hivemind Newcomer 4 posts since
May 24, 2012

Sep 26, 2012 5:54 AM

Limiting the browsers supported by Web Gateway 7.2

Hello everyone,

 

I am planning a rollout of Web Gateway 7.2 to our users and enforcing it as a mandatory proxy through a proxy PAC sent down to them via Group Policy (WCCP is not an option, unfortunately).

 

Furthermore, I have extended Group Policy to include the Google Chrome and Firefox GPO extensions; seems to be working fine so far.

 

 

I have been wondering: is it possible to limit from within Web Gateway which browsers it will support, so it only accepts connections from Internet Explorer, Google Chrome and Firefox?

 

It is something that's just a tick box in IPCop and Squid, but I can't find any rule for it in McAfee Gateway 7.2 or any mention of 'browser' based properties for that matter.

 

 

Thanks in advance for tips on your experiences.

  • eelsasser McAfee SME 842 posts since
    Mar 24, 2010
    1. Sep 26, 2012 7:46 AM (in response to hivemind)
    Re: Limiting the browsers supported by Web Gateway 7.2

    Yes, you can. But you have to maintain the list yourself.

    You would have to create a rule that uses criteria such as:

     

     

    Header.Request.Get ("User-Agent") does not match in list "AllowedBrowsers: User Agents"

    Action: Block

     

    This is a wildcard list where you would put in values like:

    Mozilla/*Firefox/*

    Mozilla/*Trident/*

    Mozilla/*Chrome/*

    etc.

     

    When you have only a check-box solution, you cannot get very granular and make changes. If you limit it to just a browser checkmark, what happens when a particular browser is vulnerable and you want to block the specific version? If you limit to only browsers, you will block content from Flash, Java, iTunes, Adobe Reader, etc.

     

    That's why it is preferred to make your own specific list.
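
The rule described in the post above, modelled as an added example (not part of the original thread and not McAfee's code). It assumes the wildcard list behaves like shell-style globbing and that a missing header reads as an empty string; the sample User-Agent strings, `ALLOWED_HELPERS` and `BLOCKED_VERSIONS` are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Wildcard entries quoted in the post above ("AllowedBrowsers: User Agents").
ALLOWED_BROWSERS = ["Mozilla/*Firefox/*", "Mozilla/*Trident/*", "Mozilla/*Chrome/*"]

# Constructed extras showing what a self-maintained list makes possible:
# non-browser clients to permit, and one browser version to refuse.
ALLOWED_HELPERS = ["Java/*", "iTunes/*"]
BLOCKED_VERSIONS = ["Mozilla/*Firefox/3.*"]

# Constructed sample requests (User-Agent header values only).
SAMPLES = {
    "firefox19": "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
    "firefox3": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
                "Gecko/20100115 Firefox/3.6",
    "ie9": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "chrome25": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 "
                "(KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22",
    "java": "Java/1.7.0_17",
    "itunes": "iTunes/11.0.2 (Windows; Microsoft Windows 7)",
    "no_header": "",
}


def matches_any(value, patterns):
    """True if value matches at least one wildcard pattern (case-sensitive)."""
    return any(fnmatchcase(value, p) for p in patterns)


def decide(user_agent, allowed=ALLOWED_BROWSERS, blocked=()):
    """Return 'Block' or 'Allow' for one request's User-Agent value."""
    ua = user_agent or ""
    if matches_any(ua, blocked):        # explicit version block wins
        return "Block"
    if not matches_any(ua, allowed):    # "does not match in list" -> Block
        return "Block"
    return "Allow"


def evaluate(allowed=ALLOWED_BROWSERS, blocked=()):
    """Run every constructed sample through the rule."""
    return {name: decide(ua, allowed, blocked) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    print("browsers only :", evaluate())
    print("with helpers  :", evaluate(ALLOWED_BROWSERS + ALLOWED_HELPERS, BLOCKED_VERSIONS))
```

With the three browser entries alone, the Java and iTunes samples are blocked, which is the side effect the post warns about. The header is set by the client, so the rule restricts cooperating software rather than authenticating it.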

  • cscoup8 Newcomer 34 posts since
    Nov 13, 2012

    eelsasser wrote:

     

    [...]

     

    When you have only a check-box solution, you cannot get very granular and make changes. If you limit it to just a browser checkmark, what happens when a particular browser is vulnerable and you want to block the specific version? If you limit to only browsers, you will block content from Flash, Java, iTunes, Adobe Reader, etc.

     

    Java and iTunes send a unique user-agent string with version information, but how would one go about blocking Adobe Flash and Reader, or more specifically, outdated versions of Flash and Reader?

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009
    4. Mar 7, 2013 6:26 AM (in response to cscoup8)
    Re: Limiting the browsers supported by Web Gateway 7.2

    Hello,

     

    We have wanted to block outdated plugins for a while, but so far do not have a good way to do it. It would require a part on the client that tells MWG the version of the plugins or requires the client to visit a pre-defined welcome page once a day to check the plugin version, and then block him until he has the correct versions installed.

     

    Unfortunately there is no smart way (that I am aware of) to collect the versions of the plugins in real-time and block users running old plug-ins. There are several ideas moving around which could improve this in the future, but at the moment it is rather complicated to set up.

     

    Best,

    Andre

  • pbrickey McAfee Employee 79 posts since
    Oct 13, 2011
    5. Mar 11, 2013 12:29 PM (in response to cscoup8)
    Re: Limiting the browsers supported by Web Gateway 7.2

    Hi Cscoup8,

     

    From what I've seen, Flash sends a header called x-flash-version in the request rather than using a custom user-agent. Therefore, you can use the same criteria, Header.Request.Get ("x-flash-version"), to block older versions of the Flash plugin. I can't be sure that this is always included for 100% of requests. I haven't checked for Reader.

     

    -Patrick

  • cscoup8 Newcomer 34 posts since
    Nov 13, 2012
    6. Mar 12, 2013 6:44 PM (in response to pbrickey)
    Re: Limiting the browsers supported by Web Gateway 7.2

    Awesome information about the x-flash-version.  Thank you.

  • cscoup8 Newcomer 34 posts since
    Nov 13, 2012
    7. Mar 20, 2013 8:18 PM (in response to pbrickey)
    Re: Limiting the browsers supported by Web Gateway 7.2

    FYI: I haven't done extensive testing, but the x-flash-version doesn't appear to get sent for Flash that is displayed in Firefox. For Internet Explorer there seem to be certain scenarios where it doesn't send x-flash-version either; however, using this field is definitely useful and catches a lot of it.

     

    Using Wireshark I haven't seen any identifier related to Adobe Reader plugin version information including whether PDF files are displayed within the web browser window or not. But given that certain browsers now include a native PDF viewer, this might become less important.
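
The x-flash-version check suggested by pbrickey, combined with the observation above that the header is sometimes absent, as an added example (not part of the original thread and not McAfee's code). It assumes the header value is four comma-separated numbers; `MINIMUM_FLASH`, the sample requests and the decision to block unparsable values are constructed assumptions.

```python
# Constructed placeholder: the oldest Flash release the policy accepts.
MINIMUM_FLASH = (11, 6, 602, 171)


def parse_flash_version(value):
    """Parse 'major,minor,build,revision' into a tuple of ints, else None."""
    if not value:
        return None
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def flash_decision(headers, minimum=MINIMUM_FLASH):
    """Return 'Allow', 'Block' or 'NoVersionInfo' for one request.

    headers: dict of request header names to values (names are case-insensitive).
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-flash-version"), None)
    if value is None:
        # Header not sent (reported above for Firefox and some IE cases):
        # this rule cannot decide, so another rule has to.
        return "NoVersionInfo"
    version = parse_flash_version(value)
    if version is None:
        return "Block"                   # assumption: unparsable value fails closed
    # Tuples compare number by number; comparing the raw strings would rank
    # "9,0,124,0" above "11,6,602,171" because "9" sorts after "1".
    return "Block" if version < minimum else "Allow"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0)", "x-flash-version": "9,0,124,0"},
    {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0)", "X-Flash-Version": "11,6,602,171"},
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"},
    {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0)", "x-flash-version": "unknown"},
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(flash_decision(request), request.get("User-Agent"))
```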

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    8. Mar 20, 2013 9:48 PM (in response to asabban)
    Re: Limiting the browsers supported by Web Gateway 7.2

    Hi All,

     

    This is an interesting concept that I've seen for the Firefox plugin checker:

    https://www.mozilla.org/en-US/plugincheck/

     

    It checks the plugins installed in the browser and gives you a pretty report with action to take.

     

    I haven't explored how it detects these things though. I'm wondering if it invokes something in the browser to get a response from the plugin and determine its version. Or perhaps it has a better user-agent detection.

     

    The help page seems to indicate it uses some sort of javascript detection mechanism:

    https://www.mozilla.org/en-US/plugincheck/more_info.html

     

    IE has limited support because it requires ActiveX code to run properly. Theoretically this could be done with a welcome page as Andre described, using JavaScript for non-IE browsers.

     

    Best,

    Jon

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009

    Hello,

     

    or use our plugin check (still beta):

     

    http://www.browser-info.net/

     

    We had some ideas of creating a welcome page which embeds the browser check, e.g. if you start your browser you have to pass a plugin check. After that is performed MWG will grant access based on installed plugins/versions and/or browser/OS versions.

     

    Best,

    Andre
