SonicWALL UTM Appliance User Guide

Tightening Control over the Browsing Behavior of Users 
Now that we've looked at the different ways to restrict browsing and web behavior through different mechanisms, I'm sure ideas are spinning in your head on how you can apply these policies in your environment. I want to close the topic of web browsing with a small bit of advice. Sophisticated users can drive network admins insane as they try to circumvent your usage policies. It's an arms race at times. There are a slew of proxy systems available on the internet, VPN sites, and client applications, runnable without admin privileges, that are designed to circumvent your firewall filtering. So what's the best way to deal with this ever-evolving arms race? I will outline a list of steps you should take to really lock down the environment.
•  SSL Control. Turn this feature on, and whitelist the HTTPS sites and services you want to allow. Deny everything else.
•  CFS. Turn CFS on for your users and make sure to block hacking/proxy avoidance sites and uncategorized sites. Turn on IP-based HTTPS filtering. This will catch the majority of HTTPS proxy sites. However, you should still leverage SSL Control on top of this.
•  Block all outgoing IKE/VPN traffic with firewall rules. You don't want users using an IPsec-based client to traverse the WAN from the LAN. Since the traffic within a VPN session is encrypted, there is no way to inspect the payload.
•  Change the default LAN > WAN firewall rule from ANY, ANY, ANY allow to a deny rule instead. Build up your rules for the traffic you need to allow. Yes, this is more work, and it can break some applications as you work through the traffic you need to allow, but ultimately you will have a more secure network.
•  Leverage IPS. Comb through the LOW priority signatures, as they include signatures for things like P2P, IM, Skype, UltraSurf, etc. Make sure to enable the respective signatures to restrict undesirable traffic.
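To make the combined effect of these steps concrete, here is an added, constructed model of the LAN > WAN policy (not SonicOS configuration or code from this guide): a first-match rule table with the IKE/ESP deny rules placed ahead of the allows, an HTTPS allow-list standing in for SSL Control, and a default deny at the bottom. All addresses, hostnames and rule notes are made-up sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp" or "esp" (IP protocol 50)
    dst_ip: str
    dst_port: Optional[int] = None
    sni: Optional[str] = None       # TLS server name; None if not an HTTPS flow


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None = any protocol
    dst_net: Optional[str] = None   # None = any destination
    dst_ports: Tuple[int, ...] = ()  # () = any port
    sni_allow: Tuple[str, ...] = ()  # () = no SNI restriction (SSL Control stand-in)
    note: str = ""

    def matches(self, f: Flow) -> bool:
        if self.proto and f.proto != self.proto:
            return False
        if self.dst_net and ip_address(f.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        if self.sni_allow and f.sni not in self.sni_allow:
            return False
        return True


# Constructed LAN > WAN table: deny VPN tunnels first, then explicit allows only.
LAN_TO_WAN = [
    Rule("deny", proto="udp", dst_ports=(500, 4500), note="block IKE / NAT-T"),
    Rule("deny", proto="esp", note="block IPsec ESP"),
    Rule("allow", proto="udp", dst_net="203.0.113.53/32", dst_ports=(53,), note="approved resolver"),
    Rule("allow", proto="tcp", dst_ports=(443,), sni_allow=("mail.example.com", "crm.example.com"),
         note="HTTPS allow-list (SSL Control)"),
    Rule("allow", proto="tcp", dst_ports=(80,), note="HTTP, inspected by CFS"),
]


def evaluate(flow: Flow, rules=LAN_TO_WAN):
    """First matching rule wins; anything unmatched hits the replaced default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.note
    return "deny", "default LAN > WAN deny"
```

Note that the rule order matters: if the generic HTTP/HTTPS allows came first, an IKE client on UDP 500 would still fall through to the deny, but an HTTPS-based tunnel to an unlisted host only fails because the allow-list leaves it to the default deny.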