Define a User-Based Web Applications Policy
By combining several types of
WSSpolicy, you can create a robust web application policy that both protects your network, ensures acceptable web use policies, and allows employees to complete their job duties based on their roles in the organization. Consider the following use case and example policy.
WSSsettings for all applications is
Allow. Previously, a
WSSadmin set the major webmail applications to
Allow. You now want to add a more granular policy based on user groups.
- The FIFA World Cup creates network bandwidth havoc every year; furthermore, reports indicate that Pinterest traffic is trending upward and you want to block access.
- Both Facebook and Twitter can hinder productivity, yet are necessary marketing applications. You want to allow access only to the Marketing group; however, you also want to block security risks (such as downloading files) and block unnecessary features (such as games and chatting) for everyone in those groups.How a user understands that an application action was blocked is application-dependent. For some actions, nothing happens. This behavior might generate support/IT tickets, so be sure such personnel understand this and can inform employees.
- Human Resources also uses Facebook plus Linkedin, but you do not want other employees job-networking while working for you.
- Navigate toPolicy > Content Filtering.
- AddFIFA World Cup,Blocked Web Applicationsto the global block list.
- In theGroup B > G4rule, click theBlocked Web Applicationslink in theTo Wherecolumn. The service displays the Object Edit: Blocked Web Applications dialog.
- The initial dialog is read-only. ClickEdit.
- Select theFIFA World Cupapplication in theSports/Recreationdrop-down (you can search for the term).
- Select theSocial Networkingdrop-down.
- ClickSave.TheBlocked Applications (#)number increments to include the four applications.
- Yellow triangle icons indicate non-active policies. ClickActivate. At this point, anyone who attempts to access any of those applications are blocked.
- Allow Marketing access to Facebook and Twitter.
- ClickAdd Rule. The service displays the Create New Rule dialog.
- ClickAdd Sources.
- ClickUser Group.
- Select the group to be granted access—for this example,CorpMarketing.
- ClickAdd Destinations
- ClickWeb Application.
- Search forSave.
- For theVerdictconstruct, selectAllow > Completely. ClickFinish, which adds the rule inGroup Babove the default global block rule. The order is important, as when a component of rule gets matched, subsequent rules are ignored.
- You now want to prevent Marketing employees from downloading attachments, playing games, and chatting from within Facebook.
- RepeatStep 3, creating a rule that applies to the sameCorpMarketinggroup (Sourcesconstruct).
- Select the same web applications on theDestinationsconstruct.
- ClickContents and Limits; clickActions.
- Select the actions to block, such asDownload VideoandGames.
- Set theVerdictconstruct toBlock.
- ClickAdd Rule; the service displays the new action blocking rule inGroup B.
- Create another rule for theCorpHRgroup to be allowed
- ClickActivate. You now have conditional rules that fully allow access, limit access, or block web applications.
How a user understands that an application action was blocked is application-dependent. For some actions, nothing happens. This behavior might generate support/IT tickets, so be sure your support staff understand this and can inform employees.