Management Console Reference Guide

Secure Web Gateway Management Console Reference Guide

Release 10.0 • Manual Version 1.01 M86 SECURITY SETUP AND CONFIGURATION GUIDE

Version 1.01, published November 2010 for SWG software release 10.0

This document may not, in whole or in part, be copied, photo- copied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written con- sent from M86 Security.

Every effort has been made to ensure the accuracy of this document. However, M86 Security makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. M86 Security shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. Due to future enhancements and modifications of this product, the information described in this documentation is subject to change without notice.

Trademarks

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

II M86 SECURITY, Management Console Reference Guide CONTENT

INTRODUCTION TO THE SECURE WEB GATEWAY MANAGEMENT CONSOLE ...... 1

WORKING WITH THE MANAGEMENT CONSOLE...... 3

Management Console ...... 3 Main Menu ...... 4 Using the Management Console ...... 6 Management Wizard ...... 10 User Groups Wizard ...... 11 Log Entry Wizard ...... 28

DASHBOARD...... 33

Dashboard Console ...... 33 Functionality...... 34 Device Gauges ...... 35 Performance Graphs ...... 38 Messages (SNMP)...... 40 Device Utilization Graphs...... 41

USERS ...... 47

Users ...... 47 Users/User Groups ...... 47 User Group Details Screen ...... 49 Blocked and Revoked Cloud Users ...... 52 Unknown Users ...... 55 Independent Users...... 57 Creating a New User Group...... 60 Adding a User to a User Group ...... 63 Moving Users...... 64 The Importance of User/User Group Identifiers ...... 66 Cloud User Certificate Management ...... 67 LDAP ...... 70 General ...... 72 Advanced Settings...... 76 Example for Adding an LDAP Directory...... 80

M86 SECURITY, SECURE WEB GATEWAY 10.01

Import Groups ...... 83 Populating the LDAP Groups with Users...... 85 Settings and Defaults...... 87 Scheduled Settings ...... 88 Unassigned LDAP Groups...... 89 Assigning Policies ...... 91 Moving LDAP Groups ...... 92 Active Directory...... 95 Authentication Server...... 95

ADMINISTRATION ...... 99

Administrators...... 100 Default Permissions...... 102 Administrator Group Details...... 106 Administrator Details ...... 107 Creating a new Administrators Group ...... 109 Adding an Administrator to an Administrators Group...... 111 Permissions ...... 112 System Settings ...... 116 M86 Devices ...... 118 Available Device Tree Options...... 120 Device IP ...... 122 Network Roles ...... 130 Log Server ...... 131 Scanning Server ...... 142 Integrated SSL Scanning...... 160 Default Values ...... 200 Policy Server ...... 203 Scanning Options...... 213 Mail Server...... 217 Scanning Engines ...... 219 Administrative Settings ...... 226 Digital Certificates ...... 228 License...... 234 Debug Logs ...... 236 GUI Log Level ...... 237 Cloud ...... 239 Cloud Configuration ...... 240 Certificate Management Mode...... 240 Configuration ...... 241 Email Template ...... 264 Rollback ...... 266 Rollback Settings ...... 268

2M86 SECURITY, SECURE WEB GATEWAY 10.0 Backup Now...... 270 Restore (Rollback) ...... 271 Reports Settings ...... 272 Database Settings ...... 273 Database Restore ...... 276 Export/Import...... 277 Export...... 277 Import...... 279 Updates ...... 308 Updates Management ...... 310 Updates Configuration ...... 317 Alerts ...... 320 Alert Settings ...... 320 SNMP...... 325 Security ...... 330 System Information...... 332 General ...... 333 Licensed Modules ...... 334 Installed Components ...... 334 Change Password ...... 335

POLICIES ...... 337

Working with Policies ...... 337 Security Policies - Simplified ...... 339 URL Lists ...... 342 File Extensions...... 343 True Content Type...... 345 URL Categorization ...... 346 Assigned User Groups ...... 348 Add/Edit User Group ...... 349 Security Policies - Advanced ...... 351 Security Policies Tree ...... 353 Available Policies Tree Options ...... 356 Security Policy Details ...... 359 Security Rule Details ...... 361 Condition Details for Security Policy Rules ...... 365 Example for Creating a Security Rule ...... 413

M86 SECURITY, SECURE WEB GATEWAY 10.03

Master Security Policy ...... 416 Assigning a Master Policy ...... 418 Default Master Policy...... 420 Master Policy Log Events ...... 421 HTTPS Policies ...... 423 HTTPS Policies Tree ...... 425 HTTPS Policy Details...... 426 HTTPS Rule Details...... 428 Condition Details for HTTPS Policy Rules ...... 431 Certificate Validation Errors ...... 433 Location ...... 434 URL Filtering (IBM/Websense) ...... 435 URL Lists ...... 436 Example for Creating an HTTPS Rule...... 438 Logging Policies ...... 440 Logging Policies Tree ...... 442 Logging Policy Details ...... 446 Logging Rule Details ...... 447 Conditions for Logging Policy Rules ...... 449 Example for Creating a Logging Rule ...... 453 Identification Policies ...... 456 Identification Policies Tree ...... 457 Identification Policy Details ...... 459 Identification Rule Details ...... 460 Identification Policy Rules Condition Details ...... 463 Device Logging Policies...... 471 Identification Logging Policies Tree ...... 472 Identification Logging Policy Details ...... 473 Identification Logging Rule Details...... 474 Identification Logging Policy Rule Conditions ...... 475 Upstream Proxy...... 490 Default Policy Settings ...... 492 Condition Settings ...... 495 Available Condition Settings Tree Options ...... 497 Condition Settings: Active Content List ...... 500 Condition Settings: Archives ...... 505 Condition Settings: Binary Behavior ...... 506 Condition Settings: Content Size ...... 521 Condition Settings: Data Leakage Prevention ...... 524 Condition Settings: Destination Port Range...... 529 Condition Settings: File Extensions ...... 532 Condition Settings: Header Fields ...... 534

4M86 SECURITY, SECURE WEB GATEWAY 10.0 Condition Settings: HTTPS Certificate Validation ...... 537 Condition Settings: IP Range...... 544 Condition Settings: Pre Authenticated Headers...... 546 Condition Settings: Script Behavior ...... 548 Condition Settings: Time Frame ...... 560 Condition Settings: Upstream Proxy ...... 562 Condition Settings: URL Lists ...... 564 Condition Settings: Vulnerability Anti.dote...... 571 Caching Policy ...... 607 Caching Policy Details ...... 609 Caching Policy Rule Details...... 610 Caching Policy Rule Condition Details...... 612 End User Messages ...... 614 Block/Warn Messages ...... 616 Block/Warn Message Details...... 617 Creating a Block/Warn Message ...... 621 Message Template ...... 623

LOGS AND REPORTS...... 625

View Web Logs ...... 626 Add to URL List ...... 628 Web Logs Profile Settings ...... 629 Transaction Entry Details...... 635 View System Logs...... 646 System Logs Profile Settings...... 647 View Audit Logs ...... 651 Audit Logs Profile Settings...... 653 Log Profiles:...... 658 Web Log Profiles ...... 658 System Log Profiles...... 658 Audit Log Profiles...... 658 Reporting Tool...... 658 Reports ...... 659 Reports Categories ...... 664 Exported Reports Location ...... 676

HELP ...... 679

Help Menu ...... 679 Online Help ...... 679 Manuals ...... 680

M86 SECURITY, SECURE WEB GATEWAY 10.05

External Links ...... 680 About ...... 681

REPORTS ...... 683

END USER MESSAGES ...... 689

6M86 SECURITY, SECURE WEB GATEWAY 10.0 INTRODUCTION TO THE SECURE WEB GATEWAY MANAGEMENT CONSOLE

Chapter 1: Introduction to the Secure Web Gateway Management Console

NOTES: This Management Console Reference Guide is based on Software Version 10.0 The Secure Web Gateway Management Console provides administrators with a tool for managing the entire Secure Web Gateway deployment from the Policy Server. This capability is provided via a Web based, user-friendly interface accessible via Microsoft Internet Explorer 7.0+, Firefox 3.0+, and higher. The Secure Web Gateway Management Console provides administrators with the following functionality: • Security Management – Administrators can define Security Policies, the rules they are based on, and lists and behavior profiles that are the basis for the rules. • User Management – Administrators can define User Groups and Users, and associate Security, HTTPS, Authentication and Logging Policies with these users and groups. Importing user data from external repositories is also managed from the Management Console. • Monitoring –The Management Console enables monitoring the transactions in the system based on the Log Server stored data. Various filtering and sorting capabilities enable, for example, help desk operators to check the Web traffic and the results of the Security Policy. • Reporting -The Management Console enables deep analysis of the transactions in the system based on the Report Server stored data. The Management Console provides built-in reports. • Configuration Management – The Management Console provides the interface for updating parameters related to the actual deployment of the system.

M86 SECURITY, CONSOLE INTRODUCTION 1 INTRODUCTION TO THE SECURE WEB GATEWAY MANAGEMENT CONSOLE

• Update Management – The administrator can automatically or manually install both Software versions and Security updates for the Secure Web Gateway system.

NOTES: For information on the setting up your system, please refer to the Setup and Configuration Guide

2 M86 SECURITY, CONSOLE INTRODUCTION WORKING WITH THE MANAGEMENT CONSOLE

Chapter 2: Working with the Management Console

Management Console

The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs.

NOTES: Before accessing the Management Console, make sure to add the Policy Server IP to the Proxy Server Exceptions in your Internet settings. This will ensure optimum performance. Â To access the Management Console: 1. In your Internet browser, enter a URL containing the IP address assigned to your Policy Server (https://policyserverIP). 2. If you are using Internet Explorer 7 or 8, then the first time you log in, this screen will appear. Click Continue to this website.

Figure 2-1: Website's Security Certificate

M86 SECURITY, WORKING WITH THE CONSOLE 3 WORKING WITH THE MANAGEMENT CONSOLE

3. The SWG Management Console appears on your screen with the Login dialog box.

Main Menu The Main Menu of the Management Console appears as follows:

Figure 2-2: Main Menu The Main Menu drop-down options comprise the functionality of the SWG Appliance as follows: • Users: Provides options for the system administrator to import users, arrange them into groups, and assign them with Security and other Policies. • Policies: Provides simplified and advanced configuration options for Policies. Security Policies comprise the main rules of Internet behavior for the end-users in your organization. definition of secure behavior and addresses the constraints imposed on Internet traffic. HTTPS Policies also focus on securing Internet Content on HTTPS sites. Logging policies determines which actions are recorded for analysis and Authentication Policies concentrate on identifying the end- users. • Logs and Reports: Web Logs screen provides monitoring on the blocked or suspicious content that was not allowed through. Logs are also available for system monitoring and for administrator monitoring. • Administration: Provides the main bulk of administrative, monitoring and configuration on the SWG devices and other scanning abilities. You can also perform system backups and restore from here; set High Availability, set alerts for system administrators and retrieve Security and Maintenance Updates.

4 M86 SECURITY, WORKING WITH THE CONSOLE WORKING WITH THE MANAGEMENT CONSOLE

• Help: Provides links, manuals and other resources for M86 Secure Web Gateway. • Logout: Provides the user with the option to log out of the M86 Secure Web Gateway console. The following Management icons found within the console are explained in the table below:

Menu Bar Icons Description

Activates the Management Wizards.

Directs you to the Web Logs screen for monitoring transactions.

Directs you to the M86 Devices screen for device configurations.

Directs you to the Dashboard - the one-stop System Monitoring component of the Management Console allowing you to keep tabs on all the Devices in real time.

“Commit Changes”. After editing and saving any changes, click Commit Changes. An additional dialog screen will pop up for you to add a Note. This Note will be displayed in the Audit Log view.

Click this icon to collapse and expand the left tree pane.

Click this icon to refresh the current screen.

Icons in Edit Screen

Click this icon to add rows.

Click this icon to add or delete specific rows.

M86 SECURITY, WORKING WITH THE CONSOLE 5 WORKING WITH THE MANAGEMENT CONSOLE

See also:

Users/User Groups

Blocked and Revoked Cloud Users

Unknown Users

50 M86 SECURITY, USERS USERS

Independent Users

Creating a New User Group

Adding a User to a User Group

Moving Users

The Importance of User/User Group Identifiers

User Details Screen User Details Screen

When creating a new User or editing the Details, the User Details screen appears.

Figure 4-4: User Details Screen

M86 SECURITY, USERS 51 USERS

The following table provides information on the fields displayed in the User Details screen:

Field Name Description

User Name Provide a descriptive User Name. Use the Identifiers section to identify the user to the system.

Email Displays the email address assigned to the user. Used primarily to send certificates to cloud users.

Security Displays the Security policy assigned to the User Group to Policy which the user belongs.

HTTPS Displays the HTTPS policy assigned to the User Group to Policy which the user belongs.

Logging Displays the Logging policy assigned to the User/ Policy User group.

Identifiers The Identifiers section is used to uniquely identify the user to the system. If you want to identify the Users, you can choose between an Identifier Type, either IP or User Name. If you have chosen IP, then add the required IP address in the Value field. If you have chosen User Name, then add the appropriate domain_name\user_name in the Value field. For a detailed explanation on Identifiers, please refer to The Importance of User/User Group Identifiers.

See also:

User Group Details Screen

Independent Users

The Importance of User/User Group Identifiers

Blocked and Revoked Cloud Users Blocked Cloud Users are users that are browsing through the Secure Web Gateway whose certificates are suspected of being compromised and are therefore deemed no longer valid. The

52 M86 SECURITY, USERS USERS

current user certificate must be verified.

Figure 4-5: Blocked Cloud User Screen The following table provides information on the fields displayed in the Blocked Cloud Users Details screen

Field Name Description

Group Name Displays the group’s name. The field cannot be edited by the user.

Security Policy Displays the Security policy assigned to the Blocked Cloud User.

Logging Policy Displays the Logging policy assigned to the Blocked Cloud User.

M86 SECURITY, USERS 53 USERS

Field Name Description

HTTPS Policy Displays the HTTPS policy assigned to the Blocked Cloud User.

IP Ranges If a specific IP address is not identified in the system, then SWG searches for a match in the defined IP ranges. IP ranges should not be overlapping. If the IP matches more than one range, then it is not possible to predict which user/policy will be enforced.

Revoked Cloud Users refers to users that are browsing through the Secure Web Gateway whose certificates are known to have been compromised and are therefore deemed no longer valid. The current user certificate is revoked and a new certificate must be issued.

Figure 4-6: Revoked Cloud Users Screen

54 M86 SECURITY, USERS USERS

The following table provides information on the fields displayed in the Revoked Cloud Users Details screen:

Field Name Description

Group Name Displays the group’s name. The field cannot be edited by the user.

Security Policy Displays the Security policy assigned to the Revoked Cloud User.

Logging Policy Displays the Logging policy assigned to the Revoked Cloud User.

HTTPS Policy Displays the HTTPS policy assigned to the Revoked Cloud User.

See also:

Users/User Groups

User Group Details Screen

Unknown Users

Independent Users

Creating a New User Group

Adding a User to a User Group

Moving Users

The Importance of User/User Group Identifiers

Unknown Users Unknown users are users that are browsing through the Secure

M86 SECURITY, USERS 55 USERS

Web Gateway but have not been identified.

Figure 4-7: Unknown User The following table provides information on the fields displayed in the Unknown Users Details screen:

Field Name Description

Group Name Displays the group’s name. The field cannot be edited by the user.

Security Displays the Security policy assigned to the Unknown Policy Users group.

