NwTech, Inc.
                                     
   
ES4000 Email Security Appliance
Frequently asked questions (FAQs)

The following list of frequently asked questions about the WS1000
Web Security Appliance is updated with answers from Sophos
support engineers.
General
What is the WS1000 Web Security Appliance?
Why is Sophos launching a web security appliance?
How is the Sophos solution different from other vendors' solutions?
What is bi-dimensional URL classification?
What is risk-sensitive scanning?
How does Sophos achieve such a high degree of protection and control?
How do I evaluate the WS1000?
What organization type is the WS1000 suitable for?

Specifications and network requirements
What are the WS1000 hardware specifications?
What protocols does the WS1000 protect?
What software is installed on the WS1000?
Do I need Linux or other software experience to use the WS1000?
Does the WS1000 support Active Directory?
How is the WS1000 configured?
Can certain users or groups be opted out of content filtering?
How is threat protection kept up to date?
How are the URL filters kept up to date?
How do upgrades work?

Management
How does the administrator manage the WS1000?
Is there command-line access?
What degree of policy control is possible?
How do administrators review policy settings, reports and logs?
What kind of reporting is available from the WS1000?

Support and service
How is the WS1000 supported?
Are the support contracts different from other Sophos products?
How is system health monitored?
What technologies are used to support the WS1000?
What types of alerts are sent to Sophos?
What if I need further assistance?
How does Sophos maintain security during remote assistance sessions?
Can remote monitoring be disabled?
What is the warranty on the WS1000?

General
What is the WS1000 Web Security Appliance?
The Sophos WS1000 Web Security Appliance provides easy-to-manage security against web-based threats with one efficient, high-performance scanning engine in a compact appliance. It filters for both security risks (e.g. spyware, viruses and phishing) and content/productivity concerns (such as adult and gambling sites) and allows the administrator to eliminate the full spectrum of inbound and outbound web-based network threats without compromising end-user expectations for speed and efficiency.

Why is Sophos launching a web security appliance?
We are building on over 20 years' experience providing best-of-breed security solutions that protect against threats to network security. Acknowledging the growth of web-based threats to enterprise network security, such as spyware, we are expanding our product range beyond email, hacking and malware solutions by offering a comprehensive web security solution.

We have been an active part of this market through a range of OEM relationships with companies such as Bluecoat and Secure Computing for many years. There are also many parallels between email and web filtering, and we will leverage the millions of messages that SophosLabs receives daily to identify known bad URLs, phishing attacks and websites that contain malicious code.

How is the Sophos solution different from other vendors' solutions?
The WS1000 is the industry's first web security solution to provide truly integrated security against all web-based threats in an easy-to-manage appliance, setting a new standard for security and performance. It is industry-leading in terms of time to protection and has the fastest scanning engine available. Innovations include bi-dimensional URL classification and risk-sensitive scanning.

What is bi-dimensional URL classification?
Traditional URL filters allow or block access to websites based on a one-dimensional view of their assigned category (e.g. entertainment, media or search). The major limitation of this approach, aside from the challenge of simply keeping up with the proliferation of websites and how to categorize them, is that allowed sites may still pose a risk to network security based on their underlying code and file types.

Sophos's bi-dimensional URL classification also inspects the conduct of the site (i.e. how it behaves regardless of its category), delivering a true assessment of both the security and productivity risk of a website. This approach evaluates a site's history of malicious behavior, such as spyware distribution or the use of dangerous scripts and executables, and avoids the over-blocking that often plagues traditional URL filtering solutions attempting to ensure greater security.

What is risk-sensitive scanning?
Risk-sensitive scanning works in tandem with bi-dimensional URL classification to adapt the scope of the scan based on the web content's assessed risk, enhancing the browsing performance of the WS1000. The result is faster access to safe web pages and more rigorous scanning of less safe pages.

A low-risk site, such as the sports site espn.com, would (if the administrator allows access to sports sites) not have its HTML and images scanned by the WS1000. However, a medium-risk site, such as download.com, would (if access to this category is permitted) have all file types and sub-directories scanned.

IMPORTANT NOTE: While the scope of the scan is variable, its depth remains the same. Files that are scanned are checked for the full spectrum of web-based threats (spyware, viruses, Trojans, worms, etc).

How does Sophos achieve such a high degree of protection and control?
We offer this unique combination of protection and control through the visibility of SophosLabs™ - our global network of threat detection centers. SophosLabs maintain unrivaled visibility into the source and nature of web-based threats by constantly analyzing a database of billions of web pages and uncovering thousands of new malicious URLs every day. Our unrivaled visibility into web-based threats and the sites where they reside equips us to deliver unmatched security and control to our customers.

The WS1000 also scans web traffic for spyware, viruses and other malware, and is able to detect and block "phone home" traffic from bots (zombies) within the network.

How do I evaluate the WS1000?
You can request an evaluation. We will then contact you about your requirements and discuss system pre-configuration and signing our Hardware Loan Agreement.

What organization type is the WS1000 suitable for?
The WS1000 is ideal for organizations with 100-1,500 users per location that want to:
  • block spyware/malware/adware in web traffic
  • stop phishing and identity theft attempts
  • restrict access to malicious or questionable websites
  • enforce company-wide acceptable internet use policies
  • accelerate the delivery of web content through caching


Specifications and network requirements
What are the WS1000 hardware specifications?
  • Rack mount: 1U
  • Dimensions (W x H x D): 16.7in x 1.7in x 14in (424mm x 43mm x 356mm)
  • Processor: Intel Pentium D dual-core, 3.4 GHz processor
  • Memory: 4 GB
  • Hard drive: 2 x 160 GB SATA 7,500 RPM hard drives
  • Power supply: 260 W 100/240 V AC
  • Failover capability: Network bypass card, shared configuration

What protocols does the WS1000 protect?
The WS1000 scans data transferred via HTTP (Hyper Text Transfer Protocol) and data sent on FTP (File Transfer Protocol) via HTTP. The WS1000 also ensures secure transmission via HTTPS by validating certificates. It takes a comprehensive approach to web filtering, scanning for security risks as well as offensive content and productivity concerns (such as adult or gambling sites).

