1722 Views 8 Replies Latest reply: Jan 30, 2013 12:54 PM by al.johnson
abjones Newcomer 10 posts since
Jul 18, 2012

Sep 21, 2012 8:32 AM

Temporary Access to Blocked Website

At times we have users who need temporary access to websites that are being blocked. We would like to incorporate within the blocked message a link that, when clicked, will prompt the user for a username and password that will give temporary access to the blocked website. Is this possible? If so, how do I accomplish this within the ruleset?

 

Thanks.

  • Regis Champion 457 posts since
    Oct 6, 2010
    1. Sep 25, 2012 1:53 PM (in response to abjones)
    Re: Temporary Access to Blocked Website

    Given how notoriously awful users are at making sound security decisions, what's the business case for allowing a user a username/login away from say, malware or pornography?

     

    Assuming there's a good answer to that above, here's how this would work I think.

     

    MWG has a notion of "remotely managed lists" and notions of a customer managed list and McAfee managed lists. I think that's the feature that'll enable you to do what you want somehow.

     

    Are you doing Try-auth or any sort of authentication on the web gateway today?

     

    If so, a remotely managed list of approved override usernames that could be updated via some approval process or custom web app might be able to meet this need. Then, the MWG block page for whatever site in question could certainly be customized to do a redirect or give a link to that custom web app y'all write, and the web app could update that remotely managed list. The MWG can point to that list via the Policy > Lists tab and you can create a new list (such as a string list), check the remotely managed checkbox, check the customer managed radio button, and in setup for the list, point to the ftp/http/https location where the list will be retrieved by the MWG every x minutes. It's all configurable. If your custom web app craps out a list of usernames that are authorized, or a list of IPs that are authorized, you could shim in a ruleset element to allow that username or IP to get to that specific site. Such as a global white list rule near the top or ... something.

  • cestrada Apprentice 92 posts since
    Nov 26, 2010
    2. Sep 26, 2012 1:21 PM (in response to Regis)
    Re: Temporary Access to Blocked Website

    Say, for example, we block the domain Dropbox globally but we have an Executive who requires access (for whatever reason), and instead of whitelisting the domain or his IP address, we figure it would be easier if there was a bypass allow prompt link on the "Block page". This would allow my IT staff to allow access provided you know the passcode (similar to captcha or McAfee DLP "Request DLP Endpoint Bypass").

  • eelsasser McAfee SME 841 posts since
    Mar 24, 2010
    3. Sep 27, 2012 12:12 AM (in response to cestrada)
    Re: Temporary Access to Blocked Website

    There is, actually, a way to do this. I have seen an example of this internally as an experimental demonstration (way before 7.0 was even in beta).

     

    The general work flow is this:

    User hits a page that they really need to get to.

    The page contains a Site Review-like link that contains information about the URL and user, and a justification.

    This data gets emailed to the help desk to authorize the site. But the email has a link to another Authorization block page on-box.

     

    Instead of the Help Desk logging on to the GUI and adding a site to a list, the Authorization block page would:

    Authenticate, so only specific users could whitelist someone else.

    Display the details and have a Submit button that adds the URL to PDStorage for that user.

    The PDStorage has an auto-expiration time of x hours to delete the entry the next day.

     

    The Whitelist rules in general would be in the normal policy to lookup the PDStorage sites as well as the normal static sites.

     

    The original demonstration was actually to show how an admin could whitelist a site for a user from their iPhone while they were at the bar, but you can use a computer at your desk instead.

     

    If anyone is feeling really creative and wants to work out those rules, have at it.
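
The expiring override described in the two replies above (an approver-only grant that lapses after x hours, published as a list the gateway polls), sketched as an added example that is not part of the thread and is not MWG rule code. The approver names, the TTL cap, and the one-username-per-line output are assumptions; match the output to whatever format your list setup expects.

```python
import time

# Constructed sample values: approver names and the TTL cap are assumptions.
APPROVERS = {"helpdesk1", "helpdesk2"}
MAX_TTL_SECONDS = 8 * 3600


class OverrideStore:
    """Time-limited (user, host) grants, exported as a per-host username list."""

    def __init__(self):
        self._grants = {}   # (user, host) -> expiry as epoch seconds
        self.audit = []     # (timestamp, approver, user, host, expiry)

    def grant(self, approver, user, host, ttl_seconds, now=None):
        now = time.time() if now is None else now
        user, host = user.strip().lower(), host.strip().lower()
        if approver not in APPROVERS:
            raise PermissionError(f"{approver} may not approve overrides")
        if approver == user:
            raise PermissionError("approvers cannot approve their own request")
        if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
            raise ValueError("ttl outside allowed range")
        # Reject embedded whitespace so a crafted name cannot add list lines.
        if not user or not host or any(c.isspace() for c in user + host):
            raise ValueError("user and host must be single tokens")
        expiry = now + ttl_seconds
        self._grants[(user, host)] = expiry
        self.audit.append((now, approver, user, host, expiry))
        return expiry

    def purge(self, now=None):
        """Drop expired grants; returns how many were removed."""
        now = time.time() if now is None else now
        expired = [k for k, exp in self._grants.items() if exp <= now]
        for key in expired:
            del self._grants[key]
        return len(expired)

    def render_list(self, host, now=None):
        """Text the gateway would fetch: one username per line (assumed format)."""
        now = time.time() if now is None else now
        self.purge(now)
        users = sorted(u for (u, h) in self._grants if h == host.lower())
        return "\n".join(users) + ("\n" if users else "")
```

Because the gateway only polls the list every x minutes, a grant stays effective for up to one polling interval after it expires here.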

  • moros Newcomer 6 posts since
    Feb 23, 2011
    4. Jan 30, 2013 1:20 AM (in response to abjones)
    Re: Temporary Access to Blocked Website

    I tried to implement a rule like you described above but with no success. Is there any way to obtain the code that you saw in the demo?

  • lubomir.cerny Apprentice 54 posts since
    Feb 8, 2012
    5. Jan 30, 2013 1:32 AM (in response to cestrada)
    Re: Temporary Access to Blocked Website

    We use Active Directory groups to allow specific users to bypass globally blocked sites/categories/content types.

    It is easy to configure, and all VIPs can have a single specific AD security group for fileshare and web access.

  • moros Newcomer 6 posts since
    Feb 23, 2011
    6. Jan 30, 2013 2:08 AM (in response to lubomir.cerny)
    Re: Temporary Access to Blocked Website

    Do you mean that a user can be a member of multiple AD security groups?

  • lubomir.cerny Apprentice 54 posts since
    Feb 8, 2012
    7. Jan 30, 2013 2:22 AM (in response to moros)
    Re: Temporary Access to Blocked Website

    Sure :-)

    We have, e.g., the INTERNET_STREAMING_G and INTERNET_IM_G groups. Specific AD users can be members of one or more such AD groups.

    Then there is a block rule which blocks access if Authentication.UserGroups does not contain "INTERNET_xxxx".

     

    You can see the result of the Authentication.UserGroups function via webadmin - Accounts - Test with current settings form.

  • al.johnson Newcomer 22 posts since
    Dec 16, 2010
    8. Jan 30, 2013 12:54 PM (in response to lubomir.cerny)
    Re: Temporary Access to Blocked Website

    We do the same thing with AD groups. We have 10-12 different groups that provide access to things such as Social_Media, File_sharing, web_ads, etc. that the "normal" user doesn't need for day-to-day activities.

    We also set up a few special groups for the higher level executives that only block viruses, malware, and other really bad things.

     

    Of course, even though the block message tells the user why they can't get to facebook.com, and provides a link to the request application, we still get calls and complaints about the Internet police stopping them from doing their jobs.