HTTPS Policy Displays the HTTPS policy assigned to the Unknown Users group.

Logging Displays the Logging policy assigned to the Unknown Policy Users group.

56 M86 SECURITY, USERS USERS

Field Name Description

New Users Selecting the option displayed here means that unknown users are automatically added to the Unknown Users group. You cannot manually add users to this group. The default setting is disabled which means that unknown users in this situation remain unknown. This is useful in large organizations so that hundreds of new users are not inundating the system and conversely, useful in smaller organizations, allowing manual control over addition of new users.

Once there is a list of Unknown Users in this group browsing through the system, you have the option to move these Users into predefined User Groups by using the right-click tree menu option to Move Users. See also:

Users/User Groups

User Group Details Screen

Blocked and Revoked Cloud Users

Independent Users

Creating a New User Group

Adding a User to a User Group

Moving Users

The Importance of User/User Group Identifiers

Independent Users You can create independent users (i.e. they do not belong to a User Group) and assign them their own policies.

M86 SECURITY, USERS 57 USERS

Â To create a new User: 1. Right-click on the Independent Users folder and select Add User. The User Details screen is displayed on the right hand pane. 2. Enter a User Name for the user, for example, Debra. The name supplied in this field is a descriptive name, and it does not have to be the real user name. The real user name is or IP is supplied in the Identifiers section. 3. Assign Policies as required. For example, for the Security Policy, assign the M86 Security Basic Security Policy. For the Logging Policy select Log All Protective Actions and for the HTTPS policy, assign the M86 Security HTTPS Policy.

NOTES: You can double check this via Policies > Security > Default Basic Security Policy which will show the Users that the Policy is assigned to 4. The Identifiers section is used to uniquely identify the user to the system. Click to add a row.

58 M86 SECURITY, USERS USERS

5. In the Type drop-down list, choose between IP or User Name. If you have chosen IP, then add the required IP address in the Value field. If you have chosen User Name, then add the appropriate domain_name\user_name in the Value field.

Figure 4-8: Example for Creating a New User

6. The IP Ranges can be deleted by clicking next to the relevant row and selecting Delete. 7. Click Save to apply the changes. See also:

Users/User Groups

User Group Details Screen

M86 SECURITY, USERS 59 USERS

Blocked and Revoked Cloud Users

Unknown Users

Creating a New User Group

Adding a User to a User Group

Moving Users

The Importance of User/User Group Identifiers

Creating a New User Group

Â To create a new User Group: 1. Right-click on the User Groups main node and select Add Group from the drop-down menu. The User Group Details screen is displayed on the right hand pane. 2. Enter a Group Name for the new group, for example, Special Division.

60 M86 SECURITY, USERS USERS

Figure 4-9: Example for Creating New User Group 3. Assign Policies as required. For example, for the Security Policy, assign the M86 Security Basic Security Policy. For the HTTPS policy, assign the M86 Security HTTPS Policy and for the Logging Policy select Log All Protective Actions.

NOTES: All Policies have default values set via Policies > Default Policy Settings. The default values for each of the Policies (Security, HTTPS and Logging) are automatically assigned to users in the system if no other policy has been assigned to them.

4. In the IP Ranges section, click to add a new row.

5. Add the required IP addresses in the From IP and To IP fields. For a detailed explanation on IP Ranges, please refer to The Importance of User/User Group Identifiers.

M86 SECURITY, USERS 61 USERS

6. The IP Ranges can be deleted by clicking next to the relevant row and selecting Delete. 7. Click Save to apply the changes. See also:

Users/User Groups

User Group Details Screen

Blocked and Revoked Cloud Users

Unknown Users

Independent Users

Adding a User to a User Group

Moving Users

The Importance of User/User Group Identifiers

62 M86 SECURITY, USERS USERS

Adding a User to a User Group

Â To add a new user to a User Group: 1. Right-click on the required User Group and select Add User. The New User pane is displayed.

Figure 4-10: New User Pane 2. Enter a new user name. 3. The Identifiers section is used to uniquely identify the user to the system. Click and select Add.

4. In the Type drop-down list, choose between IP or User Name. If you have chosen IP, then add the required IP address in the Value field. If you have chosen User Name, then add the appropriate domain_name\user_name in the Value field.

M86 SECURITY, USERS 63 USERS

5. Click Save to apply the changes. See also:

Users/User Groups

User Group Details Screen

Blocked and Revoked Cloud Users

Unknown Users

Independent Users

Creating a New User Group

Moving Users

The Importance of User/User Group Identifiers

Moving Users

Â To move a user from one Group to another: 1. Right-click on the main folder of the source User Group you wish to move users from, and select Move Users from the drop- down menu. The Move Users screen is displayed on the right hand pane. 2. The Users in the selected group are listed in this screen. If the Users in the group exceeds the limit displayed per page (i.e. there is a large list of names spanning several pages) use the Previous and Next buttons to move between consecutive pages. Otherwise, enter a name in the Find All section and go to that particular selection. This filter may be cleared using the Clear button. 3. Select the destination User Group that you want to move your users To from the drop-down list.

64 M86 SECURITY, USERS USERS

Figure 4-11: Move Users from one Group to another 4. When you have finished moving the Users from the source User Group to the destination User Group, click OK to apply changes. See also:

Users/User Groups

User Group Details Screen

Blocked and Revoked Cloud Users

Unknown Users

Independent Users

Creating a New User Group

Adding a User to a User Group

The Importance of User/User Group Identifiers

M86 SECURITY, USERS 65 USERS

The Importance of User/User Group Identifiers A Security Policy is enforced only when it is assigned to a User or User Group. When the M86 SWG Appliance scans traffic, the first step is to identify the User and ascertain whether a security policy has been assigned. It is therefore important to enter the maximum number of available user identifiers. When working with a supported LDAP directory you do not need to enter identifiers for each individual user. You can import of LDAP groups from the LDAP server, relevant to the security policy. Or, you may prefer to create special groups for use with SWG. In order for user credentials to be available for matching with user identifiers, user authentication is required. Authentication is done by way of Identification policies. Please refer to the User Identification and Authentication Feature Description for more information. As soon as the Secure Web Gateway identifies a user by confirming a matching identifier, the assigned policy is enforced. The identification parameters are checked from the more specific to the less specific – until a match is found - in the following order: • User Name: The first transaction parameter that the system looks for is the user name. If a user name is found and can be matched to an assigned policy, then the policy is enforced and the remaining identifiers are no longer relevant. • IP Address: If a user name is not found, the system takes the IP address and looks for a user using this address. If a match is found, then the rule is enforced. • IP Range: If a specific IP address is not identified in the system, then the SWG searches for a match in the defined IP ranges. IP ranges should not be overlapping. If the IP matches more than one range, then it is not possible to predict which user/policy will be enforced. • LDAP Group: If user identifiers show that the user is included in an LDAP group, the group policy is assigned to the transaction.

66 M86 SECURITY, USERS USERS

If a user belongs to more than one group, the policy for the group highest on the list is assigned. See also:

Users/User Groups

User Group Details Screen

Blocked and Revoked Cloud Users

Unknown Users

Independent Users

Creating a New User Group

Adding a User to a User Group

Moving Users

Cloud User Certificate Management

The Cloud User Certificate Management section is used for identifying Secure Web Service users. It is a filtering system used to perform certificate issuing by supplying important user information. This screen includes the following fields:

Field Name Description

Domain Filter users within a specific domain

Name Filter for individual Users from within a particular domain by username.

Email Email address of a particular User.

Certificate Expiry date of an issued valid certificate. Expiration

M86 SECURITY, USERS 67 USERS

Field Name Description

Status Filter by status of certificate such as: •All •Blocked •Expired •Pending •Revoked • Non-issued • Valid

Click this button to run the filter

Click this button to clear all filters

Click this button to download certificates for an entire User Group en masse.

Previous or Next Click the Previous or Next buttons to view all filtered records.

Once the filter has been run and the required list of users has been obtained, right clicking on a particular user in the Domain field provides the following menu options: • Issue new certificates: In order to issue a new certificate • Block certificate: Choose this option to block an issued certificate until the certificate is confirmed not to have been compromised. • Revoke certificate: If a certificate has been deemed compromised, choose this option to revoke an issued certificate entirely. • Allow certificate: Re-allow a certificate for a particular user after initial certificate was blocked • Export certificate: Export a certificate to an external file on a per User basis

68 M86 SECURITY, USERS USERS

• Send provisioning email: Choose this option to re-send previously issued certificate information in the event that the initial certificate was lost.

Â To filter a Cloud user certificate: 1. Navigate in the Management Console to Users > Cloud Users Certificate Management. 2. In the Domain field, select the required domain from the drop- down menu. This menu will include any domains imported from LDAP and Active Directory. 3. In the Status field, select the required certificate status option from the drop-down menu. For example, All or Valid. 4. Click the Filter button.

Figure 4-12: Cloud User Certificate Management

M86 SECURITY, USERS 69 USERS

5. Once the results are shown in the window, right-click for certificate procedure menu options.

NOTES: The right-click menu options are dependant on the certificate status. Only menu options that are applicable to the particular status will be active in the drop-down 6. Select the certificate option for the domain, for example, Issue new certificate. Certificate management is complete. See also:

Users

Users/User Groups

LDAP

Active Directory

LDAP

This section allows for importing of large numbers of LDAP Groups into the Management Console and assigning them with specific Security, HTTPS and Logging Policies, as well as authenticate users against the LDAP server. LDAP Groups can be imported or deleted. The definition of users and groups is based on a retrieval mechanism that is attached to a remote directory (LDAP directory) such as Microsoft Active Directory, IBM Tivoli, Custom Directory and Sun One Directory. Right-click on one of the directory types to add a directory. When there is a demand for increased security the import process should be encrypted using the Secure Socket Layer (SSL) protocol. SSL achieves a higher level of security through the use of

70 M86 SECURITY, USERS USERS

cryptography, digital signatures, and certificates.

Figure 4-13: LDAP Directories Screen In general, the LDAP procedural steps are as follows: • Define a Directory • Import Groups • Import Users

For further information See: on

Defining a Directory General Advanced Settings Example for Adding an LDAP Directory

Import Groups Import Groups

Import Users Populating the LDAP Groups with Users

See also:

Users

Users/User Groups

Cloud User Certificate Management

Active Directory

M86 SECURITY, USERS 71 USERS

General

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

Moving LDAP Groups

General Depending on the type of directory you would like to add, right-click

72 M86 SECURITY, USERS USERS

on one of the directory types to add a new directory.

Figure 4-14: New LDAP Directory General Tab The following table provides information on the LDAP Directory

M86 SECURITY, USERS 73 USERS

fields displayed in the General tab:

Field Name Description

Name Supply a unique, descriptive, directory name. Two LDAP directories cannot share a name.

Address This enables the configuration of multiple directories. Each directory is identified with an IP or hostname, for example, 10.194.20.15. If the LDAP server does not listen to the default LDAP port, you can specify the port by adding:port_number after the IP address or hostname. For example: 10.194.20.15:636. The IPs should be separated by a comma

Base DN This is the DNS domain component name (e.g. dc=Finjan, dc=com).

Realm / This refers to the directory’s identifier in the Domain authentication process between the browser and the scanning server (e.g. M86 Security). This value will be detected automatically when working with Microsoft Active Directory.

User Authorized User DN for connecting to the directory. When using Microsoft Active Directory, enter the username only instead of its DN.

Password Password for entering into your organization’s directory.

Connect Over Enable to import the LDAP groups over SSL. Disabled by SSL default.

74 M86 SECURITY, USERS USERS

Field Name Description

Ignore This option is available only when Connect over Certificate SSL is enabled. When enabled, the Policy Server does Validation not perform certificate validation before starting the SSL session. When disabled, the Policy Server validates the certificate on each connection. If the certificate is invalid, user import fails and an event (such as a log, trap, or email) is created.

Check If checked, check the connection with the server after you Configuration press save. If the connection failed, the parameters will Settings not be saved.

See also:

LDAP

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

Moving LDAP Groups

Import Keytab Import Keytab

The General tab in the LDAP directory screen offers a Kerberos Authentication option. Performing Kerberos Authentication requires a keytab file and the following requirements must be met:

M86 SECURITY, USERS 75 USERS

• A DNS server must be present, and all directory servers must be resolved via the M86 SWG Appliance. • The times on the Policy Server and the directory machine must be synchronized.

Â To import the keytab file: 1. Right-click the LDAP directory in the left tree pane and select Import Keytab, which displays the Kerberos Keytab Upload screen. The Kerberos Authentication checkbox remains greyed-out until the keytab file has been imported to the directory that it supports. 2. After importing the keytab, return to the LDAP Directory screen and enable the Kerberos Authentication checkbox. See also:

General

Advanced Settings

Example for Adding an LDAP Directory

Advanced Settings The Advanced Settings tab provides User and Group attribute and filter settings.

76 M86 SECURITY, USERS USERS

Figure 4-15: Advanced Settings Tab The following table provides information on the LDAP Directory fields displayed in the Advanced Settings tab:

Field Name Description

User This parameter defines the attribute which indicates a Identifier user’s unique identifier. The value for this attribute is Attribute compared to the username provided by the proxy authentication. Default values are as follows: y Microsoft AD - sAMAccountName y IBM Tivoli - eraliases y SunOne - uid If this field is left empty then users/groups will be identified according to their DN.

M86 SECURITY, USERS 77 USERS

Field Name Description

User Object This parameter defines the filter in LDAP syntax that will Filter be used to identify user objects. Default values are as follows: y Microsoft AD - (&(objectclass=person)(objectclass=user)(!objectcl ass=computer)) y IBM Tivoli - (&(objectclass=person)(objectclass=organizational Person)) y SunOne - (&(objectclass=person)(objectclass=organizational Person))

Group This parameter defines the attribute which indicates a Identifier group’s unique identifier. The values of this attribute is Attribute used by the Management Console to display group names and assigning policies. Default values are as follows: y Microsoft AD - sAMAccountName y IBM Tivoli - ou y SunOne - cn If this field is left empty then users/groups will be identified according to their DN.

Group Object This parameter defines the filter in LDAP syntax that will Filter be used to identify group objects. Default values are as follows: y Microsoft AD - (objectclass=group) y IBM Tivoli - (&(objectclass=organizationalunit)(objectclass=erO rgUnitItem)) y SunOne - (objectclass=groupofuniquenames)

Connection This parameter enables you to set the maximum number Timeout of seconds for an unanswered LDAP query (the default is 120 seconds for all directory types).

78 M86 SECURITY, USERS USERS

Field Name Description

memberOf This parameter specifies which attribute holds the list of Attribute groups in which the user is a member. This attribute may remain empty, in which case the Member attribute is used to establish hierarchy. Default values are as follows: y Microsoft AD - memberOf y IBM Tivoli - erparent y SunOne - not supported Note: memberOf Attribute and Member Attribute cannot both be empty. If both attributes have values, the memberOf Attribute has priority.

Member This parameter specifies which attribute holds the list of attribute members of a selected group. This attribute may remain empty, in which case the memberOf Attribute is used to establish hierarchy. Default value is as follows: y SunOne - uniqueMember

Set Default Returns all the parameters above to their default values.

See also:

LDAP

General

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

Moving LDAP Groups

M86 SECURITY, USERS 79 USERS

Example for Adding an LDAP Directory

Â To add an LDAP Directory: 1. As an example, add a Microsoft Active Directory, right-click on the Microsoft AD server from the LDAP Directory tree on left pane and select Add Directory. The right pane is enabled for you to insert the Directory settings. 2. In the General tab, enter your company Base DN (for example, dc=finjan, dc=com), and IP Address for the new directory. To add a row for IP Address, click .to add a new row.

