
Blue Coat Security First Steps

Solution for Controlling Web Applications


© 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:

Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085

Rest of the World:

Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

Contents

Solution: Control Web Applications
    Steps
Configure Blue Coat WebFilter
Set Web Services to Intercept
    Transparent Proxy Services
    Explicit Proxy Services
Create Policy to Control Web Applications
Example: Control YouTube Operations
Test Web Application Policy
View the Application Mix Report
Web Application Troubleshooting
Why aren't Web apps being blocked?
Is the Web app policy being applied?
    Examples
How does the ProxySG categorize the application and operation for a user transaction?

Solution: Control Web Applications

In addition to URL category filtering, you can filter content by Web application and/or specific operations or actions done within those applications. For example, you can create policy to:

• Allow users to access all social networking sites, except for Facebook. Conversely, block access to all social networking sites except for LinkedIn.

• Allow users to post comments and chat in Facebook, but block uploading of pictures and videos.

• Prevent the uploading of videos to YouTube, but allow all other YouTube operations such as viewing videos others have posted. Conversely, prevent uploading but block access to some videos according to the video’s category.

• Allow users to access their personal email accounts on Hotmail, AOL Mail, and Yahoo Mail, but prevent them from sending email attachments.

Steps

1. "Configure Blue Coat WebFilter" below.

2. Set Web services to intercept, such as External HTTP and HTTPS. See "Set Web Services to Intercept".

3. Decide which Web applications and operations you want to control. For a list of supported Web applications, see http://sitereview.bluecoat.com/applications.jsp.

Please note that operations may not include the full details of operations per platform (for example, a Web application may support post messages and send email on Desktop Browser, but on the iOS platform, it could be just allow/deny).

4. "Create Policy to Control Web Applications".

5. "Test Web Application Policy".

6. "View the Application Mix Report".

Configure Blue Coat WebFilter

Blue Coat WebFilter (BCWF) is an on-box content filtering database. To control access to web applications, you need to enable BCWF and download the latest database.

1. Confirm that you have a Proxy Edition license (not a MACH5 license). The license name appears in the Management Console banner.

2. Enable Blue Coat WebFilter:

a. Select Configuration > Content Filtering > General.

c. Click Apply.

3. Download a current BCWF database:

a. Select Configuration > Content Filtering > Blue Coat WebFilter.

b. Click Download now.

c. Click Apply.

Note: In addition to BCWF, ProxySG also supports third-party or local content filtering databases.

Next Step:

"Set Web Services to Intercept" below

Set Web Services to Intercept

Make sure web services, such as External HTTP (transparent port 80) and HTTPS (transparent port 443), are set to intercept, or if your proxy is deployed explicitly, ensure that the Explicit HTTP service has Detect Protocol enabled. To set services to intercept on the ProxySG appliance, follow the steps below for your deployment type.

Transparent Proxy Services

1. In the Management Console, select Configuration > Services > Proxy Services.


3. Locate the service you want to set to Intercept.

4. From the drop-down menu next to the service, select Intercept. In this example, the HTTPS service is set to Intercept.

5. Repeat steps 3 and 4 for each additional service you want to intercept.

6. (Optional) To intercept traffic types that are not predefined:

a. Click New Service.

b. Enter a name for the service and select the service group under which the new service will be listed.

c. Select a proxy type from the Proxy drop-down menu. This menu lists all of the types of traffic the ProxySG understands. If the type of traffic you are intercepting is not listed, select TCP Tunnel.

Caution: Tunneled traffic can only be controlled based on the information contained in the TCP header of the request: client IP, destination IP, and source and destination ports.

d. Click Edit/Add Listeners. The New Listener dialog displays.

e. In the Port range field, enter the port your application uses to communicate.

f. Ensure that the Action field is set to Intercept and click OK.

h. Click OK.

7. Click Apply. The appliance confirms your changes.

Explicit Proxy Services

1. In the Management Console, select Configuration > Services > Proxy Services.

2. Under Predefined Service Groups, expand the Standard group. A list of services displays.

3. Locate Explicit HTTP, select it, and click Edit Service.

4. Enable Detect Protocol.

5. Under Listeners, set the explicit proxy ports (8080 and/or 80) to Intercept.

6. Click OK and Apply. The appliance confirms your changes.

Next Step:

Return to "Solution: Control Web Applications" (step 3).

Create Policy to Control Web Applications

To allow and deny access to Web applications and operations, you create policy rules in the Web Access Layer.

1. Launch the Visual Policy Manager (VPM).

a. In the Management Console, select Configuration > Policy > Visual Policy Manager.

b. Click Launch.

2. Add a Web Access Layer.

a. Select Policy > Add Web Access Layer.

b. For Layer Name, enter a descriptive name and click OK.

3. Right-click the Destination column within the rule, and select Set.

4. To control Web applications, click New and select Request URL Application. In the new window that opens, select the check box of the application(s) you want to control and click OK.

a. Click New and select Request URL Operation.

b. In the Supporting application list, select the Web application(s) you want to control.

c. Select the check box of the operation(s) you want to control.

d. Click OK.

6. Set Action to Allow or Deny, depending on the policy you want to create.

7. Click Install policy.

Example: Control YouTube Operations

Next Step:

"Test Web Application Policy"

Example: Control YouTube Operations

The following example demonstrates how to add a policy to control YouTube operations. With this policy, users will not be able to post messages or upload videos in the YouTube application; all other operations will be allowed.

1. Launch the VPM.

2. Add a Web Access Layer. Name the layer YouTube Controls.

3. Right-click the Destination column within the rule, and select Set.

4. Click New and select Request URL Application.

5. In the application list, scroll down and select the YouTube check box.

6. In the Name field, enter a descriptive name such as YouTube-App, and click OK.

7. Add an object to deny Post Messages and Upload Video operations on YouTube.

a. Click New and select Request URL Operation.

b. Under the Supporting application pull-down menu, select YouTube.

c. Select the operations you want to block: Upload Video and Post Messages.

d. Name this object Youtube-Operations.

e. Click OK.

8. Create a combined object.

a. Click New and select Combined Destination Object.

c. Name the combined object YouTube app-op controls. Click OK.

9. Make sure the Action is set to Deny.

10. Install the policy.

You can verify the full policy details on the ProxySG. In the VPM, click View > Current SG Appliance VPM Policy Files.

If you have multiple access layers in the VPM, you can see the order in which the rules will be applied in the CPL (content policy language) file. On the VPM, go to View > Generated CPL.

Test Web Application Policy

Test the policy by verifying that you cannot access blocked Web applications.

1. Open a Web browser that is configured to use the ProxySG as proxy. Make sure that you are not using the same browser that you are currently using to access the Management Console.

2. Launch the application that you created policy for. For example, if you created policy to deny Facebook access, you will see a corresponding ‘access denied’ or ‘web page not found’ error depending on how you have configured the Deny functionality.

3. To customize the web page containing the error message displayed to users when they are denied access to a URL, refer to the Exception Pages solution in the First Steps WebGuide.

Verify that you cannot perform blocked web operations and can perform operations that are allowed.

1. Open a Web browser that is configured to use the ProxySG as proxy.

Next Step:

"View the Application Mix Report" below

View the Application Mix Report

The Application Mix report shows a breakdown of the Web applications running on the network. This report can give you visibility into which Web applications users are accessing, the amount of bandwidth these applications are consuming, and how much bandwidth is gained by optimization of Web applications over different time periods.

1. Select Statistics > Application Details > Application Mix.

2. Select a time period from the Duration drop-down list.

The pie chart displays data for the seven applications with the most traffic during the selected time period. If there are more than seven applications classified during that time, the applications with the least amount of traffic are combined into an Other slice. The <Unidentified> slice includes traffic for which the URL is not a Web application, or is a Web application that is not currently supported in the database. <Unidentified> also includes Web traffic for applications that could not be identified because there was a problem with the BCWF license or database.

Web Application Troubleshooting

Why aren't Web apps being blocked?

Is the Web app policy being applied?

How does the ProxySG categorize the application and operation for a user transaction?

Why aren't Web apps being blocked?

Problem: The policy that is supposed to block Web applications or operations is not denying access to the objects defined in the policy.

Resolution: If the application or operation you have set a policy for is not getting blocked, try the following:

• Make sure your browser has been configured to use the proxy with the correct port and proxy IP address.

• Make sure that your ProxySG is intercepting HTTP/HTTPS traffic. See "Set Web Services to Intercept".

• Make sure the policy is correctly installed:

1. Click Configuration > Policy > Policy Files.

2. Under View Policy, select Current Policy and click View.

• Check to see if your traffic is passing through the proxy by denying all traffic temporarily:

1. Click Configuration > Policy > Policy Options and, under Default Proxy Policy, select Deny.

2. Open a new tab in the browser and go to any website. You should be blocked unless you have added an ‘allow policy exception’ for that particular website in your VPM.

• You can also view a trace to see if the policy is being applied. See "Is the Web app policy being applied?" below.

Is the Web app policy being applied?

To see if a Web app policy is being applied, you can view a policy trace.

1. Click Configuration > Policy > Policy Options. Under Default Policy Tracing, select the Trace all policy execution radio button and click Apply at the bottom of the screen.

2. Open a new tab in the browser on which you are currently configuring the proxy. Type Proxy IP address:8082/Policy and press Enter.

3. Click Delete all policy traces, then click Default trace.html. This opens a new page.

Examples

Access Denied

Default Trace

How does the ProxySG categorize the application and operation for a user transaction?

Problem: When troubleshooting web application policy, it's helpful to see how the ProxySG is categorizing the application and operation for a user transaction.

Resolution: A policy trace includes an indication of the application name and application operation for a particular URL or request. To create a policy trace that only captures the transactions or traffic coming from a specific IP address:

1. Open the Visual Policy Manager.

2. Select Policy > Add Web Access Layer. Type a layer name and click OK. This new Web Access layer will have just one rule in it.

3. In the Source column, right-click and select Set > New. Select Client IP address/Subnet.

4. Enter the IP address of the client you are running the testing from. There is no need to enter a subnet.

5. Select Add > Close. In the Set Source Object window, select this client IP and then OK.

6. Change the Action to None. Right-click on Allow action and choose Delete.

7. In the Track column, right-click on None, select Set > New > Trace.

8. Click the Trace Level check box and the Verbose tracing radio button. Click the Trace file check box and give it a name. Click OK. Click OK again.

9. Install the policy.

In the policy trace, there will be an indication of the application name and operation for that particular URL or request. Below is an example that shows a POST request that was made when a user sent an email from Gmail.

POST http://mail.google.com/mail/...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
user: unauthenticated
url.category: Email@Blue Coat
application.name: Gmail
application.operation: Send Email
DSCP client outbound: 65
DSCP server outbound: 65
stop transaction
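A small parser for the trace excerpt above, added here as an example (it is not Blue Coat code), which pulls out the application and operation the ProxySG assigned to each request so you can confirm a request would match your rule. It assumes the layout shown in the excerpt, one `name: value` pair per line with `stop transaction` closing each request; the second sample transaction and all function names are constructed for illustration.

```python
import re

# Constructed sample: the first transaction is the excerpt shown on this page;
# the second is made up to show a request that carries no application fields.
SAMPLE_TRACE = """\
POST http://mail.google.com/mail/...
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
user: unauthenticated
url.category: Email@Blue Coat
application.name: Gmail
application.operation: Send Email
DSCP client outbound: 65
DSCP server outbound: 65
stop transaction
GET http://intranet.example.test/index.html
user: unauthenticated
stop transaction
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|CONNECT)\s+(\S+)")
FIELD_LINE = re.compile(r"^([A-Za-z][\w. -]*?):\s+(.*)$")  # split at first ": "

def parse_trace(text):
    """Split a trace into transactions; return one dict per transaction."""
    transactions, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "stop transaction":
            if current:
                transactions.append(current)
            current = {}
            continue
        m = REQUEST_LINE.match(line)
        if m:
            current["method"], current["url"] = m.groups()
            continue
        m = FIELD_LINE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return transactions

def classification(txn):
    """Return (application, operation); None marks a field the trace lacks."""
    return txn.get("application.name"), txn.get("application.operation")

def matches_rule(txn, app, blocked_ops):
    """True if the trace classified this request as one the rule targets."""
    name, op = classification(txn)
    return name == app and op in blocked_ops
```

A transaction that returns `(None, None)` was not classified as a supported Web application, so an application or operation rule cannot match it.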
