Controlling Web Applications

Blue Coat Security First Steps
Solution for Controlling Web Applications
SGOS 6.5
© 2015 Blue Coat Systems, Inc. All rights reserved.
4/27/2015
Contents
Solution: Control Web Applications
  Steps
  Configure Blue Coat WebFilter
  Set Web Services to Intercept
    Transparent Proxy Services
    Explicit Proxy Services
  Create Policy to Control Web Applications
    Example: Control YouTube Operations
  Test Web Application Policy
  View the Application Mix Report
Web Application Troubleshooting
  Why aren't Web apps being blocked?
  Is the Web app policy being applied?
    Examples
  How does the ProxySG categorize the application and operation for a user transaction?
Solution: Control Web Applications
In addition to URL category filtering, you can filter content by Web application and/or specific operations or actions done
within those applications. For example, you can create policy to:
• Allow users to access all social networking sites, except for Facebook. Conversely, block access to all social networking sites except for LinkedIn.
• Allow users to post comments and chat in Facebook, but block uploading of pictures and videos.
• Prevent the uploading of videos to YouTube, but allow all other YouTube operations such as viewing videos others have posted. Conversely, prevent uploading but block access to some videos according to the video’s category.
• Allow users to access their personal email accounts on Hotmail, AOL Mail, and Yahoo Mail, but prevent them from sending email attachments.
Steps
1. "Configure Blue Coat WebFilter" below.
2. Set Web services to intercept, such as External HTTP and HTTPS. See "Set Web Services to Intercept" on page
6.
3. Decide which Web applications and operations you want to control. For a list of supported Web applications, see
http://sitereview.bluecoat.com/applications.jsp.
Please note that operations may not include the full details of operations per platform (for example, a Web
application may support post messages and send email on Desktop Browser, but on the iOS platform, it could be
just allow/deny).
4. "Create Policy to Control Web Applications" on page 10.
5. "Test Web Application Policy" on page 14.
6. "View the Application Mix Report" on page 15.
Configure Blue Coat WebFilter
Blue Coat WebFilter (BCWF) is an on-box content filtering database. To control access to web applications, you need to
enable BCWF and download the latest database.
1. Confirm that you have a Proxy Edition license (not a MACH5 license). The license name appears in the
Management Console banner.
2. Enable Blue Coat WebFilter:
a. Select Configuration > Content Filtering > General.
b. For Blue Coat WebFilter, select the checkbox in the Enable column.
c. Click Apply.
3. Download a current BCWF database:
a. Select Configuration > Content Filtering > Blue Coat WebFilter.
b. Click Download now.
c. Click Apply.
Note: In addition to BCWF, ProxySG also supports third-party or local content filtering databases.
Next Step: "Set Web Services to Intercept" below
Set Web Services to Intercept
Make sure web services, such as External HTTP (transparent port 80) and HTTPS (transparent port 443), are set to intercept. If your proxy is deployed explicitly, ensure that the Explicit HTTP service has Detect Protocol enabled. To set services to intercept on the ProxySG appliance, follow the steps below for your deployment type.
Transparent Proxy Services
1. In the Management Console, select Configuration > Services > Proxy Services.
2. Under Predefined Service Groups, expand the Standard group. A list of services displays.
3. Locate the service you want to set to Intercept.
4. From the drop-down menu next to the service, select Intercept. In this example, the HTTPS service is set to
Intercept.
5. Repeat steps 3 and 4 for each additional service you want to intercept.
6. (Optional) To intercept traffic types that are not predefined:
a. Click New Service.
b. Enter a name for the service and select the service group under which the new service will be listed.
c. Select a proxy type from the Proxy drop-down menu. This menu lists all of the types of traffic the ProxySG
understands. If the type of traffic you are intercepting is not listed, select TCP Tunnel.
Caution: Tunneled traffic can only be controlled based on the information contained in the
TCP header of the request: client IP, destination IP, and source and destination ports.
d. Click Edit/Add Listeners. The New Listener dialog displays.
e. In the Port range field, enter the port your application uses to communicate.
f. Ensure that the Action field is set to Intercept and click OK.
g. If enabled, uncheck Enable ADN.
h. Click OK.
7. Click Apply. The appliance confirms your changes.
Explicit Proxy Services
1. In the Management Console, select Configuration > Services > Proxy Services.
2. Under Predefined Service Groups, expand the Standard group. A list of services displays.
3. Locate Explicit HTTP, select it, and click Edit Service.
4. Enable Detect Protocol.
5. Under Listeners, set the explicit proxy ports (8080 and/or 80) to Intercept.
6. Click OK and Apply. The appliance confirms your changes.
Next Step: Return to "Solution: Control Web Applications" on page 4 (step 3).
Create Policy to Control Web Applications
To allow and deny access to Web applications and operations, you create policy rules in the Web Access Layer.
1. Launch the Visual Policy Manager (VPM).
a. In the Management Console, select Configuration > Policy > Visual Policy Manager.
b. Click Launch.
2. Add a Web Access Layer.
a. Select Policy > Add Web Access Layer.
b. For Layer Name, enter a descriptive name and click OK.
3. Right-click the Destination column within the rule, and select Set.
4. To control Web applications, click New and select Request URL Application. In the new window that opens,
select the check box of the application(s) you want to control and click OK.
5. (Optional) To control Web operations:
a. Click New and select Request URL Operation.
b. In the Supporting application list, select the Web application(s) you want to control.
c. Select the check box of the operation(s) you want to control.
d. Click OK.
6. Set Action to Allow or Deny, depending on the policy you want to create.
7. Click Install policy.
See "Example: Control YouTube Operations" below.
Next Step: "Test Web Application Policy" on page 14
Example: Control YouTube Operations
The following example demonstrates how to add a policy to control YouTube operations. With this policy, users will not be
able to post messages or upload videos in the YouTube application; all other operations will be allowed.
1. Launch the VPM.
2. Add a Web Access Layer. Name the layer YouTube Controls.
3. Right-click the Destination column within the rule, and select Set.
4. Click New and select Request URL Application.
5. In the application list, scroll down and select the YouTube check box.
6. In the Name field, enter a descriptive name such as YouTube-App, click OK.
7. Add an object to deny Post Messages and Upload Video operations on YouTube.
a. Click New and select Request URL Operation.
b. Under the Supporting application pull-down menu, select YouTube.
c. Select the operations you want to block: Upload Video and Post Messages.
d. Name this object YouTube-Operations.
e. Click OK.
8. Create a combined object.
a. Click New and select Combined Destination Object.
b. Add YouTube-App to the upper-right box and add YouTube-Operations to the lower-right box. This
ensures that both conditions must match for this policy to deny requests.
c. Name the combined object YouTube app-op controls. Click OK.
9. Make sure the Action is set to Deny.
10. Install the policy.
You can verify the full policy details on the ProxySG. In the VPM, click View > Current SG Appliance VPM Policy Files.
If you have multiple access layers in the VPM, you can see the order in which the rules will be applied in the CPL
(content policy language) file. On the VPM, go to View > Generated CPL.
Test Web Application Policy
Test the policy by verifying that you cannot access blocked Web applications.
1. Open a Web browser that is configured to use the ProxySG as proxy. Make sure that you are not using the same
browser that you are currently using to access the Management Console.
2. Launch the application that you created policy for. For example, if you created policy to deny Facebook access,
you will see a corresponding ‘access denied’ or ‘web page not found’ error depending on how you have configured
the Deny functionality.
3. To customize the web page containing the error message displayed to users when they are denied access to a
URL, refer to the Exception Pages solution in the First Steps WebGuide.
Verify that you cannot perform blocked web operations and can perform operations that are allowed.
1. Open a Web browser that is configured to use the ProxySG as proxy.
2. Launch the application you created policy for. Make sure you can perform operations that are allowed and are
denied access to the blocked operations. For example, if you created policy to block Post Message and Upload
Video operations in YouTube, go to YouTube and try to upload a file or post a comment; these operations should be
denied. Other operations, such as playing videos, should be allowed.
Next Step: "View the Application Mix Report" below
View the Application Mix Report
The Application Mix report shows a breakdown of the Web applications running on the network. This report can give you
visibility into which Web applications users are accessing, the amount of bandwidth these applications are consuming,
and how much bandwidth is gained by optimization of Web applications over different time periods.
1. Select Statistics > Application Details > Application Mix.
2. Select a time period from the Duration drop-down list.
The pie chart displays data for the seven applications with the most traffic during the selected time period. If there
are more than seven applications classified during that time, the applications with the least amount of traffic are
combined into an Other slice. The <Unidentified> slice includes traffic for which the URL is not a Web
application, or is a Web application that is not currently supported in the database. <Unidentified> also includes
Web traffic for applications that could not be identified because there was a problem with the BCWF license or
database.
Web Application Troubleshooting
Why aren't Web apps being blocked?
Is the Web app policy being applied?
How does the ProxySG categorize the application and operation for a user transaction?
Why aren't Web apps being blocked?
Problem: The policy that is supposed to block Web applications or operations is not denying access to the objects
defined in the policy.
Resolution: If the application or operation you have set a policy for is not getting blocked, try the following:
• Make sure your browser has been configured to use the proxy with the correct port and proxy IP address.
• Make sure that your ProxySG is intercepting HTTP/HTTPS traffic. See "Set Web Services to Intercept" on page 6.
• Make sure the policy is correctly installed.
  1. Click Configuration > Policy > Policy Files.
  2. Under View Policy, select Current Policy and click View.
• Check to see if your traffic is passing through the proxy by denying all traffic temporarily.
  1. Click Configuration > Policy > Policy Options. Under Default Proxy Policy, select Deny.
  2. Open a new tab in the browser and go to any website. You should be blocked unless you have added an ‘allow policy exception’ for that particular website in your VPM.
• You can also view a trace to see if the policy is being applied. See "Is the Web app policy being applied?" below.
Is the Web app policy being applied?
To see if a Web app policy is being applied, you can view a policy trace.
1. Click Configuration > Policy > Policy Options. Under Default Policy Tracing, select the Trace all policy execution radio button and click Apply at the bottom of the screen.
2. Open a new tab in the browser on which you are currently configuring the proxy. Type Proxy IP address:8082/Policy and press Enter.
3. Click Delete all policy traces, then click Default trace.html. This opens a new page.
4. Keep this page open and open a new browser that is configured to use the proxy. Go to YouTube (assuming you added a policy for YouTube earlier), and try to access YouTube or perform an operation in YouTube such as ‘upload video.’ As you do this, you will see a live trace of this traffic on the Default Trace page that you had open: https://Proxy SG IP address:8082/Policy/Trace/default_trace.html
If the policy is being applied correctly, you will see that the policy matches some of the URLs and the traffic was denied as shown in the screenshots below.
Examples
[Screenshot: Access Denied]
[Screenshot: Default Trace]
How does the ProxySG categorize the application and operation for a user transaction?
Problem: When troubleshooting web application policy, it's helpful to see how the ProxySG is categorizing the application
and operation for a user transaction.
Resolution: A policy trace includes an indication of the application name and application operation for a particular URL or
request. To create a policy trace that only captures the transactions or traffic coming from a specific IP address:
1. Open the Visual Policy Manager.
2. Select Policy > Add Web Access Layer. Type a layer name and click OK. This new Web Access layer will have
just one rule in it.
3. In the Source column, right-click and select Set > New. Select Client IP address/Subnet.
4. Enter the IP address of the client you are running the testing from. There is no need to enter a subnet.
5. Select Add > Close. In the Set Source Object window, select this client IP and then OK.
6. Change the Action to None. Right-click on Allow action and choose Delete.
7. In the Track column, right-click on None, select Set > New > Trace.
8. Click the Trace Level check box and the Verbose tracing radio button. Click the Trace file check box and give it
a name. Click OK. Click OK again.
9. Install the policy.
In the policy trace, there will be an indication of the application name and operation for that particular URL or request.
Below is an example that shows a POST request that was made when a user sent an email from Gmail.
POST http://mail.google.com/mail/...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
user: unauthenticated
url.category: Email@Blue Coat
application.name: Gmail
application.operation: Send Email
DSCP client outbound: 65
DSCP server outbound: 65
stop transaction -------------------
Sometimes multiple transactions appear in the trace even though you specified only one IP address, because a web page can make HTTP or HTTPS requests in the background without the user knowing it. Therefore, you need to be sure that the URL in the policy trace is the request that you made when you performed an action such as clicking the Send button in Gmail.
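To pick the transaction you triggered out of a trace that also contains background requests, the trace text can be split on the "stop transaction" marker and filtered by the application.name and application.operation fields. The following Python sketch is an added example, not Blue Coat code; the sample trace is constructed from the format shown above, and the second transaction (www.example.com) and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the trace format shown above. The second transaction
# stands in for a background request with no application classification.
SAMPLE_TRACE = """\
POST http://mail.google.com/mail/...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
user: unauthenticated
url.category: Email@Blue Coat
application.name: Gmail
application.operation: Send Email
stop transaction -------------------
GET http://www.example.com/beacon.gif
user: unauthenticated
stop transaction -------------------
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|DELETE|CONNECT|OPTIONS)\s+(\S+)")
FIELD_LINE = re.compile(r"^([A-Za-z][\w. -]*?):\s*(.*)$")

def parse_trace(text):
    """Split a trace into per-transaction dicts on the 'stop transaction' marker."""
    transactions, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("stop transaction"):
            if current:
                transactions.append(current)
            current = {}
            continue
        m = REQUEST_LINE.match(line)
        if m:
            current["method"], current["url"] = m.groups()
            continue
        m = FIELD_LINE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:  # trailing transaction without a closing marker
        transactions.append(current)
    return transactions

def find_operation(transactions, app, operation):
    """Return the transactions classified as `operation` within `app`."""
    return [t for t in transactions
            if t.get("application.name") == app
            and t.get("application.operation") == operation]

def unclassified(transactions):
    """Return transactions the trace did not attribute to any Web application."""
    return [t for t in transactions if "application.name" not in t]
```

Transactions returned by unclassified() are the ones an application or operation rule cannot match, which is the first thing to check when a deny rule appears not to fire.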