The iPrism Database

WHAT IS iPRISM?
iPrism v3.4 is a full-featured, dedicated
Internet filtering appliance designed for high performance and reliability.
The only appliance-based solution truly optimized for filtering and
interoperability, iPrism enables organizations to effectively monitor, block
and report on their users' Web activity.

WHAT ARE SOME OF THE FEATURES OF V3.4?
- Industry's best URL database -
Each and every Web site in the 60-category database is reviewed by human
eyes, leading to the most accurate database in the industry.
- Database customization - Use the
8 customizable categories to create your own categories, add sites to the
database, and exempt sites from the database.
- Flexible enforcement options -
Create unique filtering and monitoring policies by time of day, day of
week, category, users, and groups.
- Real-time e-mail alerts - Set
e-mail alerts for notification when certain URLs are accessed or when
bandwidth or time thresholds have been reached.
- Remote management - Securely
administer iPrism via any workstation with a browser.
- Comprehensive reporting -
Generate management style reporting for summary and detailed analysis of
your organization's Web surfing habits.
- Support for NT User Groups -
Assign profiles to users based on the NT groups they belong to.
- Support for LDAP - Assign
profiles to users based on LDAP (Windows 2000, Active Directory, Novell
and Unix systems) attributes.
- Auto-Login feature - Allows
administrators to apply filtering policies and view reports on a per-user
basis without requiring users to authenticate. Ideal for terminal server
environments such as Citrix.

HOW DOES THE AUTO-LOGIN FEATURE WORK (TRANSPARENT MODE)?
With the release of version
3.4, it is possible to obtain login credentials without prompting the user
in both Proxy and Transparent mode. Instead, the collection of these
credentials can be obtained from their workstation environment. You will get
the same benefits as provided by explicit authentication but without the
extra manual step from the user.
Auto-Login is an extension of
the IP-mapped authentication scheme available in transparent mode. The
authentication still relies on an IP address-to-user mapping, in which the
session length is controlled by a timeout.
The authentication phase is
automated; instead of prompting the user for their account information
(domain name and user name) and password, the account information is
obtained from the workstation login credentials.
The login credentials are
obtained using the Client Side NTLM authentication scheme, also known as
Integrated Windows Authentication. This is a secure authentication scheme
designed by Microsoft. Users' login credentials are not passed in clear
text. Instead, an encrypted challenge/response mechanism is used that
involves the client's browser, iPrism, and the domain controller. Although
this process is transparent to the user, a full authentication phase takes
place.
A Windows workstation will only
be able to utilize the Auto-Login feature of iPrism if it is logged into a
domain in which iPrism is also a trusted member. If the Auto-Login phase is
not successful (e.g. NTLM domain unreachable, incompatible browser), iPrism
will revert to the manual authentication interface and ask the user to enter
their login credentials.

WHAT ARE THE REQUIREMENTS FOR AUTO-LOGIN (TRANSPARENT MODE)?
- Client Side NTLM is a proprietary authentication scheme that is currently
only implemented in Microsoft's Internet Explorer Web browser. In order to
use Auto-Login, clients must be using Microsoft's Internet Explorer 4.x and
newer.
- Client workstations must be running Windows 98 or newer and must
participate in and log on to a Windows NT/2000 Domain.
- NTLM authentication must be enabled, configured and operational on iPrism.
- Specify a redirect method in iPrism. Depending on the redirection setting
you choose, you will need to configure your browser/workstation, domain
controller, or the DNS server (as appropriate) to support that choice.
  - IP Address (default). In order for Internet Explorer to participate in
  the NTLM authentication with iPrism, it is imperative that Internet
  Explorer knows that iPrism is within its local intranet. In order to
  establish this trust relationship, the IP address of iPrism must be in the
  Local Intranet Zone of Internet Explorer. Adding the IP address of iPrism
  to the Local Intranet Zone of Internet Explorer can be configured
  automatically from the domain controller or manually for each client.
  These procedures are detailed later in this document.
  - DNS. v3.4 offers an alternative to modifying browser settings: add an A
  record to your DNS server for iPrism so that browsers are able to resolve
  iPrism's non-qualified domain name to iPrism's IP address.

HOW DOES AUTO-LOGIN WORK FOR TERMINAL SERVER ENVIRONMENTS (PROXY MODE)?
Proxy Mode Auto-Login, much
like Transparent Mode Auto-Login, offers a way to authenticate users
automatically without requiring input from the user. By using the same
credentials that the user already entered to log in to their workstation, and
authenticating against the same domain controller, Auto-Login can uniquely
identify users securely and apply the correct Internet usage profile to
their browsing.
Although very similar, Proxy
Mode Auto-Login differs from Transparent Mode Auto-Login. While Transparent
Mode Auto-Login is an extension of the IP-mapped authentication scheme,
Proxy Mode Auto-Login is a session based authentication scheme. This means
that in proxy mode when a user launches Internet Explorer, it establishes a
network socket connection to iPrism and sends an initial URL request. iPrism
responds to the browser with a 407 header, meaning that proxy authorization
is required. Part of this proxy-auth notification includes methods of
authentication, and should include NTLM and BASIC authentication options. In
compliance with RFC 2617 "HTTP Authentication", browsers are supposed to
respond with the strongest form of authentication they support. In this
case, NTLM is far more secure than BASIC authentication, and any browser
supporting NTLM should select it as the best choice for authentication. By
including BASIC as an option, software that cannot or does not support NTLM
authentication is still capable of authenticating with the proxy and using
the proxy managed resources. It is important to have BASIC authentication to
fall back to, because many applications do not support NTLM authentication
and will never be able to authenticate without the availability of BASIC
authentication.
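
The scheme selection described above, as an added example that is not iPrism or browser code: it parses a constructed 407 response and picks the strongest offered scheme each client supports, then lists the clients that end up on BASIC. The strength ranking, function names and client inventory are assumptions made for the illustration.

```python
# Added illustration; names and sample data are assumptions, not iPrism code.
# Constructed 407 response offering the two schemes the passage names.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="proxy"\r\n'
    "Content-Length: 0\r\n\r\n"
)
STRENGTH = ["ntlm", "basic"]  # assumed ranking, strongest first

def offered_schemes(raw):
    """Return schemes from Proxy-Authenticate headers of a 407, else []."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "407":
        return []
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        token = value.split()
        if sep and name.strip().lower() == "proxy-authenticate" and token:
            schemes.append(token[0].lower())
    return schemes

def choose_scheme(raw, client_supports):
    """Strongest offered scheme the client also implements, or None."""
    offered = offered_schemes(raw)
    supported = {s.lower() for s in client_supports}
    for scheme in STRENGTH:
        if scheme in offered and scheme in supported:
            return scheme
    return None

def clients_on_basic(raw, inventory):
    """Clients that fall back to Basic, whose credentials are only base64-encoded."""
    return sorted(c for c, s in inventory.items()
                  if choose_scheme(raw, s) == "basic")

# Constructed inventory: what each client on the network can speak.
INVENTORY = {
    "Internet Explorer 6.0": ["NTLM", "Basic"],
    "update-agent": ["Basic"],
    "legacy-tool": [],
}

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_407))
    print(clients_on_basic(SAMPLE_407, INVENTORY))
```

Clients reported by `clients_on_basic` are the ones whose proxy credentials cross the network in a reversible encoding, so they are the ones to review when BASIC is left enabled as a fallback.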
Since Proxy Mode Auto-Login on
iPrism uses session-based authentication and authentication is based on user
profile, Proxy Mode Auto-Login has a major benefit over Transparent Mode
Auto-Login: it can support
and authenticate distinct users from a single IP address in multi-user
environments like Citrix and Windows Terminal Services where multiple
individuals are simultaneously logged in and using a single server computer.
Proxy Mode Auto-Login also works effectively in networks utilizing NAT
(network address translation) where many users may be on a private network
that appears to the rest of the world as a single IP address.
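
The difference between the two schemes on a shared address, as an added example that is not iPrism code: it models IP-mapped authentication with a timeout next to session-based authentication and attributes requests from two users on one terminal server. The class names, the address 10.0.0.5, the port numbers and the 300-second timeout are assumptions made for the illustration.

```python
# Added illustration; class names, addresses and the timeout are assumptions.
class IpMappedAuth:
    """Transparent-mode model: one user per client IP until the mapping expires."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.table = {}  # ip -> (user, expiry time)

    def login(self, ip, user, now):
        self.table[ip] = (user, now + self.timeout)  # replaces any earlier user

    def user_for(self, ip, now):
        user, expiry = self.table.get(ip, (None, 0))
        if now >= expiry:
            self.table.pop(ip, None)
            return None  # unknown or timed out: authentication must run again
        return user

class SessionAuth:
    """Proxy-mode model: identity is bound to each socket connection."""
    def __init__(self):
        self.sessions = {}  # (ip, source port) -> user

    def login(self, conn, user):
        self.sessions[conn] = user

    def user_for(self, conn):
        return self.sessions.get(conn)

def attribute(conns, ip_auth, sess_auth, now):
    """For each connection return (user per IP mapping, user per session)."""
    return [(ip_auth.user_for(c[0], now), sess_auth.user_for(c)) for c in conns]

def terminal_server_demo():
    """Two users on one terminal server (constructed address 10.0.0.5)."""
    ip_auth, sess_auth = IpMappedAuth(timeout=300), SessionAuth()
    alice, bob = ("10.0.0.5", 40001), ("10.0.0.5", 40002)
    ip_auth.login(alice[0], "alice", now=0)
    sess_auth.login(alice, "alice")
    ip_auth.login(bob[0], "bob", now=10)
    sess_auth.login(bob, "bob")
    during = attribute([alice, bob], ip_auth, sess_auth, now=20)
    after = attribute([alice, bob], ip_auth, sess_auth, now=400)
    return during, after

if __name__ == "__main__":
    print(terminal_server_demo())
```

With IP mapping, both users' requests are filtered and reported under whichever account authenticated last from that address; the session model keeps them apart.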
Logins on multi-user
environments are subject to the same requirements as non-multi-user
environments, in that the login must be a domain login and the users'
browsers must be configured correctly to use iPrism as proxy.

WHAT ARE THE REQUIREMENTS FOR AUTO-LOGIN (PROXY MODE)?
- Supported browsers include Microsoft Internet Explorer version 4.x and
later.
- Client workstations must be Windows 98 or later and must be participating
in, as well as logging into a Windows domain. iPrism must have a shared
trust connection in the same domain.
- NTLM authentication must be enabled, configured, and operational on iPrism.
- Users wishing to use proxy authentication must have their browser
configured with iPrism as their proxy server. NTLM authentication cannot be
proxied, so browsers must be able to communicate directly with the iPrism in
which they intend to authenticate.

WHAT PLATFORMS DOES AUTO-LOGIN WORK ON?

| Windows version | Internet Explorer Version | Internet Explorer Build ID |
|---|---|---|
| NT4 SP6 | 4.01 SP2 | 4.72.3612.1713 |
| NT4 SP6 | 5.0 | 5.00.2314.1003 |
| NT4 SP6 | 5.01 | 5.00.2919.6307 |
| NT4 SP6 | 5.01 SP2 | 5.00.3314.2101 |
| NT4 SP6 | 5.5 SP1 | 5.50.4522.1800 |
| NT4 SP6 | 5.5 SP2 | 5.50.4807.2300 |
| NT4 SP6 | 6.0 | 6.0.2600.0000 |
| NT4 SP6 | 6.0 SP1 | 6.0.2800.1106 |
| 98 | 4.01 SP1a | 4.72.3110.8 |
| 98 | 4.01 SP2 | 4.72.3612.1713 |
| 98 | 5.0 | 5.00.2314.1003 |
| 98 | 5.01 | 5.00.2919.6307 |
| 98 | 5.01 SP | 5.00.3314.2101 |
| 98 | 5.5 SP1 | 5.50.4522.1800 |
| 98 | 5.5 SP2 | 5.50.4807.2300 |
| 98 | 6.0 | 6.0.2600.0000 |
| 98 | 6.0 SP1 | 6.0.2800.1106 |
| 98SE | 5.0 | 5.00.2314.1003 |
| 98SE | 5.01 | 5.00.2919.6307 |
| 98SE | 5.01 SP2 | 5.00.3314.2101 |
| 98SE | 5.5 SP1 | 5.50.4522.1800 |
| 98SE | 5.5 SP2 | 5.50.4807.2300 |
| 98SE | 6.0 | 6.0.2600.0000 |
| 98SE | 6.0 SP1 | 6.0.2800.1106 |
| W2K | 5.01 | 5.00.2920.0000 |
| W2K | 5.01 SP2 | 5.00.3315.1000 |
| W2K | 5.5 SP1 | 5.50.4522.1800 |
| W2K | 5.5 SP2 | 5.50.4807.2300 |
| W2K | 6.0 | 6.0.2600.0000 |
| W2K | 6.0 SP1 | 6.0.2800.1106 |
| W2K SP2 | 5.5 SP2 | 5.50.4807.2300 |
| W2K SP3 | 5.01 SP3 | 5.00.3502.1000 |
| W2K SP3 | 5.5 SP1 | 5.50.4522.1800 |
| W2K SP3 | 5.5 SP2 | 5.50.4807.2300 |
| W2K SP3 | 6.0 | 6.0.2600.0000 |
| W2K SP3 | 6.0 SP1 | 6.0.2800.1106 |
| ME | 5.5 | 4.90.3000 |
| ME | 5.5 SP1 | 5.5.4522.1800 |
| ME | 5.5 SP2 | 5.50.4807.2300 |
| ME | 6.0 | 6.0.2600.0000 |
| ME | 6.0 SP1 | 6.0.2800.1106 |
| XP | 6.0 | 6.0.2600.0000 |
| XP | 6.0 SP1 | 6.0.2800.1106 |

NOTE:
Windows 2000 Service Pack 3 using Internet Explorer 5.01 SP3 has been found
to have abnormal authentication behavior and is not compatible with the
Auto-Login feature to date.

WHY IS iPRISM BETTER THAN SOFTWARE-ONLY SOLUTIONS?
1) There is no additional hardware or software to purchase, install, or
manage. iPrism does not require additions to workstations, servers,
firewalls or other network components.
2) iPrism provides automatic operating system and application software
updates. Software solutions force their customers to download and install
any patches, upgrades, etc.
3) Since iPrism includes both hardware and software, there is only one
vendor to contact for support. Software solutions may require multiple
vendor contacts depending on the issue.
4) iPrism is platform-independent and works in virtually any environment.
This allows iPrism to easily adapt to changing network equipment. Software
solutions may not work on certain platforms or with certain network
equipment and do not easily adapt to change.
5) iPrism offers a much lower total cost of ownership.

DO YOU BLOCK WEB SITES BY IP ADDRESS?
No. iPrism filters by full URL names and
includes the ability to block top level directories while allowing
subdirectories for maximum flexibility and precision control. URL-based
filtering is required to properly handle virtual Web site hosting. Since
many ISPs host multiple Web sites on the same server, products that block
based only upon IP address will incorrectly block every site on the hosted
Web server, even though some sites do not contain inappropriate content.

WHAT HAPPENS IF SOMEONE ENTERS AN IP ADDRESS TO ACCESS A SITE?
iPrism will automatically detect IP
address entries and properly handle them as if the site had been entered by
URL name.

CAN USERS CIRCUMVENT iPRISM FILTERING?
No. In the recommended configuration,
iPrism controls all network traffic to and from the Internet. Any attempts
to bypass the filter are blocked and logged as an access violation.

ARE USER OVERRIDE PRIVILEGES SUPPORTED?
Yes. When a user tries to access a
blocked Web site, a message indicating that access was denied is displayed
instead of the requested page. This page allows users with override
privileges to enter a password for immediate access to the requested Web
site.

HOW DO I RECEIVE SOFTWARE UPDATES?
You may choose to have software updates
automatically downloaded and applied to your iPrism or manually apply
software updates when you choose. Automatic software updates are performed
without any user intervention.

DOES iPRISM OFFER REPORTING?
Yes. In addition to proactive filtering
and blocking of inappropriate Internet access, iPrism provides full
monitoring and logging of all successful and unsuccessful Internet accesses,
giving your organization a complete profile of user activity. Comprehensive
reporting is built into the iPrism appliance and is included at no extra
charge.

WHAT IF I ONLY WANT TO MONITOR INTERNET ACCESS?
You can determine on a
category-by-category basis whether you want to monitor access, block access,
do both or do neither. When monitoring, reports are available allowing you
to show detailed site-by-site access or summary reports showing what content
categories are accessed by which users.

DOES iPRISM FILTER OTHER INTERNET SERVICES?
Yes. iPrism can control access to a wide
variety of other productivity and bandwidth draining services, such as
streaming audio, streaming video, FTP, IRC and ICQ chat.

HOW DOES iPRISM CONNECT TO MY NETWORK?
iPrism has dual 10/100Mbps network
interface cards and is typically connected between your router and LAN.
Other connection options exist to meet special needs.

HOW SECURE IS iPRISM?
iPrism is the
most secure filtering solution available. All database and software updates
are sent via a secure connection. We utilize SSL to provide secure
authentication of users. Usernames and passwords are encrypted. In
addition, the operating system has been optimized for web filtering and
"hardened" against attacks.

IS iPRISM SCALABLE?
Yes. The
central management capability allows easy management of multiple iPrism
units. We also support F5 Big IP and Cisco load balancers for redundancy
and load balancing.

WHAT DOES AN IPRISM FILTERING SUBSCRIPTION INCLUDE?
Subscriptions include the following:
- Automatic, daily database updates
- Automatic operating system and software upgrades
- Hardware and software support

WHAT IS iGUARD?
iGuard is the St. Bernard Software brand
name designation for the process by which a filter list of URLs is
classified into various categories.

WHY IS iGUARD BETTER THAN OTHER RATING SYSTEMS?
A lot of comparisons are made in the
filtering arena - the following explains why the iGuard system is better:
- 100% human review - better than machine or keyword rating
- Rating by parent URL vs. IP address
- Variety of acquisition methods
- Quickly review new sites
- Clearly defined categories
- Strong review process
- Daily update to iPrism
- 24-hour client submission process

WHY DOES iGUARD UTILIZE "100% HUMAN REVIEW"?
The Internet Analysts will visit each
site and assign it one or more category ratings based on the site's content.
This 100% "real person analysis" approach is superior to scanning and rating
via software or artificial intelligence technology that uses techniques such
as keywords, word pairs or custom dictionaries. These systems are
susceptible to a high rate of false positives/negatives. These errors are
virtually eliminated with iPrism because our iGuard filter list is a result
of careful review by our team of professional analysts.
Rating accuracy is paramount to the
success of the iPrism product line. Rating accuracy is closely monitored. To
ensure the high quality of rating work performed, daily quality checks are
performed.

HOW MANY CATEGORIES AND URLS DO YOU HAVE IN YOUR DATABASE?
HOW OFTEN IS THE DATABASE UPDATED?
We have 60 content categories covering
hundreds of millions of Web pages. The database is updated on a daily basis
via automatic incremental updates.

CAN I CHANGE THE WAY A SITE IS CATEGORIZED?
Yes. You may change the categorization
for any Web site by adding a new rating for the site. Your site rating will
always override the ratings in the master Web site database.

WHAT DOES THE iGUARD TEAM DO TO ENSURE THAT THE DATABASE IS UP-TO-DATE?
In addition to the items already discussed, the iGuard team performs many
other regular checks to ensure the database that is sent to our iPrism
clients is up-to-date. Some of them include:
- Reachability Testing - We regularly check the current database to ensure
that the URLs are still reachable. In some cases, URLs are hosted and then
after a while removed. This process makes sure that the database stays
current and only active websites are exported.
- Placeholder Sites - It is very common for a URL to be registered and then
held, either to be sold or left unused for a variety of reasons. These sites
are rated as "place holders" and are routinely rechecked. If and when the
URL results in an actual website, it is rated and added to the filter list.
- Quality Assurance - Rating accuracy is paramount to the success of the
iPrism product line. Rating accuracy is closely monitored. To ensure the
high quality of rating work performed, daily quality checks are performed.

WHAT CATEGORIES ARE IN THE DATABASE?
Detailed category definitions can be found here
