1-888-922-2726

BASCOM

Patronus Technology

Internet Filtering

Patronus provides customized Web site filtering using a number of disparate techniques. These techniques can be applied to various elements of your network in a customized and unique manner, depending on your needs. Filtering can be customized and assigned to individual workstations or ranges of local IP addresses, user names (or other identity elements such as workstation names or organizational membership), or defined groups of workstations or users. The following filtering techniques are utilized:

  • Dynamic URL Categorization
    Patronus comes loaded with a powerful Web site filter which automatically categorizes over 25 million sites in over 90 comprehensive categories. Access to these categories can be permitted or blocked, allowing it to be fine-tuned for each computer. This list is automatically updated by BASCOM, reflecting the continuous changes of Web sites and their content.
  • Real Time Proxy Detection
    In addition to categorizing known Internet proxies through our URL category list, Patronus examines suspicious-looking URLs to determine if the network client is attempting to circumvent its filter by use of a proxy. This dynamic detection is in addition to the category list, as proxy servers routinely are set up quickly, possibly prior to being categorized in the master list.
  • Safe-Search Mode
    Patronus can optionally enforce "Safe Search" levels within popular search engines. This allows the Safe Search option to be set on each local network client, regardless of how that client has attempted to set up their Safe Search level within their browser.
  • Safe-Search for Google Images and Search Engine Cache
    Patronus can also apply Web content filtering policies to Google's image search by examining the destination of the image thumbnails, further protecting users from inappropriate content that is otherwise difficult for traditional Web filters to detect.
  • File & Extension Blocking
    Patronus also permits selective blocking of specific files and file types. This provides control over the type of content clients can download. System Administrators can also set exception rules to allow specific files or file type downloads only from specific sites.
  • Streaming Media Blocking
    Blocks all types of streaming media, while allowing a user to selectively permit focused media content.
  • Select Viewing of YouTube Videos
    Although a librarian may want to use specific YouTube videos or channels for educational purposes, allowing the entire site may deliver inappropriate content. To address this need BASCOM recently announced its new Patronus Video Selector™. This robust feature enables librarians to safely allow a specific YouTube video or channel and its related page content, while blocking access to other videos.

    This feature streamlines a very difficult process for the user. Without this feature, the user would have to individually allow many links to aggregate the entire page. Since the YouTube site (www.youtube.com) employs a highly complex infrastructure that relies on many different servers for streaming content, building a single YouTube page requires intelligent URL inspection to examine each link required for the page. Patronus performs this automatically to allow all necessary content for proper page display.
  • Instant Messenger Blocking
    Blocks most popular types of instant messenger clients on a profile basis.
  • Granular Web Site Control
    In addition to URL categorization, Patronus enables the built-in filtering techniques to be overridden by permitting a defined list of allowed or blocked exceptions. The granularity of this can be as wide as an entire domain name, or as narrow as a specific page. Each filter profile has its own list of custom allowed/blocked sites, in addition to having a list that's system-wide. For even more granular control, sites are categorized in multiple categories. If a site is blocked in one category, but allowed in another, a "trust" setting is available to always allow the site.
  • Flexible User Discretion
    The System Administrator is responsible for setting the default filter settings defined by the Acceptable Use Policies for your library, and for setting the authority level (or discretion) that a librarian has over making changes to those defaults. When a System Administrator creates User Accounts, authority for each filter category is defined for each user. This flexible discretion permits a user to allow certain sites from within a filter category that may be blocked for the rest of the library. The permitted librarian may also unblock an entire filter category when it is appropriate.
  • Block HTTPS Traffic
    Blocks access to specific types of sites.

Peer-to-Peer Detection and Blocking

Your network and its bandwidth are protected by the peer-to-peer blocking and monitoring capabilities of Patronus.

  • Peer-to-Peer Blocking
    Protects a network and its bandwidth by restricting clients from running many distributed peer-to-peer file sharing and browsing programs. This allows the enforcement of your Internet Use Policies. It effectively detects most protocols, including: BitTorrent, Gnutella, eDonkey, FastTrack, NeoNet, Ares, and TorPark.

    Our protocol blocking monitors all traffic flowing from your network to the Internet. By examining the data, Patronus detects suspicious traffic from clients on your network. When this traffic is detected, Patronus restricts all Internet access on that client computer for five minutes. In addition, this access is logged so you can further review and identify chronic peer-to-peer violators.
  • Peer-to-Peer Monitoring
    Patronus's peer-to-peer control monitors and logs activity, quietly logging access, but not blocking the access of violating clients. This provides the freedom of not restricting clients, while still maintaining the ability to administer network utilization.
  • TorPark/XeroBank
    TorPark (now referred to as XeroBank) uses a modified version of Firefox, which routes its traffic through a worldwide distributed network of "onion" servers. These servers make Web requests on behalf of the TorPark browser—therefore not only distributing Web access, but also anonymizing the access in the process. This circumvents most front-line Web content control. Incorporating TorPark control into Patronus's suite of detectable peer-to-peer protocols effectively fixes the security and policy issues that these browsing proxies and anonymizers introduce.

Integrated Firewall

BASCOM's Patronus includes an integrated stateful firewall, providing robust network security that is managed through a simple Web interface. This deep-packet inspection firewall filters both inbound and outbound traffic. Since it is an affirmative firewall, all traffic into and out of the network must be explicitly allowed by the System Administrator.

Patronus actively logs blocked attempts against the firewall. These logs are available to BASCOM's Technicians. The firewall also actively monitors, blocks, and logs invalid login attempts. If there are too many invalid login attempts, the computer is blocked from further login attempts for 60 seconds. Doing this prevents most brute force, script-based attacks from interfering with your network.

  • Predefined Rules
    For ease of network deployment, BASCOM has provided numerous predefined firewall rules, allowing firewall settings to be defined with just a few clicks and keystrokes. Many common applications, such as Web servers, VNC, FTP, and H.323, are made available in the Predefined dropdown of the Add Firewall Rule page. With a single selection, the required rules for an entire application are added to a firewall.
  • VPN Pass-Through
    Within these predefined rules, BASCOM has defined VPN pass-through rules. This enables VPN connectivity without knowing the nuances of each port and protocol that's required to properly deploy it. Our VPN pass-through rules encompass popular VPN protocols, including IPSec, PPTP, and L2TP.
  • Locked Down by Default
    Patronus's firewall is completely locked down by default, restricting all communication in or out of your network. Improved management of a network and bandwidth are accomplished through explicit definitions that selectively permit access.
  • Temporary Rules
    Firewall rules can be enabled and disabled on demand, eliminating the need to constantly redefine infrequently-used rules.
  • Port Forwarding
    Patronus's firewall allows the definition of specific port forwards for applications that are not predefined.
  • Network Address Translation (IP Translation/Outbound)
    Patronus's firewall supports network address translation (NAT), further providing security and control over a network's resources.
  • Deep, Stateful Packet Inspection
    Patronus employs a stateful packet inspection (or SPI) firewall which actively tracks all inbound and outbound communication. This implementation is a quantum leap over traditional firewalls, leveraging today's available processing power to ease administration and security headaches. An initial connection is examined, and if allowed, is continually tracked by the firewall. Doing this provides two benefits. First, the firewall's rules are only referred to during the initial connection, which means that subsequent packets only need to be checked against the firewall's active connections and not against the rules, as the conversation has already been qualified. Second, rogue, potentially malicious packets outside of the context of established, tracked connections are ignored—mitigating the risk of traditional firewall attacks. This powerful firewall tracking works equally well with connection-oriented (TCP) and connectionless (UDP) protocols. In addition, Patronus deploys application-level filters at the packet level, utilizing deep packet inspection to dynamically detect and configure the firewall in response to the examined traffic.
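The default-deny, connection-tracking behaviour described above, shown as an added illustration (this is not BASCOM's code and says nothing about how Patronus is implemented internally). It assumes a simplified 5-tuple flow table, a SYN flag marking the first TCP packet of a connection, and an assumed 30-second idle timeout for UDP pseudo-connections; all packets are constructed sample data.

```python
# Added example, not Patronus's code: a minimal default-deny stateful packet
# filter. Rules are consulted only when a packet would open a new flow;
# later packets (including replies) are admitted from the flow table alone,
# and packets with no tracked flow and no matching rule are dropped and logged.
from dataclasses import dataclass, field
import time


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out" = LAN -> Internet, "in" = Internet -> LAN
    syn: bool = False  # TCP only: first packet of a connection


@dataclass
class StatefulFirewall:
    # Affirmative rules: (direction, proto, dport) tuples allowed to open a
    # flow. Anything not listed here is denied (locked down by default).
    rules: set = field(default_factory=set)
    udp_timeout: float = 30.0           # assumed idle timeout for UDP flows
    _flows: dict = field(default_factory=dict)
    _log: list = field(default_factory=list)

    def _key(self, pkt):
        # Direction-independent 5-tuple so a reply maps onto its request's flow.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def filter(self, pkt, now=None):
        now = time.monotonic() if now is None else now
        key = self._key(pkt)
        state = self._flows.get(key)
        if state is not None:
            if pkt.proto == "udp" and now - state["last"] > self.udp_timeout:
                del self._flows[key]       # stale UDP pseudo-connection
            else:
                state["last"] = now         # established: no rule lookup
                return "accept"
        if pkt.proto == "tcp" and not pkt.syn:
            # Mid-stream TCP segment with no tracked connection: ignore it.
            self._log.append(("drop", "no-state", pkt))
            return "drop"
        if (pkt.direction, pkt.proto, pkt.dport) in self.rules:
            self._flows[key] = {"opened": now, "last": now}
            return "accept"
        self._log.append(("drop", "no-rule", pkt))
        return "drop"


def demo():
    # Constructed sample traffic: LAN client 192.0.2.10 talks to the Internet.
    fw = StatefulFirewall(rules={("out", "tcp", 443), ("out", "udp", 53)})
    req = Packet("tcp", "192.0.2.10", 40001, "198.51.100.7", 443, "out", syn=True)
    rep = Packet("tcp", "198.51.100.7", 443, "192.0.2.10", 40001, "in")
    rogue = Packet("tcp", "203.0.113.9", 443, "192.0.2.10", 40002, "in")
    probe = Packet("tcp", "203.0.113.9", 5555, "192.0.2.10", 22, "in", syn=True)
    dns_q = Packet("udp", "192.0.2.10", 5353, "198.51.100.53", 53, "out")
    dns_r = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 5353, "in")
    pkts = [req, rep, rogue, probe, dns_q, dns_r]
    return [fw.filter(p, now=t) for t, p in enumerate(pkts)]
```

Only the two outbound requests consult the rule set; the replies pass on flow state, while the unsolicited inbound segment and the inbound connection attempt are dropped.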

Authentication

Patronus provides flexible authentication options to accommodate most network architectures. The methods offered can be mixed and matched to work within many environments—all without reworking administrative philosophies.

  • IP-Based
    The simplest configuration permits access control assignments by a client's IP address. This allows access policies to be set across a large number of client computers. Also, a group of computers within a specific IP address range can easily be assigned a specific profile. A profile can also be assigned to a specific IP address to override the wider access control of an IP address range. Patronus also allows access control by individual IP and range definitions into aliases, or groups.
  • Login-Based
    Patronus can be configured to require a login before permitting access. This login is directly tied to a profile, allowing a roving user to apply their Internet access settings to any computer on a network. Logins can be deployed in two ways: a user is presented with a Patronus login page, prompting them for an ID and password, or a user can be presented with a standard proxy authentication dialog box, as implemented by a Web browser. Client logins can also be mixed with the IP and range access, and permission for client logins can be restricted to selected workstations.
  • Directory Services Integration (Novell, Microsoft Active Directory)
    Access can be authenticated and controlled by utilizing the client's LDAP attributes. When a user logs into their computer, their identifying information is associated with the access control defined within Patronus's administrator interface. Access can be controlled by user or workstation name, or by the associated group or organizational unit. Overriding access for a specific user with a group is accomplished easily by assigning that user's name to the desired profile—all without altering the LDAP controller or a given user's membership within the organization. This flexibility can be mixed and matched with the IP-based and Login-based authentication methods.
  • Directory Services Logging and Reporting
    LDAP can also be used for access logging and reporting. Rather than "opaque" reporting of usage by IP address, utilizing the directory services feature permits reporting with more useful, descriptive names. Doing this requires no configuration or administration of directory services during installation; the login facility conveys a user's information automatically to Patronus's logging and reporting subsystem. Established components of a network's design are leveraged intuitively, without forcing the administration of access control into an "all or nothing" approach.
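The override relationships in the IP-based, Login-based and directory-based methods above, shown as an added example (not BASCOM's code). The page does not state the precedence between identity and IP matches, so this assumes: explicit user name > directory group > exact IP > longest matching IP range > default profile; all addresses, names and profiles are constructed sample data.

```python
# Added example, not Patronus's code: resolve which filter profile applies
# to a request from a client IP and (optionally) a logged-in user's
# directory attributes. Assumed precedence, most specific first:
# user name > directory group > exact IP > longest matching range > default.
from ipaddress import ip_address, ip_network


class ProfileResolver:
    def __init__(self, default="patron"):
        self.default = default
        self.by_user = {}      # user name -> profile (overrides group)
        self.by_group = {}     # directory group / OU -> profile
        self.by_ip = {}        # exact address -> profile (overrides range)
        self.by_range = []     # (network, profile) for CIDR ranges

    def add_range(self, cidr, profile):
        self.by_range.append((ip_network(cidr, strict=False), profile))

    def add_alias(self, members, profile):
        # An alias (named group) bundles individual IPs and ranges under
        # one profile so they can be administered together.
        for m in members:
            if "/" in m:
                self.add_range(m, profile)
            else:
                self.by_ip[ip_address(m)] = profile

    def resolve(self, client_ip, user=None, groups=()):
        if user in self.by_user:
            return self.by_user[user], "user"
        for g in groups:
            if g in self.by_group:
                return self.by_group[g], "group"
        ip = ip_address(client_ip)
        if ip in self.by_ip:
            return self.by_ip[ip], "ip"
        # Several ranges may contain the address; the narrowest one wins.
        hits = [(n.prefixlen, p) for n, p in self.by_range if ip in n]
        if hits:
            return max(hits)[1], "range"
        return self.default, "default"


def demo():
    r = ProfileResolver()
    r.add_range("192.0.2.0/24", "patron")        # public floor
    r.add_range("192.0.2.0/26", "children")      # kids' corner inside it
    r.by_ip[ip_address("192.0.2.5")] = "staff"   # reference desk PC
    r.by_group["Librarians"] = "librarian"
    r.by_user["jdoe"] = "unrestricted"           # user-level override
    r.add_alias(["192.0.2.200", "192.0.2.201"], "kiosk")
    return [
        r.resolve("192.0.2.130"),
        r.resolve("192.0.2.20"),
        r.resolve("192.0.2.5"),
        r.resolve("192.0.2.130", user="asmith", groups=("Librarians",)),
        r.resolve("192.0.2.20", user="jdoe", groups=("Librarians",)),
        r.resolve("192.0.2.200"),
        r.resolve("198.51.100.9"),
    ]
```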

Logging & Reporting

Patronus offers a variety of reports for analyzing Internet use—making it easy for an Administrator or Technology Director to study how the Internet is used throughout the library. It also automatically archives log files for easier auditing and logs all access requests for a firewall rule from either inside or outside of a network.

  • Workstation Reports for analyzing Internet use for a workstation
    Workstation Reports show usage for workstations by Profile Name, Access Zone, those set by Users, and those using the Profile Login method.
  • Profile Reports for locating a profile by specific criteria
    Profile Reports show usage for profiles by Users or Access Zone.
  • User Reports for finding individuals that are misusing the Internet
    User Reports list users and their profiles or Access Zone.
  • Access Reports for analyzing Internet use by specific requests
    Access Reports are based on the following requests: Most Popular Destinations; Peer-to-Peer Requests; Most Active Workstations or Profiles; Filtered Zone Categories by Number of Requests; Directory Service User Names by Number of Requests; Allowed or Blocked Requests; Requests by Directory Service User Name, Core Categories, Workstation, Host, or Filtered Zone Category; and All Directory Service Logins.
  • A 'Reports Only' Patronus User
    Patronus provides the ability to create a User Account for a Reports Only User. This is beneficial for a User that needs access to Patronus's Reporting function only without actually needing to use the system to set Internet access controls.
  • Reporting: LDAP-based Directory Services
    Patronus is now able to integrate with LDAP-based directory services—such as Novell eDirectory or Microsoft Active Directory—to add User Names to reports.
  • Firewall Traffic Reports
    Logs specified network access requests.

Flexible Setup

For ease of installation and to meet your networking requirements, Patronus is available in a variety of setup options. This flexibility includes the following configurations: Internet Gateway (2 or 3 Ethernet), Internet Gateway (PPPoE), Proxy Only, URL Filter Server, and Transparent Bridge (with or without firewall).

  • Internet Gateway (2 Ethernet)
    This model of Patronus includes a LAN firewall, Web caching, filtering, the Kids Zone, and the Virtual Administrator. It is compatible with many forms of Internet access, including ISDN, DSL, Cable, and T1, and works with an external router.
  • Internet Gateway (3 Ethernet)
    This model of Patronus requires the installation of a third network card. Depending on the system, this third network card may be pre-installed and provides a separate physical network. This network can be used as a DMZ for the protection of public servers such as a Web or an e-mail server, or it can be used as a separate internal network. Depending upon the setup, this Patronus provides the LAN firewall, Web caching, filtering, the Kids Zone and the Virtual Administrator for both networks. It is compatible with many forms of Internet access, including ISDN, DSL, and T1, and works with an external router.
  • Internet Gateway (PPPoE)
    Point-to-Point Protocol over Ethernet (PPPoE) is used by some DSL-based ISPs to establish communications. If using a DSL line, check with the ISP to see if they use PPPoE. If they do use PPPoE, it must be enabled. Remember to remove any existing PPPoE routers on the network and plug the system directly into the DSL modem. This model of Patronus includes a LAN firewall, Web caching, filtering, the Kids Zone, and the Virtual Administrator.
  • Proxy Only
    In this configuration, the system is not in the direct path of network traffic. It sits adjacent to a router. The Web browser on each of the workstations needs to be configured with a proxy setting so that all Web requests are directed to the system. The DNS setting on each of the workstations also needs to be pointed towards the IP address of the system to properly resolve the system interface addresses. The system then performs Web caching and filtering. This model of Patronus also includes the Kids Zone and the Virtual Administrator.
  • URL Filter Server
    Use this selection if a Cisco product (that supports the URL-filter command) is on the network and Patronus will be used for filtering only. In this configuration, the system is not in the direct path of network traffic. Instead, it is adjacent to the Cisco product and is used for filtering Web requests. This model of Patronus also includes the Kids Zone and the Virtual Administrator.
  • Transparent Bridge
    In this configuration, Patronus is in the direct path of network traffic. All traffic flows through it, but only Web and DNS requests are intercepted. The system performs Web caching and filtering. This model of Patronus also includes the Kids Zone and the Virtual Administrator.
  • Transparent Bridge with Firewall
    In this configuration, Patronus is in the direct path of network traffic. All traffic flows through it. The system acts as a Web cache, filter and firewall. This model of Patronus also includes the Kids Zone and the Virtual Administrator.
  • Acceptable Use Policy (AUP) Splash Screen
    This feature allows a library to create a WiFi hotspot for a portion of its network. For patrons using their own laptops, your library may wish to institute an Acceptable Use Policy (AUP) which requires agreement to your Internet guidelines in order to access the Internet. The screen can also be used to alert patrons of any vital information. For flexibility in administration, specific computers and/or IP ranges of computers can be excluded from receiving the AUP screen.

Integrated Web Cache

Patronus includes Web Caching for HTTP traffic (including YouTube videos). This speeds up Internet access by storing frequently used Web objects on the server.

Web caching is the ability for a server or computer to 'cache' or save Web pages and their individual elements onto its internal storage. When a Web surfer calls for the page, parameters determine whether it's more efficient to ask for the page from the original Web server over the Internet (takes more time) or directly from Patronus (saves time). In addition, a rudimentary check is performed to assure that the locally cached information is still valid. Since pages are served locally whenever appropriate, libraries can get better performance out of less expensive connection scenarios, saving bandwidth and access costs.

Backup/Restore

  • Backup
    Every night, Patronus performs automatic, remote backup of all configuration files—including firewall rules, profiles, and network settings—and stores this data securely at BASCOM's Network Operation Center. This relieves a library's technology staff of doing daily tape backups.

  • Restore
    For disaster recovery, a phone call to BASCOM's Technical Support staff is all that is needed to remotely restore Patronus using a private inter-server communication channel. A simple interface is used to restore a library's backed-up data and Internet access. In case of a hardware failure, Patronus's Express Exchange Warranty™ guarantees delivery of a new appliance the following day if BASCOM is notified by 12:00 noon Eastern Time. (Notifications after 12:00 noon Eastern Time cannot guarantee delivery of a new appliance the following day.)

IP Multicast Support

Streaming of video, audio or other multimedia content from the Internet to multiple computers simultaneously can consume massive amounts of bandwidth. Patronus now supports PIM and IGMP multicasting. This enables it to receive a single video and then broadcast it to many computers on a network, thus saving huge amounts of bandwidth. However, multicasting requires support from your Internet Service Provider, and can only be enabled and configured by contacting BASCOM support.