embc-NetSweeper-SD-v1.0
embc - embc Netsweeper Service Description
04 Nov 2011
embc Netsweeper
Service Description
Registered Reference: embc-SDO16-NS-Service-Description
Version: 1.0
Status: Final
Version Date: 04 Nov 2011
Author: Rowan Wilson
Enquiries to:
Supersedes: 0.1
Copyright Statement
The copyright in this work is vested in Synetrix (Holdings) Ltd. (Synetrix) and this document is issued in confidence for the purpose only for which it is supplied. It must
not be reproduced in whole or in part except under an agreement or with the consent in writing of Synetrix, and then only on the condition that this notice is included in any
such reproduction.
No information as to the contents or subject matter of this document or any part thereof arising directly or indirectly therefrom shall be given orally or in writing or
communicated in any manner whatsoever to any third party being an individual firm or company or any employee thereof, without the prior written consent of Synetrix.
embc-SDO16-Service Description-001 Page 1 of 11 Version 1.0
Contact and Corporate Details
Office Details
Innovation Centre, Keele Science Park, Keele, Staffordshire ST5 5NB
T: 01782 338200
F: 01782 629600
E: info@synetrix.co.uk
Legal Information
Bankers: Barclays bank plc – Mid Thames Group, Reading, PO Box 27, RG1 2HD
Solicitors: Herbert Smith, Exchange House, Primrose Street, London, EC2A 2HS
Auditors: KPMG Audit plc, 15 Canada Square, London, E14 5GL
Registered office: 17 Rochester Row, London, SW1P 1QT
Reg No: 03466197
VAT No: 618 1841 40
Contacts
Name | Role | Telephone | Mobile | E-mail
Mike Wrout | Account Director | 01782 338200 | 07825 007360 | mike.wrout@synetrix.co.uk
Paul Mavis | Managed Service Architect | 01782 338200 | 07887450114 | paul.mavis@capita.co.uk
Alan Thackeray | Programme Manager | 01782 338200 | 07825 843782 | alan.thackeray@capita.co.uk
Simon Nutt | Business Director | 01782 338237 | 07774 197597 | simon.nutt@synetrix.co.uk
Lee Neely | Business Development Director | 01782 338200 | 07774 480212 | lee.neely@synetrix.co.uk
1 INTERNET CACHING AND FILTERING
1.1 FUNCTIONALITY
1.2 INTERNET CACHING
1.3 POLICY DEFINITION AND MANAGEMENT
1.4 UNCATEGORISED URLS
1.5 IWF BLACKLIST
1.6 NETSWEEPER CATEGORIES
1.7 LOGGING AND REPORTING
1.8 RECATEGORISATION REQUESTS
1.9 RECATEGORISATION BY SYNETRIX
1.10 ENFORCED SAFE SEARCH
1.11 GLOBAL ALLOW AND DENY LISTS
1.12 CUSTOM CATEGORIES
2 DESIGN SUMMARY
2.1 NETSWEEPER FILTERING PROCESS
2.2 NETSWEEPER INFRASTRUCTURE
2.3 DATA BACKUP AND RETENTION
2.3.1 Squid cache servers
2.3.2 Virtualised servers
2.3.3 Configuration files
2.3.4 Policy database
2.3.5 Logs
2.4 PREREQUISITE SERVICES
2.5 RELATED SERVICES
2.5.1 Customised URL filtering
2.5.2 Portal login integration
100 DOCUMENT CONTROL
100.1 AUTHORISATIONS
100.2 DISTRIBUTION LIST
100.3 HISTORY
1 INTERNET CACHING AND FILTERING
1.1 Functionality
The standard Internet filtering and caching system will provide URL filtering based on the NetSweeper
filtering product version 2.6.29.5. The base service will deliver a single policy per site, selected from one of
4 standard policies, the details of which are to be agreed with embc and are subject to change at any time.
1.2 Internet caching
The NetSweeper URL filtering system includes web caching functionality, using the Squid proxy cache
system. Where Internet caching is required without Internet Filtering, then Squid can be used without the
NetSweeper filters applied for unfiltered Internet Access.
Alternatively, NetSweeper IWF filtering only can be applied to restrict access to known illegal websites
without applying any other filtering.
1.3 Policy definition and management
Synetrix will maintain the 4-level standard policy groups currently operated by embc but will, as a
collaborative process, review and modify these in line with the latest NetSweeper category lists and our
experience of obtaining Becta accreditation.
Synetrix will also provide a method within the Customer Services Portal for designated Internet Filtering
administrators to be able to select the type of Internet filtering that is applied to the site from the following
options:
Default site policy selection
The administrator must select one of the following options as the default filtering
configuration for the site.
Policy option | Details
Level 1 | The embc standard Basic Minimum Adult policy will be applied to all users on the site without users needing to login. This policy will not be configurable by the administrator.
Level 2 | The embc standard Senior Pupils policy will be applied to the whole site without users needing to login. This policy will not be configurable by the administrator.
Level 3 | The embc standard Younger Pupils policy will be applied to the whole site without users needing to login. This policy will not be configurable by the administrator.
Level 4 | The embc standard Younger Pupils No Search, Politics & Religion policy will be applied to the whole site without users needing to login. This policy will not be configurable by the administrator.
When the administrator selects one of the options above, the NetSweeper configuration will be automatically
updated, based on the stored information about the site’s IP address range and the agreed policy
configurations.
For sites using the base “policy per site” filtering, access to the NetSweeper web administration system is
provided for the purposes of reporting only.
1.4 Uncategorised URLs
Where a requested URL is not already categorised by the global NetSweeper system, the URL is passed
immediately to the NetSweeper Artificial Intelligence (A.I) servers at NetSweeper in Canada. These servers
immediately scan the requested URL and categorise it accordingly. In general the categorisation process for
a new URL takes less than 30 seconds.
While waiting for a URL to be categorised, the NetSweeper policy servers will act in one of two ways,
depending on the policy being applied.
The system is set to block uncategorised URLs: The user is redirected to a page that informs them that
the requested URL is in the process of being categorised and that they should try again later. The page
automatically refreshes every 10 seconds.
The system is set to allow uncategorised URLs: The requested URL is allowed through pending
categorisation.
1.5 IWF Blacklist
NetSweeper is a member of the IWF and the IWF blacklist is integrated into the NetSweeper product and is
applied to all access through the filtering system, regardless of any policy settings made by Synetrix, embc-pl
or the school filtering administrators.
1.6 NetSweeper categories
The Categories currently available within NetSweeper are as follows.
Adult Image | Job Search | Religion
Adware | Journals and Blogs | Remote access tools
Alcohol | Malformed URL | Safe Search
Alternative Lifestyles | Match Making | Sales
Arts and Culture | Matrimonial | Search Engines
Criminal Skills | Network Timeout | Search Keywords
Directory | Network Unavailable | Self Help
Educational games | New URL | Sex Education
Entertainment | No Text | Social networking
Extreme | Occult | Sports
Gambling | Pay to Surf | Substance Abuse
Games | Peer to Peer | Technology
General | Phishing | Travel
General News | Phone cards | Under Construction
Hate Speech | Political | Viruses
Host is an IP | Pornography | Weapons
Humour | Portals | Web Chat
Images | Profanity | Web E-mail
Intranet Servers | Proxy Anonymiser |
Investing | Redirector page |
The categories to be blocked in each of the 4 standard embc policies will be agreed between embc-pl and
Synetrix following system testing and prior to the service going live. This list will be reviewed on a
quarterly basis and changed if necessary based on changes to NetSweeper policies and/or experience and
recommendations from the users.
1.7 Logging and reporting
All web access through the NetSweeper system will be logged.
Where users have not been authenticated to the embc SSO, the logged information will include the IP
address of the user, the URL accessed, the category and whether it was allowed or denied.
Once a user is authenticated to embc services, the logs will also include the username for each access
attempt.
NetSweeper provides an advanced reporting tool, which can use these logs to provide comprehensive and
flexible reports on web usage, including raw access logs, denied pages, allowed pages, summaries by
category, details by policy, site or IP address.
Reports may be viewed online, emailed to a specified email address, or data may be downloaded as CSV,
text, PDF or HTML. These reports may be run on demand, or scheduled to run on a regular basis.
Administrators logged into the NetSweeper web administration system are able to create and view these
reports for any of the policy groups and IP ranges over which they have permissions. For example, reporting
on access at a particular school would be accessible by the school filtering administrator, the LA
administrator and at the embc-pl level.
1.8 Recategorisation requests
As with all Internet filtering systems, there are instances where the NetSweeper system does not correctly
categorise a URL. In this event there are several approaches to rectifying the error.
Recategorisation by NetSweeper
o When a web page is blocked, a link is placed on the Deny page which users may click if they believe
the page to be incorrectly categorised. Such requests are sent directly to NetSweeper, with a
commitment for recategorisation (if appropriate) within 24 hours.
o Requests to recategorise URLs that are being allowed through in error can be made via the web
based administration interface. This is also sent directly to NetSweeper.
1.9 Recategorisation by Synetrix
o The Synetrix Customer Service Centre (CSC) also has the ability to recategorise URLs on demand,
and contacting Synetrix by telephone is the recommended route to achieve prompt recategorisation.
Synetrix will also provide a page on the portal that may be used by any logged on user to highlight
miscategorised URLs.
1.10 Enforced safe search
NetSweeper offers a feature to enforce the “safe search” option available in many search engines, which
significantly reduces users’ ability to find links to pornographic web sites through searches.
Search engines supported include:
Google
Yahoo
MetaCrawler
Excite
Lycos
NetSweeper are constantly updating the product and the list of supported search engines will be further
developed.
1.11 Global allow and deny lists
The NetSweeper system will provide a global allow and global deny list, which may be used to block or
allow specific websites, URLs or keywords for the whole embc community.
1.12 Custom categories
Synetrix will configure custom categories in the NetSweeper system. These categories will initially be empty,
and will be populated manually by Synetrix with specific sites or URLs as requested. These custom
categories can then be denied in sites’ policies to provide more flexibility and control of filtering policies
without resorting to listing URLs in the global deny list or adding them to multiple local deny lists.
Up to 10 custom categories can be defined, in agreement with embc-pl.
2 DESIGN SUMMARY
2.1 NetSweeper filtering process
The diagram and steps below summarise the operation of the NetSweeper system.
[Diagram: NetSweeper filtering process. Content requests from browsers (via browser proxy settings or network redirect) reach the Netsweeper Proxy Server Array through a load balanced Virtual IP; the proxy servers send requests to the Netsweeper Policy Server Array through the policy server load balanced Virtual IP, where the requested URL is checked against policy and a category check is made against the local category database; access is logged to the logging server; approved URLs are requested from the Internet and the data returned; the Netsweeper A.I. servers for real-time scanning and the Netsweeper CNS category databases at NetSweeper Canada retrieve pages for scanning and supply live category updates. Key: URL request path; control data.]
1. The user’s browser requests a URL from a NetSweeper proxy server. The proxy servers are accessed via
a Virtual IP Address (VIP) on a load balancing switch, providing load balancing, redundancy and
platform scalability.
2. The NetSweeper Proxy servers send the user details and requested URL to a NetSweeper policy server.
The policy servers are accessed via a VIP on a load balancing switch, providing load balancing,
redundancy and platform scalability.
3. The policy server checks the category of the URL in the local database. If the URL is not listed the
request is sent to the local CNS servers (hosted within the Synetrix network). If the local CNS servers
do not have the URL listed then the request is sent over the Internet to the master CNS servers at
NetSweeper.
4. The returned category of the URL is compared to the filtering policy for the user. If the URL is allowed
then the proxy servers receive an OK. Otherwise they receive a command to redirect the user to the
Deny page. In either instance, the request is logged.
5. Allowed requests for content not present in the NetSweeper proxy cache are requested from the Internet.
The NetSweeper proxy then serves the safe and approved content to the user.
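The decision flow described above can be modelled as follows. This is an added example, not code from Synetrix or NetSweeper: it combines the three-tier category lookup of this section with the uncategorised-URL handling of section 1.4, the IWF override of section 1.5 and the log fields of section 1.7. The class and function names, the "IWF" label, the sample URLs and both policies are assumptions made for the illustration.

```python
# Added illustration (not Synetrix or NetSweeper code): a model of the section 2.1 decision flow.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NEW_URL = "New URL"  # category name from the page's list, used here for "not yet categorised"
IWF = "IWF"          # assumed label for a URL on the IWF blacklist


@dataclass(frozen=True)
class Policy:
    name: str
    denied_categories: frozenset
    block_uncategorised: bool  # section 1.4: block or allow while categorisation is pending


@dataclass(frozen=True)
class LogRecord:  # fields listed in section 1.7
    ip: str
    username: Optional[str]  # None until the user has authenticated
    url: str
    category: str
    action: str  # "allowed" or "denied"


class Filter:
    def __init__(self, local_db, local_cns, master_cns, iwf_blacklist):
        # Lookup order from section 2.1: local database, local CNS, master CNS.
        self.tiers = [("local database", local_db), ("local CNS", local_cns),
                      ("master CNS", master_cns)]
        self.iwf_blacklist = iwf_blacklist
        self.log = []

    def lookup(self, url):
        """Return (category, tier that answered); (NEW_URL, None) if no tier lists the URL."""
        for tier_name, table in self.tiers:
            if url in table:
                return table[url], tier_name
        return NEW_URL, None

    def decide(self, url, ip, policy, username=None):
        if url in self.iwf_blacklist:
            category, action = IWF, "denied"  # applied regardless of policy settings
        else:
            category, _ = self.lookup(url)
            if category == NEW_URL:
                action = "denied" if policy.block_uncategorised else "allowed"
            else:
                action = "denied" if category in policy.denied_categories else "allowed"
        self.log.append(LogRecord(ip, username, url, category, action))  # every request is logged
        return action

    def denied_by_category(self):
        """Summary by category of denied requests, as a report might present it."""
        return Counter(r.category for r in self.log if r.action == "denied")


def build_demo():
    """Constructed sample data: URLs, category assignments and both policies are invented."""
    flt = Filter(
        local_db={"http://games.example.test/": "Games"},
        local_cns={"http://chat.example.test/": "Web Chat"},
        master_cns={"http://bets.example.test/": "Gambling"},
        iwf_blacklist={"http://listed.example.test/"},
    )
    strict = Policy("constructed-strict", frozenset({"Gambling", "Web Chat"}), True)
    lenient = Policy("constructed-lenient", frozenset({"Gambling"}), False)
    return flt, strict, lenient


if __name__ == "__main__":
    flt, strict, lenient = build_demo()
    for url in ("http://bets.example.test/", "http://new.example.test/", "http://listed.example.test/"):
        print(url, flt.decide(url, "10.0.0.5", lenient), flt.decide(url, "10.0.0.5", strict))
    print(dict(flt.denied_by_category()))
```

Under the constructed lenient policy the uncategorised URL is served before any category is known, so the choice between the two behaviours in section 1.4 determines whether the filter fails open or closed during the categorisation window.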
2.2 NetSweeper Infrastructure
The NetSweeper system will be delivered using the following infrastructure:
16 Squid servers to deliver the proxy services. These will be rack-mounted Dell servers, with 5 x
15,000RPM disks in each server to provide the low latency IO requirements needed to deliver a high
performing filtering system. These caching servers will use the new NetSweeper Squid 2.7 build
based on the 2.6 Linux kernel.
DNS servers, one located in each data center. Each site will resolve requests locally, while utilising
the alternate site for secondary DNS resolution should the first site become problematic.
8 Policy servers will be used to support the requests generated by the Squid servers. This is based on
NetSweeper best practice and Synetrix experience that a ratio of 1 policy server to every 2 enhanced
Squid servers is needed to maintain optimum performance.
The policy servers will be delivered as Virtual Machines within the CSF, with the OS and
configuration stored on the SAN. This provides the advantages of the high availability and resilience
features provided by that platform, as described in the CSF Service Definition. They will run a
Netsweeper version greater than 2.6.29.
Logging and Reporting servers will be used to receive and store logs of all the traffic filtered by
the policy servers. These servers will also provide the reporting functionality. These servers will be
provided as physical machines within the CSF, with the logs and reports stored on the SAN.
Web Administration servers will be provided to allow access to policy controls.
The web administration will be delivered as Virtual Machines within the CSF, with the OS and
configuration stored on the SAN. This provides the advantages of the high availability and resilience
features provided by that platform, as described in the CSF Service Definition.
The Cisco ACE blades will provide load balancing and fail-over within the CSF. This will provide
Virtual IP addresses for
o the Squid servers, to be accessed by the users
o the policy servers, to be accessed by the Squid servers
o the web administration servers, to be accessed by filtering policy administrators
2.3 In scope changes
The filtering policies for the four standard groups can be changed by agreement with embc-pl.
URLs may be added to the global allow and deny lists on request from embc-pl.
URLs may be requested for recategorisation into one of the standard NetSweeper categories by any users,
subject to review and acceptance by Synetrix staff.
URLs will be categorised into one of the custom categories on request by embc-pl.
The filtering administrator for a site may be changed.
2.4 Data backup and retention
2.4.1 Squid cache servers
The squid servers will all be based on a standard build image, a copy of which will be stored on the SAN in
both data centres.
2.4.2 Virtualised servers
The Virtual Server image for each NetSweeper server is replicated between the two data centres and copies
are retained according to the Standard Server Image Retention policy described in the CSF Service
Definition.
2.4.3 Configuration files
NetSweeper and Squid configuration files will be backed up according to the Standard Data Backup policy
described in the CSF Service Definition.
2.4.4 Policy database
The policy database will be replicated between the policy servers to protect against single server failure.
Protection against corruption of the policy database will be achieved by taking backups of the database
according to the Standard Data Backup policy described in the CSF Service Definition.
2.4.5 Logs
All logs generated at the primary site will be replicated to the secondary site. Multiple historical copies of
the logs will not be kept as the logs are, by definition, already historical data.
2.5 Prerequisite services
This service is only available to sites connected directly to the embc network via the WAN, DSL, mobile
service or VPN access and using the embc Internet connection.
2.6 Related services
The following optional services are available for sites as an addition to the standard single policy per site
filtering service. Please refer to each Service Definition for further details. The Customised URL filtering is
particularly applicable as an extension to this service.
2.6.1 Customised URL filtering
Providing delegated customisable filtering for sites and users with Portal Controlled Filtering.
2.6.2 Portal login integration
Providing user specific selection of filtering policies by integrating a portal login with NetSweeper filtering.
100 DOCUMENT CONTROL
100.1 Authorisations
Name | Role | At | Signature | Date
Roy Pollen | Project Manager | Capita IT Services | | 21Jul11
John Shaw-Miller | Technical Design Authority | Synetrix | | 21Jul11
100.2 Distribution List
Name | Organisation | Role | Review Role
David Cheetham | embc | Operations Director | Reviewer
Dan Broad | embc | Technical Change Manager | Reviewer
Simon Nutt | Synetrix | Business Director | Reviewer
Alan Thackeray | Capita IT Services | Programme Manager | Reviewer
Mike Wrout | Synetrix | Account Director | Information
Paul Mavis | Capita IT Services | Managed Service Architect | Information
Lee Neely | Synetrix | Business Development Director | Information
Darren Francis | Synetrix | Service Director | Information
100.3 History
Version | Status | Description Of Changes | Author | Issue Date
0.1 | Draft | Initial draft for internal review | Rowan Wilson | 13.07.11
1.0 | Final | Final version | Rowan Wilson | 21.07.11