NOTES: The Realm/Domain is not required when the server is Microsoft Active Directory. An example for a different directory is FINJAN. 3. Enter the user name (for example, cn=administrator) and password for logging in to your organization's directory.

NOTES: LDAP passwords cannot include the < , > or space characters. Do not use non-English characters when using the Kerberos authentication method.

NOTES: For the Microsoft Active Directory, the user name should be the user’s account name (meaning, the name that appears on emails before the @company.com) 4. Select the connection mode. When increased security is recommended, select Connect over SSL. (Optional) When Connect over SSL is enabled, you can select to Ignore Certificate Validation. 5. Select the authentication mode. Select Use Kerberos Authentication. The Import button is enabled.

NOTES: You can use either SSL authentication or Kerberos authentication, or disable both and rely on simple authentication

80 M86 SECURITY, USERS USERS

Figure 4-16: Example for Adding LDAP Directory 6. Click the Import button to display the Kerberos Authentication Upload screen. 7. Browse to the location where the Kerberos Keytab file exists and then click Import to activate the changes. In order for Kerberos authentication to work, the following requirements must be met: yA DNS server must be present, and all directory servers must be resolved via the M86 SWG Appliance. yThe times on the Policy Server and the directory machine must be synchronized. 8. Configure the advanced settings in the Advanced Settings tab, as follows:

NOTES: When first selecting one of the server types the default recommended values for the advanced LDAP parameters are used.

M86 SECURITY, USERS 81 USERS

Figure 4-17: Example for Adding LDAP Directory Advanced Settings yIn the User Identifier Attribute field, enter sAMAccountName. yFor User Object Filter, enter (&(objectclass=person)(objectclass=user)(!objectcl ass=computer)) yFor Group Identifier Attribute, enter sAMAccountName. yFor Group Object Filter, enter (objectclass=group). ySelect the member Of Attribute and enter memberOf. yEnter the Connection Timeout (120 seconds is default). yTo ensure that your IP address is successful, run an automatic check of your connection by enabling the Check connection box.

82 M86 SECURITY, USERS USERS

9. Click Save. The Microsoft AD server will appear in the LDAP Servers tree. You can also check in the logs for verification.).

NOTES: Right-click on the Active Directory LDAP server in tree on the left pane and select Check Connection from the drop-down menu to check the IP address (i.e. successful connection to server). An error message is displayed if there was a problem connecting to the server(s). See also:

LDAP

General

Advanced Settings

Import Groups

Populating the LDAP Groups with Users

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

Moving LDAP Groups

Import Groups After defining the required Directory, the next step is to retrieve LDAP groups from the Directory to the Management Console, and choose those groups you want to import and define within the

M86 SECURITY, USERS 83 USERS

Secure Web Gateway.

Â To import LDAP Groups: 1. Right-click on a defined LDAP directory and select Add Groups from the drop-down menu. The LDAP Groups screen is displayed on the right hand pane. If this is the first time you are adding groups, this screen will be empty. If this is a repeat procedure, the system will display the User Groups previously imported.

NOTES: If you have more than one LDAP directory with the same properties, you can use one LDAP directory to import the users, and another LDAP directory can be used to authenticate the users. In this case, right-click on the LDAP directory used for import the users and select the option: Set Importable.

Figure 4-18: Example for Importing LDAP Groups 2. Use the Retrieve LDAP Groups option to retrieve the list of User Groups from the directory and display them on the screen.

84 M86 SECURITY, USERS USERS

3. Select the User Groups for import into the Management Console and click OK. The User Groups are displayed in the tree on the left pane. See also:

LDAP

General

Advanced Settings

Example for Adding an LDAP Directory

Populating the LDAP Groups with Users

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

Moving LDAP Groups

Populating the LDAP Groups with Users

Â To import LDAP users into an LDAP Group: 1. Right-click on the top node of the Directories tree.

M86 SECURITY, USERS 85 USERS

Figure 4-19: Import LDAP Users 2. Select Import LDAP Users. The Import begins immediately and a message should appear on the bottom left side of screen to please check system logs to confirm completion. 3. Navigate to Logs and Reports > View System Logs for confirmation that the immediate import was carried out. See also:

LDAP

General

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

Moving LDAP Groups

86 M86 SECURITY, USERS USERS

Settings and Defaults The tabs displayed refer to scheduling the importing of LDAP Users and the policies assigned to groups, which have not been defined within the system.

Figure 4-20: Settings and Defaults See also:

LDAP

General

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

M86 SECURITY, USERS 87 USERS

Moving LDAP Groups

Scheduled Settings In this screen you can configure the LDAP Import Schedule. This determines whether or not to import LDAP users, defining the frequency and time at which the import process takes place. Click Edit to edit the LDAP Import Schedule screen.

Figure 4-21: LDAP Import Schedule Screen Â To configure the Import Schedule: 1. In the LDAP Import Schedule, you can select an import to run either daily at a preconfigured time or every x number of hours. Alternatively, you can select No Scheduled Import. After

making any changes, click Save and click . 2. Another option in this bar is to perform an immediate import. This is done by right-clicking on the top level folder Directories and selecting Import LDAP Users. Navigate to Logs and Reports > View System Logs for confirmation that the immediate import was carried out. See also:

88 M86 SECURITY, USERS USERS

LDAP

General

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

Settings and Defaults

Unassigned LDAP Groups

Assigning Policies

Moving LDAP Groups

Unassigned LDAP Groups Unassigned LDAP groups are groups which have not been defined within the system. To edit the LDAP Group screen, click Edit on right hand pane.

Figure 4-22: Unassigned LDAP Group Screen

M86 SECURITY, USERS 89 USERS

The following table provides information on the fields displayed in the LDAP Group screen:

Field Name Description

Group Name Defines the LDAP Group Name.

Security Assigns a Security policy to the LDAP group. If you do Policy not specifically define a Security Policy here, the Policy defined in Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values. NOTE: The Full Bypass Policy (which does not appear in the Security Policies list) can be set here.

Logging Assigns a Logging policy to the unassigned LDAP Policy groups. If you do not specifically define a Logging Policy here, the Policy defined in Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.

HTTPS Policy Assigns an HTTPS policy to the unassigned LDAP groups. If you do not specifically define an HTTPS Policy here, the Policy defined in Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.

See also:

LDAP

General

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

Settings and Defaults

Scheduled Settings

90 M86 SECURITY, USERS USERS

Assigning Policies

Moving LDAP Groups

Assigning Policies User groups can be imported from various LDAP directories.

Â To assign policies to an LDAP Group: 1. Click on the imported user group to display the LDAP Group Policy screen on right hand pane.

Figure 4-23: LDAP Group Policies 2. To edit the LDAP Group screen, click Edit. 3. Assign a Security policy to the LDAP group from the drop-down menu. 4. Assign a Logging policy to the LDAP group from the drop-down menu. 5. Assign a HTTPS policy to the LDAP group from the drop-down menu.

NOTES: If you do not specifically define a policy here, the policy defined in the Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.

M86 SECURITY, USERS 91 USERS

6. Click Save to apply changes. Otherwise, Cancel. See also:

LDAP

General

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Moving LDAP Groups

Moving LDAP Groups If an LDAP user is included in more than one group, the policy implemented will automatically be that of the first group appearing in the list. Group priority is listed from top to bottom.

Â To move an LDAP Group: (Changing the order of the imported groups.)

92 M86 SECURITY, USERS USERS

1. Right-click on the LDAP group which you want to move.

Figure 4-24: LDAP Groups Before Move 2. Select Move Group to from the drop-down menu.

Figure 4-25: LDAP Group Menu

M86 SECURITY, USERS 93 USERS

3. Right-click on the LDAP group before which you want this group to be positioned. 4. Select Above this Group from the drop-down menu. The following shows the new position of the selected LDAP Group.

Figure 4-26: LDAP Groups After Move See also:

LDAP

General

Advanced Settings

Example for Adding an LDAP Directory

Import Groups

Populating the LDAP Groups with Users

94 M86 SECURITY, USERS USERS

Settings and Defaults

Scheduled Settings

Unassigned LDAP Groups

Assigning Policies

Active Directory

The Authentication Server is used to store username and password information that identify the users logging on. The Authentication Server validates this information and specifies whether or not user access is granted. For access to specific network resources, the server may itself store user permissions and company policies or provide access to directories that contain the information. M86 Secure Web Gateway supports authentication against Microsoft Active Directory authentication servers using the SMB Protocol. Multiple domains with a trust between them can be supported at the same time by defining a global list of authentication realms. Each realm is identified by the NetBIOS domain name and a list of redundant domain controllers given by IP or DNS name. See also:

Users

Users/User Groups

Cloud User Certificate Management

LDAP

Authentication Server

Authentication Server In this screen, you can Add or Delete Authentication Servers and Edit the server user information. This screen shows a list of the

M86 SECURITY, USERS 95 USERS

Authentication Servers including the Realm/Domain, address and status (active or not).

NOTES: Up to 10 Authentication Servers can be defined serving many trusted domains. The authenticate action will not perform real authentication unless there is at least one Authentication Server defined

Figure 4-27: Authentication Servers The following table provides information on the Authentication Server fields:

Field Name Description

Realm/ NETBIOS This refers to the Authentication Server’s name in the Name authentication process between the browser and the Scanning Server / Authentication Device. When using Active Directory you should specify the domain NetBIOS name.

Domain Controller This is the hostname. (It should be written without periods.)

96 M86 SECURITY, USERS USERS

Field Name Description

Trusted Domains These are domains that are trusted for authentication by the primary domain controller (specified in Realm/ Domain)

Active Select to activate the Authentication Server.

Â To add an Authentication Server: 1. Right-click on the top-level heading and select Add Server. 2. Enter an appropriate Realm/NETBIOS name. 3. In the Domain Controller section, click to add a new row. Enter a new Domain name. 4. In the Trusted Domain section, click to add a new row. Enter a new Domain name. 5. Repeat for as many times necessary. You can delete entries by clicking on the same row as the item and selecting Delete Row.

6. Click Save to apply changes. Next, click to commit them.

If you need to modify these fields in the future, select Edit and make your changes. See also:

Active Directory

M86 SECURITY, USERS 97 USERS

98 M86 SECURITY, USERS ADMINISTRATION

Chapter 5: Administration The Administration menu contains various sub-sections which allow you to configure the system components and manage global settings.

Figure 5-1: Administration Menu The Administration Menu contains the following options: • Administrators - Allows a super administrator to create administrators and administrator groups and assign permissions for the various configuration options within the Management Console. • System Settings - Allows you to configure the following: M86 Devices, Scanning Options, Scanning Engines, Digital Certificates and Administrative Settings • Cloud - Allows you to manage all aspects of M86 Secure Web Service Hybrid that pertain to Policy Server configuration and GUI management. • Rollback - Used for rolling the system back to a previous stable state. This comprises the Backup and Restore functions. • Reports Settings - Allows the Administrator to either backup or restore data from the Reports database. • Export/Import - Allows you to export Policies, HTTPS Policies, Identification Policies and Identification Logging Policies - as

M86 SECURITY, ADMINISTRATION 99 ADMINISTRATION

well as their conditions - from one Policy Server and import them into another. • Updates - Allows you to configure and upload the various updates for both security and software releases onto your Appliance. • Alerts - Allows you to monitor the main modules and components of the system and notify you of system events, application events or update events (via Email or SNMP). • System Information - Provides a simple way for the administrator to view the status of the system with respect to license and module information • Change Password - Allows an administrator to change his/her password. See also: Administrators

System Settings

Cloud

Rollback

Export/Import

Updates

Alerts

System Information

Change Password

Administrators

The Management Console can support multiple administrators working within the system. This function provides administrators with different permissions on classes (such as Policies or Logs) and on specific items (such as a specific security policy or URL list). This granularity addresses two issues relating to administrator

100 M86 SECURITY, ADMINISTRATION ADMINISTRATION

management: Roles – In a typical organization, different administrators have different roles, for example one administrator can be responsible for security settings, another administrator is responsible for system settings and a third administrator requires only a monthly view of the system. This functionality is achieved by providing the different administrators with different permissions on the functions. i.e. the security administrator will have full permissions on Policies and Condition Settings and read permission on Logs and Reports, the System administrator will have full permission on System functionality and no permission on all other functionality, etc. Separate management – There are deployments where the system supports multiple departments or companies, each having its own administrators and there is no data sharing. This scenario is addressed using administrator groups. An administrator group is associated with one or more user groups it manages and the actual data which is relevant for them, for example, a security policy. Within an administrator group, administrators can be defined, each with its own role, as previously explained. The data relevant to the user group, such as a specific security policy or URL white list is managed by the relevant administrator group. Therefore, each administrator group is granted permissions to each of the data objects such as security policy, URL list, etc. As a consequence all administrators within an administrator group share the same permissions on all data objects, even though they will have different roles. Administrators from different Groups can be granted permissions to see elements such as Policies, Logs etc belonging to other Administrator Groups. Super Administrators are not limited by the above constraints and can see all the Management Console options for all user groups.

NOTES: Only super administrators can create administrator groups and add administrators to administrator groups See also:

M86 SECURITY, ADMINISTRATION 101 ADMINISTRATION

Administration

System Settings

Cloud

Rollback

Export/Import

Updates

Alerts

System Information

Change Password

Default Permissions

Administrator Group Details

Administrator Details

Creating a new Administrators Group

Adding an Administrator to an Administrators Group

Permissions

Default Permissions This screen displays the baseline defaults for administrators in the Management Console. These defaults are preconfigured by M86 for easy permissions assignment and cannot be edited. The Default Permissions window contains two tabs: • Permissions - Categories View • Permissions - Grid View

Both tabs contain the following information:

102 M86 SECURITY, ADMINISTRATION ADMINISTRATION

Field Description Example

Class Class is any entity within the Header Fields, Import/ Management Console. It can Export, Security Policies be a stand-alone entity or it can contain other objects within it.

Sub-Class Group with permissions for the N/A objects. Finjan = default permissions My = My administrator group or any administrator group I am responsible for Other = Any administrator group outside of my jurisdiction

Object Object within a class (Header Fields) Media Players,

Default Default Permissions which are Update = can make Values granted when no other changes, create new permissions have been objects, etc defined. View = can view classes/ objects only None = has no permissions to this object/ class

Access Sets the Access permission. Default = Use the default setting Update = can make changes, create new objects, etc View = can view classes/ objects only None = has no permissions to this object/ class

M86 SECURITY, ADMINISTRATION 103 ADMINISTRATION

Permissions - Categories View

Incorporating all the data found in the Grid view, the Permissions Categories View displays data intuitively, in line with the current SWG Management Console menu. When selecting a permission category, the Sub-Category drop- down menu provides corresponding information. For example, when selecting the Condition Settings category, the corresponding conditions are viewable:

Figure 5-2: Default Permissions - Categories View

104 M86 SECURITY, ADMINISTRATION ADMINISTRATION

Permissions - Grid View

Figure 5-3: Default Permissions - Grid View For information pertaining to the Permissions - Grid View tab, refer to Default Permissions. See also: Administrators

Administrator Group Details

Administrator Details

Creating a new Administrators Group

Adding an Administrator to an Administrators Group

Permissions

M86 SECURITY, ADMINISTRATION 105 ADMINISTRATION

Administrator Group Details Click Edit to change the values in this screen. Use Save after editing this screen.

Figure 5-4: Administrator Group Details The administrator group Details screen contains the following information:

Field Description

Group Name Name of the Administrators Group (e.g. Finance, Marketing)

Notes Here you can write a description of the group.

