SonicWALL UTM Appliance manual: Tightening Control over the Browsing Behavior of Users

Page 50

Tightening Control over the Browsing Behavior of Users

Now that we’ve looked at the different ways to restrict browsing and web behavior through different mechanisms, I’m sure ideas are spinning in your head on how you can apply these policies in your environment. I want to close the topic of web browsing with a small bit of advice. Sophisticated users can drive network admins insane as they try to circumvent your usage policies. It’s an arms race at times. There is a slew of proxy systems available on the internet, VPN sites, and client applications that can be run without admin privileges, all intended to circumvent your firewall filtering. So what’s the best way to deal with this ever-evolving arms race? I will outline a list of steps you should take to really lock down the environment.

SSL Control. Turn this feature on, and whitelist the HTTPS sites and services you want to allow. Deny everything else.

CFS. Turn CFS on for your users and make sure to block hacking/proxy-avoidance sites and uncategorized sites. Turn on IP-based HTTPS filtering. This will catch the majority of HTTPS proxy sites; however, you should still leverage SSL Control on top of it.

Block all outgoing IKE/VPN traffic with firewall rules. You don’t want users using an IPSec-based client to traverse the WAN from the LAN. Since the traffic within a VPN session is encrypted, there is no way to inspect the payload.

Change the default LAN > WAN firewall rule from ANY, ANY, ANY allow to a deny rule instead. Build up your rules for the traffic you need to allow. Yes, this is more work, and it can break some applications as you work through the traffic you need to allow, but ultimately you will have a more secure network.

Leverage IPS. Comb through the LOW-priority signatures, as they include signatures for things like P2P, IM, Skype, UltraSurf, etc. Make sure to enable the respective signatures to restrict undesirable traffic.
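As an added illustration (not from the manual and not SonicOS code), the following Python model shows what the rule ordering in these steps does to outbound traffic: explicit IKE/ESP denies, a short list of allows, an implicit default deny in place of the old ANY/ANY/ANY allow, and an SSL Control style whitelist applied to HTTPS. Every address, hostname and rule field here is a constructed assumption; SonicOS matches rules on more attributes than this toy does.

```python
"""
Toy first-match access-rule engine for the LAN > WAN lockdown described
above.  Example code only: the rule fields, addresses and hostnames are
constructed assumptions and do not mirror the SonicOS rule format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str                    # LAN-side source address
    dst: str                    # WAN-side destination address
    proto: str                  # "tcp", "udp" or "esp"
    dport: Optional[int]        # destination port; None for port-less protocols
    sni: Optional[str] = None   # TLS server name for HTTPS flows, if seen


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "any", "tcp", "udp" or "esp"
    dport: Optional[int]        # None matches any port
    dst_net: str = "0.0.0.0/0"  # destination network; default is any
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return ip_address(flow.dst) in ip_network(self.dst_net)


# Order mirrors the advice: deny IKE/ESP before anything else, then only the
# allows you actually need.  There is deliberately no trailing ANY/ANY/ANY
# allow, so unmatched traffic falls through to the implicit deny.
LAN_TO_WAN_RULES = [
    Rule("deny", "udp", 500, comment="IKE"),
    Rule("deny", "udp", 4500, comment="IKE NAT-T"),
    Rule("deny", "esp", None, comment="IPSec ESP"),
    Rule("allow", "udp", 53, dst_net="203.0.113.53/32",
         comment="DNS to the approved resolver (constructed address)"),
    Rule("allow", "tcp", 80, comment="HTTP"),
    Rule("allow", "tcp", 443, comment="HTTPS, subject to SSL Control whitelist"),
]

# SSL Control style whitelist of permitted HTTPS server names (constructed).
HTTPS_WHITELIST = {"mail.example.com", "erp.example.com"}


def first_match(flow: Flow, rules=LAN_TO_WAN_RULES) -> Optional[Rule]:
    """Return the first rule that matches, or None if nothing does."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def evaluate(flow: Flow, rules=LAN_TO_WAN_RULES, whitelist=HTTPS_WHITELIST):
    """Return (verdict, reason) for a LAN > WAN flow."""
    rule = first_match(flow, rules)
    if rule is None:
        return "deny", "implicit default deny"
    if rule.action == "deny":
        return "deny", rule.comment
    # An allowed HTTPS flow still has to pass the SSL Control whitelist.
    if flow.proto == "tcp" and flow.dport == 443 and flow.sni not in whitelist:
        return "deny", f"SSL Control: {flow.sni!r} not whitelisted"
    return "allow", rule.comment


def audit_default_rule(rules) -> bool:
    """True if the rule set has no catch-all allow as its last rule."""
    last = rules[-1]
    catch_all = (last.action == "allow" and last.proto == "any"
                 and last.dport is None and last.dst_net == "0.0.0.0/0")
    return not catch_all


if __name__ == "__main__":
    # Constructed sample flows from a LAN host.
    samples = [
        Flow("192.168.1.10", "203.0.113.5", "udp", 500),
        Flow("192.168.1.10", "203.0.113.5", "esp", None),
        Flow("192.168.1.10", "198.51.100.7", "tcp", 443, sni="mail.example.com"),
        Flow("192.168.1.10", "198.51.100.8", "tcp", 443, sni="proxy.example.net"),
        Flow("192.168.1.10", "198.51.100.9", "tcp", 8080),
        Flow("192.168.1.10", "203.0.113.99", "udp", 53),
    ]
    for f in samples:
        print(f"{f.proto}/{f.dport} -> {f.dst} ({f.sni}): {evaluate(f)}")
    print("default rule is deny:", audit_default_rule(LAN_TO_WAN_RULES))
```

The point the model makes is that the verdict depends on order and on the absence of a catch-all: move the IKE deny below a broad allow and the VPN client gets through, and appending a single ANY/ANY/ANY allow (which `audit_default_rule` flags) silently reverts the whole list to the default-allow posture the text tells you to abandon.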
