2 Replies Latest reply on Feb 13, 2012 3:59 PM by sliedl

    Allow Facebook / Youtube application while dropping other HTTP access.

      Hi everybody,

      I created two rules on MFE v8.2 as follows, in hierarchical order:

       

      1. Action=Allow, Application=facebook, Src Endpoint=Any, Src Zone=internal, Dest Endpoint=Any, Dest Zone=external, NAT=localhost

      2. Action=Deny, Application=HTTP, Src Endpoint=Any, Src Zone=internal, Dest Endpoint=Any, Dest Zone=external, NAT=localhost

       

      What I intend to do is to allow a certain web application, such as Facebook or YouTube, to be accessed while blocking access to other generic HTTP applications.

       

      Is this possible? I also have further questions, like whether MFE v8.2 can perform as a Web Application Firewall (WAF), wherein it can learn a custom web application, then allow access to this application while blocking all other HTTP traffic on port 80?

       

      Thank you very much in advance for your feedback.

      JC Isidro

      Technical Consultant

        • 1. Re: Allow Facebook / Youtube application while dropping other HTTP access.
          PhilM

          I've not tried it, but theoretically your suggestion makes sense.

           

          Even though the Facebook rule, using the Facebook application, will show the protocol/port as TCP/80, the AppPrism signature is the element which determines whether the traffic it is seeing pass over port 80 is actually Facebook or not.

          So, based on your rule logic, anyone trying to perform generic web browsing may hit the Facebook rule momentarily (as it is using tcp/80), but the AppPrism signature will confirm that it is not Facebook. The traffic will then pass to the next rule in the list, which is for generic HTTP but is a deny rule.

           

          Where this becomes a bit more tricky is that (as I would assume) you do still want to allow users to browse the web. Your current logic would not allow this, as you are denying HTTP. A rule will need to be in place to allow this, and anything conforming to the HTTP protocol standard will be allowed to use this rule, which could be seen as a bit of a catch-22.

          The AppPrism signature database is running at 1366 signatures (and counting). If you want to allow HTTP web browsing, allow Facebook, but deny other generic HTTP-aware web applications, you could look to see whether they are present in the signature database and create an explicit deny rule for the group of applications in question.

           

          -Phil.

          • 2. Re: Allow Facebook / Youtube application while dropping other HTTP access.
            sliedl

            The Facebook application will pass all HTTP traffic that does not match another Application the firewall already has a signature for.

             

            1. Make a rule that Allows the 'facebook' application out.
            2. Try to go to Facebook - you're allowed.
            3. Try to go to CNN.com - you're allowed.
            4. Try to go to Google News - you're denied.
            5. Try to go to Yahoo Finance - you're denied.
            6. Try to go to the Yahoo homepage - you're allowed.

             

            The firewall has application signatures for Google News and Yahoo Finance, so it will not allow you to browse to those sites.  It does not have signatures for CNN or the Yahoo homepage so you are allowed to browse to those sites.  This is regardless of the 'Application Discovery' setting in the Zone configuration (which is for auditing).

             

            If you want to Allow and Block specific sites then SmartFilter is the best option here.
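The following Python model is an added illustration for this thread, not code from the thread's participants or from McAfee. It reproduces the first-match rule evaluation Phil describes and the six-step walkthrough in sliedl's reply, using a constructed signature table and constructed destination hosts. The "catch-all" behaviour of the 'facebook' application (it also matches HTTP that hits no other signature) is taken from sliedl's description, not from any published specification, and the host allow-list at the end is only a sketch of the kind of control a URL filter such as SmartFilter provides, not its actual logic.

```python
"""Toy first-match policy evaluator with application-signature matching.

Added illustration for this thread; not McAfee Firewall Enterprise code.
The signature table is constructed. It encodes the behaviour sliedl
describes: the 'facebook' application also matches HTTP flows that do
not hit any other application signature the firewall knows about.
"""
from dataclasses import dataclass

# Constructed signature table (host suffixes only). The real AppPrism
# database is far larger and not public; this just covers the thread's tests.
SPECIFIC_SIGNATURES = {
    "facebook": ("facebook.com", "fbcdn.net"),
    "google_news": ("news.google.com",),
    "yahoo_finance": ("finance.yahoo.com",),
}

# Applications that, per sliedl's observation, also swallow unclassified HTTP.
CATCH_ALL_APPS = {"facebook"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    host: str  # HTTP Host header of the request


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    application: str  # "HTTP" or a specific application name
    src_zone: str = "internal"
    dst_zone: str = "external"


def _host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def identify_application(flow):
    """Return (specific_app_or_None, is_http). Only tcp/80 is HTTP here;
    the real firewall inspects the payload, but the thread's cases agree."""
    if flow.dst_port != 80:
        return None, False
    for app, suffixes in SPECIFIC_SIGNATURES.items():
        if _host_in(flow.host, suffixes):
            return app, True
    return None, True  # plain HTTP with no specific signature


def rule_matches(rule, app, is_http):
    if rule.application == "HTTP":
        return is_http
    if app == rule.application:
        return True
    # sliedl's point: unclassified HTTP is accepted by the 'facebook' rule too
    return rule.application in CATCH_ALL_APPS and is_http and app is None


def evaluate(policy, flow):
    """First-match evaluation; anything unmatched is implicitly denied."""
    app, is_http = identify_application(flow)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if rule_matches(rule, app, is_http):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# The asker's two rules, in order.
POLICY = [
    Rule("1-allow-facebook", "allow", "facebook"),
    Rule("2-deny-http", "deny", "HTTP"),
]

# Constructed hosts standing in for steps 2-6 of sliedl's reply.
TEST_HOSTS = ["www.facebook.com", "www.cnn.com", "news.google.com",
              "finance.yahoo.com", "www.yahoo.com"]


def walk_through(policy=POLICY):
    """Verdict per host for HTTP flows from the internal zone."""
    return {h: evaluate(policy, Flow("internal", "external", 80, h))[0]
            for h in TEST_HOSTS}


def host_allowlist(flow, allowed=("facebook.com", "fbcdn.net")):
    """Host-based allow-list: the shape of control a URL filter gives.
    Constructed model of the approach sliedl points to, not SmartFilter's logic."""
    _, is_http = identify_application(flow)
    return "allow" if is_http and _host_in(flow.host, allowed) else "deny"


if __name__ == "__main__":
    for host, verdict in walk_through().items():
        print(f"{host:20s} app-signature policy: {verdict}")
    for host in TEST_HOSTS:
        f = Flow("internal", "external", 80, host)
        print(f"{host:20s} host allow-list:      {host_allowlist(f)}")
```

Running it shows why the two-rule policy does not deliver an allow-list: CNN and the Yahoo homepage are allowed by the 'facebook' rule because no more specific signature claims them, while Google News and Yahoo Finance fall through to the HTTP deny rule. In effect rule 1 denies only the applications the firewall can name and allows everything else, which is a deny-list, not the allow-list the asker wanted; the host-based filter at the end decides on the destination instead and gives the intended result.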