Password expiration after x Select the required number of days after days which the administrators in this group will be forced to replace the password

106 M86 SECURITY, ADMINISTRATION ADMINISTRATION

Field Description

Enforce secure password If checked, the passwords must use at least 3 of the following criteria: contains [A-Z] contains [a-z] contains [0-9] contains one of the following [!@#$%^&*()]

Require password change If checked, then a new administrator in on first login this group will need to change the password on first login

Permissions definition Refer to Permissions for more information.

See also:

M86 SECURITY, ADMINISTRATION 137 ADMINISTRATION

Syslog Target

Logging Policies

Figure 5-16: Syslog Fields Configuration

Log Archiving

The Log Archiving tab includes Log Archiving Location and Log Archiving Scheduling. This tab allows you to send Log information to an external archive location and to schedule when the archives should be sent. Please refer to How to Use Log Archiving feature

138 M86 SECURITY, ADMINISTRATION ADMINISTRATION

description for further information.

Figure 5-17: Log Archiving Log Archiving Location - The Log Archiving feature enables sending large amounts of information to an external archive location. There are two formats: Basic and Extended. The information is displayed with comma separated values and sent in a Gzip file format. This information can then be imported into an external database for viewing or running reports. The Basic file contains most of the current Log fields available, displayed in the following way:

M86 SECURITY, ADMINISTRATION 139 ADMINISTRATION

Figure 5-18: Log Archiving In order to send the log archives to an external storage location, you must select the Connection Method to be used for connecting to the required location. In addition, you must create the required Logging Policy with the Send to Archive option ticked and have this assigned to the User Group. The following connection methods are available in the Connection method drop-down list and explained in the table below:

Connection Method Description

None An external archive is not used. (This is the default option).

FTP Connects via regular File Transfer Protocol methods.

FTP Passive Connects via File Transfer Protocol; there is a firewall located between the Policy Server and the remote FTP site.

Samba Use the Server Message Block (SMB) communication protocol.

SFTP Use the Secure File Transfer Protocol.

Your selected Connection Method determines the values used to define your Archive Location, User to connect with and

140 M86 SECURITY, ADMINISTRATION ADMINISTRATION

Password fields.

Selected: Description:

None No information can be entered.

FTP The Archive Location must include the server IP address/ dir for your selected location, for example, 10.194.5.104/ Sarah_FTP. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.

FTP Passive The Archive Location must include the server IP address/ dir for your selected location, for example, 10.194.5.104/ Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.

Samba The Archive Location must include the server IP address and directory for your selected location, in the following format: //address/dir, for example, //192.168.1.10/archive. The User to connect with must include the workgroup name and the user name used when connecting to the Archive Location, in the following format: workgroup/user, for example, marketing/nicole. The Password should be the password used by the above user.

SFTP The Archive Location must include the server IP address for your selected location, for example, 10.194.5.104/ The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.

When you click the Test button, an attempt is made to send a test file to the archive location. If the attempt failed, a message pops up. If the operation is successful, the message Archiving Operation Succeeded, displays in the bar on the bottom left of the

M86 SECURITY, ADMINISTRATION 141 ADMINISTRATION

screen. When everything is configured correctly, click Save to activate your changes. Log Archive Scheduling - you can choose to send the data to the archive location either at a fixed time every day or every number of hours as required.

NOTES: In addition to the SWG Internal Reporting Tool, M86 Security offers comprehensive support for integration with the Security Reporter. The Security Reporter (SR) is an advanced external reporter that offers organizational, security, and productivity reports. The SR option allows for sending log archives to both the Security Reporter and to an external storage location for archival purposes. See also: Log Properties

Collect Logs From

Syslog Target

Scanning Server The Scanning Server is responsible for analyzing and checking all content passing through the system in accordance with the Security Rules. The Scanning Server contains the following modules: • General • HTTP • Authentication • ICAP • FTP • WCCP • Cache • HTTPS

142 M86 SECURITY, ADMINISTRATION ADMINISTRATION

See also: Logging Policies

Logging Policy Details

Logging Rule Details

Conditions for Logging Policy Rules

Example for Creating a Logging Rule

M86 SECURITY, POLICIES 445 POLICIES

Logging Policy Details Clicking on any Logging Policy displays the Policy Details on the right pane.

Figure 6-62: Logging Policy Details The Policy Details screen contains the following information with the option to make changes using the Edit Æ Save/Cancel options.

Field Description

Policy Name Name of the specific policy

446 M86 SECURITY, POLICIES POLICIES

Field Description

Description Contains a description of the policy.

User Groups/Users Policies can be assigned to different User Groups and Users. This section displays which Users have this particular Policy assigned to them. For more information on assigning Policies to Users, please refer to Users/User Groups.

See also: Logging Policies

Logging Policies Tree

Logging Rule Details

Conditions for Logging Policy Rules

Example for Creating a Logging Rule

Available Policies Tree Options

Logging Rule Details Clicking on any Logging rule displays the Rule Details screen in the right pane.

M86 SECURITY, POLICIES 447 POLICIES

Figure 6-63: Logging Rule Details The Logging Rule Details screen contains the following information with the option to make changes using the Edit Æ Save/Cancel options.

Field Description

Rule Name Defines the name of the Logging rule.

Description Contains a description of the rule.

448 M86 SECURITY, POLICIES POLICIES

Field Description

Enable Rule When checked, the rule is enabled. When cleared, the rule is disabled.

Send To:

Archive Sends log information in files to an external remote location. This must be selected to ensure that there is relevant information to archive.

Log Sends information to the M86 log database, which can be seen via the Log View.

Report Sends information to the M86 reports database. This must be selected prior to running Reports to ensure that there is relevant information to display results.

Syslog Sends information to one or two UNIX Syslog facilities which log data.

See also: Logging Policies

Logging Policies Tree

Logging Policy Details

Conditions for Logging Policy Rules

Example for Creating a Logging Rule

Conditions for Logging Policy Rules Clicking on a condition opens up the Condition details in the right pane.

M86 SECURITY, POLICIES 449 POLICIES

Figure 6-64: Logging Policy Rules Condition Details The Condition Details screen displays the following information with the option to make changes using the Edit Æ Save/Cancel options.

Field Description

Condition Name Displays name of Condition. If you are defining a new condition, choose the required condition from the drop-down list.

450 M86 SECURITY, POLICIES POLICIES

Field Description

Select/Deselect All Choose to select/deselect all the items in the Condition

The bottom of the screen will display differently according to the Condition you have chosen.

The following Conditions are available for selection within the Logging Policy rules: • Active Content List • Anti-Virus (McAfee/Sophos/Kaspersky) • Archive Errors • Behavior Profile (Binary) • Behavior Profile (Script) • Binary VAD • Content Size • Digital Signature • Direction • File Extensions • Header Fields • IM • Location • Parent Archive Type • Protocol • Spoofed Content • Static Content List • Time Frame • True Content Type • URL Filtering (IBM/Websense) • URL Lists

M86 SECURITY, POLICIES 451 POLICIES

• Rule Action See also: Logging Policies

Logging Policies Tree

Logging Policy Details

Logging Rule Details

Example for Creating a Logging Rule

Rule Action Rule Action

This condition allows you the option of logging transactions when a specific end-user action is carried out: •Allow •Block • Block HTTPS •Bypass • Coach • Inspect Content • User Approval Rule Action is for Logging Rules only.

Figure 6-65: Rule Action Condition

452 M86 SECURITY, POLICIES POLICIES

IMPORTANT: If you want to log all end-user actions do not include the Rule Action condition in your Logging Policy Rule.

NOTES: If you want to log more than one end-user action (but not all of them), you must add a separate rule for each action you need to the Logging Policy. See also: Conditions for Logging Policy Rules

Logging Policies Tree

Logging Policy Details

Logging Rule Details

Example for Creating a Logging Rule

NOTES: When defining a Logging Rule, the conditions selected must match those of the Security Policy rule in order for the relevant transactions to appear in the Log View. Â To create a Logging Rule: 1. Create a new logging policy. 2. Right-click on this Policy and select Add Rule. The New Rule screen appears.

M86 SECURITY, POLICIES 453 POLICIES

Figure 6-66: Adding a New Logging Policy Rule 3. Enter a name for the new Logging Rule for example, Log All Transactions with Content Size Greater than 100 MB. Enter a brief description of the logging rule in the Description box. 4. Select the Enable Rule box in order to activate the new rule. 5. In the Send To area, click the required checkboxes and click Save. 6. Right-click on the rule you have created and select Add Condition, the New Condition pane is displayed. 7. in the Condition Name drop-down menu, select Content Size. 8. In the Applies To area, select Any of the items selected below.

454 M86 SECURITY, POLICIES POLICIES

9. Select Greater than 100 MB from the options below.

Figure 6-67: Creating a Logging Policy Rule Condition

10.Click Save to apply changes. Next, click to commit them.

See also: Logging Policies

Logging Policies Tree

Logging Policy Details

Logging Rule Details

Conditions for Logging Policy Rules

M86 SECURITY, POLICIES 455 POLICIES

Identification Policies

Identification Policies carry out the classification of an end-user to determine whether the end-user should browse through the system or not. The Identification Policy also enables the system to enforce the proper Security Policy for the end-user. The Rules are based on both the type of Authentication or Identification that M86 SWG will use as well as using Conditions of Header Fields, IP Ranges, Port Ranges and URLs.

NOTES: For full configuration details on the Authentication feature, please refer to the User Identification and Authentication Feature Description.

Figure 6-68: Identification Policies Menu Selection See also: Policies

Security Policies - Simplified

Assigned User Groups

Security Policies - Advanced

Master Security Policy

456 M86 SECURITY, POLICIES POLICIES

HTTPS Policies

Logging Policies

Device Logging Policies

Default Policy Settings

Condition Settings

Caching Policy

End User Messages

Identification Policies Tree

Identification Policy Details

Identification Rule Details

Identification Policy Rules Condition Details

Identification Policies Tree The Identification Policies tree holds all the current Identification Policies within that definition, as well as the rules that make up these policies and the conditions that make up the rules.

Figure 6-69: Identification Policies Tree This provides easy navigation through each Policy - displaying the components of that Policy at a glance. Policies, rules, and conditions can be added, duplicated or deleted

M86 SECURITY, POLICIES 457 POLICIES

by right-clicking on the relevant node. M86 Security's default Identification Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies. M86 Security provides several predefined Identification Policies: • Authentication: This Policy contains the Identify and Authenticate Users rule whose purpose it is to authenticate end- users using an Authentication Device. The rule in this policy is disabled by default. To activate it, configure an Authentication Domain via the Authentication Directories (), • Default Cloud Scanners Read Headers Policy: This policy contains the following rules: y Identify Branch Office Users by Headers rule whose purpose is to identify the users based on the HTTP headers that have been pre authenticated. y Always Identify Users by Headers whose purpose is to identify the end-users based on pre-defined Cloud Scanner HTTP headers. • Get User Credentials: This policy contains the Get User Credentials to Identify Users rule whose purpose is to obtain USERID information using the NTLM protocol and the default cluster of Authentication Devices IF the end-user is NOT in the defined IP Range and Header Field lists. • Read Headers: This policy contains the Always Identify Users by Headers rule whose purpose is to identify the users based on the HTTP headers that have been pre authenticated. • Source IP Only: This Policy contains the Always Identify Users by Source IP rule whose purpose is to identify the user by Source IP. This is the default identification action.

NOTES: For full configuration details on the Authentication feature, please refer to the User Identification and Authentication Feature Description. See also: Identification Policies

458 M86 SECURITY, POLICIES POLICIES

Identification Policy Details

Identification Rule Details

Identification Policy Rules Condition Details

Identification Policy Details Clicking on any Identification Policy displays the Policy Details screen in the right pane.

Figure 6-70: Identification Policy Details The Policy Details screen contains the following information with

M86 SECURITY, POLICIES 459 POLICIES

the option to make changes using the Edit > Save/Cancel options:

Field Description

Policy Name Name of the specific policy.

Authenticated By Device making the authentication.

Description Contains a description of the policy.

See also:

Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List

M86 SECURITY, POLICIES 505 POLICIES

Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote

Condition Settings: Binary Behavior M86’s binary behavior engine is based on checking security behaviors and profiles that are a subset of all available behaviors. The behaviors are examined through the inspection of the binary’s exposed mechanisms that define its required interfaces in the system, and which can be detected and filtered by the groups defined below. By applying the organizational security policy and translating it to the behaviors defined in the binary behavior profile, adequate protection and implementation of the security policy can be achieved. The behavior groups are created by Security experts from M86’s Malicious Code Research Center (MCRC), and fed into the Binary Behavior Profile, enabling the identification of malicious active content that defies the standard organizational security policy. M86 provides a Default Binary Profile Behavior, which displays the following tabs: • Automatic Execution and Termination • File Access

506 M86 SECURITY, POLICIES POLICIES

• Registry Access • Network Access • Minor Risk Operations • Disclosure of Information • Java Runtime • Change Settings • System Settings • General • Other Running Applications Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Binary Behavior. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. 6. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component.

M86 SECURITY, POLICIES 507 POLICIES

See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote Automatic Execution and Termination File Access Registry Access Network Access Minor Risk Operations Disclosure of Information Java Runtime Change Settings System Settings General Other Running Applications

508 M86 SECURITY, POLICIES POLICIES

Automatic Execution and Termination

The following Automatic Execution options are considered unsafe when performed by ActiveX and Executables:.

Automatic Execution Description

Create Process Potential misuse of function which is used to create system processes.

Dynamic Link Library Access to external DLL files in order to gain Invocation Functions additional functionality by ActiveX.

Terminate Process The binary file contains a reference to process termination operation.

Unresolved Library An attempt to access a library of functions that Access cannot be resolved directly.

The following Automatic Execution options are considered unsafe when performed by Java Applets:

Automatic Execution Description

Access Other Accessing applications outside the context of the Applications applet is considered a security violation. Applets are usually self-contained and do not need access to other applications.

Create Process Potential misuse of function, which is used to create system processes

Load Class Potential misuse of function which is used to load/ locate external Java program

Load Library Potential misuse of function which is used to load library (external library which contains program codes)

Remote Method An attempt to call a method on a remote object Invocation accessible over the network (internal or external)

M86 SECURITY, POLICIES 509 POLICIES

Automatic Execution Description

System Commands The binary file contains a reference to system commands (execute, schedule processes, etc.)

Terminate Process The binary file contains a reference to process termination operation

See also: Condition Settings: Binary Behavior File Access Registry Access Network Access Minor Risk Operations Disclosure of Information Java Runtime Change Settings System Settings General Other Running Applications File Access

The following File Access options are considered unsafe when performed by ActiveX and Executables:

File Access Description

File Delete Potential misuse of local privileged functions for file/ directory remove

File Read Potential misuse of local privileged functions for file read, data read

File Write Potential misuse of local privileged functions which write data to a file (audio, text or binary types)

510 M86 SECURITY, POLICIES POLICIES

The following File Access options are considered unsafe when performed by Java Applets:

File Access Description

File Create Potential misuse of local privileged functions as File Create/File Copy

File Write Potential misuse of local privileged functions which write data to a file (audio, text or binary types)

File Delete Potential misuse of local privileged functions for file/ directory remove

File Read Potential misuse of local privileged functions for file read, data read

File Query Potential misuse of local privileged functions for file read, open file, querying files parameters, etc.

