iPrism Frequently Asked Questions (FAQs)
The iPrism Database

WHAT IS iPRISM?
iPrism v3.5 is a full-featured, dedicated Internet filtering appliance designed for high performance and reliability. The only appliance-based solution truly optimized for filtering and interoperability, iPrism enables organizations to effectively monitor, block and report on their users' Web activity.

WHAT ARE SOME OF THE FEATURES OF V3.5?
- Industry's best URL database - Each and every Web site in the 60-category database is reviewed by human eyes, leading to the most accurate database in the industry.
- Database customization - Use the 8 customizable categories to create your own categories, add sites to the database, and exempt sites from the database.
- Flexible enforcement options - Create unique filtering and monitoring policies by time of day, day of week, category, users, and groups.
- Real-time e-mail alerts - Set e-mail alerts for notification when certain URLs are accessed or when bandwidth or time thresholds have been reached.
- Remote management - Securely administer iPrism via any workstation with a browser.
- Comprehensive reporting - Generate management style reporting for summary and detailed analysis of your organization's Web surfing habits.
- Support for NT User Groups - Assign profiles to users based on the NT groups they belong to.
- Support for LDAP - Assign profiles to users based on LDAP (Windows 2000, Active Directory, Novell and Unix systems) attributes.
- Auto-Login feature - Apply filtering policies and view reports on a per-user basis without requiring users to authenticate. Ideal for terminal server environments such as Citrix.

HOW DOES THE AUTO-LOGIN FEATURE WORK (TRANSPARENT MODE)?
It is possible to obtain login credentials without prompting the user in both Proxy and Transparent mode. Instead, these credentials can be collected from the user's workstation environment. You will get the same benefits as provided by explicit authentication but without the extra manual step from the user.
Auto-Login is an extension of the IP-mapped authentication scheme available in transparent mode. The authentication still relies on an IP address-to-user mapping, in which the session length is controlled by a timeout.
The authentication phase is automated; instead of prompting the user for their account information (domain name and user name) and password, the account information is obtained from the workstation login credentials.
The login credentials are obtained using the Client Side NTLM authentication scheme, also known as Integrated Windows Authentication. This is a secure authentication scheme designed by Microsoft. Users' login credentials are not passed in clear text. Instead, an encrypted challenge/response mechanism is used that involves the client's browser, iPrism, and the domain controller. Although this process is transparent to the user, a full authentication phase takes place.
A Windows workstation will only be able to utilize the Auto-Login feature of iPrism if it is logged into a domain in which iPrism is also a trusted member. If the Auto-Login phase is not successful (e.g. NTLM domain unreachable, incompatible browser), iPrism will revert to the manual authentication interface and ask the user to enter their login credentials.
To learn more about Auto-Login in Transparent Mode, visit:
http://www.stbernard.com/products/docs/ip_technotes/Auto-Login.pdf

WHAT ARE THE REQUIREMENTS FOR AUTO-LOGIN (TRANSPARENT MODE)?
- Client Side NTLM is a proprietary authentication scheme that is currently only implemented in Microsoft's Internet Explorer Web browser. In order to use Auto-Login, clients must be using Microsoft's Internet Explorer 4.x and newer.
- Client workstations must be running Windows 98 or newer and must participate in and log on to a Windows NT/2000 Domain.
- NTLM authentication must be enabled, configured and operational on iPrism.
- Specify a redirect method in iPrism. Depending on the redirection setting you choose, you will need to configure your browser/workstation, domain controller, or the DNS server (as appropriate) to support that choice.
  - IP Address. (Default) In order for Internet Explorer to participate in the NTLM authentication with iPrism, it is imperative that Internet Explorer knows that iPrism is within its local intranet. In order to establish this trust relationship, the IP address of iPrism must be in the Local Intranet Zone of Internet Explorer. Adding the IP address of iPrism to the Local Intranet Zone of Internet Explorer can be configured automatically from the domain controller or manually for each client. These procedures are detailed later in this document.
  - DNS. However, v3.4 offers an alternative to modifying browser settings. The alternative is to add an A record to your DNS server for iPrism so that browsers are able to resolve iPrism's non-qualified domain name to iPrism's IP address.

HOW DOES AUTO-LOGIN WORK FOR TERMINAL SERVER ENVIRONMENTS (PROXY MODE)?
Proxy Mode Auto-Login, much like Transparent Mode Auto-Login, offers a way to authenticate users automatically without requiring input from the user. By using the same credentials that the user already entered to log into their workstation, and authenticating against the same domain controller, Auto-Login can uniquely identify users securely and apply the correct Internet usage profile to their browsing.
Although very similar, Proxy Mode Auto-Login differs from Transparent Mode Auto-Login. While Transparent Mode Auto-Login is an extension of the IP-mapped authentication scheme, Proxy Mode Auto-Login is a session-based authentication scheme. This means that in proxy mode when a user launches Internet Explorer, it establishes a network socket connection to iPrism and sends an initial URL request. iPrism responds to the browser with a 407 header, meaning that proxy authorization is required. Part of this proxy-auth notification includes methods of authentication, and should include NTLM and BASIC authentication options. In compliance with RFC 2617 "HTTP Authentication", browsers are supposed to respond with the strongest form of authentication they support. In this case, NTLM is far more secure than BASIC authentication, and any browser supporting NTLM should select it as the best choice for authentication. By including BASIC as an option, software that cannot or does not support NTLM authentication is still capable of authenticating with the proxy and using the proxy-managed resources. It is important to have BASIC authentication to fall back to, because many applications do not support NTLM authentication and will never be able to authenticate without the availability of BASIC authentication.
Since Proxy Mode Auto-Login on iPrism uses session-based authentication and authentication is based on user profile, Proxy Mode Auto-Login has a major benefit over Transparent Mode Auto-Login. The benefit is that Proxy Mode Auto-Login can support and authenticate distinct users from a single IP address in multi-user environments like Citrix and Windows Terminal Services where multiple individuals are simultaneously logged in and using a single server computer. Proxy Mode Auto-Login also works effectively in networks utilizing NAT (network address translation) where many users may be on a private network that appears to the rest of the world as a single IP address.
Logins on multi-user environments are subject to the same requirements as non-multi-user environments, in that the login must be a domain login and the user's browser must be configured correctly to use the iPrism as proxy. More information can be found at
http://www.stbernard.com/products/docs/ip_technotes/Auto-Login.pdf
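
The scheme selection described above, as an added example (not St. Bernard's or iPrism's code): it parses a constructed 407 response, picks the strongest scheme a client supports, and shows that the BASIC fallback only base64-encodes the password, so that path depends on the network between client and proxy being trusted. The strength table, sample response and credentials are assumptions made for illustration.

```python
import base64

# Relative strength of schemes (assumption; the page only says NTLM > BASIC).
STRENGTH = {"basic": 0, "ntlm": 1}

# Constructed 407 response offering both schemes, as the page describes.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="proxy"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

def offered_schemes(raw_response):
    """Return the schemes named in Proxy-Authenticate headers of a 407."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "407":
        return []
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def choose_scheme(schemes, supported):
    """Pick the strongest offered scheme the client supports, else None."""
    usable = [s for s in schemes if s in supported and s in STRENGTH]
    return max(usable, key=STRENGTH.get) if usable else None

def basic_header(user, password):
    """Proxy-Authorization value a BASIC-only client sends on fallback."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def decode_basic(header_value):
    """What the proxy does on receipt: a plain decode, no key involved."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```

When auditing proxy logs, counting how many clients end up on the BASIC path shows how much of the traffic relies on the weaker scheme.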

WHAT ARE THE REQUIREMENTS FOR AUTO-LOGIN (PROXY MODE)?
- Supported browsers include Microsoft Internet Explorer version 4.x and later.
- Client workstations must be Windows 98 or later and must be participating in, as well as logging into, a Windows domain. iPrism must have a shared trust connection in the same domain.
- NTLM authentication must be enabled, configured, and operational on iPrism.
- Users wishing to use proxy authentication must have their browser configured with iPrism as their proxy server. NTLM authentication cannot be proxied, so browsers must be able to communicate directly with the iPrism with which they intend to authenticate.
To learn more about Auto-Login in Transparent Mode, visit:
http://www.stbernard.com/products/docs/ip_technotes/Auto-Login-Proxy.pdf

WHY IS iPRISM BETTER THAN SOFTWARE-ONLY SOLUTIONS?
1) There is no additional hardware or software to purchase, install, or manage. iPrism does not require additions to workstations, servers, firewalls or other network components.
2) iPrism provides automatic operating system and application software updates. Software solutions force their customers to download and install any patches, upgrades, etc.
3) Since iPrism includes both hardware and software, there is only one vendor to contact for support. Software solutions may require multiple vendor contacts depending on the issue.
4) iPrism is platform-independent and works in virtually any environment. This allows iPrism to easily adapt to changing network equipment. Software solutions may not work on certain platforms or network equipment and do not easily adapt to change.
5) iPrism offers a much lower total cost of ownership.

DO YOU BLOCK WEB SITES BY IP ADDRESS?
No. iPrism filters by full URL
names and includes the ability to block top level directories
while allowing subdirectories for maximum flexibility
and precision control. URL-based filtering is required
to properly handle virtual Web site hosting. Since many
ISPs host multiple Web sites on the same server, products
that block based only upon IP address will incorrectly
block every site on the hosted Web server, even though
some sites do not contain inappropriate content.
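
The difference between the two approaches, as an added example (not iPrism's implementation): three constructed virtual hosts share one address, an IP-only rule blocks all of them, and a URL rule set with longest-prefix matching blocks a top-level directory while allowing one subdirectory. Host names, addresses and rules are made up for illustration, and the matcher handles only plain paths (no percent-decoding).

```python
import posixpath
from urllib.parse import urlsplit

# Constructed data: three virtual hosts on one shared server address.
HOSTING = {
    "games.example": "192.0.2.10",
    "school.example": "192.0.2.10",
    "news.example": "192.0.2.10",
}

# URL rules: (host, path prefix) -> action. The longest matching prefix wins,
# so a subdirectory can be allowed under a blocked top-level directory.
URL_RULES = {
    ("games.example", "/"): "block",
    ("news.example", "/forums/"): "block",
    ("news.example", "/forums/help/"): "allow",
}

# What an IP-only filter has to list in order to block games.example.
IP_RULES = {"192.0.2.10"}

def url_decision(url, rules=URL_RULES):
    """Decide on host plus normalized path; unmatched URLs are allowed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    raw = parts.path or "/"
    # Collapse "." and ".." first so "/forums/help/../x" cannot borrow
    # the allow rule that belongs to "/forums/help/".
    path = posixpath.normpath(raw)
    if raw.endswith("/") and path != "/":
        path += "/"
    best = None
    for (rule_host, prefix), action in rules.items():
        if host == rule_host and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, action)
    return best[1] if best else "allow"

def ip_decision(url, hosting=HOSTING, blocked=IP_RULES):
    """Decide on the server address only, as an IP-based product would."""
    host = (urlsplit(url).hostname or "").lower()
    return "block" if hosting.get(host) in blocked else "allow"
```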

WHAT HAPPENS IF SOMEONE ENTERS AN IP ADDRESS TO ACCESS A SITE?
iPrism will automatically detect IP address entry and properly handle it as if the site had been entered by URL name.

CAN USERS CIRCUMVENT iPRISM FILTERING?
No. In the recommended configuration,
iPrism controls all network traffic to and from the Internet.
Any attempts to bypass the filter are blocked and logged
as an access violation.

ARE USER OVERRIDE PRIVILEGES SUPPORTED?
Yes. When a user tries to access
a blocked Web site, a message indicating that access was
denied is displayed instead of the requested page. This
page allows users with override privileges to enter a
password for immediate access to the requested Web site.

HOW DO I RECEIVE SOFTWARE UPDATES?
You may choose to have software updates automatically downloaded and applied to your iPrism, or apply software updates manually when you choose. Automatic software updates are performed without any user intervention.

DOES iPRISM OFFER REPORTING?
Yes. In addition to proactive
filtering and blocking of inappropriate Internet access,
iPrism provides full monitoring and logging of all successful
and unsuccessful Internet accesses, giving your organization
a complete profile of user activity. Comprehensive
reporting is built into the iPrism appliance and is included
at no extra charge.

WHAT IF I ONLY WANT TO MONITOR INTERNET ACCESS?
You can determine on a category-by-category
basis whether you want to monitor access, block access,
do both or do neither. When monitoring, reports are available
allowing you to show detailed site-by-site access or summary
reports showing what content categories are accessed by
which users.

DOES iPRISM FILTER OTHER INTERNET SERVICES?
Yes. iPrism can control access to a wide variety of other productivity- and bandwidth-draining services, such as streaming audio, streaming video, FTP, IRC and ICQ chat.

HOW DOES iPRISM CONNECT TO MY NETWORK?
iPrism has dual 10/100Mbps network interface cards and is typically connected between your router and LAN. Other connection options exist to meet special needs.

HOW SECURE IS iPRISM?
iPrism is the most secure filtering solution available. All database and software updates are sent via a secure connection. It utilizes SSL to provide secure authentication of users. Usernames and passwords are encrypted. In addition, the operating system has been optimized for web filtering and "hardened" against attacks.

IS iPRISM SCALABLE?
Yes. The central management capability allows easy management of multiple iPrism units. It also supports F5 Big IP and Cisco load balancers for redundancy and load balancing.

WHAT DOES AN IPRISM FILTERING SUBSCRIPTION INCLUDE?
Subscriptions include the following:
- Automatic, daily database updates
- Automatic operating system and software upgrades
- Hardware and software support

WHAT IS iGUARD?
iGuard is the St. Bernard Software brand name designation for the process by which a filter list of URLs is classified into various categories.

WHY IS iGUARD BETTER THAN OTHER RATING SYSTEMS?
A lot of comparisons are made in the filtering arena - the following explains why the iGuard system is better:
- 100% human review - better than machine or keyword rating
- Rating by parent URL vs. IP address
- Variety of acquisition methods
- Quickly review new sites
- Clearly defined categories
- Strong review process
- Daily update to iPrism
- 24-hour client submission process

WHY DOES iGUARD UTILIZE "100% HUMAN REVIEW"?
The Internet Analysts will visit each site and assign it one or more category ratings based on the site's content. This 100% "real person analysis" approach is superior to scanning and rating via software or artificial intelligence technology that uses techniques such as keywords, word pairs or custom dictionaries. These systems are susceptible to a high rate of false positives/negatives. These errors are virtually eliminated with iPrism because our iGuard filter list is a result of careful review by our team of professional analysts.
Rating accuracy is paramount to the success
of the iPrism product line. Rating accuracy is closely
monitored. To ensure the high quality of rating work performed,
daily quality checks are performed.

HOW MANY CATEGORIES AND URLS DO YOU HAVE IN YOUR DATABASE? HOW OFTEN IS THE DATABASE UPDATED?
We have 60 content categories covering hundreds
of millions of Web pages. The database is updated on a daily basis via
automatic incremental updates.

CAN I CHANGE THE WAY A SITE IS CATEGORIZED?
Yes. You may change the categorization for
any Web site by adding a new rating for the site. Your
site rating will always override the ratings in the master
Web site database.

WHAT DOES THE iGUARD TEAM DO TO ENSURE THAT THE DATABASE IS UP-TO-DATE?
In addition to the items already discussed, the iGuard team performs many other regular checks to ensure the database that is sent to our iPrism clients is up-to-date. Some of them include:
- Reachability Testing - We regularly check the current database to ensure that the URLs are still reachable. In some cases, URLs are hosted and then after a while removed. This process makes sure that the database stays current and only active websites are exported.
- Placeholder Sites - It is very common for a URL to be registered and held in check to either be sold or not used for a variety of reasons. These sites are rated as "place holders" and are routinely rechecked. If and when the URL actually results in an actual website, it is rated and added to the filter list.
- Quality Assurance - Rating accuracy is paramount to the success of the iPrism product line. Rating accuracy is closely monitored. To ensure the high quality of rating work performed, daily quality checks are performed.

WHAT CATEGORIES ARE IN THE DATABASE?
Detailed category definitions can be found on St. Bernard's website at: http://www.stbernard.com/products/iprism/products_iprism-cats.asp
