11 Replies. Latest reply: Apr 7, 2014 10:26 PM by btlyric

    Ruleset question - read-only dropbox (or any other cloud storage)


      Just for grins, say I'm getting beaten on for blocking cloud storage like Dropbox and Skydrive.  (I am.)  We are concerned about data leakage, but so many partners including other agencies are sending my users links to files.


      I was wondering if anybody has implemented rules that permit read-only access to personal network storage sites, but block uploading of files.  I think this could resolve about 90% of the griping I hear.  I'm not really enjoying having a shouting match with an executive over what I assume he thinks is my power trip, rather than trying to reduce risk...

        • 1. Re: Ruleset question - read-only dropbox (or any other cloud storage)

          Well, it certainly can be done. It's just a matter of if you want that to be your policy. It's more of a policy decision than a technological one.


          Take a look at this video on box.com to see some of the things you can do with MWG.




          Part 2 of the demo shows some things about making sites read-only.

          • 2. Re: Ruleset question - read-only dropbox (or any other cloud storage)

            Yes. Have done pretty much exactly what you're asking about.


            Using Dropbox as example...


            Client tries to go to Dropbox site to download file and is presented with a coaching page that both includes corporate acceptable use policy and a reiteration that data on the target service may be stored in multiple countries + file upload and/or creation is prohibited and how frequently the coaching page will reappear.


            The page also states that if the client selects the "I Accept" button on the coaching page, they are confirming their acceptance of the specific terms that have been highlighted + the corporate acceptable use policy. Once they select I Accept, they will be redirected to the page originally requested.


            There are multiple ways to implement this technically, but my solution looks something like this:


            Web Content Filter

            -- Coaching, criteria = Always

                 -- Dropbox Download, criteria = URL.Host.BelongsToDomains (Dropbox) equals true and URL.Categories<Default> contains Personal Network Storage. Dropbox domains are defined as dropbox.com and dd.tt.

                      -- Coaching Redirect (Dropbox Download), criteria = Quota.Coaching.IsActivationRequest.Strict<Dropbox Download> equals true, action = Redirect

                      -- Coaching AUP (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals true, action = Block <AUP Dropbox Download> -- this file contains my display text and the activation of coaching via:     <input class="button" type="button" id="activatebutton" value="I accept." onClick="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.coaching.js.activatesession"/>$">

                     -- Upload Block (Dropbox Download), criteria = (Command.Name equals "POST" OR Command.Name equals "PUT") AND (URL.Path does not match in list Read-Only Exceptions AND Media.Type.EnsuredTypes none in list Media Types for Normal Operations), action = Block<Block Upload>.  Read-Only Exceptions includes several wildcard expressions: *login*, *logon*, *logout*, *logoff*, *auth*, *browse*, *comments*, *signup*. Media Types for Normal Operations includes: application/x-empty and application/x-www-form-urlencoded

                     -- Coaching Check (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals false, action = Stop Rule Set, events = set User-Defined.CoachedDownloadDropbox = true


            The rule set above handles the coaching portion and the upload block.


            -- Exceptions (at same level as Coaching), criteria = Always

                 -- Dropbox Download Exception, criteria = URL.Host.BelongsToDomains (Dropbox) equals true AND User-Defined.CoachedDownloadDropbox equals true, action = Stop Rule Set, Events = Set User-Defined CategoryException = true


            The rule set above takes criteria from the original request and sets a new user defined property.


            -- Standard Policy, criteria = User-Defined.CategoryException equals false

               ...normal category block rules based on which categories you are blocking


            The rule set above is skipped if the user defined property of CategoryException is true.


            CAVEATS and NOTES:


            - It's relatively easy to implement this on Dropbox, but there are other sites classified as Personal Network Storage that require much more tweaking of the upload blocking -- Google Docs, for example.

            - This rule set does not absolutely guarantee that you won't leak data. By the nature of how things work, you have to permit x-www-form-urlencoded so that logins to sites will succeed, so there's some risk there: it is not easily verifiable that the data sent via that method is not data that you don't want leaked.

            - Theoretically, you could do a blanket rule for the Personal Network Storage category, but that might not catch all the possibilities (see above re: Google Docs).

            - Because of the way that coaching works, users must have JavaScript enabled for the destination site so that the coaching will activate.

            - You cannot use the original User-Defined.Coached* property as your determining factor for bypassing the standard policy blocks -- that would mean that if someone had been coached for anything, they would then bypass the standard policy blocks for everything.

            - There is probably a more elegant way to do this.
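To see how the "Upload Block (Dropbox Download)" criteria above behave on concrete requests, including the form-urlencoded gap the caveats mention, here is an added example in plain Python. It is not McAfee Web Gateway's engine or btlyric's exported rules: the lists are copied from the post as written, the `Request` class and the sample requests are constructed stand-ins for the MWG properties the rule reads.

```python
# Added example (not McAfee Web Gateway's own engine): a plain-Python model of the
# "Upload Block (Dropbox Download)" rule from the post above, so the allow/block
# outcome of its criteria can be checked against constructed requests. The
# Request class and the sample requests are assumptions, not MWG objects.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List

# Lists exactly as the post gives them (dd.tt is the post's spelling).
DROPBOX_DOMAINS = ("dropbox.com", "dd.tt")
READ_ONLY_EXCEPTIONS = ["*login*", "*logon*", "*logout*", "*logoff*",
                        "*auth*", "*browse*", "*comments*", "*signup*"]
MEDIA_TYPES_FOR_NORMAL_OPERATIONS = {"application/x-empty",
                                     "application/x-www-form-urlencoded"}
BLOCK_UPLOAD = "Block<Block Upload>"


@dataclass
class Request:
    """Constructed stand-in for the MWG request properties the rule reads."""
    command: str                      # Command.Name: GET, POST, PUT, CONNECT, ...
    host: str                         # URL.Host
    path: str                         # URL.Path
    categories: List[str] = field(default_factory=list)     # URL.Categories<Default>
    ensured_types: List[str] = field(default_factory=list)  # Media.Type.EnsuredTypes


def belongs_to_domains(host: str, domains) -> bool:
    """URL.Host.BelongsToDomains: the domain itself or any subdomain of it."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def in_dropbox_download_scope(req: Request) -> bool:
    """Criteria of the enclosing 'Dropbox Download' rule set."""
    return (belongs_to_domains(req.host, DROPBOX_DOMAINS)
            and "Personal Network Storage" in req.categories)


def upload_block_matches(req: Request) -> bool:
    """(POST OR PUT) AND (path not in Read-Only Exceptions
    AND no ensured media type is in Media Types for Normal Operations)."""
    is_write = req.command.upper() in ("POST", "PUT")
    path_excepted = any(fnmatchcase(req.path.lower(), pat)
                        for pat in READ_ONLY_EXCEPTIONS)
    normal_media = any(t.lower() in MEDIA_TYPES_FOR_NORMAL_OPERATIONS
                       for t in req.ensured_types)
    return is_write and not path_excepted and not normal_media


def decide(req: Request) -> str:
    """Outcome of the upload-block rule for one request."""
    if not in_dropbox_download_scope(req):
        return "out of scope"
    return BLOCK_UPLOAD if upload_block_matches(req) else "allow"


# Constructed requests covering the cases the post and its caveats describe.
SAMPLES = {
    # plain download: never passes the write-method test
    "download": Request("GET", "www.dropbox.com", "/s/abc123/report.pdf",
                        ["Personal Network Storage"], ["application/pdf"]),
    # multipart file upload: blocked
    "upload": Request("POST", "www.dropbox.com", "/upload",
                      ["Personal Network Storage"], ["multipart/form-data"]),
    # login form: path is in Read-Only Exceptions, so allowed
    "login": Request("POST", "www.dropbox.com", "/login",
                     ["Personal Network Storage"],
                     ["application/x-www-form-urlencoded"]),
    # caveat from the post: any urlencoded POST is allowed, whatever the path
    "form_leak": Request("POST", "www.dropbox.com", "/api/notes",
                         ["Personal Network Storage"],
                         ["application/x-www-form-urlencoded"]),
    # HTTPS without SSL scanning: the proxy sees only CONNECT, never the inner
    # POST, so Command.Name equals "POST" evaluates false and nothing is blocked
    "tunnelled": Request("CONNECT", "www.dropbox.com", "",
                         ["Personal Network Storage"]),
}


def run_samples() -> dict:
    """Decision for every constructed sample, keyed by sample name."""
    return {name: decide(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:10s} -> {outcome}")
```

The "form_leak" and "tunnelled" cases are the ones worth keeping in a test set: the first is the residual risk the caveats describe, the second is why a rule keyed on Command.Name sees nothing on HTTPS traffic that is not being decrypted by the proxy.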

            • 3. Re: Ruleset question - read-only dropbox (or any other cloud storage)

              Trying to revive this post.


              I tried creating a rule for blocking only the upload as stated by btlyric. But I could still upload files after I set the rules.

              I didn't include the coaching ruleset since I just need to block the upload and no coaching is needed.


              I did the exact rule under "Upload Block" of the above response.

              Is there any rule that I should enable or check first? Say with the SSL Scanner?


              I checked the rule trace, and it says there the upload block rule didn't meet my criteria.

              The Command.Name of POST and PUT shows a "false" result.

              • 4. Re: Ruleset question - read-only dropbox (or any other cloud storage)

                Can you possibly include the XML ruleset for this? I've tried to replicate it and can't seem to get it working. Any assistance is appreciated. This is a *brilliant* idea.

                • 5. Re: Ruleset question - read-only dropbox (or any other cloud storage)

                  I attached a set of rules that can be imported into and above.


                  Here's the basic rule set. It globally blocks POSTing to the specific categories except for certain users or groups you define. It does not have all the coaching stuff talked about above.



                  Rule Set: Read Only: Web
                  Applies to: [] Requests [] Responses [] Embedded Objects
                  Criteria:
                      1: Command.Name equals "POST"

                  Rule (Enabled): ReadOnly: Allowed Users or ReadOnly: Allowed Groups
                      1: Authentication.UserName is in list ReadOnly: Allowed Users
                      2: OR Authentication.UserGroups at least one in list ReadOnly: Allowed Groups
                      Action: Stop Rule Set
                      Comment: Exception Users or Groups that are allowed to POST

                  Rule (Enabled): ReadOnly: Allowed Domains or ReadOnly: Allowed URLs
                      1: URL.Host.BelongsToDomains(ReadOnly: Allowed Domains) equals true
                      2: OR URL matches in list ReadOnly: Allowed URLs
                      Action: Stop Rule Set
                      Comment: Exception Domains or URLs that are allowed to POST

                  Rule (Enabled): ReadOnly: Categories
                      1: URL.Categories<URL Filter: Default> at least one in list ReadOnly: Categories
                      Action: Block<Application Control>
                      Events: Statistics.Counter.Increment("BlockedByApplControl",1)<Default>
                      Comment: Categories that are not allowed to POST

                  Rule (Enabled): ReadOnly: Applications
                      1: Application.Name is in list ReadOnly: Applications
                      Action: Block<Application Control>
                      Events: Statistics.Counter.Increment("BlockedByApplControl",1)<Default>
                      Comment: Applications that are not allowed to POST

                  Rule (Enabled): ReadOnly: Domains or ReadOnly: URLs
                      1: URL.Host.BelongsToDomains(ReadOnly: Domains) equals true
                      2: OR URL matches in list ReadOnly: URLs
                      Action: Block<Application Control>
                      Comment: Domains that are not allowed to POST


                  List: ReadOnly: Categories
                      1. Blogs / Wiki
                      2. Personal Network Storage






                  Message was edited by: eelsasser on 1/9/14 7:51:03 PM EST
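The rule set eelsasser posted is order-sensitive: the two exception rules must fire before any block rule, or an allowed user or partner site would be blocked by the category rule. The following is an added example, not the exported rule set or anything eelsasser attached; it walks a constructed request through the rules in the posted order. Only the two category names come from the post; every other list entry, the `Request` class and the sample requests are constructed placeholders.

```python
# Added example (not the exported MWG rule set itself): ordered evaluation of the
# "Read Only: Web" rule set posted above. Rules are tried top to bottom; a
# "Stop Rule Set" result lets the POST through this set, a "Block" result ends
# processing. Only the category list is taken from the post; the other list
# contents, the Request class and the sample requests are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

ALLOWED_USERS = {"svc-publisher"}                        # constructed
ALLOWED_GROUPS = {"Web Content Editors"}                 # constructed
ALLOWED_DOMAINS = ("intranet.example.com",)              # constructed
ALLOWED_URLS = ["https://partner.example.net/portal/*"]  # constructed
READONLY_CATEGORIES = {"Blogs / Wiki", "Personal Network Storage"}  # from the post
READONLY_APPLICATIONS = {"Dropbox", "Box"}               # constructed
READONLY_DOMAINS = ("paste.example.org",)                # constructed
READONLY_URLS: List[str] = []                            # constructed (empty)

BLOCK = "Block<Application Control>"
STOP = "Stop Rule Set"
# Stand-in for the Statistics.Counter.Increment("BlockedByApplControl",1) event.
COUNTERS: Dict[str, int] = {"BlockedByApplControl": 0}


@dataclass
class Request:
    """Constructed stand-in for the MWG properties the rules read."""
    command: str              # Command.Name
    url: str                  # URL
    host: str                 # URL.Host
    user: str = ""            # Authentication.UserName
    groups: List[str] = field(default_factory=list)      # Authentication.UserGroups
    categories: List[str] = field(default_factory=list)  # URL.Categories<URL Filter: Default>
    application: str = ""     # Application.Name


def belongs_to_domains(host: str, domains) -> bool:
    """URL.Host.BelongsToDomains: the domain itself or any subdomain of it."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def url_matches(url: str, patterns: List[str]) -> bool:
    """'URL matches in list': wildcard match against each list entry."""
    return any(fnmatchcase(url, p) for p in patterns)


def read_only_web(req: Request) -> Tuple[str, str]:
    """Return (result, comment of the rule that fired) for one request."""
    # Rule set criteria: only POST requests enter the set at all.
    if req.command.upper() != "POST":
        return ("not applicable", "rule set criteria not met")
    # Exceptions come first so allowed users/groups and domains/URLs never
    # reach the block rules below.
    if req.user in ALLOWED_USERS or set(req.groups) & ALLOWED_GROUPS:
        return (STOP, "Exception Users or Groups that are allowed to POST")
    if (belongs_to_domains(req.host, ALLOWED_DOMAINS)
            or url_matches(req.url, ALLOWED_URLS)):
        return (STOP, "Exception Domains or URLs that are allowed to POST")
    # Block rules; the category and application rules also bump the counter,
    # the domain rule does not, matching the posted export.
    if set(req.categories) & READONLY_CATEGORIES:
        COUNTERS["BlockedByApplControl"] += 1
        return (BLOCK, "Categories that are not allowed to POST")
    if req.application in READONLY_APPLICATIONS:
        COUNTERS["BlockedByApplControl"] += 1
        return (BLOCK, "Applications that are not allowed to POST")
    if (belongs_to_domains(req.host, READONLY_DOMAINS)
            or url_matches(req.url, READONLY_URLS)):
        return (BLOCK, "Domains that are not allowed to POST")
    return ("no match", "request falls through to the rest of the policy")


# Constructed sample traffic.
SAMPLES = {
    # member of an allowed group: exception rule stops the set before any block
    "editor_upload": Request("POST", "https://www.dropbox.com/upload", "www.dropbox.com",
                             user="jdoe", groups=["Web Content Editors"],
                             categories=["Personal Network Storage"], application="Dropbox"),
    # ordinary user: caught by the category rule
    "staff_upload": Request("POST", "https://www.dropbox.com/upload", "www.dropbox.com",
                            user="asmith", categories=["Personal Network Storage"],
                            application="Dropbox"),
    # GET never enters the set, so reads stay possible: the read-only effect
    "staff_download": Request("GET", "https://www.dropbox.com/s/x/file.pdf",
                              "www.dropbox.com", user="asmith",
                              categories=["Personal Network Storage"]),
    # partner portal on the Allowed URLs list
    "partner_portal": Request("POST", "https://partner.example.net/portal/submit",
                              "partner.example.net", user="asmith", categories=["Business"]),
    # uncategorised-for-this-purpose site listed explicitly under ReadOnly: Domains
    "paste_site": Request("POST", "https://paste.example.org/new", "paste.example.org",
                          user="asmith", categories=["Technical Information"]),
}


def run_samples() -> Dict[str, str]:
    """Result string for every constructed sample, keyed by sample name."""
    return {name: read_only_web(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:15s} -> {result}")
    print("BlockedByApplControl =", COUNTERS["BlockedByApplControl"])
```

Swapping the exception rules below the category rule would turn "editor_upload" and "partner_portal" into blocks, which is the kind of ordering mistake a rule trace like the one in reply 3 will show as a block rule firing for a request that was meant to be excepted.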
                  • 6. Re: Ruleset question - read-only dropbox (or any other cloud storage)

                    If there is significant interest, I will try to find the time to dump my ruleset and clean it up for public consumption.

                    • 8. Re: Ruleset question - read-only dropbox (or any other cloud storage)

                      Yes, please, also... This is an issue we are encountering within our Organisation. It would be a massive assist to see your Ruleset output.

                      • 9. Re: Ruleset question - read-only dropbox (or any other cloud storage)

                        This looks great. My work is blocking SlideShare.net -- because it allows registered users to upload documents.  I just want people to see the presentations.  Could this Read Only Rule allow anyone to see a website, but prevent them from uploading documents?