File Rename Potential misuse of local privileged functions for file rename

See also: Condition Settings: Binary Behavior Automatic Execution and Termination Registry Access Network Access Minor Risk Operations Disclosure of Information Java Runtime Change Settings System Settings General Other Running Applications

M86 SECURITY, POLICIES 511 POLICIES

Registry Access

The following Registry Access options are considered unsafe when performed both by Java Applets and ActiveX and Executables:.

Registry Access Description

Registry Delete Potential misuse of local privileged functions for deleting registry key/value

Registry Read Potential misuse of local privileged functions for reading registry key/value

Registry Write Potential misuse of local privileged functions for writing/changing registry key/ value

See also: Condition Settings: Binary Behavior Automatic Execution and Termination File Access Network Access Minor Risk Operations Disclosure of Information Java Runtime Change Settings System Settings General Other Running Applications Network Access

The following Network Access options are considered unsafe when

512 M86 SECURITY, POLICIES POLICIES

performed by ActiveX and Executables:

Network Access Description

Bluetooth Potential misuse of local privileged functions Networking such as sending an authentication request to a remote Bluetooth device or retrieving information on a remote Bluetooth device

DNS Functions Potential misuse of local privileged functions that use DNS Client API, such as DNS query, record compare, etc.

Network Connect Potential misuse of local privileged functions in order to connect to other network elements such as functions that use HTTP client API to send requests through HTTP protocol to other HTTP servers, etc.

Network Listen Potential misuse of local privileged functions calls in order to access network services (e.g. listen for incoming connection)

Network Receive Potential Misuse of local privileged functions calls in order to access network services (e.g. retrieving content/data from other resources such as retrieving file from FTP server)

Network Send Potential misuse of local privileged functions calls in order to access network services (e.g. send network commands)

The following Network Access options are considered unsafe when performed by Java Applets.

Network Access Description

Network Receive Suspected network behavior such as open socket, receiving data packets

Network Resolve Suspected network behavior such as communicating with DNS server, getting host information, etc.

M86 SECURITY, POLICIES 513 POLICIES

Network Access Description

Network Send Suspected network behavior such as open socket, sending data packets

Open Socket Suspected network behavior such as open socket for communication (for data packet transfer)

See also: Condition Settings: Binary Behavior Automatic Execution and Termination File Access Registry Access Minor Risk Operations Disclosure of Information Java Runtime Change Settings System Settings General Other Running Applications Minor Risk Operations

The following Network Access options are considered unsafe when

514 M86 SECURITY, POLICIES POLICIES

performed by ActiveX and Executables:

Minor Risk Description Operations

Potentially Changing the way that an application uses the Dangerous Memory system memory may result in a crash or the Management disclosure of sensitive data. Functions

Potentially Process debugging functions may be used to Dangerous Process- reveal information from the system and alter the Debugging execution logic of the debugged applications. Functions

The following Minor Risk Operations options are considered unsafe when performed by Java Applets:.

Minor Risk Operations Description

CORBA Connection An attempt to create or manage a CORBA connection (Common Object Request Broker Architecture). This may utilize functionality that is provided remotely by an external object.

Memory Write An attempt to write data to a mapped memory segment.

Database Access Functionality related to database access activity.

Print Access Indicated access to printing functionality within the application.

Exit Browser Terminates the browser session.

Use Reflection Provides functionality to query existing applications and objects by examining them and gathering functionality information.

See also: Condition Settings: Binary Behavior

M86 SECURITY, POLICIES 515 POLICIES

Automatic Execution and Termination File Access Registry Access Network Access Disclosure of Information Java Runtime Change Settings System Settings General Other Running Applications Disclosure of Information

The following Disclosure of Information options are considered unsafe when performed by Java Applets:.

Disclosure of Information Description

Access Clipboard Potential misuse of local privileged functions such as reading computer clipboard and revealing sensitive information

Access Cookies Potential misuse of local privileged functions such as reading Internet cookies which might allow remote user to access bank accounts/ web based email, etc.

Enumerate Printer Potential misuse of local privileged functions Connections such as mapping or removing printer connections

Get User Information Potential misuse of local privileged functions such as getting specific user information (user name, system name, etc.)

Keystrokes Potential misuse of local privileged functions such as logging of keystrokes which might reveal user’s password

516 M86 SECURITY, POLICIES POLICIES

See also: Condition Settings: Binary Behavior Automatic Execution and Termination File Access Registry Access Network Access Minor Risk Operations Java Runtime Change Settings System Settings General Other Running Applications Java Runtime

The following Java Runtime options are considered unsafe when performed by Java Applets since by doing so an attacker may eliminate security restrictions:.

Java Runtime Description

Set Class Loader Potential misuse of function in order to locate, run Java program

Set Properties Potential misuse of function which might change the current working environment

Set Security Manager Potential misuse of function in order to set system’s security

See also: Condition Settings: Binary Behavior Automatic Execution and Termination File Access Registry Access

M86 SECURITY, POLICIES 517 POLICIES

Network Access Minor Risk Operations Disclosure of Information Change Settings System Settings General Other Running Applications Change Settings

The following Change Settings options are considered unsafe when performed by ActiveX and Executables:.

Change Settings Description

Change Network Potential misuse of local privileged functions calls Systems in order to change network settings (e.g. using HTTP server API functions)

Change System Potential misuse of local privileged functions in Settings order to change system settings (e.g. shell commands, network programming)

See also: Condition Settings: Binary Behavior Automatic Execution and Termination File Access Registry Access Network Access Minor Risk Operations Disclosure of Information Java Runtime System Settings General

518 M86 SECURITY, POLICIES POLICIES

Other Running Applications System Settings

The following System Settings options are considered unsafe when performed by Java Applets:.

System Settings Description

Change Printer Attempt to change printer connections which may Connections lead to disclosure of data

The following General options are considered unsafe when

M86 SECURITY, POLICIES 519 POLICIES

performed by ActiveX and Executables:

Database Access Description

Database Potential misuse of local privileged functions which Access allow accessing database

Exit Windows Potential misuse of local privileged functions which perform system shutdown, lock work station, etc.

The following Other Running Applications options are considered

520 M86 SECURITY, POLICIES POLICIES

unsafe when performed by ActiveX and Executables:

Other Running Description Applications

Code Injection into Potential misuse of local privileged functions Running Process which allows, for example, creating a thread that runs in the virtual address space of another process

Sending Messages to Potential misuse of local privileged functions other Applications which allows sending messages to a specific system process/procedure on local machine, etc.

The Higher Sensitivity Binary Behavior Profile contains the same Profile information. However, in this screen all the options are checked. See also: Condition Settings: Binary Behavior Automatic Execution and Termination File Access Registry Access Network Access Minor Risk Operations Disclosure of Information Java Runtime Change Settings System Settings General

Condition Settings: Content Size Content size refers to the amount of content being scanned. These content size values can be selected as a Condition to be included in your Policy Rules thereby limiting very large files from entering

M86 SECURITY, POLICIES 521 POLICIES

or leaving your organization. The predefined content sizes cannot be modified. However, new Content Size lists can be created.

NOTES: For containers, the content size refers to the size of the files once taken out of the containers - so while the actual container might be smaller than the size you defined, it could still be blocked. Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Content Size. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component. See also: Condition Settings

Available Condition Settings Tree Options

522 M86 SECURITY, POLICIES POLICIES

Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote Generating a Content Size Generating a Content Size

Â To generate a Content Size: 1. Right-click on the top-level heading Content Size and select Add Component. 2. Enter an appropriate Content Size name. 3. Enter the required Content Size.

4. Click Save to apply changes. Next, click to commit them. 5. If you need to modify this component in the future, select Edit and make your changes. See also: Condition Settings: Content Size

M86 SECURITY, POLICIES 523 POLICIES

Condition Settings: Data Leakage Prevention Data loss is of great concern to corporate security. M86 SWG specializes in scanning web content, thereby providing the ability to monitor and prevent specific types of data leakage. The intention is to protect information such as customer records, financial information, or intellectual property from leaving the company network. Data leakage prevention (DLP) capabilities should also assist companies in demonstrating regulatory compliance such as HIPAA, CISP etc.

NOTES: M86 provides Data Leakage prevention and monitoring capabilities for web protocols only. Email or other protocols will not be handled unless specifically mentioned. When dealing with DLP, SWG can scan HTTP, HTTPS and the FTP protocols for textual parts of documents. The document is split into multiple parts such as: Document body, Document metadata, like Microsoft Word document properties, such as, Author, Comments, and Headers/Footers.

NOTES: FTP will only be scanned for incoming content.

The supported file types are: • Microsoft Office y MS Word 2003 and 2007 (Binary), 2007 (XML) y MS Excel 2003 binary and 2007 XML y RTF • Adobe PDF The DLP rule builder enables the administrator to create on the fly rules which are a textual representation of the type of information that is not allowed to leave the company's network. Confidential Information:

The Confidential Information condition is a default condition supplied by the SWG that incorporates a multi-language built

524 M86 SECURITY, POLICIES POLICIES

condition used in a DLP rule, in X-ray mode, within a default policy. The Confidential information condition is pre-set to identify potentially harmful data.

The condition is editable by clicking and then clicking Edit. Click Save to commit changes.

Â Creating a Data Leakage Prevention Condition: 1. Navigate to Policies > Condition Settings > Data Leakage Prevention. 2. To Create a new Filter Condition, right click the Data Leakage Prevention node and select Add filter condition (You can use the left toolbar to do the same action by clicking on the icon). 3. Enter the condition name In the Data Leakage Prevention Name field. 4. When creating a new condition, the screen opens in the Condition Editor mode. Click Condition Builder to switch to the Condition Builder mode. For further information see DLP Condition Editor and Builder.

NOTES: All rules which are built using the condition editor will be automatically accessible via the condition builder and vice versa 5. When the condition is complete, click Save.

M86 SECURITY, POLICIES 525 POLICIES

6. Click on the management console (if enabled) to commit them. The new condition can be associated with any appropriate rule. See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote DLP Condition Editor and Builder DLP Condition Editor and Builder

The Data Leakage Prevention (DLP) rule builder provided by M86 has two modes of operation: the Condition Builder and the Condition Editor. Both modes use Boolean operators like And and Or to create filters. • The Condition Editor lets you manually enter the text that you want the DLP filter to search for (in a text box). In addition you

526 M86 SECURITY, POLICIES POLICIES

can use Boolean operators, like And, Or, Not and () when necessary. There are 4 different signs that represent various ASCII symbols:

y Represents any single symbol

y Represents any alphabetic single symbol

y Represents any single digit (0-9)

y Represents any single alphanumeric symbol including dash and underscore

NOTES: When copying text from another source, remove all formatting by pasting the text into Notepad or a similar plain text application first, and then re-copy it from the text application to the SWG screen. Â To Edit in Condition Editor mode: 1. Click a DLP condition listed in the left hand pane. 2. In view mode, click Edit.

M86 SECURITY, POLICIES 527 POLICIES

Figure 6-98: The Condition Editor Screen 3. Update the rule to your satisfaction. 4. Click Save.

5. Click (if enabled) to commit them.

• The Condition Builder: The condition builder lets you create or view the same rules as the condition editor using a graphical interface.

Â To Edit in Condition Builder mode: 1. Click a DLP condition listed in the left hand pane. 2. Click Condition Builder. 3. Click Edit.

528 M86 SECURITY, POLICIES POLICIES

Figure 6-99: The Condition Builder Update the rule to your satisfaction.

NOTES: To Toggle between the different views use the button when in the builder view and the

when in editor mode

4. Click Save.

5. Click (if enabled) to commit them.

See also: Condition Settings: Data Leakage Prevention Condition Details for Security Policy Rules

Example for Creating a Security Rule

Condition Settings: Destination Port Range

Condition Settings: Destination Port Range The Destination Port Range contains one or more port ranges that may be used as inclusion in the Identification Policy Rule in order

M86 SECURITY, POLICIES 529 POLICIES

to be blocked/allowed. This Range is used to distinguish a client application connecting to the SWG device by the destination port that they target.

NOTES: Persistent connections enable the client to connect to various targets via the same proxy connection. This means that the first request may target a different server port than the following requests Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Destination Port Range. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component. See also: Condition Settings

530 M86 SECURITY, POLICIES POLICIES

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote Generating an Item in the Destination Port Range Generating an Item in the Destination Port Range

Â To generate a new item in a Destination Port Range: 1. Right-click on the top-level heading Destination Port Range and select Add Component. 2. Enter an appropriate Destination Port Range name. 3. In the Destination Port Range section, click to add a new row. 4. Enter a Port number in the From/To range (for example, 443 to 450). 5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Port Range.

M86 SECURITY, POLICIES 531 POLICIES

6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this range in the future, select Edit and make your changes. See also: Condition Settings: Destination Port Range

Condition Settings: File Extensions

Condition Settings: File Extensions Each File Extension listed here is actually a list of other file extensions according to topic. The File Extensions are presented here as predefined lists for ease of convenience. They can be used as rule conditions in your security policy. You cannot add or delete extensions from the existing File Extensions provided by M86. However, you can create new File Extension lists.

See also: Condition Settings

532 M86 SECURITY, POLICIES POLICIES

Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote Generating a New Item in File Extensions

Multiple File Extensions Generating a New Item in File Extensions

Â To generate a new item in File Extensions: 1. Right-click on the top-level heading and select Add Component. 2. Enter an appropriate File Extension name.

3. In the File Extensions section, click to add a new row. 4. Enter the relevant File Extension. 5. Repeat for as many times necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Extension.

6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this list in the future, select Edit and make your changes. See also: Condition Settings: File Extensions Multiple File Extensions Multiple File Extensions

The Multiple File Extensions list can be edited here. Multiple File Extensions means that a file has more than one extension at the

M86 SECURITY, POLICIES 533 POLICIES

end of it, for example, file.txt.exe. where the last extension allows the Operating System to run the file. See also: Condition Settings: File Extensions Generating a New Item in File Extensions Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ File Extensions. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component.

Condition Settings: Header Fields Headers are metadata allowing the customer to customize rules based on these header fields. For example, you can create a rule

534 M86 SECURITY, POLICIES POLICIES

that blocks requests from specific user-agents. The headers can be either request or response headers. See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote Generating an Item in the Header Field Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Header Fields.

M86 SECURITY, POLICIES 535 POLICIES

2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component. Generating an Item in the Header Field

Â To generate a new item in Header Field: 1. Right-click on the top-level heading and select Add Component. 2. Enter an appropriate Header Field name. 3. In the Header Fields section, click to add a new row. 4. Enter a Header Name, Condition, and Header Value as required.

NOTES: The Header Field value uses various parameters for Regular Expression or Equals to. For example, “.*?M86” searches for the shortest string before the word M86. 5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Header.

6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this Component in the future, click Edit and make your changes.

536 M86 SECURITY, POLICIES POLICIES

See also: Condition Settings: Header Fields

Condition Settings: HTTPS Certificate Validation

Condition Settings: HTTPS Certificate Validation Certificate validation includes expiration checks, revocation and matching. SWG ensures that corporate policies regarding certificates are enforced, while removing the decision from the user’s hands by automatically validating each certificate and making sure that the chain goes back to the trusted authority. Policies regarding certificates are enforced by checking individual certificate names, date, trusted authority chain and revocation lists. A list of trusted certificate authorities is supplied with the system and used for digital signature analysis and for SSL certificate validation. Digital certificate lists are updated via the M86 security updates. These lists include the required trusted certificate authorities as well as the Certificate Revocation Lists. Administrators cannot modify or delete this default profiles, however they can duplicate the Default HTTPS Profile which can then be customized. M86 includes one predefined Default Certificate Validation Profile which contains the following certificate error events: • Invalid Certificate Structure • Certificate Cannot be Trusted • Certificate is Not Currently Valid • Certificate Revoked • Host Cannot be Trusted • Bad Certificate Usage See also: Condition Settings

Available Condition Settings Tree Options

M86 SECURITY, POLICIES 537 POLICIES

Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote Invalid Certificate Structure Certificate Cannot be Trusted Certificate is Not Currently Valid Certificate Revoked Host Cannot be Trusted Bad Certificate Usage Invalid Certificate Structure

The following table describes the options:

Invalid Certificate Description Structure

Cannot decode The certificate signature could not be decrypted issuer public key (meaningful for RSA keys).

