Blue Coat Security First Steps Solution for Controlling Web Applications

Transcription

1 Blue Coat Security First Steps Solution for Controlling Web Applications SGOS 6.5

2 Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU. Americas: Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland 4/27/2015

3 Blue Coat Security First Steps Contents Solution: Control Web Applications 4 Steps 4 Configure Blue Coat WebFilter 4 Set Web Services to Intercept 6 Transparent Proxy Services 6 Explicit Proxy Services 9 Create Policy to Control Web Applications 10 Example: Control YouTube Operations 11 Test Web Application Policy 14 View the Application Mix Report 15 Web Application Troubleshooting 16 Why aren't Web apps being blocked? 16 Is the Web app policy being applied? 16 Examples 17 How does the ProxySG categorize the application and operation for a user transaction? 18 3

4 Controlling Web Applications Solution: Control Web Applications In addition to URL category filtering, you can filter content by Web application and/or specific operations or actions done within those applications. For example, you can create policy to: Allow users to access all social networking sites, except for Facebook. Conversely, block access to all social networking sites except for LinkedIn. Allow users to post comments and chat in Facebook, but block uploading of pictures and videos. Prevent the uploading of videos to YouTube, but allow all other YouTube operations such as viewing videos others have posted. Conversely, preventing uploading but block access to some videos according to the video s category. Allow users to access their personal accounts on Hotmail, AOL Mail, and Yahoo Mail, but prevent them from sending attachments. Steps 1. "Configure Blue Coat WebFilter" below. 2. Set Web services to intercept, such as External HTTP and HTTPS. See "Set Web Services to Intercept" on page Decide which Web applications and operations you want to control. For a list of supported Web applications, see Please note that operations may not include the full details of operations per platform (for example, a Web application may support post messages and send on Desktop Browser, but on the ios platform, it could be just allow/deny). 4. "Create Policy to Control Web Applications" on page "Test Web Application Policy" on page "View the Application Mix Report" on page 15. Configure Blue Coat WebFilter Blue Coat WebFilter (BCWF) is an on-box content filtering database. To control access to web applications, you need to enable BCWF and download the latest database. 1. Confirm that you have a Proxy Edition license (not a MACH5 license). The license name appears in the Management Console banner. 2. Enable Blue Coat WebFilter: a. Select Configuration > Content Filtering > General. b. For Blue Coat WebFilter, select the checkbox in the Enable column. 4

5 Blue Coat Security First Steps c. Click Apply. 5

6 Controlling Web Applications 3. Download a current BCWF database: a. Select Configuration > Content Filtering > Blue Coat WebFilter. b. Click Download now. c. Click Apply. Note: In addition to BCWF, ProxySG also supports third-party or local content filtering databases. Next Step: "Set Web Services to Intercept" below Set Web Services to Intercept Make sure web services, such as External HTTP (transparent port 80) and HTTPS (transparent port 443), are set to intercept, or if your proxy is deployed explicitly, ensure that the Explicit HTTP service has Detect Protocol enabled.to set services to intercept on the ProxySG appliance, follow the steps below for your deployment type. Transparent Proxy Services 1. In the Management Console, select Configuration > Services > Proxy Services. 2. Under Predefined Service Groups, expand the Standard group. A list of services displays. 6

7 Blue Coat Security First Steps 3. Locate the service you want to set to Intercept. 4. From the drop-down menu next to the service, select Intercept. In this example, the HTTPS service is set to Intercept. 5. Repeat steps 3 and 4 for each additional service you want to intercept. 6. (Optional) To intercept traffic types that are not predefined: a. Click New Service. b. Enter a name for the service and select the service group, under which the new service will be listed. c. Select a proxy type from the Proxy drop-down menu. This menu lists all of the types of traffic the ProxySG understands. If the type of traffic you are intercepting is not listed, select TCP Tunnel. Caution: Tunneled traffic can only be controlled based on the information contained in the TCP header of the request: client IP, destination IP, and source and destination ports. d. Click Edit/Add Listeners. The New Listener dialog displays. 7

8 Controlling Web Applications e. In the Port range field, enter the port your application uses to communicate. f. Ensure that the Action field is set to Intercept and click OK. g. If enabled, uncheck Enable ADN. 8

