Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
1792 Views 9 Replies Latest reply: Oct 9, 2012 7:30 AM by Troja RSS
satbir Apprentice 85 posts since
Oct 9, 2011
Currently Being Moderated

Oct 9, 2011 9:39 AM

how to enable progressive lock-out in MWG7

Hi Folks!

 

I have tried to find out progressive lock-out configuration in available mwg7 guides but couldn't get it....Where is its configuration option in MWG7.x versions. Please help!

 

Regards,

Satbir


SS
  • ittech Champion 448 posts since
    Jan 25, 2010
    Currently Being Moderated
    1. Oct 10, 2011 8:32 AM (in response to satbir)
    Re: how to enable progressive lock-out in MWG7

    Forgive me, but what is progressive lock-out?

  • asabban McAfee SME 1,357 posts since
    Nov 3, 2009
    Currently Being Moderated
    2. Oct 10, 2011 9:26 AM (in response to satbir)
    Re: how to enable progressive lock-out in MWG7

    Hello,

     

    as far as I know "Progressive Lockout" describes that a "policy violation" (Malware download, access of forbidden URLs, etc.) may only occur a couple of times, before a user is completely locked and will prevented from accessing the internet and/or an administrator will be informed. Also allowing a user to violate your policy a couple of times and then block him may be an option.

     

    If this is what we are talking about, please let me know. I have a description and a sample rule set available.

     

    best,

    Andre

  • asabban McAfee SME 1,357 posts since
    Nov 3, 2009
    Currently Being Moderated
    4. Oct 12, 2011 2:39 AM (in response to satbir)
    Re: how to enable progressive lock-out in MWG7

    Hello,

     

    allright I have some notes for the "Progressive Lockout", you may need to adjust it to your needs.

     

    "Block and count attempts.png" shows a rule that blocks requests to a

    URL whose category is listed in the associated list. The event writes

    the number of attempts into PDStorage:

     

    Block and count attempts.png.png

     

    There is a User-Defined property used to do the "+1" calculation. This

    rule is used to "count" the attempts of a user to access an URL with

    restricted access.

     

    I have used a modified error template here, and added the content of the

    PDStorage container. Doing so you can see "how often" you have accessed

    the blocked URL (see "Show connection attempts.png"):

     

    Show connection attempts.png.png

     

    Additionally I have created a rule set which handles the PDStorage

    value. I have attached a Screenshot "Grab Progressive Lockout.png" and

    the XML source for this rule set:

     

    Grab Progressive Lockout.png

     

    It has two features:

     

    - When a user accessed a blocked ressource 10 times, it will send an

    eMail to the admin:

     

    -- snip --

    Subject: WARNING: User CN=Andre Sabban,CN=Users,DC=McAfee,DC=local has

    exceeded Progressive Lockout threshold

     

    Body: Dear Admin,

     

    the user with Client IP 192.168.122.163 and name "CN=Andre

    Sabban,CN=Users,DC=McAfee,DC=local" has exceeded the allowed number of

    Progressive Lockout attempts of 10.

     

    Best,

    MWG at MWG7-4

    -- snip --

     

    The second rule verified the number of attempts, and once you passed

    "20" attempts, you receive a block page that tells you that you have

    been "locked out" (see Locked out.png). Depending on where you place it,

    it will block ALL connection attempts, even to allowed sites (which is

    the use of Progressive Lockout).

     

    In my example you can see where I have placed this rule set and it will

    only allow URLs which are whitelisted by the global whitelist.

     

    Important to note is that I placed the rule set after authentication was

    done - this is required since the Progressive Lockout won´t know the

    user otherwise.

     

    Please also note that in the rule set I have used "equals 10" and

    "greater than or equals 20" for the rules. This is very important.

     

    If you don´t use "equals" for the eMail rule, you will get an eMail for

    each connection attempt. If you use "equals" for the block rule, only

    the "20th" access will be blocked - the "21st" will go through.

