Integrating HSG with Menlo Security for Maximum Web Security

Menlo Security has been named by Gartner Inc. to the Visionaries quadrant of the 2018 Gartner Magic Quadrant for Secure Web Gateways. The Menlo Security Isolation Platform (MSIP) is a global, 24x7 cloud service that protects enterprises from cyber attacks by isolating and executing all web content on the MSIP platform, away from the endpoints.

RansNet Hotspot Gateway (HSG) combined with MSIP is an ideal web security solution with a seamless user experience. HSG simplifies the network administrator's job by offering numerous authentication methods to grant internet access to a large number of enterprise and transient users, while helping the security team enforce internet policies on both enterprise and BYOD devices.

Once a user is authorized by HSG, their web sessions and all active content (e.g. video, JavaScript, Flash), whether benign or malicious, are fully executed and contained in the Isolation Platform. Only safe, malware-free rendering information is delivered to the user's endpoint, eliminating any possibility of the authorized user's device being compromised by harmful web content.

User experience (traffic flow)

  1. The user device associates to the wireless SSID broadcast by the AP
  2. The AP forwards the user's connection request to HSG, which issues a DHCP IP address to the user device
  3. After obtaining the DHCP IP address, the user launches a browser for Internet access (some devices automatically open the CNA captive portal)
  4. HSG intercepts the user's browsing request and, if the user is not yet authenticated, redirects the browser to a customisable splash/login page
    • the splash page can be customized with a link asking the user to download and install the SSL certificate (needed for MSIP web isolation)
    • multiple authentication options can be combined
      • Enterprise/corporate user login: integrates with the company AD or pre-loaded authorized accounts
      • Guest/transient user login: self-registration via email/SMS or social sign-in, with restricted/controlled access

NOTE: to simplify the user experience, the seamless re-login features (client sticky or portal sticky) can be enabled so that the user is prompted to download the SSL certificate and authenticate only the first time (i.e. step 4 happens only once). Subsequent connections are seamless for all users.

CONFIGURATION ON HSG

!
#this section is optional. needed only for on-premise deployment. replace 172.16.60.100/101 with on-premise box IP address
ip host menlo-cmr.ransnet.com 172.16.60.100 rewrite
ip host menlo-iso.ransnet.com 172.16.60.101 rewrite
ip host xhr-safeweb.ransnet.com 172.16.60.101 rewrite
ip host safeweb.ransnet.com 172.16.60.101 rewrite
!
#exempt DNAT for HSG local IP or other resource
firewall-dnat 00 exempt all src 192.168.50.248/32
firewall-dnat 01 exempt all dst 2.1.2.1
firewall-dnat 02 exempt all dst 61.8.193.99
#use DNAT to intercept web requests and forward everything else to HSG local proxy services
firewall-dnat 03 redirect all tcp src 192.168.80.0/24 dport 80 rdport 3128
firewall-dnat 04 redirect all tcp src 192.168.80.0/24 dport 443 rdport 3129
!
firewall-input 01 permit all tcp dport 3128
firewall-input 02 permit all tcp dport 3129
!
#use HSG proxy-server to re-route browsing request to Menlo MSIP platform
security proxy-server
  proxy-access 10 permit src 192.168.80.0/24 remark "permitted LAN for proxy access"
  proxy-chain safeweb.ransnet.com port 3129 proxy-access 10 remark "chain to Menlo"
  proxy-chain safeweb.ransnet.com port 3129 proxy-access 10 remark "chain to Menlo"
  start
!
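A small consistency check for the DNAT and proxy section above, added here as an example and not part of RansNet's HSG tooling. It assumes the command grammar shown on this page and that firewall-dnat rules are matched in numeric order; the sample configuration is constructed, with the firewall-input permit for port 3129 deliberately left out so the check has something to report.

```python
import re
from ipaddress import ip_network

# Constructed sample in the HSG command grammar shown above, one command per line.
# The firewall-input permit for 3129 is deliberately omitted so the linter reports it.
SAMPLE_CONFIG = """
firewall-dnat 00 exempt all src 192.168.50.248/32
firewall-dnat 01 exempt all dst 2.1.2.1
firewall-dnat 03 redirect all tcp src 192.168.80.0/24 dport 80 rdport 3128
firewall-dnat 04 redirect all tcp src 192.168.80.0/24 dport 443 rdport 3129
firewall-input 01 permit all tcp dport 3128
"""

EXEMPT = re.compile(r"^firewall-dnat (\d+) exempt all (src|dst) (\S+)$")
REDIRECT = re.compile(r"^firewall-dnat (\d+) redirect all tcp src (\S+) dport (\d+) rdport (\d+)$")
INPUT_PERMIT = re.compile(r"^firewall-input \d+ permit all tcp dport (\d+)$")


def lint_hsg_config(text):
    """Return a list of findings; an empty list means the snippet is consistent."""
    exempts, redirects, permitted, findings = [], [], set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := EXEMPT.match(line):
            exempts.append((int(m[1]), m[2], m[3]))
        elif m := REDIRECT.match(line):
            try:
                net = ip_network(m[2])  # strict: host bits set means a mistyped prefix
            except ValueError:
                findings.append(f"dnat {int(m[1]):02d}: src {m[2]} is not a valid network")
                continue
            redirects.append((int(m[1]), net, int(m[3]), int(m[4])))
        elif m := INPUT_PERMIT.match(line):
            permitted.add(int(m[1]))
    # Intercepted traffic terminates on the HSG itself, so each rdport needs an input permit.
    for num, _net, _dport, rdport in redirects:
        if rdport not in permitted:
            findings.append(f"dnat {num:02d}: rdport {rdport} has no firewall-input permit")
    # Assumption: rules are matched in numeric order, so an exemption numbered after the
    # first redirect never fires and that host is silently forced through the proxy.
    if redirects:
        first_redirect = min(num for num, *_ in redirects)
        for num, kind, addr in exempts:
            if num > first_redirect:
                findings.append(f"dnat {num:02d}: exempt {kind} {addr} is ordered after redirect {first_redirect:02d}")
    return findings
```

Run it against the HSG configuration dump before pushing a change: a missing input permit for a redirect port leaves browsers hanging on the intercepted connection rather than failing over to Menlo.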