2120 Views, 11 Replies. Latest reply: Apr 7, 2014 10:26 PM by btlyric
kent.dyer Newcomer 19 posts since
Aug 1, 2011

Dec 12, 2012 12:41 PM

Ruleset question - read-only dropbox (or any other cloud storage)

Just for grins, say I'm getting beaten on for blocking cloud storage like Dropbox and Skydrive.  (I am.)  We are concerned about data leakage, but so many partners including other agencies are sending my users links to files.

 

I was wondering if anybody has implemented rules that permit read-only access to personal network storage sites, but block uploading of files.  I think this could resolve about 90% of the griping I hear.  I'm not really enjoying having a shouting match with an executive over what I assume he thinks is my power trip, rather than trying to reduce risk...

  • eelsasser McAfee SME 837 posts since
    Mar 24, 2010

    Well, it certainly can be done. It's just a matter of if you want that to be your policy. It's more of a policy decision than a technological one.

     

    Take a look at this video on box.com to see some of the things you can do with MWG.

     

    https://mcafee.box.com/mwg-demo

     

    Part 2 of the demo shows some things about making sites read-only.

  • btlyric Apprentice 184 posts since
    Aug 1, 2012

    Yes. Have done pretty much exactly what you're asking about.

     

    Using Dropbox as example...

     

    Client tries to go to Dropbox site to download file and is presented with a coaching page that both includes corporate acceptable use policy and a reiteration that data on the target service may be stored in multiple countries + file upload and/or creation is prohibited and how frequently the coaching page will reappear.

     

    The page also states that if the client selects the "I Accept" button on the coaching page, they are confirming their acceptance of the specific terms that have been highlighted + the corporate acceptable use policy. Once they select I Accept, they will be redirected to the page originally requested.

     

    There are multiple ways to implement this technically, but my solution looks something like this:

     

    Web Content Filter

    -- Coaching, criteria = Always

         -- Dropbox Download, criteria = URL.Host.BelongsToDomains (Dropbox) equals true and URL.Categories<Default> contains Personal Network Storage. Dropbox domains are defined as dropbox.com and dd.tt.

              -- Coaching Redirect (Dropbox Download), criteria = Quota.Coaching.IsActivationRequest.Strict<Dropbox Download> equals true, action = Redirect

              -- Coaching AUP (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals true, action = Block <AUP Dropbox Download> -- this file contains my display text and the activation of coaching via:     <input class="button" type="button" id="activatebutton" value="I accept." onClick="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.coaching.js.activatesession"/>$">

             -- Upload Block (Dropbox Download), criteria = (Command.Name equals "POST" OR Command.Name equals "PUT") AND (URL.Path does not match in list Read-Only Exceptions AND Media.Type.EnsuredTypes none in list Media Types for Normal Operations), action = Block<Block Upload>.  Read-Only Exceptions includes several wildcard expressions: *login*, *logon*, *logout*, *logoff*, *auth*, *browse*, *comments*, *signup*. Media Types for Normal Operations includes: application/x-empty and application/x-www-form-urlencoded

             -- Coaching Check (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals false, action = Stop Rule Set, events = set User-Defined.CoachedDownloadDropbox = true

     

    The rule set above handles the coaching portion and the upload block.

     

    -- Exceptions (at same level as Coaching), criteria = Always

         -- Dropbox Download Exception, criteria = URL.Host.BelongsToDomains (Dropbox) equals true AND User-Defined.CoachedDownloadDropbox equals true, action = Stop Rule Set, Events = Set User-Defined CategoryException = true

     

    The rule set above takes criteria from the original request and sets a new user defined property.

     

    -- Standard Policy, criteria = User-Defined.CategoryException equals false

       ...normal category block rules based on which categories you are blocking

     

    The rule set above is skipped if the user defined property of CategoryException is true.

     

    CAVEATS and NOTES:

     

    - It's relatively easy to implement this on Dropbox, but there are other sites classified as Personal Network Storage that require much more tweaking of the upload blocking -- Google Docs, for example.

    - This rule set does not absolutely guarantee that you won't leak data. By the nature of how things work, you have to permit x-www-form-urlencoded so that logins to sites will succeed so there's some risk there in that it is not easily verifiable that the data sent via that method is not data that you don't want leaked.

    - Theoretically, you could do a blanket rule for the Personal Network Storage category, but that might not catch all the possibilities (see above re: Google Docs).

    - Because of the way that coaching works, users must have javascript enabled for the destination site so that the coaching will activate.

    - You cannot use the original User-Defined.Coached* property as your determining factor for bypassing the standard policy blocks -- that would mean that if someone had been coached for anything, they would then bypass the standard policy blocks for everything.

    - There is probably a more elegant way to do this.
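As an added illustration (not code from the post above and not MWG's own implementation), the "Upload Block (Dropbox Download)" criteria modelled in plain Python. The `Request` class, the domain/list contents and the sample requests are all constructed here; it shows which requests the rule blocks and why a form-urlencoded POST passes, which is exactly the risk the caveats point out.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# The lists named in the post, written out here as plain tuples.
DROPBOX_DOMAINS = ("dropbox.com", "dd.tt")
READ_ONLY_EXCEPTIONS = ("*login*", "*logon*", "*logout*", "*logoff*",
                        "*auth*", "*browse*", "*comments*", "*signup*")
MEDIA_TYPES_NORMAL_OPS = ("application/x-empty", "application/x-www-form-urlencoded")
UPLOAD_METHODS = ("POST", "PUT")

@dataclass
class Request:
    """Hypothetical stand-in for the MWG properties the rules read."""
    method: str                 # Command.Name
    host: str                   # URL.Host
    path: str                   # URL.Path
    media_types: tuple = ()     # Media.Type.EnsuredTypes
    categories: tuple = ()      # URL.Categories<Default>

def belongs_to_domains(host, domains):
    """Model of URL.Host.BelongsToDomains: host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def upload_block_matches(req):
    """True when 'Upload Block (Dropbox Download)' fires, i.e. the request would be blocked."""
    # Criteria of the enclosing 'Dropbox Download' rule set.
    if not (belongs_to_domains(req.host, DROPBOX_DOMAINS)
            and "Personal Network Storage" in req.categories):
        return False
    if req.method.upper() not in UPLOAD_METHODS:
        return False            # only POST / PUT are upload candidates
    if any(fnmatch(req.path.lower(), p) for p in READ_ONLY_EXCEPTIONS):
        return False            # URL.Path matches in list Read-Only Exceptions
    if any(m.lower() in MEDIA_TYPES_NORMAL_OPS for m in req.media_types):
        return False            # an ensured type is in Media Types for Normal Operations
    return True

def decide(req):
    return "Block <Block Upload>" if upload_block_matches(req) else "no match"

if __name__ == "__main__":
    pns = ("Personal Network Storage",)
    # Constructed samples: a download, a login, a multipart upload, and the form-urlencoded POST from the caveat.
    for r in (Request("GET", "www.dropbox.com", "/s/abc123/report.pdf", ("application/pdf",), pns),
              Request("POST", "www.dropbox.com", "/login", ("application/x-www-form-urlencoded",), pns),
              Request("POST", "dl.dropbox.com", "/upload", ("multipart/form-data",), pns),
              Request("POST", "www.dropbox.com", "/home", ("application/x-www-form-urlencoded",), pns)):
        print(r.method, r.host + r.path, "->", decide(r))
```

The last sample is the gap the caveats describe: a POST that carries data as application/x-www-form-urlencoded is indistinguishable from a login by these criteria, so it is not blocked.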

  • philiprey Newcomer 5 posts since
    Oct 17, 2013

    Trying to revive this post.

     

    I tried creating a rule for blocking only the upload as stated by btlyric. But I could still upload files after I set the rules.

    I didn't include the coaching ruleset since I just need to block the upload and no coaching is needed.

     

    I did the exact rule under "Upload Block" of the above response.

    Is there any rule that I should enable or check first? Say with the SSL Scanner?

     

    I checked the rule trace, and it says there the upload block rule didn't meet my criteria.

    The Command.Name of POST and PUT shows a "false" result.

  • cestrada Apprentice 92 posts since
    Nov 26, 2010

    Can you possibly include the XML ruleset for this. I've tried to replicate and can't seem to get it working. Any assistance is appreciated. This is a *brilliant* idea.

  • eelsasser McAfee SME 837 posts since
    Mar 24, 2010

    I attached a set of rules that can be imported into 7.3.2.3-16052 and above.

     

    Here's the basic rule set. It globally blocks POSTing to the specific categories except for certain users or groups you define. It does not have all the coaching stuff talked about above.

     

     

    Read Only: Web
    Disabled
    Applies to: [] Requests [] Responses [] Embedded Objects
    Criteria: 1: Command.Name equals "POST"

    Rules (Enabled / Rule / Action / Events / Comments):

    -- Enabled: ReadOnly: Allowed Users or ReadOnly: Allowed Groups
         criteria = 1: Authentication.UserName is in list ReadOnly: Allowed Users
                    2: OR Authentication.UserGroups at least one in list ReadOnly: Allowed Groups
         action = Stop Rule Set
         comment = Exception Users or Groups that are allowed to POST

    -- Enabled: ReadOnly: Allowed Domains or ReadOnly: Allowed URLs
         criteria = 1: URL.Host.BelongsToDomains(ReadOnly: Allowed Domains) equals true
                    2: OR URL matches in list ReadOnly: Allowed URLs
         action = Stop Rule Set
         comment = Exception Domains or URLs that are allowed to POST

    -- Enabled: ReadOnly: Categories
         criteria = 1: URL.Categories<URL Filter: Default> at least one in list ReadOnly: Categories
         action = Block<Application Control>
         events = Statistics.Counter.Increment("BlockedByApplControl",1)<Default>
         comment = Categories that are not allowed to POST

    -- Enabled: ReadOnly: Applications
         criteria = 1: Application.Name is in list ReadOnly: Applications
         action = Block<Application Control>
         events = Statistics.Counter.Increment("BlockedByApplControl",1)<Default>
         comment = Applications that are not allowed to POST

    -- Enabled: ReadOnly: Domains or ReadOnly: URLs
         criteria = 1: URL.Host.BelongsToDomains(ReadOnly: Domains) equals true
                    2: OR URL matches in list ReadOnly: URLs
         action = Block<Application Control>
         comment = Domains that are not allowed to POST

    List "ReadOnly: Categories" (Category / Comment):
         1. Blogs / Wiki
         2. Personal Network Storage

    Message was edited by: eelsasser on 1/9/14 7:51:03 PM EST
  • btlyric Apprentice 184 posts since
    Aug 1, 2012

    If there is significant interest, I will try to find the time to dump my ruleset and clean it up for public consumption.

  • DBO Apprentice 158 posts since
    Nov 4, 2009

    Yes please...

     

  • middleton_loiner Newcomer 1 posts since
    Jan 20, 2014

    Yes please also.....This is an issue we are encountering within our Organisation.  It would be a massive assist to see your Ruleset Output.

  • tomgsac Newcomer 1 posts since
    Apr 2, 2014

    This looks great. My work is blocking SlideShare.net -- because it allows registered users to upload documents.  I just want people to see the presentations.  Could this Read Only Rule allow anyone to see a website, but prevent them from uploading documents?
