Triton RiskVision Setup Manual

v2.0
TRITON® RiskVision Setup Guide
©2015, Websense Inc. All rights reserved. 10900 Stonelake Blvd, 3rd Floor, Austin, TX 78759, USA
Published 2015 Printed in the United States and Ireland
The products and/or methods of use described in this document are covered by U.S. Patent Numbers 5,983,270; 6,606,659; 6,947,985; 7,185,015; 7,194,464 and RE40,187 and other patents pending.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Websense Inc.
Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc., shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.
Trademarks
Websense and TRITON are registered trademarks and RiskVision is a trademark of Websense, Inc., in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Mozilla and Firefox are registered trademarks of the Mozilla Foundation in the United States and/or other countries. This product includes software distributed by the Apache Software Foundation (http://www.apache.org).
Copyright (c) 2000. The Apache Software Foundation. All rights reserved. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
TRITON RiskVision Setup Guide i
Contents
Chapter 1  Introducing TRITON RiskVision . . . . . . . . . . . . 1
    Positioning TRITON RiskVision in the network . . . . . . . 2
        RiskVision positioned downstream from a web proxy . . . 2
        RiskVision positioned upstream from a web proxy . . . . 3
        RiskVision and SSL decryption . . . . . . . . . . . . . 4
    How does RiskVision work? . . . . . . . . . . . . . . . . . 5
    Setup process overview . . . . . . . . . . . . . . . . . . 6
Chapter 2  Installation . . . . . . . . . . . . . . . . . . . . 7
    Step 1: Set up your V-Series appliance hardware . . . . . . 7
    Step 2: Set up the RiskVision appliance software . . . . . 8
Chapter 3  Initial Setup . . . . . . . . . . . . . . . . . . . 11
    Step 3: Configure the system . . . . . . . . . . . . . . . 11
        Verify your network interface configuration . . . . . . 11
        Enable RiskVision analysis . . . . . . . . . . . . . . 12
        Update the analytic databases . . . . . . . . . . . . . 14
        Check for system updates . . . . . . . . . . . . . . . 14
        Configure data storage . . . . . . . . . . . . . . . . 15
        Enable traffic capture . . . . . . . . . . . . . . . . 16
        Verify the RiskVision services . . . . . . . . . . . . 17
    Step 4: Verify RiskVision monitoring . . . . . . . . . . . 18
    Step 5: Using TRITON RiskVision . . . . . . . . . . . . . . 19
ii Websense TRITON RiskVision
Chapter 1  Introducing TRITON RiskVision
TRITON RiskVision Setup Guide | TRITON RiskVision | v2.0
Websense® TRITON® RiskVision™ uses advanced analytics—including rules, signatures, heuristics, and file sandboxing—to provide real-time analysis of files transferred in web and email traffic.
TRITON RiskVision monitors TCP traffic by connecting to a SPAN or mirror port on a switch, or to a network tap that supports aggregation.
Files identified in HTTP and SMTP traffic are analyzed by the solution in real time, using Websense Advanced Classification Engine (ACE) analytics on the local machine, to identify suspicious and malicious software.
Potentially suspicious files are forwarded to the cloud-based file sandboxing service to identify advanced malware threats. Administrators can:
• Find status information in the Local Manager to track the status of file sandboxing.
• Access online file sandboxing reports to learn more about analyzed files, the threats associated with them, and the steps needed for remediation.
Transaction data is analyzed to find violations of regulatory policies related to transfer of Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry (PCI) data within file content.
Positioning TRITON RiskVision in the network
RiskVision positioned downstream from a web proxy
In most cases, it is best to position the RiskVision appliance between clients and the proxy. This ensures that RiskVision components see:
• Unaltered TCP traffic from clients
• The client IP address associated with requests
Outbound data protection performed by the upstream proxy does not affect RiskVision, but if the upstream proxy blocks responses from origin servers, RiskVision does not see those responses.
RiskVision positioned upstream from a web proxy
When RiskVision is positioned closer to the Internet egress point:
• RiskVision sees origin server responses before they are processed by the web proxy. This allows unrestricted application of the real-time analytic features.
• If the downstream proxy blocks outbound requests, however, RiskVision will not see those requests and cannot analyze or log them.
In this configuration, because outbound traffic goes through the downstream proxy before being seen by RiskVision, the source IP address of all requests is the web proxy IP address.
To address this issue, configure the downstream proxy to add an X-Forwarded-For header to the HTTP requests it forwards. RiskVision automatically parses the X-Forwarded-For information and includes both the source IP address (the proxy) and the forwarded-for IP address (the client) in its reporting output.
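The X-Forwarded-For handling described above, as an added illustration that is not RiskVision's own code: a hypothetical Python parser that pulls the header out of a request captured on the monitor port, records both the wire source (the proxy) and the forwarded-for client, and honours the header only when the request actually came from a proxy you operate, because a client can send its own X-Forwarded-For value ahead of the one the proxy appends. The request text, addresses and trusted-proxy set are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample captures: HTTP requests as they would appear on the SPAN
# port after a downstream proxy appended the client address to X-Forwarded-For.
# All addresses are documentation/private ranges, not real hosts.
SINGLE_HOP_REQUEST = (
    "GET /download/report.pdf HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "X-Forwarded-For: 10.20.30.40\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
# Here the client sent its own (untrustworthy) X-Forwarded-For entries before
# the proxy appended the address it really saw, 10.20.30.40.
MULTI_HOP_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.5, not-an-ip, 10.20.30.40\r\n"
    "\r\n"
)

PROXY_IP = "192.0.2.10"            # constructed: the downstream proxy's address
TRUSTED_PROXIES: Set[str] = {PROXY_IP}


@dataclass
class RequestAttribution:
    source_ip: str                 # address seen on the wire (the proxy, in the upstream layout)
    forwarded_for: Optional[str]   # client address recovered from X-Forwarded-For, if trusted
    chain: List[str] = field(default_factory=list)  # every well-formed XFF entry, for troubleshooting


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a lower-cased
    name -> value dict. Repeated headers are joined with ", ", which is how
    RFC 7230 treats list-valued fields such as X-Forwarded-For."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:   # element [0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def attribute_request(raw_request: str, wire_source_ip: str,
                      trusted_proxies: Set[str]) -> RequestAttribution:
    """Attribute a captured request to a client, reporting both the wire
    source (the proxy) and the forwarded-for client, as the text describes."""
    chain: List[str] = []
    for entry in parse_headers(raw_request).get("x-forwarded-for", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            chain.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue   # malformed entry: the header is client-influenceable, so drop it
    forwarded: Optional[str] = None
    if wire_source_ip in trusted_proxies and chain:
        # Only the entry appended by our own proxy (the last one) is trustworthy;
        # anything before it could have been supplied by the client itself.
        forwarded = chain[-1]
    return RequestAttribution(wire_source_ip, forwarded, chain)


def format_report(attr: RequestAttribution) -> str:
    """Render the attribution as a reporting line carrying both addresses."""
    return f"source={attr.source_ip} forwarded_for={attr.forwarded_for or '-'}"


if __name__ == "__main__":
    for raw in (SINGLE_HOP_REQUEST, MULTI_HOP_REQUEST):
        print(format_report(attribute_request(raw, PROXY_IP, TRUSTED_PROXIES)))
    # A request that did not arrive via the proxy keeps only its wire address.
    print(format_report(attribute_request(SINGLE_HOP_REQUEST, "10.0.0.7", TRUSTED_PROXIES)))
```

The trusted-proxy check is the part worth keeping in mind when reading RiskVision reports in the upstream layout: the forwarded-for address is only as reliable as the proxy that wrote it, so the chain is kept for troubleshooting while the reported client address is taken from the entry the proxy appended.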
RiskVision and SSL decryption
If your network includes a product that provides SSL decryption, RiskVision can be configured to monitor and analyze the decrypted traffic.
Deployment details vary based on the product providing the decryption. In general terms, however, RiskVision analyzes a read-only copy of the decrypted traffic via a monitor or SPAN port.