SurfinCheck Overview
--------------------

SurfinCheck(tm) is a plug and play security solution for the Local Network, supporting Java content inspection, ActiveX blocking and HTML stripping of JavaScript, VBScripts and Plug-ins.

The new computing paradigm of Internet downloadables has introduced a new level of security risk that simply is not answered by a traditional TCP/IP Firewall. Since Java Applets, ActiveX controls, Scripts and Plug-ins are automatically and routinely pushed into the systems of Web users, a new Java security solution is needed to implement an appropriate security policy and determine which entities should be allowed through the gateway and which should be blocked.

SurfinCheck protects your Local Network from unauthorized applications originating outside of your corporate environment. It checks downloadables coming through your gateway, scans the Java applet's bytecode and compares it to the end-user security policy to determine if the applet should be allowed to load.

General description of SurfinCheck
----------------------------------

SurfinCheck provides its protection at the gateway. It serves as a proxy for the end-user browsers, loading the Java Applets for them and examining their content before delivering them to the end-user machine. Depending on the Applet content and on the security policy defined for the end-user, SurfinCheck may block the applet gracefully.

The SurfinCheck product comprises two main components:

1) SurfinCheck Server - This component provides the protection (as per the Corporate Security Policy). It should be installed on a Gateway machine, since it will serve as a Proxy for the client browsers (after the installation, all client browsers should be configured to use SurfinCheck Server as an HTTP Proxy).

   As is the case with most proxy servers, SurfinCheck Server should typically be placed at the gateway, between the firewall (or directly before the router if there is no firewall) and the end-users.
   In cases where there are other proxy servers in the system, it is preferred to place SurfinCheck Server closest to the client workstations (rather than between the firewall and any other proxy server). For a setup where there are other proxy servers between SurfinCheck Server and the client end users, all other proxies must support IP forwarding (i.e. SurfinCheck Server must get the true IP address of the end-user machine as part of the HTTP request).

2) SurfinConsole - This is your Security Management Console. It is preferable to install SurfinConsole on a separate machine (so as not to reduce performance due to SurfinCheck Server load). SurfinConsole is the User Interface component through which the Corporate Security Policy is set, Users and Groups of Users are defined, reports are generated and more.

SurfinCheck also uses a shared database file as the repository of the User definitions, the Security Policies defined for the Users, and all Security Events detected by the system.

System Requirements
-------------------

SurfinCheck Server requirements:

* Pentium
* 32Mb RAM (64Mb recommended)
* Windows NT 4.x
* 15Mb disk
* Windows network - client for Microsoft Networks
* Windows network - file sharing for Microsoft Networks

SurfinConsole requirements:

* Pentium
* 16Mb RAM (32Mb RAM recommended)
* SVGA graphics card and above (resolution of 600x800 or more)
* Windows 95 or NT 4.x
* 10Mb disk

Installation notes
------------------

Install SurfinCheck Server on the gateway machine:

* Run setup.exe to install the SurfinCheck Server component.
* Please be sure to specify correctly whether this is an installation of a Primary SurfinCheck Server, which contains the Security Policy repository.

Install SurfinConsole on the Security Administrator machine:

* Run setup.exe to install the SurfinConsole component.
* Please be sure to specify the Host name of the SurfinCheck Server.
Note: A SurfinCheck Server and SurfinConsole setup can work properly with other gateway devices such as a third-party vendor proxy server. For such a setup, select the 'Devices' button in SurfinConsole, click the SurfinCheck device icon on the devices list and set the Proxy settings.

Set up your LAN security policy:

* Using SurfinConsole, define the end-users and the groups of end-users that will use SurfinCheck's protection.
* Using SurfinConsole, define the General Security Policy for the organization, for any group of users you may have defined and for specific users.

Set up the client browsers on the end-users' machines:

* At each of the end-users' machines, configure the browser to use SurfinCheck Server as an HTTP Proxy and clear its cache.

Note: During installation the user is asked to specify a password, which is used by the setup program to create a shared directory on the primary SurfinCheck Server Host containing the central database files of the system.

Known problems:
---------------

1) If the database file or host name is pointing to a wrong location (defined in the SurfinConsole setup window), SurfinConsole will not come up until the problem is corrected. To correct the host name, edit the SurfinCheck.cfg file in your <[SurfinConsole installation directory]/config/> directory to set the SurfinConsole database parameters. (For more information please refer to the SurfinCheck help files.)

2) Groups of Users may not be renamed. Please take care to provide a proper name whenever defining a new Group.

3) The database file grows continuously and should be backed up periodically. (For more information please refer to the SurfinCheck help files.)

SFCRM708