What software is installed on the WS1000?
The WS1000 uses Sophos's industry-leading scanning engine that combines anti-virus, anti-spyware and potentially unwanted application control on a hardened Linux operating system. It also features the industry's most advanced web reputation filtering system, based on the millions of URLs captured by SophosLabs.

Do I need Linux or other software experience to use the WS1000?
No. All administration requirements are addressed via the web-based management console. Access to the command line is not required.

Does the WS1000 support Active Directory?
The WS1000 integrates seamlessly with Active Directory. Synchronization is configured through the management console and occurs automatically.

How is the WS1000 configured?
A setup wizard walks the administrator through the basic steps. Manual configuration is also available using the web-based management console.

Can certain users or groups be opted out of content filtering?
The administrator can opt certain groups and IP addresses out of content filtering.

How is threat protection kept up to date?
Threat definition updates (distributed at no charge) are downloaded automatically every five minutes from SophosLabs. This process is monitored by Sophos, so if it detects that an appliance has not been downloading its updates on schedule, a support technician will proactively contact the administrator to inform them their WS1000 is not up to date and help take corrective action.

How are the URL filters kept up to date?
Sophos compiles a list that assesses sites based both on security risk and content category. This list is a combination of internal data from SophosLabs, third-party web indexing sources and customer feedback. We will respond in a timely fashion to all re-categorization requests.

How do upgrades work?
Software updates and upgrades occur automatically via the Sophos online repository, at no charge. The administrator can schedule non-critical updates to occur at convenient times. Critical patches and updates are installed automatically.

Management
How does the administrator manage the WS1000?
The WS1000 is a managed appliance - most of its functions are automated and its performance is maintained by Sophos, requiring negligible regular administrator involvement. All administrative functions are easily accessible through the web-based management console. This console is built around the principle of "three clicks to anywhere" - simplified navigation that ensures easy access to every function within the appliance. On-demand remote assistance and remote "heartbeat" monitoring also help to decrease the management time required for the WS1000.

Is there command-line access?
No. All administrative functions are available through the web-based management console.

What degree of policy control is possible?
Policy settings include:
  • controlling access to website categories, such as gambling, shopping or pornography
  • blocking specified file types, such as executables and streaming audio
  • preventing deliberate or accidental downloading of potentially unwanted applications or file types, such as peer-to-peer (P2P) and adware
  • blocking access to sites that contain malicious code
The WS1000 combines site access control with advanced risk avoidance, allowing administrators to set policy according to website categories and the degree of code or application risk posed by an individual site. For example, the administrator can allow access to sites that deliver streaming audio or video (category), and through the second dimension (risk), block access to a particular streaming or audio site that is known by SophosLabs to host malicious content. This provides the optimum balance of control and security that competitive solutions cannot match, effectively eliminating the over-block/under-block risk and the immense administrative burden of constantly tweaking the security policy to handle such situations.

How do administrators review policy settings, reports and logs?
All policy settings are easily reviewed and modified through the management console. Reports are also generated through the console. Logs can be searched against a range of variables.

What kind of reporting is available from the WS1000?
Reports are available based on security and productivity concerns, and include:
  • Traffic patterns (page requests, downloads)
  • Blocked illegitimate traffic
  • System performance (throughput and latency)
  • User requests (site access)


Support and service
How is the WS1000 supported?
You can access Sophos's industry-leading support network via inbound telephone or email requests 24/7/365. You can also access the Sophos knowledgebase for extensive self-help. Sophos does not outsource support, and serves as the first and only line of contact on all matters relating to hardware and software.

Are the support contracts different from other Sophos products?
No. We maintain a single support structure for all Sophos products. Support is not outsourced and is available 24 hours a day, seven days a week.

How is system health monitored?
The WS1000 uses an intelligent array of built-in sensors that constantly monitor and report on system status. These sensors monitor hardware health, network connectivity, threat definition and software update status, and more.

What technologies are used to support the WS1000?
The built-in sensors trigger email notifications that get sent to the system administrator and, for some issues, to Sophos as well. If we need to respond, we will do so via email or text messaging (Standard support). If you opt for Sophos's Premium support package, we will respond via telephone.

What types of alerts are sent to Sophos?
Sophos receives Event Driven Notifications (EDN) in the case of any mission-critical system failure. EDNs typically cover elements such as software updates and hardware performance such as disk space, temperature and component failure.

What if I need further assistance?
The WS1000 also offers instant remote assistance via a secure tunnel (SSH) connection between the appliance and Sophos.

How does Sophos maintain security during remote assistance sessions?
SSH connections are fully encrypted for security, and responses are restricted to Sophos IP addresses to eliminate interception. The connection can only be initiated by the appliance administrator, as an outbound request to Sophos. The session remains open until the administrator closes it or 4 hours have passed. Furthermore, all changes made to the appliance configuration and settings are logged, providing complete transparency into everything that a Sophos support engineer does.

Can remote monitoring be disabled?
Yes. The administrator can turn off the remote monitoring function.

What is the warranty on the WS1000?
The hardware comes with an Advance Replacement Warranty against manufacturer defects for up to three years and as long as a valid license is in place. In the event of hardware failure, Sophos will replace the appliance unit at no cost to the customer before the customer returns the failed unit to the local depot (Boston or Eindhoven).




Wednesday, May 14, 2008   ©2008 NwTech, Inc. All rights reserved.