9 Blue Coat Security First Steps h. Click OK. 7. Click Apply. The appliance confirms your changes. Explicit Proxy Services 1. In the Management Console, select Configuration > Services > Proxy Services. 2. Under Predefined Service Groups, expand the Standard group. A list of services displays. 3. Locate Explicit HTTP, select it, and click Edit Service. 4. Enable Detect Protocol. 5. Under Listeners, set the explicit proxy ports (8080 and/or 80) to Intercept. 9

10 Controlling Web Applications 6. Click OK and Apply. The appliance confirms your changes. Next Step: Return to "Solution: Control Web Applications" on page 4 (step 3). Create Policy to Control Web Applications To allow and deny access to Web applications and operations, you create policy rules in the Web Access Layer. 1. Launch the Visual Policy Manager (VPM). a. In the Management Console, select Configuration > Policy > Visual Policy Manager. b. Click Launch. 2. Add a Web Access Layer. a. Select Policy > Add Web Access Layer. b. For Layer Name, enter a descriptive name and click OK. 3. Right-click the Destination column within the rule, and select Set. 4. To control Web applications, click New and select Request URL Application. In the new window that opens, select the check box of the application(s) you want to control and click OK. 5. (Optional) To control Web operations: 10

11 Blue Coat Security First Steps a. Click New and select Request URL Operation. b. In the Supporting application list, select the Web application(s) you want to control. c. Select the check box of the operation(s) you want to control. d. Click OK. 6. Set Action to Allow or Deny, depending on the policy you want to create. 7. Click Install policy. Example: Control YouTube Operations Next Step: "Test Web Application Policy" on page 14 Example: Control YouTube Operations The following example demonstrates how to add a policy to control YouTube operations. With this policy, users will not be able to post messages or upload videos in the YouTube application; all other operations will be allowed. 1. Launch the VPM. 2. Add a Web Access Layer. Name the layer YouTube Controls. 3. Right-click the Destination column within the rule, and select Set. 4. Click New and select Request URL Application. 5. In the application list, scroll down and select the YouTube check box. 6. In the Name field, enter a descriptive name such as YouTube-App, click OK. 11

12 Controlling Web Applications 7. Add an object to deny Post Messages and Upload Video operations on YouTube. a. Click New and select Request URL Operation. b. Under the Supporting application pull-down menu, select YouTube. c. Select the operations you want to block: Upload Video and Post Messages. d. Name this object Youtube-Operations. e. Click OK. 8. Create a combined object. a. Click New and select Combined Destination Object. b. Add YouTube-App to the upper-right box and add and YouTube-Operations to the lower-right box. This ensures that both conditions must match for this policy to deny requests. 12

13 Blue Coat Security First Steps c. Name the combined object YouTube app-op controls. Click OK. 9. Make sure the Action is set to Deny. 10. Install the policy. You can verify the full policy details on the ProxySG. In the VPM, click View > Current SG Appliance VPM Policy Files. If you have multiple access layers in the VPM, you can see the order in which the rules will be applied in the CPL (content policy language) file. On the VPM, go to View > Generated CPL. 13

14 Controlling Web Applications Test Web Application Policy Test the policy by verifying that you cannot access blocked Web applications. 1. Open a Web browser that is configured to use the ProxySG as proxy. Make sure that you are not using the same browser that you are currently using to access the Management Console. 2. Launch the application that you created policy for. For example, if you created policy to deny Facebook access, you will see a corresponding access denied or web page not found error depending on how you have configured the Deny functionality. 3. To customize the web page containing the error message displayed to users when they are denied access to a URL, refer to the Exception Pages solution in the First Steps WebGuide. Verify that you cannot perform blocked web operations and can perform operations that are allowed. 1. Open a Web browser that is configured to use the ProxySG as proxy. 2. Launch the application you created policy for. Make sure you can perform operations that are allowed and are denied access to the blocked operations. For example, if you created policy to block Post Message and Upload Video operations in YouTube, go to YouTube and try to upload a file or post a comment; these operations should be denied. Other operations, such as playing videos, should be allowed. 14

