Web Security Service

English

Define a User-Based Web Applications Policy

By combining several types of
WSS
 policy, you can create a robust web application policy that both protects your network, ensures acceptable web use policies, and allows employees to complete their job duties based on their roles in the organization. Consider the following use case and example policy.

Use Case

The default
WSS
 settings for all applications is
Allow
. Previously, a
WSS
 admin set the major webmail applications to
Block
 and set
E*Trade
 to
Allow
. You now want to add a more granular policy based on user groups.
  • The FIFA World Cup creates network bandwidth havoc every year; furthermore, reports indicate that Pinterest traffic is trending upward and you want to block access.
  • Both Facebook and Twitter can hinder productivity, yet are necessary marketing applications. You want to allow access only to the Marketing group; however, you also want to block security risks (such as downloading files) and block unnecessary features (such as games and chatting) for everyone in those groups.
    How a user understands that an application action was blocked is application-dependent. For some actions, nothing happens. This behavior might generate support/IT tickets, so be sure such personnel understand this and can inform employees.
  • Human Resources also uses Facebook plus Linkedin, but you do not want other employees job-networking while working for you.

Example Policy

  1. Navigate to
    Policy > Content Filtering
    .
  2. Add
    FIFA World Cup
    ,
    Facebook
    ,
    Twitter
    ,
    Linkedin
    , and
    Pinterest
     to
    Blocked Web Applications
     to the global block list.
    1. In the
      Group B > G4
       rule, click the
      Blocked Web Applications
       link in the
      To Where
       column. The service displays the Object Edit: Blocked Web Applications dialog.
    2. The initial dialog is read-only. Click
      Edit
      .
      Advanced Policy Blocked Web Apps
    3. Select the
      FIFA World Cup
       application in the
      Sports/Recreation
       drop-down (you can search for the term).
    4. Select the
      Facebook
      ,
      Twitter
      ,
      Linkedin
      , and
      Pinterest
       applications from the
      Social Networking
       drop-down.
    5. Click
      Save.
      The
      Blocked Applications (#)
       number increments to include the four applications.
    6. Yellow triangle icons indicate non-active policies. Click
      Activate
      . At this point, anyone who attempts to access any of those applications are blocked.
  3. Allow Marketing access to Facebook and Twitter.
    1. Click
      Add Rule
      . The service displays the Create New Rule dialog.
    2. Click
      Add Sources
      .
    3. Click
      User Group
      .
    4. Select the group to be granted access—for this example,
      CorpMarketing
      .
      Web Apps for Marketing 1
    5. Click
      Save
      .
    6. Click
      Add Destinations
    7. Click
      Web Application
      .
    8. Search for
      Facebook
       and
      Twitter
       and add them; click
      Save
      .
    9. For the
      Verdict
       construct, select
      Allow > Completely
      . Click
      Finish
      , which adds the rule in
      Group B
       above the default global block rule. The order is important, as when a component of rule gets matched, subsequent rules are ignored.
  4. You now want to prevent Marketing employees from downloading attachments, playing games, and chatting from within Facebook.
    1. Repeat
      Step 3
      , creating a rule that applies to the same
      CorpMarketing
       group (
      Sources
       construct).
    2. Select the same web applications on the
      Destinations
       construct.
    3. Click
      Contents and Limits
      ; click
      Actions
      .
    4. Select the actions to block, such as
      Download Video
       and
      Games
      .
      Web Apps Block Actions
    5. Click
      Save
      .
    6. Set the
      Verdict
       construct to
      Block
      .
    7. Click
      Add Rule
      ; the service displays the new action blocking rule in
      Group B
      .
    8. Click
      Activate
      .
  5. Create another rule for the
    CorpHR
     group to be allowed
    Facebook
     and
    Linkedin
    .
  6. Click
    Activate
    . You now have conditional rules that fully allow access, limit access, or block web applications.
    Advanced Policy Web Apps Rule
How a user understands that an application action was blocked is application-dependent. For some actions, nothing happens. This behavior might generate support/IT tickets, so be sure your support staff understand this and can inform employees.