
Using Custom IPS Signatures to Forbid Access to a Specific Subsite

Jan 16, 2012 11:14 PM

Consider this scenario:

Your corporation has a top-level website, for example wudi.com. Each BU/department owns a subsite under it: the Finance Department has wudi.com/finance and the Development Department has wudi.com/development. Each subsite contains pages and documents that must not be viewed by other departments; for example, employees of the Development Department must not be able to see the pages and documents under wudi.com/finance. How can you achieve this?

One solution is a Custom Intrusion Prevention Signatures (IPS) policy in Symantec Endpoint Protection (SEP).

Following the example above, these steps create a custom IPS policy that forbids Development Department employees from accessing wudi.com/finance:

1. On an endpoint, run Wireshark to capture the packets sent while accessing wudi.com/finance, and record the distinctive content of the request that the signature will match on:

In our example, that content is the HTTP request line, which looks like: GET /finance/

2. Log in to the SEPM, choose 'Policies' --> 'Intrusion Prevention' --> 'Custom Intrusion Prevention Signatures', and click 'Add Custom Intrusion Prevention Signatures'.

3. Enter a name for this signature library, click 'Add' under 'Signatures', and enter the name of the signature group:

4. Click 'Add' under 'Signatures for this group':

5. In the 'Content' box, enter the following signature:

rule tcp, dest=(80), saddr=$LOCALHOST, msg="You are forbidden to access the finance subsite!", regexpcontent="[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"

Here is the meaning of each part of this signature:

rule tcp, dest=(80), saddr=$LOCALHOST: TCP traffic from the local host to destination port 80, i.e. outbound plaintext HTTP. Only such traffic is inspected by this rule; the same request sent over HTTPS is encrypted between the browser and the web server, so the signature cannot see the request line inside it.

msg="": the message displayed on the SEP client when this signature triggers

regexpcontent="": a regular expression over the packet content (the syntax follows C-style regular expressions). The character classes such as [Ff][Ii] make the match case-insensitive, and the pattern fires on any packet whose content contains "GET " followed later by "/finance/".

6. Assign this policy to the client group that contains the Development Department's endpoints.

7. From an endpoint in that group, try to access wudi.com/finance; the request is blocked and a notification appears:
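Before pushing the signature to a client group it is worth checking what the regexpcontent pattern actually matches. The following Python example is added here and is not part of the original post or of SEP itself: it applies the same pattern to constructed HTTP request payloads one TCP segment at a time, as a packet-based IPS does, and contrasts it with a tightened pattern that is anchored on the request line and also checks the Host header. The sample packets, the host names and the tightened pattern are assumptions made for illustration; whether SEP's regexpcontent accepts the tightened pattern's syntax (the ^ anchor, (?i) and lazy quantifiers) is also an assumption that must be tested in the SEPM, since Python's re dialect is used here.

```python
import re

# The regexpcontent pattern from the SEP signature above, copied unchanged.
SEP_REGEX = r"[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"

# Tightened pattern (an assumption, not from the original post): anchored to the
# start of the request line, requires the path to begin with /finance/ and the
# Host header to be wudi.com. (?i) keeps the match case-insensitive because
# IIS-style servers treat /Finance/ and /finance/ as the same path.
TIGHT_REGEX = (r"(?i)^GET /finance/[^ \r\n]* HTTP/1\.[01]\r\n"
               r"(?:[^\r\n]*\r\n)*?Host: wudi\.com\r\n")


def packet_matches(payload: bytes, pattern: str = SEP_REGEX) -> bool:
    """Apply a signature regex to the payload of one TCP segment, the way a
    per-packet IPS engine does (no stream reassembly across segments)."""
    # latin-1 maps every byte to exactly one character, so binary payloads
    # such as TLS records decode without errors and simply fail to match.
    return re.search(pattern, payload.decode("latin-1")) is not None


def stream_matches(segments, pattern: str = SEP_REGEX) -> bool:
    """True if any single segment matches. A request whose matching bytes are
    split across two segments is missed, because each one is inspected alone."""
    return any(packet_matches(seg, pattern) for seg in segments)


# Constructed sample payloads (not real captures).
PLAIN_FINANCE = b"GET /finance/budget.xlsx HTTP/1.1\r\nHost: wudi.com\r\n\r\n"
MIXED_CASE = b"GET /Finance/ HTTP/1.1\r\nHost: wudi.com\r\n\r\n"
PLAIN_DEV = b"GET /development/ HTTP/1.1\r\nHost: wudi.com\r\n\r\n"
OTHER_HOST = b"GET /blog/finance/ HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
FINANCE_OTHER_HOST = b"GET /finance/ HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
QUERY_STRING = b"GET /search?q=/finance/ HTTP/1.1\r\nHost: wudi.com\r\n\r\n"
# Stand-in for the first TLS record of an HTTPS connection: the IPS sees a
# record header and opaque bytes, never the plaintext request line.
TLS_RECORD = b"\x16\x03\x01\x00\x28" + bytes(0x28)
# The finance request split across two TCP segments.
SPLIT_FINANCE = [b"GET /fin", b"ance/ HTTP/1.1\r\nHost: wudi.com\r\n\r\n"]

SAMPLES = {
    "GET /finance/ on wudi.com": PLAIN_FINANCE,
    "GET /Finance/ on wudi.com": MIXED_CASE,
    "GET /development/ on wudi.com": PLAIN_DEV,
    "GET /blog/finance/ on another host": OTHER_HOST,
    "GET /finance/ on another host": FINANCE_OTHER_HOST,
    "/finance/ only in the query string": QUERY_STRING,
    "same request over HTTPS (TLS record)": TLS_RECORD,
}


def compare(pattern_a: str = SEP_REGEX, pattern_b: str = TIGHT_REGEX) -> dict:
    """Return {sample name: (matches pattern_a, matches pattern_b)}."""
    return {name: (packet_matches(p, pattern_a), packet_matches(p, pattern_b))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print(f"{'sample':40} {'SEP regex':>10} {'tightened':>10}")
    for name, (a, b) in compare().items():
        print(f"{name:40} {str(a):>10} {str(b):>10}")
    print("split across two segments, SEP regex:", stream_matches(SPLIT_FINANCE))
```

Running it shows the original pattern firing on /blog/finance/ on an unrelated host and on a search query that merely contains "/finance/", while missing the HTTPS case entirely and missing a request whose "GET /finance/" bytes straddle two segments. The tightened pattern removes the over-matching but still cannot see HTTPS, and, like any byte-matching rule, it does not decode percent-encoded paths such as /%66inance/ that the web server would accept.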

Good Luck!

Comments

Jun 08, 2015 06:55 AM

This is not a particularly effective way of blocking access to a website. IPS scans the content of each packet - this method of blocking relies on finding the "website.com" string inside one of the packets going between the browser and the web server, which doesn't necessarily have to be the case. And with HTTPS traffic IPS will only see the encrypted data stream, not the decrypted bytes (the secure channel is between the browser and the web server).

Feb 27, 2015 09:36 AM

The content should start like this to add support for https:

rule tcp, dest=(80,443), saddr=$LOCALHOST

Jul 31, 2013 09:09 AM

Nice article. Please can you let me know what would be the signature for the same scenario if the URLs are https://wudi.com/finance (i.e. SSL-based URLs)? The same regexpcontent is not working for port 443.
