Many security vendors are struggling to cope with the rapid evolution of business internet usage, but Websense's Triton Security Gateway Anywhere (TSGA) intends to bring order to chaos. It claims to be the first unified content security solution for web, mail and data security that doesn't rely on third-party analysis.
On review is the V10000 appliance, which can handle up to 2,500 users and runs all TSGA components on a single platform. Beyond this user count the various components are distributed across multiple appliances to avoid impacting performance. For web content security, most UTM solutions rely on a local URL database or cloud-based services. With Websense's hybrid service you get the best of both worlds, as filtering is carried out in the cloud and locally on the appliance.
Social networking is now an important business tool but most UTM solutions can only block or allow access. Not so with TSGA, as Websense's own web page analysis can allow access to these sites but block users from undesirable content. The data security module works with both the web and mail components to stop data loss via channels such as HTTP, HTTPS, FTP and mail. Compliance with data protection regulations is covered completely, as Websense includes over 4,000 predefined policies for PCI DSS, HIPAA, SOX and more.
For lab testing, we deployed the TSGA appliance in a network containing two Dell PowerEdge servers, with one acting as a Windows Server 2008 R2 domain controller and the other hosting internal email services. We used Windows 7 client PCs configured to use TSGA as their proxy. For email data leakage testing we added a third system providing an external mail domain.
Administration is very simple thanks to the intuitive web interface. Websense has avoided any complexity by grouping the main modules under three tabs for web, data and email security. Selecting any tab brings up a customisable dashboard showing the current day's detected threats, security risks and policy activity for that specific module. You can quickly pull up historical displays, view alerts or audit logs and, for the web security module, see all activity occurring.
Reporting is accessed from the same panel where you can choose from a catalogue of predefined web usage reports. Web security policies can be created swiftly and applied to AD users and groups, IP address ranges and individual machines. Each policy contains web category filters, and Websense provides one of the most comprehensive lists we've yet seen. Protocol filters are just as extensive and cover most IM and P2P apps, file transfer tools, IM file attachment controls and web mail. Individual categories may be blocked or allowed and can have URL keyword searches, file type blocks and browsing time quotas applied. A bandwidth optimiser can be applied to category and protocol filters, so even if they are enabled they will be blocked if bandwidth usage goes above a set percentage.
The default mail policy monitors all inbound and outbound messages for viruses and spam. For the latter, Websense scans the message body, classifies any URLs it finds, runs heuristics, uses its LexiRule scanner to check for specific word patterns, and calculates message fingerprints and compares them to its spam database.
Configuring data security is swift, as this tab offers quick setup options for data loss prevention (DLP) policies for mail and web. For mail you can enforce size limits, control attachments, search for patterns and phrases and apply predefined dictionaries of unacceptable terms.
Pattern and phrase matching isn't restricted to the message itself as you can also search within attachments. Regulatory compliance is handled well, as you select which regulations you want to apply and choose the country of operation. TSGA determines which regulations are most applicable for your locale and applies them for you.
You can also create fingerprints of sensitive files and, even if only a partial match is found, you can block files from being sent. Websense's PreciseID identifies content based on a huge dictionary of patterns such as credit card numbers, and it can even apply image analysis to mail.
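One common way to get the partial-match behaviour described above is word shingling. The following is an added example, not Websense's PreciseID implementation or code from this review; the shingle size, threshold, function names and sample texts are assumptions constructed for illustration.

```python
import hashlib
import re

K = 5  # words per shingle (assumed value, not a product setting)


def shingles(text, k=K):
    """Return the set of hashed k-word shingles for a text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(len(words) - k + 1, 0))
    }


def containment(fingerprint, outbound_text):
    """Fraction of the protected document's shingles found in outbound text."""
    if not fingerprint:
        return 0.0
    return len(fingerprint & shingles(outbound_text)) / len(fingerprint)


def verdict(fingerprint, outbound_text, threshold=0.3):
    """Block when enough of the protected document appears (assumed threshold)."""
    score = containment(fingerprint, outbound_text)
    return "block" if score >= threshold else "allow"


# Constructed sample data: a protected memo and two outbound messages.
PROTECTED = (
    "Project Falcon pricing memo. The wholesale unit price for the northern "
    "region will drop to forty two pounds from the first of March. Do not "
    "share this figure outside the finance team before the public announcement."
)
LEAK = (
    "Hi Sam, as discussed: the wholesale unit price for the northern region "
    "will drop to forty two pounds from the first of March. Speak soon."
)
CLEAN = "Hi Sam, the canteen menu for March is attached. Speak soon."

# Only hashes are stored, so the policy engine never holds the plaintext.
FINGERPRINT = shingles(PROTECTED)

if __name__ == "__main__":
    for name, msg in (("leak", LEAK), ("clean", CLEAN)):
        print(name, round(containment(FINGERPRINT, msg), 3), verdict(FINGERPRINT, msg))
```

The pasted sentence covers under half of the memo yet still triggers a block, while a message that merely shares a few words with it is allowed.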
DLP web policies can include compliance checks and pattern matching. File uploads are controlled by type, name, size and the destination website, and you can stop users posting content over a certain size.
We tested the mail DLP policies by sending messages across our two domains. Some attachments were Word documents with banned patterns and phrases, and these were successfully blocked. We also tested its analysis capabilities with a range of images and found TSGA proficient at quarantining those that were unacceptable.
DLP activity can be monitored closely using a large catalogue of predefined reports and views. Our blocked mail appeared in the incident reports, and selecting an incident brought up a forensics window where we could see the entire content of the message, attachment, recipient and sender.
We were impressed with the level of features on offer, as TSGA appears to have every security angle covered. Websense scores highly for value, and management is neatly centralised.