Certificate signature The public key in the certificate cannot be decrypted SubjectPublicKeyInfo could not be read.

538 M86 SECURITY, POLICIES POLICIES

See also: Condition Settings: HTTPS Certificate Validation Certificate Cannot be Trusted Certificate is Not Currently Valid Certificate Revoked Host Cannot be Trusted Bad Certificate Usage Certificate Cannot be Trusted

The following table describes the options:

Certificate Cannot be Description Trusted

Authority and issuer Authority and issuer serial number mismatch - serial number The current candidate issuer certificate was mismatch rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate.

Authority and The current candidate issuer certificate was subject key identifier rejected because its subject key identifier was mismatch present and did not match the authority key identifier current certificate.

Certificate chain too The certificate chain length is greater than the long supplied maximum depth.

Certificate is self The certificate is self signed and the same signed certificate cannot be found in the list of trusted certificates.

Certificate not The root CA is not marked as trusted for the trusted specified purpose.

Certificate rejected The root CA is marked to reject the specified purpose.

M86 SECURITY, POLICIES 539 POLICIES

Certificate Cannot be Description Trusted

Certificate signature The signature of the certificate is invalid. failure

Invalid CA certificate Either the CA is not valid or it may not be used to sign the tested certificate for HTTPS communication.

Issuer certificate This occurs if the issuer certificate of an untrusted could not be found certificate cannot be found.

Key usage does not The current candidate issuer certificate was include certificate rejected because it may not sign other certificates signing (keyUsage).

Root certificate The certificate chain could be built up using the could not be found untrusted certificates but the root could not be locally found locally.

Subject issuer The current candidate issuer certificate was mismatch rejected because its subject name did not match the issuer name of the current certificate.

Unable to get local The issuer certificate of a locally looked up issuer certificate certificate could not be found. This normally means the list of trusted certificates is not complete.

Unable to verify the Unable to verify the first certificate - signatures first certificate could not be verified because the chain contains only one certificate and it is not self signed.

See also: Condition Settings: HTTPS Certificate Validation Invalid Certificate Structure Certificate is Not Currently Valid Certificate Revoked Host Cannot be Trusted

540 M86 SECURITY, POLICIES POLICIES

Bad Certificate Usage Certificate is Not Currently Valid

The following table describes the options:

Certificate is Not Description Currently Valid

Certificate is not yet The notBefore date is after the current time. valid

Certificate has The notAfter date is before the current time. expired

Format error in The certificate notAfter field contains an invalid certificate notAfter time. field

Format error in The certificate notAfter field contains an invalid certificate notBefore time. field

See also: Condition Settings: HTTPS Certificate Validation Invalid Certificate Structure Certificate Cannot be Trusted Certificate Revoked Host Cannot be Trusted Bad Certificate Usage

M86 SECURITY, POLICIES 541 POLICIES

Certificate Revoked

The following table describes the options:

Certificate Revoked Description

Certificate revoked The certificate has been revoked.

CRL has expired Certificate has expired - The notAfter date is before the current time.

CRL is not yet Certificate is not yet valid - The notBefore date is valid after the current time.

CRL signature The signature of the certificate is invalid. failure

Format error in The CRL lastUpdate field contains an invalid time. CRL lastUpdate field

Format error in The CRL nextUpdate field contains an invalid time. CRL nextUpdate field

Unable to decrypt This means that the actual signature value could not CRL signature be determined rather than it not matching the expected value.

Unable to get The CRL of a certificate could not be found. certificate CRL

See also: Condition Settings: HTTPS Certificate Validation Invalid Certificate Structure Certificate Cannot be Trusted Certificate is Not Currently Valid Host Cannot be Trusted Bad Certificate Usage

542 M86 SECURITY, POLICIES POLICIES

Host Cannot be Trusted

The following table describes the options:

Host Cannot be Description Trusted

Cannot verify The host name is unavailable and therefore hostname cannot be verified against the certificate.

Host name does not The host name mismatches the one mentioned in match certificate the certificate. name

See also: Condition Settings: HTTPS Certificate Validation Invalid Certificate Structure Certificate Cannot be Trusted Certificate is Not Currently Valid Certificate Revoked Bad Certificate Usage Bad Certificate Usage

The following table describes the options:

Bad Certificate Usage Description

Unsupported The supplied certificate cannot be used for the certificate purpose specified purpose.

Path length The basicConstraints pathlength parameter has constraint exceeded been exceeded.

See also: Condition Settings: HTTPS Certificate Validation Invalid Certificate Structure

M86 SECURITY, POLICIES 543 POLICIES

Certificate Cannot be Trusted Certificate is Not Currently Valid Certificate Revoked Host Cannot be Trusted

Condition Settings: IP Range The IP Range contains one or more IP ranges that end-users may be using in order to effectively identify or authenticate them. This can be used for inclusion as in the Identification Policy rule making. The range is used to distinguish the client machine connecting to the SWG device by its source IP. The default list named Exclude by IP was provided by M86 for the administrator to add/modify their own IP ranges as required.

See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists

544 M86 SECURITY, POLICIES POLICIES

Condition Settings: Vulnerability Anti.dote Generating a new Item in IP Range Generating a new Item in IP Range

Â To generate a new item in an IP Range: 1. Right-click on the top-level heading IP Range and select Add Component. 2. Enter an appropriate IP Range name. 3. In the IP Range section, click to add a new row. 4. Add in the appropriate addresses in the From IP Address and To IP Address fields. 5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the item and selecting Delete IP Range.

6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this range in the future, select Edit and make your changes. See also: Condition Settings: IP Range

Condition Settings: Pre Authenticated Headers Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example:

M86 SECURITY, POLICIES 545 POLICIES

1. Policies Æ Condition Settings Æ IP Range. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component.

Condition Settings: Pre Authenticated Headers Pre Authenticated Headers includes headers, which have been pre-authenticated (i.e. assumes that header data has been previously authenticated by a downstream proxy agent). These are available for inclusion in the Identification Policy Rules. See also: Condition Settings

546 M86 SECURITY, POLICIES POLICIES

Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote Generating a Pre Authenticated Header Generating a Pre Authenticated Header

Â To generate a Pre Authenticated Header: 1. Right-click on the top-level heading Pre Authenticated Header and select Add Component. 2. Enter an appropriate Pre Authenticated Header name. 3. Enter an IP address for example X-Client-IP. 4. Select a Domain/User, for example, a Custom header such as X-Authenticated-User, or a Basic Authenticated header from downstream proxy.

NOTES: When the Basic Authenticated header from downstream proxy checkbox is set, the proxy will use the basic authentication header per transaction and not per connection.

5. Click Save to apply changes. Next, click to commit them. 6. If you need to modify this component in the future, select Edit and make your changes. See also: Condition Settings: Pre Authenticated Headers

Condition Settings: Script Behavior

M86 SECURITY, POLICIES 547 POLICIES

Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Pre-Authenticated Headers. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component.

Condition Settings: Script Behavior M86’s script behavior engine is based on checking security behaviors and profiles that are a subset of all available behaviors. The groups that drive the operation of the Application-Level Behavior Based engine are not signature-based. Groups at various levels define language tokens, semantic patterns of Active Code, forbidden combinations of operations, parameters and programming techniques. These Behavior groups are created by security experts from M86’s Malicious Code Research Center

548 M86 SECURITY, POLICIES POLICIES

(MCRC), and fed into the Behavior Profile scanning engines, enabling the identification of malicious active content. The system is preconfigured with default Behavior Profiles. These defaults are available for inclusion in your Rule Conditions. The Default Script Behavior displays the following tabs: • File System Operations • Windows Network Operations • Registry Operations • Operating System Operations • Advanced Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Script Behavior. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing.

M86 SECURITY, POLICIES 549 POLICIES

Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component

See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Time Frame Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote File System Operations Windows Network Operations Registry Operations Operating System Operations Advanced File System Operations

The following File System operations are considered unsafe when

550 M86 SECURITY, POLICIES POLICIES

performed by VB/Java scripts:.

File System Description Operations

File Copy Attempt to copy local file

File Create Attempt to create local file

File Delete Attempt to delete local file

File Query Attempt to detect whether a file exists under specific path in the local file system

File Read Attempt to read local file

File Write Attempt to write to a local file

See also: Condition Settings: Script Behavior Windows Network Operations Registry Operations Operating System Operations Advanced Windows Network Operations

The following Windows Network operations are considered unsafe when performed by VB/Java scripts:.

Windows Network Description Operations

Network Drive Attempt to remove a shared network drive from the Delete computer system

Network Drive Query Attempt to detect whether a specific network drive exists

M86 SECURITY, POLICIES 551 POLICIES

Windows Network Description Operations

Network Printer Attempt to manipulate network printers by adding/ Operations removing a remote MS-DOS-based or windows printer connection to the computer system or set different default printer, etc.

Query Logged-On An attempt to query for specific user domain User name, user name, computer name, etc.

Windows Log An attempt to manipulate a Windows log event Operations

See also: Condition Settings: Script Behavior File System Operations Registry Operations Operating System Operations Advanced Registry Operations

The following Registry operations are considered unsafe when performed by Java applets:.

Registry Description Operations

Registry Read Attempt to read system registry key or value

Registry Write An attempt to create a new key within the system registry, add another value-name to an existing key (and assign it a value), or change value of an existing value-name

Registry Delete An attempt to delete a key or one of its values from the system registry

See also:

552 M86 SECURITY, POLICIES POLICIES

Condition Settings: Script Behavior File System Operations Windows Network Operations Operating System Operations Advanced Operating System Operations

The following Operating System operations are considered unsafe when performed by Java applets:.

Operating System Description Operations

Access Microsoft An attempt to run Microsoft Outlook could Outlook result in accessing sensitive data (reading and sending out of corporate network)

Access Attempt to execute an application on a local Potentially machine. These applications are legitimate Dangerous ones and are used to bypass local machine Applications security to perform non legitimate acts such as accessing restricted data

Create Process An attempt to open shell command and execute system processes

Inter-Process An attempt to perform communication Communication between running processes by sending parameters which may results in performing non legitimate processes.

Environment Environment variables are strings that Variables-Related contain information about the environment Operations for the system, and the currently logged on user. This group refers to any manipulation performed on those variables.

See also: Condition Settings: Script Behavior File System Operations

M86 SECURITY, POLICIES 553 POLICIES

Windows Network Operations Registry Operations Advanced Advanced

The following Advanced operations are considered unsafe when performed by Java applets:

Advanced Description

Access to Web content that tries to access local environment Environment variables may use the information for malicious or Variables identity theft purposes

Bogus Script Function Some non-legitimate script functions can cause the Usage to Crash browser to stop working Browser

Browser Status Bar The browser's status bar can be changed using Modification specially crafted scripts.

Channel Adding to the Remote scripts can be used to add active desktop Active Desktop channels

Clipboard Referencing Remote scripts can be used to grab information stored in the user’s clipboard

Code Obfuscation These are a set of different programmatic (Home- Encoding) techniques used to obfuscate code. Usually the purpose of code obfuscation is to bypass signature based security products and are considered potentially malicious

Code Obfuscation These are a set of different programmatic (Home- Encoding) techniques used to obfuscate code. Usually the (Complementary purpose of code obfuscation is to bypass signature Rule) based security products and are considered potentially malicious

554 M86 SECURITY, POLICIES POLICIES

Advanced Description

Code Obfuscation These are a set of different programmatic (Home-Encoding) techniques used to obfuscate code. Usually the Type II purpose of code obfuscation is to bypass signature based security products and are considered potentially malicious

Code Obfuscation These are a set of different programmatic (Home-Encoding) techniques used to obfuscate code. Usually the Type III purpose of code obfuscation is to bypass signature based security products and are considered potentially malicious

Dangerous ActiveX Some ActiveX Objects can be used to remotely Objects Remote read, write and execute files. Creation Protection, Remote File Read and Execution Protection

DHTML Properties Some uncommon DHTML attributes can be used to Setting mask malicious actions.

Dynamic Addition of Dynamically adding HTML elements can be used to HTML Elements mask malicious content.

Dynamic creation of Dynamic creation of HTML elements can be used to HTML Element mask malicious actions.

Dynamic HTML Dynamic assignment of HTML content can be used Assignment to mask malicious actions.

Dynamically setting a Dynamically setting a mouse event can be used to Mouse Event mask malicious actions.

Endless Loop Denial Scripts using endless loops can take over the CPU. of Service

Environment Referring to local environment variables can allow Variables Remote remote cross-zone scripting. Access/Reference Protection

M86 SECURITY, POLICIES 555 POLICIES

Advanced Description

Faking a known Displaying a fake version of a known local Application Dialog application dialog in the browser can be used for phishing and spoofing attacks.

Generic History Theft Scripts that try to access the browsing history can Protection use the information to collect browsing habits for the purpose of marketing, as well as refining attack vectors where the victim may visit a site who's profile matches his browsing habits

Generic Internet Specially created URLs can be used for phishing Explorer Remote and spoofing attacks. Zone Bypass, Address Bar Spoofing and Status Bar Spoofing

Generic Local Links to local files can be used for remote cross- Resource Remote zone scripting. Reference

Generic Shellcode Detect the use of shellcode. Shellcode should be Detection blocked since it compromises the end user’s computer.

Generic Shellcode This is another type of shellcode detection Detection Type II technique.

Generic VB Script/ Links containing script injections can be used for Java Script Injection remote cross-zone scripting. Attempts

Help Protocols and Help protocol handlers that are part of the help Windows Help System system provided by Microsoft Windows can be used Remote Code for remote cross-zone scripting. Execution

Help Protocols Usage Help protocol handlers can be used for remote cross-zone scripting and buffer overflow attacks.

HTML Code Injection HTML code injections can be used for masking malicious actions.

556 M86 SECURITY, POLICIES POLICIES

Advanced Description

HTML Code Injection HTML code injections at a specific location in the at a Specific Location data object model can be used for masking malicious actions.

HTML Elements Special ActiveX Objects that hide HTML elements hiding by ActiveX can be used in phishing and spoofing attacks. Objects

HTML Elements Special style attributes that hide HTML elements can Hiding by Setting the be used for phishing and spoofing attacks. HTML Style

IE Favorites Manager The Internet Explorer Favorites Manager can be Remote File used to overwrite local files. Overwriting Protection

IE NavigateAndFind The Internet Explorer NavigateAndFind function can Zone Bypass be used for remote cross-zone scripting. Protection

Import HTML Tag The HTML Import tag can be used to mask malicious Usage actions.

Importing a Style Scripts that add external style sheets to an existing Sheet into an Existing style sheet can be used to mask malicious actions. Style Sheet

Location.Assign Setting the "Assign" property of a location object can Remote Code be used for remote cross-zone scripting. Execution Vulnerability

MHTML Protocol When referring to MHT files, MHTML protocol Remote File Creation, handlers can be used for remote cross-zone Cross-Domain scripting or buffer overflow attacks. Scripting and/or Remote Code Execution

Mailto: Protocol The mailto protocol handler, when combined with Injection specially crafted scripts, can be used for remote cross-zone scripting.