15 Blue Coat Security First Steps Next Step:"View the Application Mix Report" below View the Application Mix Report The Application Mix report shows a breakdown of the Web applications running on the network. This report can give you visibility into which Web applications users are accessing, the amount of bandwidth these applications are consuming, and how much bandwidth is gained by optimization of Web applications over different time periods. 1. Select Statistics > Application Details > Application Mix. 2. Select a time period from the Duration drop-down list. The pie chart displays data for the seven applications with the most traffic during the selected time period. If there are more than seven applications classified during that time, the applications with the least amount of traffic are combined into an Other slice. The <Unidentified> slice includes traffic for which the URL is not a Web application, or is a Web application that is not currently supported in the database. <Unidentified> also includes Web traffic for applications that could not be identified because there was a problem with the BCWF license or database. 15

16 Controlling Web Applications Web Application Troubleshooting Why aren't Web apps being blocked? 16 Is the Web app policy being applied? 16 How does the ProxySG categorize the application and operation for a user transaction? 18 Why aren't Web apps being blocked? Problem: The policy that is supposed to block Web applications or operations is not denying access to the objects defined in the policy. Resolution: If the application or operation you have set a policy for is not getting blocked, try the following: Make sure your browser has been configured to use the proxy with the correct port and proxy IP address. Make sure that your ProxySG is intercepting HTTP/HTTPS traffic. See "Set Web Services to Intercept" on page 6. Make sure the policy is correctly installed 1. Click Configuration > Policy > Policy Files >. 2. Under View Policy, select Current Policy and click View. Check to see if your traffic is passing through the proxy by denying all traffic temporarily. 1. Click Configuration > Policy > Policy options > under Default Proxy Policy, select Deny. 2. Open a new tab in the browser and go to any website. You should be blocked unless you have added an allow policy exception for that particular website in your VPM. You can also view a trace to see if the policy is being applied. See "Is the Web app policy being applied?" below. Is the Web app policy being applied? To see if a Web app policy is being applied, you can view a policy trace. 1. Click Configuration > Policy > Policy Options > under Default Policy Tracing, select the Trace all policy execution radio button and click Apply at the bottom of the screen 2. Open a new tab in the browser on which you are currently configuring the proxy. Type Proxy IP address:8082/policy and press Enter. 3. Click Delete all policy traces, then click Default trace.html. This opens a new page. 4. Keep this page open and open a new browser that is configured to use the proxy. Go to YouTube (assuming you added a policy for youtube earlier), and try to access YouTube or perform an operation in YouTube such as upload video. As you do this, you will see a live trace of this traffic on the Default Trace page that you had open SG IP address:8082/policy/trace/default_trace.html If the policy is being applied correctly, you will see that the policy matches some of the URLs and the traffic was denied as shown in the screenshots below. 16

17 Blue Coat Security First Steps Examples Access Denied Default Trace 17

18 Controlling Web Applications How does the ProxySG categorize the application and operation for a user transaction? Problem: When troubleshooting web application policy, it's helpful to see how the ProxySG is categorizing the application and operation for a user transaction. Resolution: A policy trace includes an indication of the application name and application operation for a particular URL or request. To create a policy trace that only captures the transactions or traffic coming from a specific IP address: 1. Open the Visual Policy Manager. 2. Select Policy > Add Web Access Layer. Type a layer name and click OK. This new Web Access layer will have just one rule in it. 3. In the Source column, right-click and select Set > New. Select Client IP address/subnet. 4. Enter the IP address of the client you are running the testing from. There is no need to enter a subnet. 5. Select Add > Close. In the Set Source Object window, select this client IP and then OK. 6. Change the Action to None. Right-click on Allow action and choose Delete. 7. In the Track column, right-click on None, select Set > New > Trace. 8. Click the Trace Level check box and the Verbose tracing radio button. Click the Trace file check box and give it a name. Click OK. Click OK again. 9. Install the policy. In the policy trace, there will be an indication of the application name and operation for that particular URL or request. Below is an example that shows a POST request that was made when a user sent an from Gmail. POST User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/ Firefox/23.0 user: unauthenticated url.category: @Blue Coat application.name: Gmail application.operation: Send DSCP client outbound: 65 DSCP server outbound: 65 stop transaction Sometimes, multiple transactions can be seen even though you have specified only one IP because a web page can make an HTTP or HTTPS request in the background without a user knowing it. Therefore, you would need to be sure that the URL in the policy trace is the request that you made when you make an action such as clicking the Send button in Gmail. 18