hivemind
Level 7

Limiting the browsers supported by Web Gateway 7.2

Hello everyone,

I am planning a rollout of Web Gateway 7.2 to our users and enforcing it as a mandatory proxy through a proxy PAC sent down to them via Group Policy (WCCP is not an option, unfortunately).

Furthermore, I have extended Group Policy to include the Google Chrome and Firefox GPO extensions; seems to be working fine so far.

I have been wondering: is it possible to limit from within Web Gateway which browsers it will support, so it only accepts connections from Internet Explorer, Google Chrome and Firefox?

It is something that's just a tick box in IPCop and Squid, but I can't find any rule for it in McAfee Gateway 7.2 or any mention of 'browser' based properties for that matter.

Thanks in advance for tips on your experiences.

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Limiting the browsers supported by Web Gateway 7.2

Yes, you can. But you have to maintain the list yourself.

You would have to create a rule that uses criteria such as:

Header.Request.Get ("User-Agent") does not match in list "AllowedBrowsers: User Agents"

Action: Block

This is a wildcard list where you would put in values like:

Mozilla/*Firefox/*

Mozilla/*Trident/*

Mozilla/*Chrome/*

etc.

When you have only a check-box solution, you cannot get very granular and make changes. If you limit it to just a browser checkmark, what happens when a particular browser is vulnerable and you want to block the specific version? If you limit to only browsers, you will block content from Flash, Java, iTunes, Adobe Reader, etc.

That's why it is preferred to make your own specific list.

10 Replies
hivemind
Level 7

Re: Limiting the browsers supported by Web Gateway 7.2

Ah yes, I see.

That makes sense. I will try creating rules around the Header.Request.Get ("User-Agent") parameters.

Thanks for the tips also on the considerations to make for other applications that would become affected, very useful.

0 Kudos
cscoup8
Level 9

Re: Limiting the browsers supported by Web Gateway 7.2

eelsasser wrote:

[...]

When you have only a check-box solution, you cannot get very granular and make changes. If you limit it to just a browser checkmark, what happens when a particular browser is vulnerable and you want to block the specific version? If you limit to only browsers, you will block content from Flash, Java, iTunes, Adobe Reader, etc.

Java and iTunes send a unique user-agent string with version information, but how would one go about blocking Adobe Flash and Reader, or more specifically, outdated versions of Flash and Reader?

0 Kudos
asabban
Level 17

Re: Limiting the browsers supported by Web Gateway 7.2

Hello,

We have wanted to block outdated plugins for a while but so far do not have a good way to do it. It would require a part on the client that tells MWG the version of the plugins or requires the client to visit a pre-defined welcome page once a day to check the plugin version, and then block him until he has the correct versions installed.

Unfortunately there is no smart way (that I am aware of) to collect the versions of the plugins in real-time and block users running old plug-ins. There are several ideas moving around which could improve this in the future, but at the moment it is rather complicated to set up.

Best,

Andre

0 Kudos
McAfee Employee

Re: Limiting the browsers supported by Web Gateway 7.2

Hi All,

This is an interesting concept that I've seen in the Firefox plugin checker:

https://www.mozilla.org/en-US/plugincheck/

It checks the plugins installed in the browser and gives you a pretty report with action to take.

I haven't explored how it detects these things though. I'm wondering if it invokes something in the browser to get a response from the plugin and determine its version. Or perhaps it has a better user-agent detection.

The help page seems to indicate it uses some sort of JavaScript detection mechanism:

https://www.mozilla.org/en-US/plugincheck/more_info.html

IE has limited support because it requires ActiveX code to run properly. Theoretically this could be done with a welcome page as Andre described, using JavaScript for non-IE browsers.

Best,

Jon

0 Kudos
asabban
Level 17

Re: Limiting the browsers supported by Web Gateway 7.2

Hello,

Or use our plugin check (still beta):

http://www.browser-info.net/

We had some ideas of creating a welcome page which embeds the browser check, e.g. if you start your browser you have to pass a plugin check. After that is performed MWG will grant access based on installed plugins/versions and/or browser/OS versions.

Best,

Andre

0 Kudos
cscoup8
Level 9

Re: Limiting the browsers supported by Web Gateway 7.2

It is funny you mention that. I've been looking into the Firefox plugin check as well and wondering if there would be a way to incorporate something like that into our block pages so that whenever a block page appears there is a small area that shows the health of your web browser plugins. It wouldn't be as protective as a mandatory welcome page but perhaps not as invasive.

Ironically, we can get ideas on how to incorporate vulnerable plugin detection schemes by looking at things such as the Black Hole exploit kit and examining how that kit manages to detect the versions of your plugins and send exploits only for the vulnerable versions. Here is the analysis of it: http://blog.imperva.com/2011/12/deconstructing-the-black-hole-exploit-kit.html

0 Kudos
pbrickey
Level 11

Re: Limiting the browsers supported by Web Gateway 7.2

Hi Cscoup8,

From what I've seen, Flash sends a header called x-flash-version in the request rather than using a custom user-agent. Therefore, you can use the same criteria, Header.Request.Get ("x-flash-version"), to block older versions of the Flash plugin. I can't be sure that this is always included for 100% of requests. I haven't checked for Reader.

-Patrick

0 Kudos
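
An offline dry run of the two checks discussed in this thread (the "AllowedBrowsers" wildcard list from the accepted answer and the x-flash-version check above), added here as an example; it is not part of any post and is not Web Gateway rule syntax. It assumes Python's fnmatch approximates the gateway's wildcard matching and that x-flash-version carries comma-separated numbers; the sample headers, the extra "Java/*" and "iTunes/*" entries and the minimum version are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Wildcard entries quoted in the accepted answer.
ALLOWED_BROWSERS = ["Mozilla/*Firefox/*", "Mozilla/*Trident/*", "Mozilla/*Chrome/*"]
# Assumed site-specific additions so non-browser clients keep working.
ALLOWED_APPS = ["Java/*", "iTunes/*"]
MIN_FLASH = (11, 0, 0, 0)  # constructed placeholder, not a recommended floor


def parse_flash_version(value):
    """Parse x-flash-version (assumed form '11,5,502,146'); None if malformed."""
    try:
        return tuple(int(part) for part in value.replace(".", ",").split(","))
    except ValueError:
        return None


def evaluate(headers, allowlist=ALLOWED_BROWSERS + ALLOWED_APPS, min_flash=MIN_FLASH):
    """Return (action, reason) as the two block rules would decide it."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ua = h.get("user-agent", "")
    if not any(fnmatchcase(ua, pattern) for pattern in allowlist):
        return "block", "user-agent not in allowlist"
    flash = h.get("x-flash-version")
    if flash is not None:  # the header is not guaranteed on every request
        version = parse_flash_version(flash)
        if version is None:
            return "block", "unparseable x-flash-version"  # design choice: fail closed
        if version < min_flash:
            return "block", "flash older than minimum"
    return "allow", "ok"


# Constructed sample requests (not taken from real logs).
IE9 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SAMPLES = {
    "firefox": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"},
    "ie9": {"User-Agent": IE9},
    "ie9-old-flash": {"User-Agent": IE9, "x-flash-version": "10,3,183,10"},
    "java": {"User-Agent": "Java/1.7.0_09"},
    "opera": {"User-Agent": "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.11"},
}


def dry_run(allowlist=ALLOWED_BROWSERS + ALLOWED_APPS):
    """Map each sample name to the action it would receive."""
    return {name: evaluate(h, allowlist)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    print("browsers only:", dry_run(ALLOWED_BROWSERS))
    print("browsers+apps:", dry_run())
```

User-Agent and x-flash-version are both supplied by the client, so this models policy for managed software rather than an authentication check.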
cscoup8
Level 9

Re: Limiting the browsers supported by Web Gateway 7.2

Awesome information about the x-flash-version.  Thank you.

0 Kudos