M86 SECURITY, POLICIES 557 POLICIES

Advanced Description

Media Protocols Some media protocol handlers can be used for Usage remote cross-zone scripting or buffer overflow attacks.

Media/Search Bars Directing pages to the Internet Explorer Media and Code Injection Search bars can be used for remote cross-zone Protection scripting.

Microsoft IE popup Scripts that try to open popup windows may try to blocker bypass bypass the built-in protection in recent versions of vulnerability Internet Explorer.

Microsoft Office Microsoft Office protocol handlers can be used for Protocols Usage remote cross-zone scripting or buffer overflow attacks.

Microsoft Windows Scripts that refer to a user's desktop can be used for Remote Permanent remote cross-zone scripting. Code Execution/Script Injection into Desktop

Miscellaneous Some common protocol handlers can be used for Protocols Usage remote cross-zone scripting or buffer overflow attacks.

Mozilla Firefox Scripts attempting to use the about: protocol in (About:) Protocol Mozilla may try to alter system settings and make the security mechanisms built into the browser less effective.

Netscape/Mozilla The Privilege Manager in Netscape/Mozilla can be Privilege Manager used for remote cross-zone scripting. Protection

News Protocols News protocol handlers (e.g. http) can be used for Usage remote cross-zone scripting or buffer overflow attacks.

Obfuscated Text Obfuscating text content can be used for masking Content malicious actions.

Opening Non-focused This malicious behavior can be used for spoofing/ window from a link phishing attacks.

558 M86 SECURITY, POLICIES POLICIES

Advanced Description

P2P Protocols Usage P2P protocol handlers can be used for remote cross- zone scripting or buffer overflow attacks.

Potentially exploitable Detects and blocks the use of potentially exploitable protocol handlers protocol handlers

Reference to Local Any remote access to a local file is a clear violation Resources of the Internet Zones separation.

Remote Code Certain Internet Explorer default style behaviors can Execution, Remote be used for remote cross-zone scripting. Data Theft, and all Drag and Drops Generic Protection

Reoccuring Function Expression evaluation and time elapsed function Invocation or invocation functions can be used for masking Expression Evaluation malicious actions.

Resource Protocols Resource protocol handlers (e.g. using the “res” Usage protocol handler) can be used for remote cross-zone scripting.

Script Source The link tag allows loading a custom image as the Attributed to an Icon icon for a website, displayed in the location bar and in the tab title. Setting the href attribute of this tag to a javascript url is potentially malicious and non standard behavior.

Sensitive Data Some Internet Explorer HTML Tags and style Compromise behaviors can be used to disclose sensitive private information.

Show Modeless Modeless dialog, when combined with specially Dialog Suspicious crafted scripts, can be used for phishing and Usage of Function spoofing attacks.

Size Limitation of Tag Setting a very long value in HTML tag attributes can Property Inside HTML be used for buffer overflow attacks. Content

Telnet Protocols Telnet protocol handlers can be used for remote Usage cross-zone scripting or buffer overflow attacks.

M86 SECURITY, POLICIES 559 POLICIES

Advanced Description

Using Script Encoded Scripts that are encoded or may attempt to encode Functions content are considered potentially malicious as this technique is used to bypass signature based security protocols.

Web Forms Auto Scripts that use auto-complete functions can Completion Text disclose a user’s private information.

Windows and Frames Setting the position of windows or frames can be Showing in an used for phishing and spoofing attacks. Absolute Position

The Higher Sensitivity Script Behavior Profile contains the same Profile information. However, in this screen all the options are checked. See also: Condition Settings: Script Behavior File System Operations Windows Network Operations Registry Operations Operating System Operations

Condition Settings: Time Frame The existing M86 time frames given with the system can be modified to suit local times and customs. New Time Frames can also be added. This condition enables the administrator to modify organizational demands and needs according to varying times of the week, thereby increasing system efficiency and productivity. The Time Frame included as a Condition for Policy Rules can be configured here.

Â To generate a new item in a Time Frame: 1. Right-click on the top-level heading Time Frame and select Add Component.

560 M86 SECURITY, POLICIES POLICIES

2. Enter an appropriate Time Frame name. 3. In the Time Frames section, click to add a new row. 4. Enter a Name, From Day, From Time and To Day, To Time values as required. 5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Time Frame.

6. Click Save to apply the changes. Next, click to commit them. 7. If you need to modify this list in the future, click Edit and make your changes. Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Time Frame. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing.

M86 SECURITY, POLICIES 561 POLICIES

Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component

See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: URL Lists Condition Settings: Vulnerability Anti.dote

Condition Settings: Upstream Proxy

After traffic is scanned by the SWG system, it can be sent either to a router, based on routing table information, or to an upstream proxy, where the request is sent in proxy format. Before configuring any upstream policy, the upstream proxy must first be configured in the Condition Settings upstream screen. Right click the top Upstream Proxy node to Add Component, or click in the left tree pane.

562 M86 SECURITY, POLICIES POLICIES

NOTES: Direct is the default Upstream Proxy component and is therefore not editable. The Upstream Proxy window provides settings for upstream proxy configuration.

Figure 6-100: Upstream Proxy The following table provides information on the HTTP Upstream fields

Field Name Description

Client IP Header Header information for user identifiers supplied by an upstream proxy.

User Name Header Specifies the User Name in the Header Field.

M86 SECURITY, POLICIES 563 POLICIES

Field Name Description

Protocol

Protocol - Host - For each protocol - HTTP, HTTPS, FTP click Active Port - Active and add the required IP address. To use the same proxy for all protocols, select Use for all protocols

The Enable caching per whole proxy definition checkbox allows caching to be activated globally, OR on a per upstream proxy basis.

WARNING: A valid caching-enabled SWG license is required for the Enable caching per whole proxy definition to work. If no valid license exists, enabling this checkbox becomes irrelevant. See also: HTTP HTTPS Header Fields Device IP

Condition Settings: URL Lists The URL lists allow you to include specific URLs in a white list (allowed) or black list (blocked) to accelerate system performance. URL lists play a large part in Security Policy making. M86 predefined URL lists, such as M86 Security Recommended White List cannot be modified. The following right-click options are available from the URL Lists

564 M86 SECURITY, POLICIES POLICIES

tree:

Action Description

Available from specific URL list Component. Delete List Deletes the list

Available from specific Component. Import to List Allows importing many URL addresses into a list. Please refer to Generating a New Item in a URL List

Available from specific Component. Export to File Allows exporting the URL addresses within a list to a file which can then be edited, printed, imported etc.

Available from specific Component. Delete all Items Deletes all the URL addresses in the list on the right screen.

Available for all Components. Allows the Used In administrator to see in which policies and rules this particular condition was used.

NOTES: The Bypassed Context Scanning List can be edited here but is not included in Rule Conditions. You can edit this list to decide which embedded objects do NOT need to be scanned in their full context. This is automatically used as part of the scanning process Generating a New Item in a URL List

There are two different ways to add URLs to this new list. The first option involves importing pre-created text files or xml files containing URL addresses (without protocols).

Â To add xml or txt files containing URLs to the list: 1. First, write a text file of URLs, with each URL starting on a new line. OR - write an xml file with each node representing a URL

M86 SECURITY, POLICIES 565 POLICIES

2. Next, save the file to a known location. Alternatively, export an existing list of URLs to a known location and edit the list. 3. Right-click on the list you want to import the files to on the right of the screen and select Import to List. 4. Click Browse and navigate to your saved file. Next, click Open on the Windows dialog box. 5. Click Import, located on the bottom of the screen. The contents of the file – that is, the URL addresses, appear in the pane.

6. Click Save to apply changes. Next, click to commit them. The second option involves adding individual URLs (without protocols) to the list.

Â To add individual URLs to a given list: 1. Right-click on the top-level heading and select Add List. 2. Enter an appropriate URL List name.

NOTES: To include the entire domain, a slash (/) and an asterisk (*) must be added. 3. In the URL section, click to add a new row. 4. Enter an appropriate URL. 5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete URL. 6. In the Regular Expressions tab, click Edit.

7. Click to Add a Regular Expression URL. Enter a brief description of this URL. For information on allowable syntax in this field, see Regular Expressions.

8. Right click in subsequent rows to add or delete Regular Expression URL records.

566 M86 SECURITY, POLICIES POLICIES

9. Click Save to apply changes. Next, click to commit them. 10.If you need to modify this list in the future, click Edit and make your changes. See also: Condition Settings: URL Lists

Condition Settings: Vulnerability Anti.dote

Â To find a specific URL: 1. Right-click on the top-level heading and select Find URL. 2. In the Find URL field of the URL Lists screen, enter an appropriate URL. This field requires only partial URL 3. In the URL section, click to add a new row. 4. Enter an appropriate URL. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete URL. Regular Expressions

The URL list also allows the use of Regex (Regular Expressions used to describe or match a set of strings according to certain syntax rules) to support regular expressions usage for URL categorization. The regular expression may be defined for each category as well for the URL List, with the ability to define several regular expressions for each category. As with all Regular Expressions, specific syntax rules vary depending on the specific library used. The following tables contain the supported Regular Expression Syntax used in the M86 SWG URL lists:

M86 SECURITY, POLICIES 567 POLICIES

Character representations:

Sequence Meaning

\a Alert (bell).

\b Backspace.

\e ESC character, x1B.

\n Newline.

\r Carriage return.

\f Form feed, x0C.

\v Horizontal tab, x09.

\t Vertical tab, x0B.

\octal Character specified by a three-digit octal code.

\xhex Character specified by a hexadecimal code.

\cchar Named control character.

"..." All characters taken as literals between double quotes, except escape sequences.

Character classes and class-like constructs:

Sequence Meaning

[...] A single character listed or contained within a listed range.

[^...] A single character not listed and not contained within a listed range.

. Any character.

\d Digit character ([0-9]).

\D Non-digit character ([^0-9]).

568 M86 SECURITY, POLICIES POLICIES

Sequence Meaning

\s Whitespace character ([ \t\n\r\f\v]).

\S Non-whitespace character ([^ \t\n\r\f\v]).

\w Word character ([a-zA-Z0-9_]).

\W Non-word character ([^a-zA-Z0-9_]).

Alternation and Repetition:

Sequence Meaning

...|... Try subpatterns in alternation.

* Match 0 or more times (greedy).

+ Match 1 or more times (greedy).

? Match 0 or 1 times (greedy).

{n} Match exactly n times.

{n,} Match at least n times (greedy).

{n,m} Match at least n times but no more than m times (greedy).

*? Match 0 or more times (abstemious).

+? Match 1 or more times (abstemious).

?? Match 0 or 1 times (abstemious).

{n,}? Match at least n times (abstemious).

{n,m}? Match at least n times but no more than m times (abstemious).

{MACRO} Include the regex MACRO in the current regex.

M86 SECURITY, POLICIES 569 POLICIES

Anchors:

Sequence Meaning

^ Start of string or after a new line.

See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: Vulnerability Anti.dote Generating a New Item in a URL List

Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

570 M86 SECURITY, POLICIES POLICIES

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ URL Lists. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component

Condition Settings: Vulnerability Anti.dote Vulnerability Anti.dote utilizes a multi-layered rule-based engine that can “understand” HTML, scripts and other programmatical components that make up HTTP-based content, at a level similar to compiler analysis. M86’s MCRC experts create detailed rules that capture the essence of the various possible vulnerabilities in browser applications, Windows operating system and services, and other applications that can be accessed by active content such as FTP, Windows Media Player, etc. Based on these behavioral rules, M86's scanning servers detect any attempt to exploit one or more vulnerabilities and block such content from entering your network. Vulnerability Anti.dote appears as several tabs of identifiable browser and operating system vulnerabilities proprietary to M86. This Vulnerability Anti.dote profile is not configurable, but is

M86 SECURITY, POLICIES 571 POLICIES

updated by MCRC Security Updates as new Windows vulnerabilities are discovered. It is also possible to create a customized Vulnerability Anti.dote profile, selecting the required vulnerabilities to be added to the profile. The Vulnerability Anti.dote profile contains the following list of vulnerabilities: • Crashing Internet Clients • Remote Script • Remote ActiveX • Cross-Site and Spoofing • Buffer Overflows • 3rd Parties See also: Condition Settings

Available Condition Settings Tree Options Condition Settings: Active Content List Condition Settings: Archives Condition Settings: Binary Behavior Condition Settings: Content Size Condition Settings: Data Leakage Prevention Condition Settings: Destination Port Range Condition Settings: File Extensions Condition Settings: Header Fields Condition Settings: HTTPS Certificate Validation Condition Settings: IP Range Condition Settings: Pre Authenticated Headers Condition Settings: Script Behavior Condition Settings: Time Frame Condition Settings: URL Lists

572 M86 SECURITY, POLICIES POLICIES

Crashing Internet Clients Remote Script Remote ActiveX Cross-Site and Spoofing Buffer Overflows 3rd Parties Crashing Internet Clients

The following table describes the following Denial of Service vulnerabilities:

Crashing Internet Description Clients

BrowseDialog BrowseDialog ActiveX control is prone to class Internet Denial of Service vulnerability. Could allow Explorer Denial of remote attacker to cause Denial of Service Service vulnerability

DirectAnimation.S Microsoft Internet Explorer is vulnerable to tructuredGraphics a denial of service, caused by a NULL Control ActiveX pointer dereference denial of service vulnerability

FireFox object Mozilla Firefox is prone to denial of service DoS vulnerability

IE ActiveX Multiple ActiveX controls in Microsoft bgColor Property Windows operating systems allow attacker Denial of Service to cause Denial of Service to Internet vulnerability Explorer.

IE CLSID Denial of Microsoft Internet Explorer allows remote Service attackers to cause a denial of service Vulnerability (crash) via an OBJECT tag that contains a crafted CLSID

M86 SECURITY, POLICIES 573 POLICIES

Crashing Internet Description Clients

IE Microsoft Internet Explorer is vulnerable to DirectAnimation. a denial of service using the DirectX DAUser Data component responsible for animations in a Denial of Service certain manner. vulnerability

IE Microsoft Internet Explorer is vulnerable to DXImageTransfor a denial of service, caused by a NULL m.RevealTrans pointer dereference Denial of Service Vulnerability

IE HREF Save as A vulnerability in Microsoft Internet Explorer Denial of Service allows a remote user to create a link that will vulnerability cause the target user's browser to crash when attempting to save the link

IE Microsoft Internet Explorer is vulnerable to HtmlDlgSafeHelpe a denial of service, caused by a NULL r Denial of Service pointer dereference Vulnerability

IE Listbox Object A vulnerability in Microsoft Internet explorer DoS vulnerability which could cause Denial of Service.

IE Malformed File The affected browser will crash when a URI Denial of malformed 'file:' URI is processed. Service Vulnerability

IE Meta Tag Denial Internet Explorer allows remote attackers to of Service cause a denial of service (crash), which vulnerability triggers a null dereference

IE MHTML A Denial of Service occurs when Internet Redirect Denial of Explorer attempts to parse certain Service malformed HTML content. Vulnerability

574 M86 SECURITY, POLICIES POLICIES

Crashing Internet Description Clients

IE MHTMLFile Microsoft Internet Explorer is vulnerable to Denial of Service a denial of service, caused by a NULL Vulnerability pointer dereference

IE Microsoft Internet Explorer is vulnerable to Object.DXTFilter a denial of service, caused by a NULL Denial of Service pointer dereference Vulnerability

IE OVCtl Microsoft Internet Explorer is vulnerable to NewDefaultItem a denial of service, caused by an integer Denial of Service underflow and a NULL pointer dereference Vulnerability

IE Print Without Uses OLE object method ExecWB to Prompt bypass page-print dialog box Vulnerability

IE Recursive Indirect recursive calling of an onError JavaScript Event event which redefines an invalid source to Denial of Service an image tag Vulnerability

IE Style Tag Microsoft Internet Explorer is vulnerable to Comment Memory a heap-based buffer overflow which can be Corruption exploited by a remote attacker to execute Vulnerability arbitrary code

IE Vulnerability in Microsoft Internet Explorer TriEditDocument. that may allow a denial of service. TriEdit Document Denial of Service Vulnerability

IE Window Prevents IE crash when calling window Function Crash function or with no user interaction when Vulnerability calling from onload event.