     

    Lockout (PDStorage) data will be kept for 1 day. You can configure this

    in the Settings container that belongs to the PDStorage calls.

     

    I hope this helps to get started. I will document this and make a nice

    exmaple for the rule library, but this will take some more days.

     

    Let me know if there are any questions or if there is any feedback.

     

    Best,

    Andre

     

    Nachricht geändert durch asabban on 12.10.11 02:39:22 CDT
  • ittech Champion 448 posts since
    Jan 25, 2010
    Currently Being Moderated
    6. Oct 12, 2011 7:09 AM (in response to asabban)
    Re: how to enable progressive lock-out in MWG7

    If someone was to get locked out, let's say the CEO is extra curious today, is there a way to unlock them or do they just have to wait until tomorrow?

  • asabban McAfee SME 1,357 posts since
    Nov 3, 2009
    Currently Being Moderated
    7. Oct 12, 2011 7:29 AM (in response to ittech)
    Re: how to enable progressive lock-out in MWG7

    Hello,

     

    actually you cannot control the progressive lockout in a comfortable way from the UI. I see a couple of options to unlock a user again:

     

    - Wait the time until he is unlocked again

    - Remove the file which holds the data from the disk (will most likely require a restart)

    - Add a rule which calls a "PDStorage.DeleteUserData", and removes the content for Progressive Lockout for this user. This can be done by an Admin for example, after the user confessed he did something bad and wants access again.

     

    So in summary:

     

    Is it possible to unlock a user again? Yes

    Is there a nice frontend to select a user and click "unlock"? No

     

    BEst,

    Andre

  • cnewman McAfee SME 40 posts since
    Jan 31, 2011
    Currently Being Moderated
    8. Oct 18, 2011 6:28 PM (in response to ittech)
    Re: how to enable progressive lock-out in MWG7

    Hi *,

     

    I've also had a request to create something like this, and figure not being able to reset the lockout could be a pretty major problem. What I decided to do was create a token when the user gets locked out and then email that token to the administrator in a parameter on the url. This way the admin can clear out the lock, but any old user couldn't just unlock themselves by going to a specific url.

     

    Basically when a user gets locked out we send an email that has a link in it that the administrator can click on and unlock the user.

     

    1) user gets locked out

     

    2) admin gets an email that says user X has been locked out, please click

    http://proxy ip:proxyport/mwg-lockout/unlock?User=X&Token=<a really long somewhat unique string that noone else knows>

     

    3) admin clicks on the link which goes to the webgateway and is caught, the token is validated and the user gets a fresh start.

     

    There is also logging of lockouts and unlocks.

     

    Order does matter, I would probably put the unlock and the lock user out rulesets close to the top and put the category block where the regular URL filtering is.

     

    Caveats:

    1) This is dependent (I believe) on authentication although could be modified for unauthenticated environments.

    2) Progressive lockout is highly dangerous. Certain sites (facebook and twitter in particular) have links all over the internet and you could accidently lock someone out if you enabled this for, say, social networking.

     

    Buyer beware.

     

    Please tell me what you think or if you have any concerns regarding this.

     

    Regards,

     

    --CN

    Attachments:
  • Troja Champion 257 posts since
    Aug 26, 2010
    Currently Being Moderated
    9. Oct 9, 2012 7:30 AM (in response to cnewman)
    Re: how to enable progressive lock-out in MWG7

    Hi all,

    i have also a problem with overload at a customer, but i don´t know if this could be resolved with progressive lockout.

     

    Scenario:

    • MWG is authenticating any webrequest
    • Some applications are not aware to answer the 407 response and starting to request the internet content again and again. Some software products are generating 300 and more requests per second.

     

    This is a real problem. Because most time IT does not know which applications are installed on a client anywhere within the organization.

    I think, blocking such a client directly with progressive lockout does not solve the problem.

     

    Is it possible to automatically generate a network protection rule to block such a client??

    Any Ideas?

     

    Regards,

    Thorsten

More Like This

  • Retrieving data ...

Bookmarked By (1)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points