Product Information Bulletin - Clearswift · 2020-02-17 · Product Information Bulletin Clearswift...


Clearswift Public

Product Information Bulletin

Clearswift SECURE ICAP Gateway v4.2

Version 01

28/07/2015


Copyright

Version 1.0, July, 2015

Published by Clearswift Ltd.

© 1995–2015 Clearswift Ltd.

All rights reserved.

The materials contained herein are the sole property of Clearswift Ltd unless otherwise stated. The property of Clearswift may not be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.

Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.

The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography.

Clearswift reserves the right to change any part of this document at any time.


Contents

1 Overview
1.1 Clearswift Content Inspection Engine
1.2 Adaptive Redaction
1.3 ICAP Server
1.4 Management
1.5 Reporting
1.6 Threat Protection
2 Availability
3 Packaging


1 Overview

Clearswift is excited to introduce version 4.2 of the Clearswift SECURE ICAP Gateway. This fully featured gateway extends the connectivity and coverage of the existing products by providing an ICAP interface to integrate Clearswift’s unique inspection and remediation technology with a client’s existing infrastructure.

Typical deployments are integrated with a forward proxy to inspect users’ browsing traffic, or in a reverse proxy environment to analyze content being downloaded from or uploaded to the corporate web servers.

In any of these cases, the devices acting as a forward or reverse proxy typically provide a wide range of network-related functionality. However, they lack the ability to perform deep content inspection of the information being exchanged to enforce the information security policy. By complementing them with Clearswift, clients can take advantage of the features of both products, protecting corporate systems at both the network and the information level.

Clearswift has signed technology alliance partnerships with the market leaders in each of these sectors. With this release, F5 BIG-IP is included as a supported platform to integrate with. F5 Networks has more than 50% share of the Application Delivery market.

Similarly, Blue Coat is the leader of the Secure Web Gateway market. Clearswift is also a Data Loss Prevention technology alliance partner of Blue Coat.

It is also quite common in mid-sized and small organizations to find the open source product Squid deployed as a proxy. With this release, Squid is also an officially supported product to integrate with Clearswift SECURE ICAP Gateway.

All of these platforms provide an interface to expand their functionality through other solutions, such as anti-virus and Data Loss Prevention products, connected via the Internet Content Adaptation Protocol (ICAP).

By integrating with the SECURE ICAP Gateway, solutions such as F5 BIG-IP or Blue Coat ProxySG can complement their functionality with Clearswift’s Adaptive Data Loss Prevention (A-DLP) technology.

Featuring the highly efficient Clearswift Content Inspection Engine, the SECURE ICAP Gateway provides a wide range of functionality. This new version extends the existing capabilities of the product:

• Content Inspection and Adaptive Data Loss Prevention
  o Clearswift Deep Content Inspection Engine
  o Adaptive Redaction
  o Lexical analysis
  o Lexical qualifiers
  o True data type content detection
  o Recursive decomposition
• Platform
  o 64 bit Red Hat Enterprise Linux 6.6
  o Hardware appliance, software and virtual installation options
• ICAP
  o ICAP server
  o Integrated authentication
• Management
  o Granular policies
  o URL Database
  o Complete reporting engine
  o English and Japanese Web UI
• Threat protection
  o Sophos and Kaspersky anti-malware engines
  o Active content detection and removal
  o Security risks URL database category

These features are detailed in the following sections of the document.

1.1 Clearswift Content Inspection Engine

Key points:

• Full inspection of both requests from users and responses from servers
• Detect and prevent sensitive information from leaving the organization
• Prevent accidental disclosure
• Ensure regulatory compliance
• True data type detection to provide full control of the content security policy

Clearswift’s Content Inspection Engine provides unparalleled technology to perform bidirectional decomposition and analysis of the communication flows and apply the appropriate content security policy to them.

Using true binary data type detection and recursive decomposition, it can identify over 175 different data types even if they are embedded, compressed or contained inside other file types. Moreover, this detection can be extended by administrators to effectively detect new data types.

Binary detection is often used to prevent undesired content, such as executables, from getting into an organization. It is also used to prevent certain data types that might contain company-unique knowledge, like CAD designs, from leaving the organization.

Lexical expressions provide a powerful way to identify text content in the communication flows. By using weighted lists of words, patterns or tokens, not only can specific text be identified, but the context of the communication can also be validated. Great flexibility is provided in the definition of the expression, which can be done using plain words, regular expressions or combinations of both for greater accuracy.

Specific detection tokens are included in the product, which perform validation operations such as checksums to ensure proper detection. These tokens include credit card numbers, International Bank Account Numbers, UK National Insurance number, US Social Security Number, German National ID Number, Australian Tax File Number and the Business Identifier Code.

These can be extended with user-defined patterns to detect other tokens such as part numbers, national IDs, or any other pattern like the days of the week.

Lexical expressions are widely used to detect and prevent sensitive content from leaving the organization and to ensure regulatory compliance. They are also used to prevent undesired content from getting into the organization, such as offensive content or data subject to some kind of regulation, like credit card numbers.

In order to improve the accuracy of the lexical detection, simplify the definition and dramatically reduce the number of false positives, Clearswift allows the automatic import of expressions from structured data sources like databases. By combining the definition of specific tokens, such as Patient ID, with the information fed from the databases, the number of false positives can almost be reduced to zero.

[Figure: import of expressions from a structured data source. Labels: Patient DB; Export; TSV Export; Secure and Index; Indexed and secured TSV export; Place on a secure server; Secure Server; Pull]

Both Lexical Expression detection and Binary Data Type detection can be combined to selectively perform analysis of only the desired data types and provide an even higher accuracy.

1.2 Adaptive Redaction

Key points:

• Modify offending content to match the security policy
• Apply detect-and-modify policy rather than a detect-and-block to allow the communication to happen
• Ensure compliance by redacting sensitive or personal data
• Strip hidden information from documents to prevent embarrassing disclosures
• Remove active content to effectively protect from Advanced and Persistent Threats (APTs)
• Preserve intellectual property and competitive advantage
• Cost option

Adaptive Redaction is the set of technologies used to detect and modify content on the fly as it is being analyzed by the Gateway. By taking such a comprehensive approach, business processes are not blocked because of a strict or incorrect data loss prevention policy.

Under the umbrella of Adaptive Redaction in the SECURE ICAP Gateway there are three different features:

• Data Redaction
• Document Sanitization
• Structural Sanitization

Data Redaction relies on the lexical expression detection technology to perform substitution of content that has been detected. The substitution can take place in Office 2007+ (Word, Excel, PowerPoint), OpenOffice (Calc, Graphic, Impress, Master, Math and Writer documents), PDF, RTF, text and HTML content, and the detected content is replaced by asterisk (*) characters. This allows the Clearswift SECURE ICAP Gateway to modify content being uploaded, downloaded, and even web pages as they are being browsed.
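The checksum-validated detection tokens described in section 1.1 and the asterisk substitution described above can be illustrated with a short sketch. This is an added example, not Clearswift's implementation: the regular expressions, function names and sample text are assumptions, and only the payment card (Luhn) and IBAN (mod 97) checks are shown.

```python
import re

# Patterns only find look-alikes; the checksum decides whether to redact.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")

# Constructed sample: a valid test IBAN, a valid test card number, and a
# 16-digit reference that looks like a card number but fails the checksum.
SAMPLE = ("Pay to GB82 WEST 1234 5698 7654 32, card 4111 1111 1111 1111, "
          "ref 1234 5678 9012 3456.")


def luhn_ok(candidate):
    """Luhn check: double every second digit from the right, sum mod 10."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(candidate):
    """IBAN check: move the first four characters to the end, map A=10..Z=35,
    and require the resulting integer mod 97 to equal 1."""
    s = candidate.replace(" ", "")
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def redact(text):
    """Replace checksum-valid tokens with asterisks of the same length.
    Returns the redacted text and the list of token kinds that fired."""
    hits = []

    def replacer(kind, validator):
        def _sub(match):
            if not validator(match.group(0)):
                return match.group(0)      # look-alike only: leave untouched
            hits.append(kind)
            return "*" * len(match.group(0))
        return _sub

    # IBANs first, so their digit groups are not re-tested as card numbers.
    text = IBAN_RE.sub(replacer("iban", iban_ok), text)
    text = CARD_RE.sub(replacer("card", luhn_ok), text)
    return text, hits
```

The reference number in the sample survives redaction because it fails the Luhn check, which is the false-positive reduction the checksum step provides.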

Document Sanitization cleans up meta-data information like properties, change tracking or quick save data, which are a common source of information disclosure. The supported formats are Office 2007+ Word, Excel, PowerPoint, OpenOffice and PDF.

Structural Sanitization can effectively detect and strip active content from different sources. It covers the need to protect from unknown threats and APTs as well as preserving intellectual property. The formats and active content supported vary based on the data type, and are shown in the table below:

[Table: supported active content by format. Columns: DOCX, PPTX, XLSX, Open Office, HTML, RTF encoded HTML, PDF, RTF. Rows: VBA Macro, JavaScript, VBScript, ActiveX.]

Adaptive Redaction provides a big step forward in Data Loss Prevention technologies, as it provides alternatives to unsuccessful blocking DLP policies while protecting from the most common data loss issues and the most advanced targeted attacks.

1.3 ICAP Server

Key points:

• Integrate with existing infrastructure to perform deep content inspection in the communication flows
• Fully featured server provides content inspection, antimalware and URL filter
• Integrates different user authentication mechanisms provided by ICAP Client
• Certified Blue Coat ProxySG and F5 BIG-IP support as ICAP clients

The Clearswift SECURE ICAP Gateway provides ICAP server functionality. It allows supported ICAP clients to send requests for inspection and policy enforcement.

The ICAP protocol defines a means to exchange messages between a client and a server to provide additional inspection on the managed traffic. This is often used to provide antivirus inspection through an external solution.

Clearswift presents a full featured content inspection solution as an ICAP Server. Not only does it provide the commonly requested antimalware functionality, but it also provides the full power of the Clearswift award winning Content Inspection Engine to analyze the browsing flow at its deepest level.

In the current version, Blue Coat ProxySG, F5 BIG-IP and Squid are the supported ICAP clients.

[Figure: message flow between Users, the ICAP Client and the Clearswift SECURE ICAP Gateway. Labels: HTTP Request; ICAP Msg; Adapted Content; Mod HTTP Request; HTTP Response; Mod HTTP Resp]

The Clearswift SECURE ICAP Gateway allows the configuration of the permitted ICAP clients and the remaining parameters through the Web UI.

Configuration must also be done on the ICAP Client to forward the traffic intended for inspection to the SECURE ICAP Gateway.

Figure 1: Blue Coat ProxySG integration

Figure 2: F5 BIG-IP integration

The Clearswift SECURE ICAP Gateway supports user based policies. This is achieved by enabling authentication in the proxy and setting the authentication details to be forwarded to the Clearswift SECURE ICAP Gateway.

Within the list of authentication protocols supported by Blue Coat, the following are the ones that have been tested and validated to work with the Clearswift SECURE ICAP Gateway:

• Windows IWA (transparent authentication)
• LDAP (AD)
• Authentication Forms

F5 BIG-IP authentication can also be performed in a number of ways. However, it must be configured to forward the authentication information in the “X-Authenticated-User” ICAP header following a “DOMAIN/username” format. This is typically done by using an iRule.

Once authentication is enabled and the details are being received by the Clearswift SECURE ICAP Gateway, granular policies can be applied to the traffic, as explained in the following section.
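The shape of the ICAP exchange described in this section, with the user identity carried in the “X-Authenticated-User” header, is sketched below as an added example; it is not Clearswift, F5 or Blue Coat code. The service URL, host names, sample user, the accepted character set for “DOMAIN/username” and the function names are assumptions; the message framing follows the ICAP specification (RFC 3507).

```python
import re

# Assumed character set for the "DOMAIN/username" value described above.
USER_RE = re.compile(r"[A-Za-z0-9.-]+/[A-Za-z0-9._-]+")


def build_reqmod(service_url, user, http_head, http_body):
    """ICAP client side: wrap one HTTP request in a REQMOD message."""
    if not USER_RE.fullmatch(user):  # also stops CR/LF header injection
        raise ValueError("user must be DOMAIN/username")
    head = http_head.encode("ascii")  # HTTP header block incl. blank line
    chunk = b"%x\r\n%s\r\n0\r\n\r\n" % (len(http_body), http_body)
    icap = (
        f"REQMOD {service_url} ICAP/1.0\r\n"
        f"Host: {service_url.split('/')[2]}\r\n"
        f"X-Authenticated-User: {user}\r\n"
        # Offsets are byte positions within the encapsulated section.
        f"Encapsulated: req-hdr=0, req-body={len(head)}\r\n\r\n"
    )
    return icap.encode("ascii") + head + chunk


def parse_reqmod(message):
    """ICAP server side: recover the user identity and the HTTP request."""
    icap_head, _, encapsulated = message.partition(b"\r\n\r\n")
    request_line, *header_lines = icap_head.decode("ascii").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    offsets = dict(p.strip().split("=")
                   for p in headers["encapsulated"].split(","))
    body_at = int(offsets["req-body"])
    # This example sends exactly one chunk: hex size line, data, CRLF.
    size_line, _, rest = encapsulated[body_at:].partition(b"\r\n")
    user = headers.get("x-authenticated-user", "")
    if not USER_RE.fullmatch(user):
        raise ValueError("missing or malformed X-Authenticated-User")
    domain, _, username = user.partition("/")
    return {
        "method": request_line.split(" ")[0],
        "domain": domain,
        "username": username,
        "http_head": encapsulated[:body_at].decode("ascii"),
        "body": rest[: int(size_line.decode("ascii"), 16)],
    }


# Constructed sample values; host names and service path are placeholders.
SERVICE = "icap://icap.example.test:1344/reqmod"
HTTP_HEAD = ("POST /upload HTTP/1.1\r\nHost: intranet.example.test\r\n"
             "Content-Length: 17\r\n\r\n")
HTTP_BODY = b"note=hello world!"
```

Because user-based policy is selected from this header, its value is only as trustworthy as the sender, which is why the Gateway's list of permitted ICAP clients matters.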

1.4 Management

Key points:

• Complete intuitive Web management interface
• Per user/department/group granular policies
• Easy to use Web UI to fully control Clearswift Content Inspection Engine
• URL database with 84 categories to apply per site/category/Internet zone policies
• English and Japanese Web management interface
• Encrypted communications

The Clearswift SECURE ICAP Gateway inherits the intuitive web management interface from Clearswift's award winning products, the SECURE Email and Web Gateways. It allows administrators to take full control of the underlying Content Inspection Engine and create effective content security policies. The web interface is provided in the same box as the enforcement module to achieve higher consolidation and is localized into English and, with version 4.2, into Japanese.

The definition of the policy is based on routes, which are source and destination relationships that select a specific rule set to be applied.

Active Directory and LDAP integration allows the selection of users based on their department, group, or any other information as the source of the communication. The destination can be defined through the selection of one or more URL database categories, the definition of URL patterns, or even IP addresses.

Based on these two parameters, the defined routes are evaluated in order to find the rule set to apply to a specific communication flow.

The selected content rules are applied in order, analyzing the traffic to look for specific content and taking remedial action where appropriate. A complete collection of content rules is provided to take advantage of all the available functionality offered by the Clearswift Content Inspection Engine.

A content rule can block the traffic, force it to be allowed, or simply continue with the evaluation to perform only monitoring of the traffic, like in the example below.

Additionally, informs can be sent to specific users (like administrators, HR or the legal department) to notify them about the triggered rule.

In any case, a trace of the triggered rules is registered so that reports can be run on them.

1.5 Reporting

Key points:

• Complete built-in reporting engine
• Live and historical data
• Simplified report scheduling

Reporting is a key element in any content inspection product. The Clearswift SECURE ICAP Gateway provides a complete reporting engine built into the product without the need for additional external servers.

The product keeps track of the analyzed content and the rules triggered by it. Based on this information, a complete set of reports can be parameterized and run.

This information is generated as the traffic is inspected by the Gateway. This provides the ability to seamlessly run the reports on historical data and real time data based on the time period selected.

All of the reports can be easily scheduled to be generated automatically and emailed to one or more recipients.

1.6 Threat Protection

Key points:

• Selectable antimalware engine – Cost option
• Antispyware engine
• Security risk URL filters
• Real time page analysis

The Clearswift SECURE ICAP Gateway provides a wide range of functionality focused on inspecting content to the deepest level. Additionally, complete threat protection technology is optionally included in the product:

• Sophos or Kaspersky selectable antimalware engine
• Spyware call home detection
• Tracking cookies detection and removal
• URL security risk categories to prevent access to sites where malicious content has been detected
• Real time analysis of the content in 18 different languages to detect possible security risks

All of the filters can be selectively activated inside the granular policy to be applied to specific user groups or sites.

2 Availability

Phase                   Date
General Availability    28th July 2015

3 Packaging

This release will be available as an ISO image for all clients to download. Installation guides describe the process for the initial setup and configuration.