9 Replies Latest reply: Oct 9, 2012 7:30 AM by Troja RSS

    how to enable progressive lock-out in MWG7

    satbir

      Hi Folks!

       

      I have tried to find out progressive lock-out configuration in available mwg7 guides but couldn't get it....Where is its configuration option in MWG7.x versions. Please help!

       

      Regards,

      Satbir

        • 1. Re: how to enable progressive lock-out in MWG7
          ittech

          Forgive me, but what is progressive lock-out?

          • 2. Re: how to enable progressive lock-out in MWG7
            asabban

            Hello,

             

            as far as I know "Progressive Lockout" describes that a "policy violation" (Malware download, access of forbidden URLs, etc.) may only occur a couple of times, before a user is completely locked and will prevented from accessing the internet and/or an administrator will be informed. Also allowing a user to violate your policy a couple of times and then block him may be an option.

             

            If this is what we are talking about, please let me know. I have a description and a sample rule set available.

             

            best,

            Andre

            • 3. Re: how to enable progressive lock-out in MWG7
              satbir

              Yes, that's excatly what i am looking for! It would be great if you can share rule-sets...Many thanks in advance!

               

              Regards,

              Satbir

               

              Message was edited by: satbir on 10/10/11 10:41:25 AM CDT
              • 4. Re: how to enable progressive lock-out in MWG7
                asabban

                Hello,

                 

                allright I have some notes for the "Progressive Lockout", you may need to adjust it to your needs.

                 

                "Block and count attempts.png" shows a rule that blocks requests to a

                URL whose category is listed in the associated list. The event writes

                the number of attempts into PDStorage:

                 

                Block and count attempts.png.png

                 

                There is a User-Defined property used to do the "+1" calculation. This

                rule is used to "count" the attempts of a user to access an URL with

                restricted access.

                 

                I have used a modified error template here, and added the content of the

                PDStorage container. Doing so you can see "how often" you have accessed

                the blocked URL (see "Show connection attempts.png"):

                 

                Show connection attempts.png.png

                 

                Additionally I have created a rule set which handles the PDStorage

                value. I have attached a Screenshot "Grab Progressive Lockout.png" and

                the XML source for this rule set:

                 

                Grab Progressive Lockout.png

                 

                It has two features:

                 

                - When a user accessed a blocked ressource 10 times, it will send an

                eMail to the admin:

                 

                -- snip --

                Subject: WARNING: User CN=Andre Sabban,CN=Users,DC=McAfee,DC=local has

                exceeded Progressive Lockout threshold

                 

                Body: Dear Admin,

                 

                the user with Client IP 192.168.122.163 and name "CN=Andre

                Sabban,CN=Users,DC=McAfee,DC=local" has exceeded the allowed number of

                Progressive Lockout attempts of 10.

                 

                Best,

                MWG at MWG7-4

                -- snip --

                 

                The second rule verified the number of attempts, and once you passed

                "20" attempts, you receive a block page that tells you that you have

                been "locked out" (see Locked out.png). Depending on where you place it,

                it will block ALL connection attempts, even to allowed sites (which is

                the use of Progressive Lockout).

                 

                In my example you can see where I have placed this rule set and it will

                only allow URLs which are whitelisted by the global whitelist.

                 

                Important to note is that I placed the rule set after authentication was

                done - this is required since the Progressive Lockout won´t know the

                user otherwise.

                 

                Please also note that in the rule set I have used "equals 10" and

                "greater than or equals 20" for the rules. This is very important.

                 

                If you don´t use "equals" for the eMail rule, you will get an eMail for

                each connection attempt. If you use "equals" for the block rule, only

                the "20th" access will be blocked - the "21st" will go through.

                 

                Lockout (PDStorage) data will be kept for 1 day. You can configure this

                in the Settings container that belongs to the PDStorage calls.

                 

                I hope this helps to get started. I will document this and make a nice

                exmaple for the rule library, but this will take some more days.

                 

                Let me know if there are any questions or if there is any feedback.

                 

                Best,

                Andre

                 

                Nachricht geändert durch asabban on 12.10.11 02:39:22 CDT
                • 5. Re: how to enable progressive lock-out in MWG7
                  satbir

                  Thanks a lot!

                   

                  Regards,

                  Satbir

                  • 6. Re: how to enable progressive lock-out in MWG7
                    ittech

                    If someone was to get locked out, let's say the CEO is extra curious today, is there a way to unlock them or do they just have to wait until tomorrow?

                    • 7. Re: how to enable progressive lock-out in MWG7
                      asabban

                      Hello,

                       

                      actually you cannot control the progressive lockout in a comfortable way from the UI. I see a couple of options to unlock a user again:

                       

                      - Wait the time until he is unlocked again

                      - Remove the file which holds the data from the disk (will most likely require a restart)

                      - Add a rule which calls a "PDStorage.DeleteUserData", and removes the content for Progressive Lockout for this user. This can be done by an Admin for example, after the user confessed he did something bad and wants access again.

                       

                      So in summary:

                       

                      Is it possible to unlock a user again? Yes

                      Is there a nice frontend to select a user and click "unlock"? No

                       

                      BEst,

                      Andre

                      • 8. Re: how to enable progressive lock-out in MWG7

                        Hi *,

                         

                        I've also had a request to create something like this, and figure not being able to reset the lockout could be a pretty major problem. What I decided to do was create a token when the user gets locked out and then email that token to the administrator in a parameter on the url. This way the admin can clear out the lock, but any old user couldn't just unlock themselves by going to a specific url.

                         

                        Basically when a user gets locked out we send an email that has a link in it that the administrator can click on and unlock the user.

                         

                        1) user gets locked out

                         

                        2) admin gets an email that says user X has been locked out, please click

                        http://proxy ip:proxyport/mwg-lockout/unlock?User=X&Token=<a really long somewhat unique string that noone else knows>

                         

                        3) admin clicks on the link which goes to the webgateway and is caught, the token is validated and the user gets a fresh start.

                         

                        There is also logging of lockouts and unlocks.

                         

                        Order does matter, I would probably put the unlock and the lock user out rulesets close to the top and put the category block where the regular URL filtering is.

                         

                        Caveats:

                        1) This is dependent (I believe) on authentication although could be modified for unauthenticated environments.

                        2) Progressive lockout is highly dangerous. Certain sites (facebook and twitter in particular) have links all over the internet and you could accidently lock someone out if you enabled this for, say, social networking.

                         

                        Buyer beware.

                         

                        Please tell me what you think or if you have any concerns regarding this.

                         

                        Regards,

                         

                        --CN

                        • 9. Re: how to enable progressive lock-out in MWG7
                          Troja

                          Hi all,

                          i have also a problem with overload at a customer, but i don´t know if this could be resolved with progressive lockout.

                           

                          Scenario:

                          • MWG is authenticating any webrequest
                          • Some applications are not aware to answer the 407 response and starting to request the internet content again and again. Some software products are generating 300 and more requests per second.

                           

                          This is a real problem. Because most time IT does not know which applications are installed on a client anywhere within the organization.

                          I think, blocking such a client directly with progressive lockout does not solve the problem.

                           

                          Is it possible to automatically generate a network protection rule to block such a client??

                          Any Ideas?

                           

                          Regards,

                          Thorsten