Product Information Bulletin
Clearswift SECURE ICAP Gateway v4.2
Version 01
28/07/2015
Clearswift Public
Copyright
Version 1.0, July, 2015
Published by Clearswift Ltd.
© 1995–2015 Clearswift Ltd.
All rights reserved.
The materials contained herein are the sole property of Clearswift Ltd unless otherwise
stated. The property of Clearswift may not be reproduced or disseminated or transmitted in
any form or by any means electronic, mechanical, photocopying, recording, or otherwise
stored in any retrievable system or otherwise used in any manner whatsoever, in part or in
whole, without the express permission of Clearswift Ltd.
Information in this document may contain references to fictional persons, companies,
products and events for illustrative purposes. Any similarities to real persons, companies,
products and events are coincidental and Clearswift shall not be liable for any loss suffered
as a result of such similarities.
The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All other
trademarks are the property of their respective owners. Clearswift Ltd. (registered number
3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington
Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they
comply with all national legislation regarding the export, import, and use of cryptography.
Clearswift reserves the right to change any part of this document at any time.
Contents
1 Overview
1.1 Clearswift Content Inspection Engine
1.2 Adaptive Redaction
1.3 ICAP Server
1.4 Management
1.5 Reporting
1.6 Threat Protection
2 Availability
3 Packaging
1 Overview
Clearswift is excited to introduce version 4.2 of the Clearswift SECURE ICAP
Gateway. This fully featured gateway extends the connectivity and coverage of the
existing products by providing an ICAP interface to integrate Clearswift’s unique
inspection and remediation technology with a client’s existing infrastructure.
Typical deployments are integrated with a forward proxy to inspect users’ browsing
traffic, or in a reverse proxy environment to analyze content being downloaded from
or uploaded to the corporate web servers.
In any of these cases, the devices acting as a forward or reverse proxy typically
provide a wide range of network-related functionality. However, they lack the
ability to perform deep content inspection of the information being exchanged to
enforce the information security policy. By complementing them with Clearswift,
clients can take advantage of the features of both products, protecting corporate
systems at both the network and the information level.
Clearswift has signed technology alliance partnerships with the market leaders in
each of these sectors. With this release, F5 BIG-IP is included as a supported
platform to integrate with. F5 Networks has more than 50% share of the Application
Delivery market.
Similarly, Blue Coat is the leader of the Secure Web Gateway market. Clearswift is also a
Data Loss Prevention technology alliance partner of Blue Coat.
It is also quite common in mid-sized or small organizations to find the open source
product Squid deployed as a proxy. With this release, Squid is also an officially
supported product to integrate with Clearswift SECURE ICAP Gateway.
All of these platforms provide an interface to expand their functionality through
other solutions such as anti-virus and Data Loss Prevention products connected via
the Internet Content Adaptation Protocol (ICAP).
By integrating with the SECURE ICAP Gateway, solutions such as F5 BIG-IP or Blue
Coat ProxySG can complement their functionality with Clearswift’s Adaptive Data
Loss Prevention (A-DLP) technology.
Featuring the highly efficient Clearswift Content Inspection Engine, the SECURE ICAP
Gateway provides a wide range of functionality. This new version extends the
existing capabilities of the product:
• Content Inspection and Adaptive Data Loss Prevention
  o Clearswift Deep Content Inspection Engine
  o Adaptive Redaction
  o Lexical analysis
  o Lexical qualifiers
  o True data type content detection
  o Recursive decomposition
• Platform:
  o 64 bit Red Hat Enterprise Linux 6.6
  o Hardware appliance, software and virtual installation options
• ICAP
  o ICAP server
  o Integrated authentication
• Management
  o Granular policies
  o URL Database
  o Complete reporting engine
  o English and Japanese Web UI
• Threat protection
  o Sophos and Kaspersky anti-malware engines
  o Active content detection and removal
  o Security risks URL database category
These features are detailed in the following sections of the document.
1.1 Clearswift Content Inspection Engine
Key points:
• Full inspection of both requests from users and responses from servers
• Detect and prevent sensitive information from leaving the organization
• Prevents accidental disclosure
• Ensure regulatory compliance
• True data type detection to provide full control of the content security policy
Clearswift’s Content Inspection Engine provides unparalleled technology to perform
bidirectional decomposition and analysis of the communication flows and apply the
appropriate content security policy to them.
Using true binary data type detection and recursive decomposition, it can identify
over 175 different data types even if they are embedded, compressed or contained
inside other file types. Furthermore, this detection can be extended by administrators
to effectively detect new data types.
Binary detection is often used to prevent undesired content, such as executables,
from getting into an organization. It is also used to prevent certain data types that might
contain company-unique knowledge, like CAD designs, from leaving the organization.
Lexical expressions provide a powerful way to identify text content in the
communication flows. By using weighted lists of words, patterns or tokens, not only
specific text can be identified, but also the context of the communication can be
validated. Great flexibility is provided in the definition of the expression, which can
be done using plain words, regular expressions or combinations of both for greater
accuracy.
Specific detection tokens are included in the product, which perform validation
operations such as checksums to ensure proper detection. These tokens include
credit card numbers, International Bank Account Numbers, UK National Insurance
number, US Social Security Number, German National ID Number, Australian Tax
File Number and the Business Identifier Code.
These can be extended with user defined patterns to detect other tokens such as
part numbers, national IDs, or any other pattern like the days of the week.
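The checksum-validated tokens and weighted expressions described above can be illustrated as follows. This is an added example, not Clearswift's code or expression syntax: the weights, threshold, context phrases and candidate patterns are assumptions, and only the Luhn (payment card) and ISO 13616 mod-97 (IBAN) checks are standard.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(candidate: str) -> bool:
    """ISO 13616: move the first 4 chars to the end, map A..Z to 10..35, mod 97 == 1."""
    s = candidate.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rotated = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rotated)) % 97 == 1

# Candidate patterns only find look-alikes; the checksum decides what counts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

# Assumed weights: one validated token alone stays under the threshold,
# a token plus supporting context crosses it.
TOKEN_WEIGHT, THRESHOLD = 6, 8
CONTEXT = {"card number": 3, "expiry": 2, "payment": 2}

def evaluate(text: str):
    """Return (score, triggered, hits) for one piece of text."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("CREDITCARD", m.group()))
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            hits.append(("IBAN", m.group()))
    score = TOKEN_WEIGHT * len(hits)
    for phrase, weight in CONTEXT.items():
        if re.search(rf"\b{re.escape(phrase)}\b", text, re.IGNORECASE):
            hits.append(("WORD", phrase))
            score += weight
    return score, score >= THRESHOLD, hits

# Constructed samples; the card and IBAN values are published test numbers.
SAMPLES = [
    "Payment details: card number 4111 1111 1111 1111, expiry next March.",
    "Order reference 4111 1111 1111 1112 has shipped; no payment required.",
    "Please refund to IBAN GB82 WEST 1234 5698 7654 32 this week.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample))
```

The second sample differs from the first by one digit and is rejected by the checksum, and the digit run inside the IBAN in the third sample also looks like a card number but fails the Luhn check.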
Lexical expressions are widely used to detect and prevent sensitive content from
leaving the organization and to ensure regulatory compliance. They are also used to prevent
undesired content from getting into the organization, such as offensive content or
data subject to some kind of regulation, like credit card numbers.
In order to improve the accuracy of the lexical detection, simplify the definition and
dramatically reduce the number of false positives, Clearswift allows the automatic
import of expressions from structured data sources like databases. By combining the
definition of specific tokens, such as Patient ID, with the information fed from the
databases, the number of false positives can almost be reduced to zero.
[Diagram: Patient DB → Export → TSV export → Secure and index → Indexed and secured TSV export → Place on a secure server → Pull (Secure Server)]
Both Lexical Expression detection and Binary Data Type detection can be combined
to selectively perform analysis of only the desired data types and provide an even
higher accuracy.
1.2 Adaptive Redaction
Key points:
• Modify offending content to match the security policy
• Apply detect-and-modify policy rather than a detect-and-block to allow the communication to happen
• Ensure compliance by redacting sensitive or personal data
• Strip hidden information from documents to prevent embarrassing disclosures
• Remove active content to effectively protect from Advanced and Persistent Threats (APTs)
• Preserve intellectual property and competitive advantage
• Cost option
Adaptive Redaction is the set of technology used to detect and modify content on
the fly as it is being analyzed by the Gateway. By taking such a comprehensive
approach, business processes are not blocked because of a strict or incorrect data
loss prevention policy.
Under the umbrella of Adaptive Redaction in the SECURE ICAP Gateway there are
three different features:
• Data Redaction
• Document Sanitization
• Structural Sanitization
Data Redaction relies on the lexical expression detection technology to perform
substitution of content that has been detected. The substitution can take place in
Office 2007+ (Word, Excel, PowerPoint), OpenOffice (Calc, Graphic, Impress,
Master, Math and Writer documents), PDF, RTF, text and HTML content, where the
detected content is replaced by asterisk (*) characters. This allows the Clearswift
SECURE ICAP Gateway to modify content being uploaded or downloaded, and even web
pages as they are being browsed.
Document Sanitization cleans up meta-data information like properties, change
tracking or quick save data, which are a common source of information disclosure.
The supported formats are Office 2007+ Word, Excel, PowerPoint, OpenOffice and
PDF.
Structural Sanitization can effectively detect and strip active content from different
sources. It covers the need to protect from unknown threats and APTs as well as
preserving intellectual property. The formats and active content supported vary
based on the data type, and are shown in the table below:
[Table: active content types (VBA Macro, JavaScript, VBScript, ActiveX) against formats (DOCX, PPTX, XLSX, Open Office, HTML, RTF encoded HTML, PDF, RTF); the per-cell support marks are not present in this copy.]
Adaptive Redaction provides a big step forward in Data Loss Prevention
technologies, as it provides alternatives to unsuccessful blocking DLP policies while
protecting from the most common data loss issues and the most advanced targeted
attacks.
1.3 ICAP Server
Key points:
• Integrate with existing infrastructure to perform deep content inspection in the communication flows
• Fully featured server provides content inspection, antimalware and URL filter
• Integrates different user authentication mechanisms provided by ICAP Client
• Certified Blue Coat ProxySG and F5 BIG-IP support as ICAP clients
The Clearswift SECURE ICAP Gateway provides ICAP server functionality. It allows
supported ICAP clients to send requests for inspection and policy enforcement.
The ICAP protocol defines a means to exchange messages between a client and a
server to provide additional inspection on the managed traffic. This is often used to
provide antivirus inspection through an external solution.
Clearswift presents a fully featured content inspection solution as an ICAP Server. Not
only does it provide the commonly requested antimalware functionality, but it also
provides the full power of Clearswift's award-winning Content Inspection Engine to
analyze the browsing flow at its deepest level.
In the current version, Blue Coat ProxySG, F5 BIG-IP and Squid are the supported
ICAP clients.
[Diagram: Users, ICAP Client and Clearswift SECURE ICAP Gateway; labels: HTTP Request, Mod HTTP Request, HTTP Response, Mod HTTP Resp, ICAP Msg, Adapted Content]
The Clearswift SECURE ICAP Gateway allows the configuration of the permitted ICAP
clients and the remaining parameters through the Web UI.
Configuration must also be done on the ICAP Client to forward the traffic intended
for inspection to the SECURE ICAP Gateway.
Figure 1: Blue Coat ProxySG integration
Figure 2: F5 BIG-IP integration
The Clearswift SECURE ICAP Gateway supports user based policies. This is achieved
by enabling authentication in the proxy and setting the authentication details to be
forwarded to the Clearswift SECURE ICAP Gateway.
Within the list of authentication protocols supported by Blue Coat, the following are
the ones that have been tested and validated to work with the Clearswift SECURE
ICAP Gateway:
• Windows IWA (transparent authentication)
• LDAP (AD)
• Authentication Forms
F5 BIG-IP authentication can also be performed in a number of ways. However, it
must be configured to forward the authentication information in the
“X-Authenticated-User” ICAP header following a “DOMAIN/username” format. This is
typically done by using an iRule.
Once authentication is enabled and the details are being received by the Clearswift
SECURE ICAP Gateway, granular policies can be applied to the traffic, as explained
in the following section.
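How a receiving ICAP service might read the forwarded identity, shown as an added example (not Clearswift's or F5's code): the allow-list address, host names and the exact character rules for DOMAIN/username are assumptions, and the sample REQMOD message is constructed.

```python
import re

PERMITTED_CLIENTS = {"192.0.2.10"}   # hypothetical: proxies allowed to speak ICAP to us
# Assumed shape of the "DOMAIN/username" value; tighten to the local directory's rules.
USER_RE = re.compile(r"([A-Za-z0-9.-]{1,64})/([^\s/\\]{1,64})")

def parse_icap_head(raw: bytes):
    """Split an ICAP request into (method, headers, encapsulated HTTP bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("ascii").split("\r\n")
    method, _uri, version = lines[0].split(" ")
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 request")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers, rest

def authenticated_user(peer_ip: str, raw: bytes):
    """Return (domain, username), or None when the proxy sent no identity."""
    if peer_ip not in PERMITTED_CLIENTS:
        # The header is an assertion made by the proxy; from any other peer it is just text.
        raise PermissionError(f"{peer_ip} is not a permitted ICAP client")
    _method, headers, _http = parse_icap_head(raw)
    values = headers.get("x-authenticated-user", [])
    if not values:
        return None                  # caller falls back to its unauthenticated policy
    if len(values) > 1:
        raise ValueError("ambiguous identity: header repeated")
    m = USER_RE.fullmatch(values[0])
    if not m:
        raise ValueError(f"expected DOMAIN/username, got {values[0]!r}")
    return m.group(1), m.group(2)

def build_reqmod(user_header: str) -> bytes:
    """Constructed sample: REQMOD carrying one encapsulated HTTP GET with no body."""
    http = b"GET /report.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    icap = ("REQMOD icap://icap.example.net/reqmod ICAP/1.0\r\n"
            "Host: icap.example.net\r\n"
            f"{user_header}"
            f"Encapsulated: req-hdr=0, null-body={len(http)}\r\n\r\n")
    return icap.encode("ascii") + http

if __name__ == "__main__":
    print(authenticated_user("192.0.2.10", build_reqmod("X-Authenticated-User: CORP/alice\r\n")))
```

Because user-based policy hangs on this one header, the peer check comes before any parsing, and a repeated or malformed value is rejected rather than guessed at.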
1.4 Management
Key points:
• Complete intuitive Web management interface
• Per user/department/group granular policies
• Easy to use Web UI to fully control Clearswift Content Inspection Engine
• URL database with 84 categories to apply per site/category/Internet zone policies
• English and Japanese Web management interface
• Encrypted communications
The Clearswift SECURE ICAP Gateway inherits the intuitive web management
interface from Clearswift's award-winning SECURE Email and Web Gateway
products. It allows administrators to take full control of the underlying Content
Inspection Engine and create effective content security policies. The web interface is
provided in the same box as the enforcement module to achieve higher
consolidation and is localized into English and, with version 4.2, into Japanese.
The definition of the policy is based on routes, which are source and destination
relationships that select a specific rule set to be applied.
Active Directory and LDAP integration allows the selection of users based on their
department, group, or any other information as source of the communication. The
destination can be defined through the selection of one or more URL database
categories, the definition of URL patterns, or even IP addresses.
Based on these two parameters, the defined routes are evaluated in order to find
the rule set to apply to a specific communication flow.
The selected content rules are applied in order, analyzing the traffic to look for
specific content and taking remedial action where appropriate. A complete collection
of content rules is provided to take advantage of all the available functionality
offered by the Clearswift Content Inspection Engine.
The actions that a content rule can perform could be to block the traffic, force it to
be allowed, or simply continue with the evaluation to perform only monitoring of the
traffic, like in the example below.
Additionally, informs can be sent to specific users (like administrators, HR or the
legal department) to notify them about the triggered rule.
In any case, a trace of the triggered rules is registered to be able to run reports on
them.
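The route and rule model described in this section can be sketched as follows. This is an added example, not the product's policy engine or configuration format: the route names, groups, categories and predicates are hypothetical, and it assumes that the first matching route wins and that traffic no rule stops is allowed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Route:
    name: str
    groups: set          # source: directory groups ("*" matches any user)
    categories: set      # destination: URL database categories
    url_patterns: list   # destination: URL patterns (shell-style wildcards)
    rules: list          # ordered (rule_name, predicate, action) tuples

    def matches(self, user_groups, category, host):
        src = "*" in self.groups or bool(self.groups & user_groups)
        dst = category in self.categories or any(fnmatch(host, p) for p in self.url_patterns)
        return src and dst

def decide(routes, user_groups, category, host, content):
    """Return (verdict, trace) for one request or response."""
    trace = []
    route = next((r for r in routes if r.matches(user_groups, category, host)), None)
    if route is None:
        return "allow", trace                          # assumed default
    for rule_name, predicate, action in route.rules:
        if not predicate(content):
            continue
        trace.append((route.name, rule_name, action))  # every triggered rule is recorded
        if action in ("block", "allow"):               # terminal actions stop evaluation
            return action, trace
    return "allow", trace                              # only "continue" rules fired

# Constructed policy and predicates.
has_exe = lambda c: c["type"] == "executable"
has_card = lambda c: "card number" in c["text"].lower()
ROUTES = [
    Route("IT to vendors", {"IT"}, set(), ["*.vendor.example"],
          [("Trusted downloads", has_exe, "allow"), ("Card data", has_card, "block")]),
    Route("Everyone to web", {"*"}, {"Business", "Webmail"}, [],
          [("Monitor card data", has_card, "continue"), ("No executables", has_exe, "block")]),
]

if __name__ == "__main__":
    both = {"type": "executable", "text": "card number enclosed"}
    print(decide(ROUTES, {"IT"}, "Business", "dl.vendor.example", both))
    print(decide(ROUTES, {"Sales"}, "Business", "dl.vendor.example", both))
```

In the first call the forced allow fires before the card-data rule is ever evaluated, which is the ordering effect to check for when reviewing a rule set.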
1.5 Reporting
Key points:
• Complete built-in reporting engine
• Live and historical data
• Simplified report scheduling
Reporting is a key element of any content inspection product. The Clearswift
SECURE ICAP Gateway provides a complete reporting engine built into the product,
with no need for additional external servers.
The product keeps track of the analyzed content and the rules triggered by it. Based
on this information, a complete set of reports can be parameterized and run.
This information is generated as the traffic is inspected by the Gateway. This
provides the ability to seamlessly run the reports on historical data and real time
data based on the time period selected.
All of the reports can be easily scheduled to be generated automatically and emailed
to one or more recipients.
1.6 Threat Protection
Key points:
• Selectable antimalware engine – Cost option
• Antispyware engine
• Security risk URL filters
• Real time page analysis
The Clearswift SECURE ICAP Gateway provides a wide range of functionality focused
on inspecting content to the deepest level. Additionally, complete threat protection
technology is optionally included in the product:
• Sophos or Kaspersky selectable antimalware engine
• Spyware call home detection
• Tracking cookies detection and removal
• URL security risk categories to prevent access to sites where malicious content has been detected
• Real time analysis of the content in 18 different languages to detect possible security risks
All of the filters can be selectively activated inside the granular policy to be applied
to specific user groups or sites.
2 Availability
Phase                  Date
General Availability   28th July 2015
3 Packaging
This release will be available as an ISO image for all clients to download. Installation
guides describe the process for the initial setup and configuration.