GFI WebMonitor 2009 Review

Note: This is not a sponsored review.

Recently, GFI has released the latest version of their award-winning web monitoring and filtering solution, GFI WebMonitor 2009.

With this new release, GFI is taking a step further towards the large enterprise security market, and what I find the most innovative feature is the optional ability to run the software on any Windows Server / Workstation without requiring a pre-existing ISA Server. Of course, the ISA plugin edition is also available as it has always been.

In my opinion, the next logical step would be providing a dedicated appliance based on a hardened Windows Server, as I encounter more and more corporate customers who would prefer an appliance instead of software delivery.

Enough with the introduction, let's take a look under the bonnet:

1. Installation
I downloaded the 30-day full edition, available here, and one of the first decisions which needs to be made is the deployment model.

GFI WebMonitor can be installed as a proxy (default option) or one can choose the Gateway mode, which will intercept all HTTP/S traffic through the network. It's not clear to me (and I did browse the documentation) whether the Gateway mode requires changes in the IP addressing or whether the server is placed inline, capturing all traffic at layer 2. If you are a GFI tech, please leave a comment on this blog post clearing up this issue. Thanks!

2. Monitoring / Management Console
The GFI WebMonitor console presents at a glance the most important real-time statistics about the inspected traffic and the policies which are applied.

GFI WebMonitor Console

Using explicit dashboards and graphs, the administrator can very easily see details about:

  • Total bandwidth consumed
  • Anti Virus and Anti Phishing statistics
  • Bandwidth usage trends 
  • Top blocked web categories
  • Top web categories hits 
  • Last Blocked Security Threats

3. Configuration
Defining and enforcing content filtering policies is split into several sections for maximum flexibility. For instance, one can define very strict virus, spyware and phishing policies and a more relaxed policy for URL filtering, instant messaging and allowed downloads. I chose to define and impose strict policies for all actions, just to play the role of a modern-day corporate employee :), confined in rules and regulations.

I would like to mention that policy enforcement is granular and, because not all people are equal, different users or IPs can be the subject of different policies and exceptions, which can be defined within one policy. Sweet!

Speaking of users, GFI WebMonitor proxy supports basic authentication or integrated NTLM authentication.

4. User Experience
There are several ways to enforce the GFI WebMonitor proxy settings:
- manual / automatic browser configuration through GPOs
- publishing the IP of the GFI WebMonitor proxy in WPAD
- transparent proxy redirection

Either way, the end user experience is not affected at all and, 10 minutes after I set my browser, I had already forgotten that I was using a content filtering service. I tried to break the policies by browsing inappropriate websites (adult), downloading games (spyware) and clicking several phishing links I found on PhishTank.

Each and every time I tried these actions I was blocked and, in the real world, an email could have been sent to the security / HR departments. Scary!

Here are a few screenshots of the user side of the action:

GFI WebMonitor blocking phishing

Anti-Phishing Blocking

GFI WebMonitor AntiVirus

Virus Blocking 

Web Policy Violation

Spyware Blocking

Here are a few reports (pdf) which I ran using GFI WebMonitor Report Pack:

5. Conclusion
GFI WebMonitor 2009 proves to be a very effective security control which protects the largest threat vector in use today: web browsing. Its effectiveness is proven by the short time and small administrative overhead during planning, deployment and maintenance while achieving high quality results. As said, I think that a GFI WebMonitor appliance would complete the picture :)

One of the core values of GFI has always been the business common sense and ethics which stand behind the "We Care" campaign. You can download a free copy of GFI WebMonitor or you can buy the full version.

It's good value for the money and, by taking your mind off web content security, it will leave you more time and resources for productivity, creativity or daydreaming & fun.
 

ModSecurity 2.5 – New Book Soon To Be Released

A new book on ModSecurity is on its way, expected this Nov. The nice folks at Packt Publishing contacted me and I'll receive a copy as soon as it's launched. Of course I will review it on this blog but until then, a short look under the bonnet:

Title: ModSecurity 2.5
Author: Magnus Mischel
Publisher: Packt Publishing

Having worked mostly with commercial Web Application Firewalls such as Imperva and F5, I'm eager to see how ModSecurity lives up to its reputation and how one can save lots of time and money by implementing a robust open source WAF adapted to today's threats.

From publisher's presentation:

A complete guide to using ModSecurity, this book will show you how to secure your web application and server, and does so by using real-world examples of attacks currently in use.

Sounds like fun !

NetWitness releases NextGen version 9.0

It's been a long time since my last post and, if I look back at it, I was writing about NetWitness.

Today, I was notified that NetWitness released NextGen version 9. Since I liked version 8 so much, let me write here the new features offered in version 9.0:

  • NetWitness Identity – provides the ability to easily correlate IP addresses in network sessions to end-user directory credentials – fusing an organization’s Active Directory to offer a real-time 4-1-1 lookup capability. As a result, security staff can link compromised machines and inappropriate network behavior to a user’s actual identity.
  • Support for 802.11 Wireless Capture – initially supported under the portable NextGen Eagle platform, this capability will be available on all NextGen 9.0 capture platforms. This new capability supports WEP in-line decryption and will support WPA decryption under an upcoming service pack.
  • 10Gbps Network Support – building off of real-world experiences with massive government, commercial and service provider networks, unlike other products in this space, NextGen 9.0 includes support for both capture and real-time analysis on 10Gbps networks.
  • Expanded authentication options – NextGen 9.0 supports Linux PAM, providing pluggable authentication modules that connect the NextGen infrastructure to customer authentication frameworks such as Kerberos for Windows and Unix environments, LDAP, Radius and many others.
  • Expanded enterprise management – NextGen 9.0 introduces a new administrative dashboard that enables comprehensive insight into global health across all connected appliances. This includes real-time feedback and charting for all system metrics, and expanded interfaces for managing configuration parameters, rules, alerts, parsers, feeds, and software updates across all devices from a single location.

Let's hope that NetWitness Investigator (free download here) will be soon upgraded to version 9 as well just because it's such an awesome tool :)

Twitter Weekly Updates for 2009-07-19

  • Just registered for the 2PM session RT @netwitness: Registration now open for live webinar w/ Eddie Schwartz (July 23) http://bit.ly/2xqW8H
  • big day next Wed. doing a live demo on @arcsight + @encase and hopefully @netwitness , all of them working together in sweet harmony
  • crawling (yawn..) through EnCase on demand training.. . shouldn’t be prerequisites for this course ? at least what is a bit / byte ..
  • is any @webex audio link so crappy just because I’m not in US ? both builtin audio and phone links are jammed / fragmented most of the time
  • RT @GFISoftware: giving away a free GFI t-shirt to 20 lucky winners! Follow & RT this for your chance to win – http://tr.im/sqqH
  • attending Application Security tech webinar; way much better audio on gotowebinar compared to @imperva webex session earlier.
  • @WebEx I’m afraid you are not following me, so no can do DM :( . Please try http://www.dragoslungu.com for contact as I can help troubleshoot this
  • RT @securityshell: RT @pauldotcom Slides & Audio now available for “Using Nessus In Web App Testing” http://bit.ly/171oCu
  • @WebEx event no. 799 408 473 went terribly wrong, almost no audio at all (was a webinar with many attendees)
  • @flibeau are u happy happy happy ? congratz http://bit.ly/TBH5i
