Websense Campus Internet Access Management Solution
Student Internet use: windfall or trap?
Of China's 87 million Internet users, young people account for 80%. In Beijing's Internet cafés, 20% of students go online mainly to view pornographic content, 20% mainly to chat and play games, and only 10% go online to look up material they actually need. Source: Legal Evening News (法制晚报)
Positive effects:
1. An important channel for quickly acquiring knowledge in many fields
2. The network is a useful tool for strengthening communication

Student Internet use: windfall or trap?
The Internet is a double-edged sword. The openness and shared nature of online information suit young people's curiosity and appetite for new things; but under the latent influence of non-mainstream online culture, children may drift into "online romance", fall victim to online scams, or even end up committing online crime. "Internet addiction" is the trap children fall into most easily.
Negative factors:
Pornographic "pollution" spreads like a flood
Online friendship traps are hard to guard against
"Internet syndrome" is closing in on children
Online traps appear one after another ...
Online fraud is all around us
July 2004: www.1enovo.com exploited several IE vulnerabilities to plant Trojans, and spread the false claim that "Lenovo Group and Tencent are jointly giving away QQ coins" to lure more users into visiting the site and getting infected.
December 2004: www.bank-off-china.com, the first counterfeit Bank of China website to appear online. A resident of Hohhot, Inner Mongolia, logged in to a fake Bank of China site and 25,000 yuan vanished from his card.
Counterfeit ICBC and Agricultural Bank of China sites: www.lcbc.com.cn (genuine: www.icbc.com.cn), www.965555.com (genuine: www.95599.com)
January 2005: www.chinacharity.cn.net, a counterfeit China Charity Federation site soliciting donations
February 2005: a fake ICBC website appeared again; www.banochi.net: a counterfeit Bank of China website

They keep coming back and cannot be wiped out: the fake ICBC site
www.icbc.com.cn (genuine) vs. www.lcbc.com.cn (fake). Source: Beijing Youth Net (北青网)
Some simple tricks
www.lenovo.com vs. www.1enovo.com: the "impostor" URL.
HTTP URL login syntax (RFC 1738/2396): <user>:<password>@<host>:<port>/<url-path>, e.g. http://www.trustedsite.com/~.../@hacker.org
Internet Explorer address bar URL spoofing flaw, announced Dec. 10, 2003 by Sam Greenhalgh; patch available Feb. 2, 2004 from Microsoft: http://microsoft.com[null character]@hacker.org makes the browser display http://microsoft.com
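As an added defensive illustration (not part of the original deck and not Websense code), the following Python flags the two URL tricks listed above: the RFC 1738 login syntax, where everything before "@" is a username the browser ignores, and lookalike hostnames such as 1enovo/lenovo, lcbc/icbc and bank-off-china/bank-of-china. The allow-list of genuine hosts, the confusable-character table and the two-edit threshold are constructed assumptions.

```python
"""Added example: flag login-syntax URLs and lookalike hostnames (defensive check)."""
import re
from urllib.parse import urlsplit

# Constructed allow-list of the genuine brand hosts named in this deck; in a real
# deployment this would come from the filtering policy, not be hard-coded.
KNOWN_HOSTS = [
    "www.lenovo.com", "www.icbc.com.cn", "www.95599.com",
    "www.bank-of-china.com", "www.citibank.com",
]

# Characters routinely swapped for look-alikes in impostor hostnames (assumed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches the extra 'f' in bank-off-china."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host: str) -> str:
    """The label a user reads as the brand: 'icbc' in 'www.icbc.com.cn'."""
    labels = host.lower().split(".")
    return labels[1] if labels[0] == "www" and len(labels) > 1 else labels[0]


def check_url(url: str) -> list[str]:
    """Return warnings for one URL; an empty list means nothing suspicious was found."""
    warnings = []
    if CONTROL_CHARS.search(url):
        # The IE flaw above relied on a NUL byte hiding the real host.
        warnings.append("control character in URL")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # RFC 1738 login syntax: the text before '@' is a username, not the site.
        warnings.append(f"login syntax: browser goes to {host!r}, not {parts.username!r}")
    if host in KNOWN_HOSTS:
        return warnings  # exact match with a genuine host: no lookalike check needed
    label = brand_label(host)
    for known in KNOWN_HOSTS:
        genuine = brand_label(known)
        if label.translate(CONFUSABLES) == genuine or (
            len(genuine) >= 4 and 0 < edit_distance(label, genuine) <= 2
        ):
            warnings.append(f"lookalike of {known}")
            break
    return warnings


if __name__ == "__main__":
    for sample in ("http://www.1enovo.com/", "http://www.lcbc.com.cn/",
                   "http://www.bank-off-china.com/", "http://microsoft.com@hacker.org/"):
        print(sample, "->", check_url(sample))
```

The digit-only pair www.965555.com vs. www.95599.com differs by three edits and slips past this threshold, which is why an allow-list of known-good hosts matters more than any lookalike heuristic.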
Some simple tricks
Use META to redirect to the real web site in the background: <META HTTP-EQUIV="Refresh" CONTENT="0;url=http://www.citibank.com">
The Meta refresh sends the user on to the genuine site while a fake window pops up that tricks the user into entering their account and password. Foreground: fake; background: genuine.
In this example the attack is a little more complicated, as the window in the background is the legitimate Citibank website. It is the pop-up window, originating from a phishing site, that captures the user's information. So the traditional advice of detecting phishing by checking the address bar and status bar does not work, since people only pay attention to the page in the background, not the one in the foreground, which has no address bar or status bar at all.

Some simple tricks
Visual spoofing: fake menu, status bar or URL address bar. The whole page is fake. The URL address bar is a fake image; although the address shown in the image is genuine, a user who clicks the "Go" button is taken to a fraudulent site. The menus in the foreground are fake too, and with one careless move the user's data is stolen.
In this example, the phishing page embeds JavaScript that fakes the address bar, overwriting the original URL with a fake one that looks legitimate, so average users accustomed to checking the address bar for validation are fooled by the trick.
What about instant messaging software?
The most popular IM software in China is Tencent QQ. QQ Trojans are used to steal private information; other people's QQ numbers are used for online fraud; passwords for other programs are stolen; viruses spread through existing contacts.
The latest QQ Trojans: "QQ Tail" (Troj.QQTail.a) (2005.9.10); "QQ Little Trojan" (Troj.PSWQQ.v), an account-stealing Trojan (2005.9.16). Other IM software: MSN, Yahoo Messenger.
Hands up if you use MSN. The "sexy chicken" virus (domestic version plus variants): a URL and a picture; the user thinks a friend has sent a funny file, clicks it, downloads the Trojan, and it starts infecting other PCs...
Why IM? Again, it is the file transfer capability that is used to spread viruses. The address book or buddy list in IM also makes it a perfect channel for spreading viruses widely and for social engineering tricks. Imagine you receive a Flash file, an executable or a URL from someone on your buddy list: would you click on it just as you would an email from someone you know? We have seen a tremendous increase in viruses using IM as a spreading channel. The latest is W32.Bropia, a blended attack that begins with a URL. Anyone who clicks the URL first sees the bikini chicken picture (as you can see here) but is also infected with the virus, which starts sending the same URL to everyone on the buddy list. The virus also opens a back door for the Rbot Trojan, which could hijack the computer for future attacks.
What about peer-to-peer (P2P)?
The most popular today: BT, eMule, PP点点通. Designed to pass through most firewalls, breaking the traditional client-server download model. A safe transfer zone for pornographic video and images. File and URL transfer features. Files exchanged over P2P may carry viruses, worms, Trojan horses and spyware. Inexperienced users may exchange confidential data over P2P without realizing it.
1) Inexperience, e.g. an office worker downloading files over FTP who accidentally shares their whole C drive
2) P2P was designed from the start, for convenient uploading and downloading, to get through most firewalls
The file transfer capability of P2P programs makes them a perfect tool for spreading viruses. We are also seeing an increasing number of inexperienced users using P2P to share music files and even recorded TV series. The problem is that these inexperienced, mostly first-time P2P users do not know what they are using, and sometimes share more files than they anticipated. Do a quick check on any P2P network and you will see someone's Outlook inbox file or even system files open for download. P2P programs are also designed from day one to bypass most corporate firewalls, because that is the only way they can become popular: users run them both at home and at work.
P2P causes other issues, for example bandwidth loss: people tend to leave P2P programs running unattended, even after work, to download as much as they possibly can. That not only increases total bandwidth use but also competes for bandwidth with mission-critical applications, since most P2P protocols blend into standard HTTP traffic that cannot be controlled separately by most protocol and traffic-shaping products. Legal liability is real, as the audio and recording industry as well as the movie industry are now pursuing the P2P community with legal action. And by the way, 42% of all searches on P2P networks in the US last year were adult-related, which could lead to sexual harassment issues, and possessing child pornography material, including digital pictures on corporate PCs, is also a criminal offence.
Challenges in managing student Internet use:
Managing "green" (clean) Internet use by students: web access management (Internet Access)
Bandwidth control: streaming media, Internet radio
Selective opening: instant messaging, P2P file sharing (peer-to-peer)
Keeping students away from: spyware, malicious mobile code, phishing attacks
Since enterprises opened up free use of the Internet, they have run into a series of management problems, including misuse of network resources: instead of improving operational efficiency, employees browsing sites unrelated to work at will have reduced productivity. Although bandwidth keeps getting cheaper, enterprises find that no matter how much they add, things still feel slow, mainly because employees run large numbers of non-work network applications (streaming media, Internet radio, illegal P2P software, pornographic video transfers, MP3 transfers) that consume the bandwidth. More importantly, more and more attacks are delivered over the network. Spyware, planted Trojans, poisoned websites and even fraudulent sites are the information security issues currently troubling everyone.
Strict control: student hacking (Employee Hacking); the spread of harmful information
Websense Campus Internet Access Management Solution

Websense Enterprise® v5.5: the leading brand and solution for campus Internet access management
Convenient, flexible management of students' use of Internet resources
Implement the Internet use policy and manage students' healthy use of the Internet
Manage instant messaging (Instant Messaging) usage policy
Prevent peer-to-peer file sharing
Manage streaming media and other high-bandwidth applications
Set a usage policy for public Web-based Email
Block spyware and all kinds of web fraud, malicious code and Trojan programs
Monitor student hacking and malicious programs
Reduce the security threat from zero-day (Zero Day) exposure
Provides complete policy management, logging, analysis and reporting
Adopted by more than 22,800 enterprises and institutions worldwide

Multi-layered detection and protection
Desktop: blocks application launch
Network: protocol and bandwidth management
Gateway: blocks website access
Websense Master Database
URLs: more than 90 website categories; more than 50 languages; more than 11 million categorized websites; WebCatcher™
Premium Groups (PGs): 3 Premium Groups, 14 Premium Group categories; 18,000,000 domains scanned daily for malicious code
Protocols: more than 60 protocol categories; P2P, IM, streaming media and remote access protocols
One of Websense's core competencies is the classification and categorization of massive amounts of data, such as the Internet. Websense provides a number of databases that are updated daily for customers on subscription licenses. At the core, Websense enables web filtering through its URL database, which consists of more than 6 million web sites categorized into 88 categories. Policies can be created for users or groups in your environment using those categories. Next we have the Premium Group modules. Websense has three Premium Group modules that enhance the categories in its core URL database; each includes various categories that add value to Websense's core offering. Premium Group categories include groupings for peer-to-peer, instant messaging, spyware and streaming media sites. Next we have the protocol database. Using it, administrators can set policies to allow or disallow use of an application that uses network resources to communicate; Websense includes protocols for P2P, instant messaging and streaming media applications. Lastly, we have the Websense application database, which enables policy-based security and blocking at the desktop. Using CPM, organizations can define policies for acceptable PC executables or applications in their environment. No other vendor today offers as high-integrity a classification of all applications in the PC universe.
Applications: more than 50 application categories; more than 485,000 categorized executables; network access behavior of applications; AppCatcher™/ProtocolCatcher™

Collecting the Websense Master Database through data mining

Websense runs a dedicated honeynet to collect prevalent security threats
Websense Master URL Database supports a Chinese-language category database
Abortion ‧ Pro-Choice ‧ Pro-Life
Advocacy Groups
Adult Material ‧ Adult Content ‧ Lingerie and Swimsuit ‧ Nudity ‧ Sex ‧ Sex Education
Business and Economy ‧ Financial Data and Services
Drugs ‧ Abused Drugs ‧ Marijuana ‧ Prescribed Drugs ‧ Supplements and Unregulated Compounds
Premium Groups available in addition!
Education ‧ Cultural Institutions ‧ Educational Institutions ‧ Educational Materials ‧ Reference Materials
Entertainment ‧ MP3
Gambling
Games
Government ‧ Military ‧ Political Organizations
Health
Illegal or Questionable
Information Technology ‧ Computer Security ‧ Hacking ‧ Proxy Avoidance ‧ Search Engines and Portals ‧ URL Translation Sites ‧ Web Hosting
Internet Communication ‧ Web Chat ‧ Web-based Email
Job Search
Militancy and Extremist
News and Media ‧ Alternative Journals
Racism and Hate
Religion ‧ Non-Traditional Religions, Occult and Folklore ‧ Traditional Religions
Shopping ‧ Internet Auctions ‧ Real Estate
Social Organizations ‧ Professional and Worker Organizations ‧ Service and Philanthropic Organizations ‧ Social and Affiliation Organizations
Society and Lifestyles ‧ Alcohol and Tobacco ‧ Gay, Lesbian or Bisexual Interest ‧ Hobbies ‧ Personal Websites ‧ Personals and Dating ‧ Restaurants and Dining
Special Events
Sports ‧ Sport Hunting and Gun Clubs
Tasteless
Travel
Vehicles
Violence
Weapons
Flexible setting and management of Internet resource usage policies
Policies can be set by UserID, IP, IP range or Group (department)
Policies can be set by time period and by weekday
Supports "Limit by Quota" and "Continue" (warn first, then allow) policies
Websense has the only EIM solution that offers adaptive filtering. First, we have 8 different filtering options, giving IT administrators maximum flexibility. In addition to just blocking and permitting sites, we have many other options. You can set up policies by time of day; for example, you can allow access to certain categories before 8am and after 5pm. One of our newest features is "time-based quotas", which let you allow employees to do limited amounts of personal surfing at work; for example, allow employees to do online banking and check stocks for 1 hour each day.
Complete reporting mechanism: detecting latent threats within the enterprise
Websense Enterprise provides advanced risk assessment and threat identification capabilities through its reporting interfaces.
Websense Enterprise Real-Time Analyzer™: Real-Time, lets Websense administrators monitor network behavior in real time
Websense Enterprise Explorer: Forensics & Analytics, uses drill-down to provide browser-based views of employee Internet behavior, suitable for any department, including HR and Legal
Websense sets the bar in the industry for providing organizations with a full breadth of monitoring and reporting tools to understand their environments better. Websense offers 3 interfaces for threat discovery. Real-Time Analyzer is installed directly with Websense Enterprise and offers IT admins a way to monitor their networks in an ad-hoc fashion; say my network was slow and I wanted to check on Internet activity that might be slowing it down. Websense Enterprise Explorer is a new interface in version 5 that takes IT out of the reporting loop for business users: HR managers and legal staff can use this tool directly to analyze employee Internet activity and look for problem users or activity. (If showing the demo: in a few minutes, I'll show you this tool and the power and simplicity with which it provides this key information.) Websense Enterprise Reporter is Websense's classic reporter, built on Crystal Reports and offering over 80 pre-defined report templates; customers can use it to generate batch reports on Internet activity or network use. It also includes a special report known as Internet Browse Time, which estimates how much time end users are spending on the Internet over specific periods. All of Websense's reporting products are free with the base subscription.
Websense Enterprise Reporter: Batch, includes more than 80 predefined report templates that can be customized as needed
Risk level analysis
Web-based module bundled with Websense Enterprise. WEBSENSE ENTERPRISE: EXPANDING EIM. Intercepts and displays the log stream from Websense; real-time display; great sales evaluation tool with drill-down capability; blows away the RTM from SurfControl.

Protocol analysis

Websense Enterprise Explorer: detailed analysis of employee Internet behavior that may pose security risks to the enterprise
Here is an Explorer screenshot that demonstrates the power of this valuable sales tool. WS Explorer clearly illustrates the security risks and their severity, and in doing so clearly highlights the need for Websense. Here is verifiable, hard evidence of the scenarios that your customers or prospects already think they are protected from through their purchase of firewalls, intrusion detection and AV solutions. What's remarkable is that WS Explorer not only points out the security threat but also suggests which Websense module can be used to mitigate it. We repeatedly find that Partners who are able to install WS Explorer with prospects during the evaluation of Websense close the sale. One Partner recently advised us of an accelerated close: the Partner turned on WS Explorer while their prospect of 8,000 users evaluated WS Enterprise in monitor-only mode. Explorer showed over 12,000 hits for Spyware in the Security PG category shown above. The surprised and horrified prospect had thought they were protected by another product. This Partner logged the sale before the end of the month. Bottom line: Websense Explorer can mean more money in your pocket.
User browsing detail query

Websense Reporter

Chinese-localized BlockPage / customizable content (HTML)
Websense Security Labs services
Security Labs Alerts
SiteWatcher: proactively notifies the school if its website has been implanted with MMC.
BrandWatcher: proactively raises an alert when the school's website or name keywords are targeted by phishing fraud or keylogging attacks.
Websense Security Labs™ and Services. Websites and brands are targeted daily for attack. Websense Security Labs conducts research and delivers timely product and information updates to the security community and Websense customers about malicious web sites, phishing-based attacks and other emerging threats. Websense has been mining the Internet for malicious code for over 3 years, and daily we scan over 37 million websites. Websense Security Labs Alert is a value-added service that provides security warnings on malicious Internet events, including spyware and phishing; alerts are sent directly to customers via email as they are discovered by the WSL team. Websense Security Labs SiteWatcher is a value-added service that alerts customers if their company website has been infected with MMC (note: it does not address "defacing" activities). This allows customers to take immediate measures to prevent the spread of MMC to customers, prospects and partners visiting their website. Websense Security Labs BrandWatcher is a value-added service that alerts customers if their company website has been hacked into or spoofed by a phishing attack; customers are notified of the security event by WSL via email, allowing them to take immediate action.
SiteWatcher: websites are being used to spread malicious code as new attack vectors. IIS, Apache, PHP and other technologies have several vulnerabilities that are being exploited; every day we still see more than 5,000 sites that have been hacked into and are still online. This should not be your only defense, but it is an additional notification system to inform you. Note: this is notification only; it is the organization's responsibility to fix the site. How does SiteWatcher work? Websense Security Labs mines the company's main website (only one site per customer) as part of our daily mining; WBSN matches heuristics and signatures of code for MMC, and then notifies the registered user via email.
BrandWatcher: we have more than 1,500 reports of phishing attacks daily; more than 200 brands are being targeted; e-commerce sites are starting to be targeted; small regional banks are being targeted; key-logging malicious code is becoming more and more popular. How does BrandWatcher work? Websense Security Labs researches phishing, fraud and malicious code on a daily basis. If Websense identifies a website or malicious code attack that includes a registered brand, we notify the registered users with the attack specifics. BrandWatcher can NOT be sold alone (without Web Security Suite).
Client Policy Manager™: desktop security policy management
Protection against zero-day (Zero Day) attacks: Application Lockdown, Network Access Lockdown, Outbreak Mode
Block dangerous and non-work applications: IM, P2P, games, hacking tools, spyware; viruses, worms and Trojan horses
Detect and analyze desktop security vulnerabilities and whether malicious programs are spreading: Explorer for CPM, CPM Reporter, Inventory Manager
The proactive solution to these problems is the new Client Application Manager module, available as a separately licensable module for v5. This exciting new offering allows IT managers to actively manage all software applications at the client level by name or category, from Solitaire to L0phtCrack, or from games to hacking tools. With code automatically installed on each employee desktop, managers can prevent unauthorized or unproductive applications from launching in the first place. Additionally, desktops can be "locked down" to maintain tight control over the user's software image. And because CAM is managed from the central Websense Server, IT managers can quickly and easily set policies by user, work group, department or network, much like Websense Enterprise today. As examples, IT managers would be able to block all desktop gaming applications, such as Doom or Solitaire, or prevent rogue applications delivered via e-mail from executing until IT can validate them. The recent Bugbear worm is a great example: even if an employee had received the e-mail with the Bugbear worm, the application would not have been able to execute, as CAM would have stopped it in its tracks.
• Centrally managed from the Websense server and rules base
• Desktop-resident code
Lastly, Websense CAM gives you the ability to sell installation and deployment services; at the desktop, these services are even expected in many instances.
Obtaining client hardware asset information through CPM

Analyzing client application usage information through CPM
"How much spyware is on the company network?"
This particular screenshot shows the spyware applications that existed in one small environment. The list is not representative of the full list of spyware applications contained in the Websense application database; it merely shows the applications existing in this environment.

Setting client application software usage policy
CPM manages removable storage media
Lets administrators set usage policy for portable storage media such as USB, FireWire, CD/DVD burners and removable hard disks.
Depending on policy needs, all portable storage media can be banned, or only writable media.
Key benefits: improves control over desktops in order to prevent the theft of intellectual property; mitigates the risk of malicious code being transferred through removable media.
Problem example: proliferation of USB data storage devices, and protecting data against unauthorized copying.
Potential solutions: 1. Prevent unauthorized devices from functioning at all; 2. Prevent data from being copied to unauthorized devices; 3. Encrypt all data so that unauthorized users cannot use the copied data. CPM addresses items 1 and 2.

Warning page shown when a PC launches a banned program

Case study
King George V School
With more than 100 years of history, KGV is a top international secondary school in Hong Kong.
It urgently needed to provide complete online teaching resources while preventing students from deliberately or inadvertently using school resources to browse websites and pages unrelated to their studies, or even unhealthy ones (games, gambling, adult sites).
The campus network faces ever more malicious mobile code (MMC), Trojans, worms and other network security threats.

Websense's specific solution
Prevent access to inappropriate websites such as game and adult sites: block the Games, Adult and Job Search categories in the Websense Master Database
Manage and control use of instant messaging software and BT-type software: 1. analyze traffic using the signatures in the protocol database and block the communication protocols of the relevant IM software
Prevent access to sites containing spyware, keylogging and MMC: manage the Websense Security PG Premium Group to keep users from inadvertently visiting such sites
Network resource usage reports: Websense Reporter can generate Top Users, Top URL Categories and similar reports and identify abnormal network resource use; Websense Explorer lets administrators see in real time how their students use Internet resources
Customer feedback after use
"Websense® has the most complete website category database, effectively preventing students from reaching inappropriate websites and content and helping our school provide a better online learning environment..." — Daniel Cheong, Systems Manager, KGV

The leading brand in "Employee Internet Management"
"No other product equals Websense Enterprise." — PC Magazine
"When you're ready to buy, we recommend Websense..." — ZDNet
Selected customers
Taiwan customers: TSMC, PowerChip, Winbond, Coastal Guard Post Office, Far Eastone Telecom, Fubon Life Insurance

Download a free, full-featured 30-day trial now from www.websense.com!