improvements. Additional information is displayed in the update progress page giving the administrator a clear picture of the status during the operation.
Once the update is completed, a new mechanism checks the integrity and validity of the system and enables system recovery in case of update failure, notifying the administrator.