8e6 Technologies Threat Analysis Reporter TAR HL-SL-MSA User Manual

Threat Analysis Reporter

EVALUATION GUIDE

Models: TAR HL/SL/MSA

Software Version: 1.3.00

Document Version: 01.05.09

THREAT ANALYSIS REPORTER EVALUATION GUIDE

© 2009 8e6 Technologies

All rights reserved. Printed in the United States of America

Local: 714.282.6111 • Domestic U.S.: 1.888.786.7999 • International: +1.714.282.6111

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from 8e6 Technologies.

Every effort has been made to ensure the accuracy of this document. However, 8e6 Technologies makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. 8e6 Technologies shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. Due to future enhancements and modifications of this product, the information described in this documentation is subject to change without notice.

Trademarks

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.


8E6 TECHNOLOGIES, THREAT ANALYSIS REPORTER EVALUATION GUIDE

CONTENTS

THREAT ANALYSIS REPORTER EVALUATION GUIDE
    Overview
    Note to Evaluators
    Install, Configure, and Test TAR

CHAPTER 1: ACCESS THE TAR WEB CLIENT
    Step 1: Launch IE
    Step 2: Type in the URL
    Step 3: Log into the Application

CHAPTER 2: DRILL DOWN INTO A URL GAUGE
    Step 1: How to Read a Gauge
        Gauge Name
        Score
        Time Span
        Threat Level
    Step 2: View Child Gauges
    Step 3: View a List of Users Affecting a Child Gauge
    Step 4: View an Individual User’s Gauge Activity
    Step 5: Take Action on an Individual’s Activity
    Step 6: View Category Details
    Step 7: View the Actual Web Page Visited by the User

CHAPTER 3: CREATE A NEW URL GAUGE
    Step 1: Select the Gauges Menu Item
    Step 2: Add a Gauge Group
    Step 3: Define the Gauge
    Step 4: Advanced Settings

CHAPTER 4: CREATE AN AUTOMATED ALERT
    Step 1: Select Alerts
    Step 2: Add a New Alert
    Step 3: Specify Alert Components

CHAPTER 5: VIEW A URL TREND REPORT
    Step 1: Access Trend Charts
    Step 2: Change the Time Span

CHAPTER 6: MONITOR BANDWIDTH GAUGES
    Step 1: Select Bandwidth and Outbound
    Step 2: Select the FTP Protocol Gauge
    Step 3: Select Port 21 Child Gauge
    Step 4: View the User Summary
    Step 5: View Port Traffic

CHAPTER 7: VIEW A BANDWIDTH TREND REPORT
    Step 1: Select Bandwidth and Trend Chart
    Step 2: View Bandwidth Trend Chart Data


THREAT ANALYSIS REPORTER EVALUATION GUIDE

Overview

The Threat Analysis Reporter helps administrators manage internal Web-based threats by monitoring Internet usage information by user in real-time, and by providing proactive remediation tools to enforce the organization’s Acceptable Use Policy.

Note to Evaluators

Thank you for taking the time to review 8e6’s Threat Analysis Reporter (TAR) appliance. Your interest in our company and product is greatly appreciated.

This Evaluation Guide is designed to provide product evaluators an efficient way to install, configure and exercise the main product features of the TAR.

Install, Configure, and Test TAR

To install the TAR appliance, configure the server, and to test the unit to ensure that reporting is operational, please refer to the step-by-step instructions in the Threat Analysis Reporter Quick Start Guide provided inside the carton containing the chassis.

Please note that prior to reviewing TAR, the R3000 Internet Filter must already be installed; this appliance is required for sending logs to the Reporter. See the R3000 Internet Filter Evaluation Guide for instructions on how to set up the Internet Filter.


CHAPTER 1: ACCESS THE TAR WEB CLIENT

Step 1: Launch IE

From your workstation, launch Internet Explorer to open an IE browser window.

NOTE: If pop-up blocking software is installed on the workstation, it must be disabled. Information about disabling pop-up blocking software can be found in the TAR User Guide Appendix A: Disable Pop-up Blocking Software.

Step 2: Type in the URL

In the Address field of the browser window, type in the URL for the TAR server: http://x.x.x.x:8080 (in which ‘x.x.x.x’ represents the IP address). This action opens the TAR login window, which serves as a portal for administrators to log into TAR.

Login window

Step 3: Log into the Application

1. In the Username field, type in your username. If you are logging in as the global administrator, enter the username registered during the quick start wizard procedures. If you are logging in as a group administrator, enter the username set up for you by the global administrator.

2. In the Password field, type in your password. If you are logging in as the global administrator, enter the password registered during the quick start wizard procedures. If you are logging in as a group administrator, enter the password set up for you by the global administrator. Asterisks display for each character entered.

3. Click the Log In button to open the application that displays the URL dashboard gauge view in the right panel by default. The navigation panel displays to the left, and in the panel above the system time and date display (in the HH:MM:SS/MM.DD.YYYY format) beside the Logout button:


URL dashboard with URL gauges


CHAPTER 2: DRILL DOWN INTO A URL GAUGE

This section will step you through the manual monitoring of users in real-time via the URL gauge dashboard. Note that this is simply one of many ways to use TAR to monitor insider threats. There is also a robust automated alert component that does not require the system administrator to be monitoring gauges in order to be notified of a violation in process.

Step 1: How to Read a Gauge

The graphic below describes how to read gauges on the URL dashboard:

Anatomy of a gauge diagram

Gauge Name

The gauge name is the customized name of the gauge created by the administrator. TAR has five default sample gauges that correspond with five of 8e6’s super-categories: Adult Content, Security, Shopping, Bandwidth and Illegal. Administrators can create their own gauges as well as delete the default gauges.

Score

The score is the large number in the center of the gauge that is based upon the number of URL page hits (see NOTE below) that occur in this specific category in a given period of time.

NOTES: In addition to page hits, TAR also counts “blocked object” hits. For reference, “page hits” are files that typically end in .html and represent a main page view. “Object hits” are files that typically end in .gif or .jpg and represent image files.

To streamline your task, TAR does not track a score for “non-blocked objects,” since these gauges are designed to provide a clear picture of how many times a user has requested a page, and objects are images hosted within a page. TAR includes blocked object data to cover instances in which harmful images are hosted on a non-harmful site.


Time Span

Each gauge monitors events in real-time for a window of time between one and 60 minutes. This time span is customizable by the administrator. For example, if a gauge is set for 15 minutes, that gauge will indicate the number of page hits for the last 15 minutes of time. So if the current time is 12:00, the gauge score will reflect all activity from 11:45 to 12:00. Once the time is 12:01, the gauge will reflect all activity from 11:46 to 12:01.

Threat Level

The colored threat level indicates the current state of threat based on the customizable ceiling created by the administrator. For example, if the administrator creates a gauge with a threshold of 100, when the score reaches 67 the gauge dial will move into the red section of the dial and the score number will turn red and begin to flash. These gauges are designed to provide an intuitive reminder when a specific category gauge is experiencing abnormal levels of activity so the administrator can react quickly.
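The score, time span and threat level rules described above, modeled as a short Python sketch. This is an added example, not 8e6 code: the record layout, the class and function names and the sample log are constructed, and treating "red" as 67 percent of any threshold is an assumption generalized from the single 67-of-100 example.

```python
from datetime import datetime, timedelta

class Gauge:
    """Sliding-window gauge for one category (hypothetical model)."""

    def __init__(self, category, span_minutes=15, threshold=100, red_percent=67):
        if not 1 <= span_minutes <= 60:
            raise ValueError("time span must be between 1 and 60 minutes")
        self.category = category
        self.span = timedelta(minutes=span_minutes)
        self.threshold = threshold
        self.red_percent = red_percent  # assumption: from the 67-of-100 example
        self.hits = []                  # (timestamp, user) for hits that count

    def record(self, ts, user, category, kind, blocked):
        # Page hits always count; object hits count only when blocked.
        if category == self.category and (kind == "page" or blocked):
            self.hits.append((ts, user))

    def _in_window(self, now):
        return [(ts, u) for ts, u in self.hits if now - self.span <= ts <= now]

    def score(self, now):
        return len(self._in_window(now))

    def is_red(self, now):
        # Integer arithmetic avoids float rounding at the boundary.
        return self.score(now) * 100 >= self.threshold * self.red_percent

    def users(self, now):
        """Users driving the score, highest count first."""
        counts = {}
        for _, user in self._in_window(now):
            counts[user] = counts.get(user, 0) + 1
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def at(hhmm):
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2009, 1, 5, hour, minute)  # constructed date

# Constructed sample records: (time, user, category, hit kind, blocked?)
SAMPLE_LOG = [
    (at("11:44"), "jsmith", "Spyware", "page", False),    # outside window at 12:00
    (at("11:45"), "jsmith", "Spyware", "page", False),
    (at("11:50"), "jsmith", "Spyware", "object", True),   # blocked object counts
    (at("11:52"), "mlee", "Spyware", "object", False),    # non-blocked object ignored
    (at("11:58"), "mlee", "Spyware", "page", True),
    (at("12:00"), "jsmith", "Shopping", "page", False),   # other category
]

def build_sample_gauge():
    gauge = Gauge("Spyware", span_minutes=15, threshold=4)
    for rec in SAMPLE_LOG:
        gauge.record(*rec)
    return gauge
```

With the sample log, the score is 3 at 12:00 and drops to 2 at 12:01 once the 11:45 hit leaves the 15-minute window.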

Step 2: View Child Gauges

Sometimes a single child gauge is responsible for driving a parent gauge’s score. To view child gauges, you can either double-click the parent gauge or right-click the parent gauge and then select “View Gauge Details”. In this example, select the “Security” gauge.

Select the Security parent gauge

Performing either of the two aforementioned actions on this parent gauge will open a window containing all child gauges associated with that gauge.


Step 3: View a List of Users Affecting a Child Gauge

Double-click the child gauge to open a window containing a list of users who are responsible for driving that gauge’s score. In this example, double-click the “Spyware” child gauge.

Open the child gauges window

Step 4: View an Individual User’s Gauge Activity

In the Spyware window, select the top name from the user list and click “User Summary” to get a complete view of all activity for that user. This will help determine if the user is just abusing a single category or has high activity in other gauges as well.

View a list of end users who are responsible for a gauge’s activity
