So I am faced with a management request that I am not sure how to fulfill. We have just implemented MWG, and we have 2 categories of restricted sites: "black" categories which get a hard block, these are porn, viruses, etc - sites that there is no possible legitimate reason to use, and then we have "grey" categories, those that likely are not business related, but depending on the department or user, possibly could be work related, sites we want to "soft" block.
The goal is this: if a user hits a site that is in a grey category, they will get a block page that gives them the ability to input a business reason to access the site and then bypass the block, this in turn will send an email (basically like the site review page) and allow them to access the site.
The issue I am running into, is how to actually allow the bypass, for a couple of reasons. Obviously we don’t want to have the block page appear for every click on that site, that could become very intrusive for the end-user, not to mention it could generate an enormous number of emails to the HelpDesk. (For example they hit a site where they are researching something for legitimate business and need to view 20 different pages on that site, it would be very intrusive to have to input a business reason for every click on the site) I was able to accomplish the soft block with the built-in rule set for authorized override, but this presented another issue. I tested this with the alcohol category, since we are a retail establishment that carries alcohol, a user could need to access a site in that category.
I went to http://www.absolut.com and was prompted with the auth override page, clicked past, and was able to browse the site - perfect. However, then I went to http://www.jackdaniels.com and did not hot a block page, since the auth override timeout had not been exceeded - this is my main issue. I don’t want to allow the entire category, or worse all categories that we soft block in the authorized override, which is what would happen using the built-in rule set.
Ideally I would like to be able to do something similar to the following, but I am unsure how to accomplish it:
1 - If URL in category list (Black sites) => block no bypass
2 - If URL in URL list (under review sites) => allow (stop set)
3 - If URL in category list (grey sites) => block with bypass - if user inputs a business reason, allow bypass and add url to list 'under review sites' from rule 2
If this isn’t possible, then adjusting the duration of the bypass time to be based on the URL not the category would be the second choice.
Here is a coaching page with comments. You can use it to have someone neter a business justification and then click through to the site.
When a coaching, quota, or authorized override page is clicked through, it is valid for all entries in that selection criteria (usually category). This is why the alcohol example you describe occurs. You open one, it opens them all in that category for a timed period.
You can adjust the timer to as many minutes as you want by hardcoding it into a hidden field on on the page.
But having it prompt per site in the category is a challenge. I think it's been done, but i can't find the community post that describes it. You have to create PDStorage values that track each site+category for the time. But that because an even more daunting challenge because you then have to track what FQDNs feed that site. For example, absolut.com has elements from absolut.com and some images are hosted on avp.absolut.com.
Because avp.absolute.com is embedded intot he main page, it will get the coaching page, but there is no way to render that within the DOM of the main page, so images and other content sill not show up to click on.
You have similar behavior with things like facebook.com and fbcdn.com or twitter.com and twimg.com. The elements comng fromt he different hosts can't be overridden.
It ultimately becomes a mess and it's just easiest to keep it coached by the high-level categories.
Would it not be possible to grab just the domain, similar to the url belongs to domain, and instead of checking the domain against a list (like using url belongs to domain) adding it to a list?
Is PDStorage the only way to accomplis this? I dont have an issue with it being a perm exception, instead of a time based one. My thought being the following:
1 - if url belongs to domain in list 'Under Review Domains' stop set
2 - if in category black block
3 - if in category grey (which includes alcohol) then coach
4 - if coach post: record business use, send email, convert URL to domain only [absolut.com], create user defined variable 'greylist_domain' and set value to absolut.com, add value for 'greylist_domain' to custom list 'Under Review Domains' and redirect to original url
This may not be at all possible. Admitedly I dont know enough about MWG yet to know if you can dynamically add to a custom list or if you can only add to PD storage.
I get what you are saying about sites that refer to CDN's, but as a followup, IF I was able to implement this using PDStorage or my example, what would be the result of the following:
Resources on www.facebook.com hosted at fbcdn.com and img.facebook.com
If we assume for the sake of this example that we have a working ruleset using something similar to what I have outlined, where we are taking just the domain from the request and greylisting it, what would happen when a user then hits the www page? img.facebook.com would be covered by the domain exemption, but of course fbcdn.com would not be. Would they hit a second consecutive coaching page or would the page load, but the resources that come from fbcdn.com would either not display, or if iframed you would get a page that partially worked with iframe(s) showing the coaching page replacing those elements?
Maybe I am approaching this from the wrong perspective, I am open to suggestions. Here is the goal. Since we came from websense, and we amitedly had a crap implementation, we are trying to ease the user impact. To add insult to injury, we had 6 weeks lined up for a staged rollout, but that has been compressed into 1 week, with a rollout in each office on different days, due to our websense implementation dying fully. So the thought was for those categories that could have no business use, we hard block them. For those that might have business use, especially for one department or another (marketing, buyers, etc) that we would have a soft block for the rest of the questionable categories, and soft block for 30 days. That would ensure that if it was a true legitimate business need, that work would not be affected, and they could bypass, and it would also then give us a chance to review those sites and validate that they are in fact business need. This way if a buyer is visiting liquiorwarehouse.com and gets hit by the alcohol category, then they could bypass it and do work, not have to call the Security team to open it on the spot, and then we could review it daily, so that if someone was bypassing via coaching page to ifunny.com, that we could see that there wasnt a business need.
I have a few concerns with the timed only coach. That means to do this right, I need to create a HUGE rule (or multiples) so that there is a rule or criteria for every grey / coached category, so that bypassing for one category doesnt bypass for another. If it bypasses for multiple categories, then it almost defeats the purpose, because then I may never get a site request during the 30 day coaching for a legit site, because they never hit a coaching page for it.
Thoughts Senior E²?