M86 SECURITY, POLICIES 575 POLICIES

Crashing Internet Description Clients

IE7 DoS Microsoft Internet Explorer 7 is prone to a Vulnerability denial-of-service vulnerability which allow attackers to consume excessive CPU resources

Microsoft ADODB.Connection ActiveX object ADODB.Connecti contains a vulnerability which may cause on ActiveX Denial Remote Code Execution of Service vulnerability

Microsoft CEnroll Microsoft Internet Explorer is vulnerable to stringToBinary a denial of service, caused by a memory DoS vulnerability access error

Microsoft IE Vulnerability in Microsoft Internet Explorer OutlookExpress.A that may allow a denial of service due to a ddressBook COM null-pointer dereference. Object memory corruption vulnerability

Microsoft Internet Microsoft Internet Explorer version 6 Explorer crashes when executing 'for' scripts Malformed HTML Null Pointer Dereference Vulnerability (mshtml.dll)

Microsoft Office Microsoft Recipient ActiveX control in Outlook Recipient Windows XP SP2 allows remote attackers Control (ole32.dll) to cause a denial of service (Internet Denial of Service Explorer 7 hang) via crafted HTML vulnerability

576 M86 SECURITY, POLICIES POLICIES

Crashing Internet Description Clients

Microsoft OWC11 Microsoft Internet Explorer is vulnerable to DataSourceContr a denial of service, caused by an integer ol DoS underflow and a NULL pointer dereference vulnerability

Mozilla Firefox A Denial of Service vulnerability can occur Range Object in Mozilla Firefox. Denial of Service Vulnerability

MS dxtmsft.dll IE may crash when handling Multiple COM DoS vulnerability Objects.

MS A Microsoft Internet Explorer crash (Denial RDS.DataControl of Service) can be caused by the Remote heap overflow Data Service Object (RDS.DataControl). vulnerability

MS Shell32.dll Shell32.dll is vulnerable to a buffer overflow Dos vulnerability in the ShellExecute API function. A remote attacker can overflow a buffer and possibly cause a denial of service or execute code on the system

Multiple Vendor Microsoft Windows is prone to a denial of Graphics Driver service vulnerability which manifests when Large JPEG an image is resized using very large Processing dimensions Vulnerability

Several COM Initiation of a non-ActiveX COM object can Objects Initiation lead to IE crash. Internet Explorer Crash Vulnerability

See also: Condition Settings: Vulnerability Anti.dote

M86 SECURITY, POLICIES 577 POLICIES

Remote Script Remote ActiveX Cross-Site and Spoofing Buffer Overflows 3rd Parties Remote Script

The following table describes the Remote Script options:

Remote Script Description

Acer Notebook A vulnerability in LunchApp.APlunch ActiveX LunchApp.APlun Control, which can lead to remote code ch ActiveX execution. Control Remote Code Execution vulnerability

Acrobat Using a long argument string in the LoadFile AcroPDF.dll method in an AcroPDF ActiveX control could ActiveX Control allow an attacker full control over the victim's Remote Code machine. These flaws are due to memory Execution corruption errors in the AcroPDF ActiveX control (AcroPDF.dll) Vulnerabilities

ActiveX Control Microsoft Internet Explorer 5.01, 5.5, and 6 and COM objects allows remote attackers to cause a denial of Memory service (application crash) and possibly Corruption execute arbitrary code Vulnerability

Alipay Password Alipay ActiveX Control is vulnerable to a Input ActiveX remote code-execution vulnerability. Control Vulnerability

578 M86 SECURITY, POLICIES POLICIES

Remote Script Description

AOL A vulnerability in AOL’s ActiveX, which could CDDBControlAO allow Remote Code Execution L.CDDBAOLCon trol ActiveX Remoe Code Execution vulnerability

AOL A vulnerability found in ICQ, could lead to ICQPhone.SipxP Remote Code Execution honeManager ActiveX remote code execution vulnerability

AOL The AOL YGP (You've Got Pictures) Pic YGPPicDownloa Download ActiveX control is vulnerable to a d.dll Heap buffer overflow in the downloadFileDirectory Corruption property. A remote attacker could exploit this Vulnerabilities vulnerability to execute arbitrary code on a victim's system.

Attacker toolkit Detects and blocks Web Attacker toolkit detection which is a bundled hacking utility which allows anyone to upload client side browser exploit to web server and create malicious web page

Citrix ICAClient A vulnerability has been discovered in Citrix ActiveX Remote Presentation Server Client which could allow Code Execution Remote Code Execution. vulnerability

Code Base A vulnerability exists where the codebase of Vulnerability an ActiveX can be modified in a way that would allow an attacker to exploit the system, and may allow code execution.

M86 SECURITY, POLICIES 579 POLICIES

Remote Script Description

COM Object Microsoft Internet Explorer uses certain COM Instantiation objects as ActiveX controls, which allows Memory remote attackers to execute arbitrary code. Corruption Vulnerability - CVE-2007-0218

daxctle.ocx Heap Microsoft Internet Explorer is vulnerable to a Overflow denial of service, caused by a heap overflow Vulnerability when the DirectAnimation.PathControl COM object is instantiated as an ActiveX control with an invalid Spline method

DirectAnimation Vulnerability in DirectAnimation ActiveX ActiveX Controls controls. An attacker who successfully Memory exploited this vulnerability could take Corruption complete control of an affected system. Vulnerability

IE Microsoft Internet Explorer is prone to an %USERPROFILE issue which could permit an attacker to load a % Folder known, existing file in a user's temporary Disclosure directory Vulnerability

IE AutoScan A flaw has been reported in Microsoft Internet Method Browser Explorer in the way the AutoScan method is Security Policy implemented. This weakness may result in Violation the violation of the browser security policy. Vulnerability

580 M86 SECURITY, POLICIES POLICIES

Remote Script Description

IE Microsoft Internet Explorer versions 5.01, 5.5, BackToFramedJ and 6.0 are vulnerable to cross-site scripting PU Cross- Domain Policy Vulnerability

IE Cached Internet Explorer allows remote attackers to Objects Zone bypass the cross-domain security model and Bypass access information on the local system or in Vulnerability other domains, and execute code, via cached methods and objects

IE Cascading Microsoft Internet Explorer versions 5.01, 5.5, Style Sheet File and 6.0 could allow a remote attacker to read Disclosure portions of files on other user's systems, Vulnerability caused by a vulnerability in Cascading Style Sheets (CSS).

IE Codebase A vulnerability in IE may potentially permit Double HTML documents to gain unauthorized Backslash Local access to local resources by using specific Zone File syntax Execution

IE createObject This rule handlesa vulnerability in some COM vulnerability objects which could allow remote code execution.

IE Cross-Domain Microsoft Internet Explorer is prone to an Event Leakage issue that may leak sensitive information Vulnerability across foreign domains.

IE Custom HTTP A vulnerability in Internet Explorer, which can Error HTML be exploited by malicious people to execute Injection arbitrary script code due to an input validation Vulnerability error in the custom errors generated by IE.

IE DHTML Object Race condition in the memory management handling routines in the DHTML object processor in vulnerabilities Microsoft Internet Explorer allows remote attackers to execute arbitrary code

M86 SECURITY, POLICIES 581 POLICIES

Remote Script Description

IE DHTML Script A remote code execution vulnerability exists Function in the way Internet Explorer interprets certain Memory DHTML script function calls. Corruption Vulnerability

IE Dialog Same Cross-site scripting vulnerability in Internet Origin Policy Explorer allows remote attackers to execute Bypass scripts in the Local Computer zone Vulnerability

IE Document A vulnerability has been reported in Microsoft Reference Zone Internet Explorer that may allow for remote Bypass attackers to execute script code in the context Vulnerability of other domains/security Zones.

IE Double Microsoft Internet Explorer version 6.0 could Backslash CHM allow a remote attacker to execute files on a File Execution vulnerable system. Vulnerability

IE DragDrop The file upload control in Microsoft Internet Method Local Explorer allows remote attackers to File Reading automatically upload files from the local Vulnerability system via a web page containing a script to upload the files

IE Implicit Drag Microsoft Internet Explorer could allow a and Drop File remote attacker to execute arbitrary code on Installation a victim's system, caused by a vulnerability Vulnerability regarding the dragDrop method

IE ITS Protocol Microsoft Internet Explorer is prone to a Zone Bypass vulnerability that may permit hostile content to Vulnerability be interpreted in the Local Zone exploited via the ITS Protocol URI handler

IE Java Script Javascript can be used to enumerate files on Local File the local machine and reveal confidential Enumeration information regarding the system. Vulnerability

582 M86 SECURITY, POLICIES POLICIES

Remote Script Description

IE Local Local resources on the system (files and Resource applications) can be referenced and used Reference from within IE, which may lead to information Vulnerability disclosure, and code execution.

IE Malicious A vulnerability exists in Microsoft Internet Shortcut Self- Explorer which allows a malicious web Executing HTML content to create a self-executing HTML file. Vulnerability When that file contains scripting that creates, modifies and saves a link (.lnk) file on the system, it leads to remote code execution.

IE MMS Protocol Prevents MMS Protocol Handler Executable Handler Command Line Injection. Executable Command Line Injection Vulnerability

IE Script URL Microsoft Internet Explorer allows a remote Cross-Domain attacker to bypass the cross-domain security Access Violation model, caused by a vulnerability when a Vulnerability specific programming function is used.

IE Self-Executing Microsoft Internet Explorer contains a HTML File vulnerability that can allow script code within Vulnerability an HTML document to run an embedded executable file.

IE Microsoft Internet Explorer could allow a Shell.Application remote attacker to execute code on a victim's Object Script system. A remote attacker could create a Execution malicious Web page that uses the Vulnerability Shell.Application ActiveX object, which would execute arbitrary code on the victim's system.

IE ShowHelp Microsoft Internet Explorer versions 5.01, 5.5, Arbitrary and 6.0 could allow a remote attacker to Command bypass the cross-domain security model, Execution caused by a vulnerability in the Windows Vulnerability showHelp() method.

M86 SECURITY, POLICIES 583 POLICIES

Remote Script Description

IE Temporary An attacker can gain access to the path of the Internet Files temporary internet files folder on a remote Folder machine. This can lead to exploitation of Disclosure existing vulnerabilities to enable an attacker Vulnerability to execute any program

IE Unauthorized Microsoft Internet Explorer is prone to a Document vulnerability that may enable a frame or Object Model iframe to gain unauthorized access to the Access Document Object Model (DOM) of other Vulnerability frames/iframes in a different domain.

IE Unconfirmed Internet Explorer may be prone to a potential Memory memory corruption vulnerability that could Corruption allow a remote attacker to cause a denial of Vulnerability service condition in the browser

IE VML A remote code execution vulnerability exists Vulnerability in the Vector Markup Language (VML) implementation in Microsoft Windows.

IE Microsoft Internet Explorer could allow a WebViewFolderI remote attacker to execute arbitrary code on con vulnerability the system.

IE window.open Microsoft Internet Explorer may be prone to a Media Bar cross-zone scripting vulnerability that could Cross-Zone ultimately lead to execution of malicious script Scripting code and Active Content Vulnerability

IE window.open A vulnerability in Microsoft Internet Explorer Search Pane could enable unauthorized access by Cross-Zone malicious scripts and Active Content to Scripting document properties across different Security Vulnerability Zones and foreign domains

584 M86 SECURITY, POLICIES POLICIES

Remote Script Description

IE This rule handles a vulnerability in WMIScriptUtils WMISCriptUtils CreateObject. An attacker createObject who successfully exploits this vulnerability, vulnerability could gain the same user rights as a local user and gain full control over the victim's machine.

IE XML Page Internet Explorer does not properly handle Object Type object types, when rendering XML based web Validation sites. This may result in possible execution of Vulnerability malicious software.

IE5 with Office Prevents Remote Code Execution for 2000 Remote Microsoft Internet Explorer 5 users with Command Microsoft Office 2000 installed. Execution Vulnerability

MHTML Forced A vulnerability has been discovered in File Execution Microsoft Outlook Express when handling Vulnerability MHTML file and res URIs that could lead to an unexpected file being downloaded and executed.

MHTML A vulnerability in Microsoft Outlook Express Redirection may allow an attacker to parse local files on a Local File system. The vulnerable component is also Parsing used by Microsoft Internet Explorer. Vulnerability

MHTML URL Microsoft Outlook Express introduced a URL Handler File handler called MHTML (MIME Encapsulation Rendering of Aggregate HTML). This allows Internet Vulnerability Explorer to pass MHTML files to Outlook Express for rendering

Microsoft Vulnerability in Vector Markup Language Windows VML could allow Remote Code Execution. Buffer Overrun Vulnerability (MS07-004)

M86 SECURITY, POLICIES 585 POLICIES

Remote Script Description

Microsoft A vulnerability in Microsoft XML Core XMLHTTP.4.0 Services XMLHTTP ActiveX control which ActiveX remote could lead to Remote Code Execution. code execution vulnerability

MMC Redirect Microsoft Windows 2000 Management Cross-Site Console (MMC) is vulnerable to cross-site Scripting scripting, caused by improper restrictions on Vulnerability, certain embedded resource files used by the CVE-2006-3643 Microsoft Management Console library (MS06-044)

Mozilla Browser Mozilla Browser is prone to multiple Cache File vulnerabilities that could eventually allow for Multiple code execution on the local computer Vulnerabilities

Mozilla Browser A remote attacker could create a malicious Input Type HTML Web page containing JavaScript code, which Tag would cause a malicious file to upload to a Unauthorized server, once the Web page is visited Access Vulnerability

Mozilla data: URI Prevents bypass security restrictions and Remote Code Remote Code Execution. Execution Vulnerability

Mozilla Firefox Mozilla Firefox JavaScript Navigator Object JavaScript Remote Code Execution Vulnerability Navigator Object Remote Code Execution Vulnerability

586 M86 SECURITY, POLICIES POLICIES

Remote Script Description

Mozilla Shared Prevents Remote Code Execution Function Objects vulnerability exploitation in some of Mozilla's Remote Code shared function objects. Execution Vulnerability

MS ADODB Microsoft's ADODB is vulnerable to a buffer Buffer overflow overflow attack that can result in remote code vulnerability execution.

MS A remote code execution vulnerability exists CAPICOM.Certifi in Cryptographic API Component Object cates RCE Model (CAPICOM) that could allow an Vulnerability attacker who successfully exploited this vulnerability to take complete control of the affected system.

MS IE COM Microsoft Internet Explorer uses certain COM Object objects from Imjpcksid.dll as ActiveX controls, Instantiation which allows remote attackers to execute Memory arbitrary code. Corruption Vulnerability

MS IE COM A remote code execution vulnerability exists Object in the way Internet Explorer instantiates COM Instantiation objects that are not intended to be Memory instantiated in Internet Explorer. An attacker Corruption could exploit the vulnerability by constructing a specially crafted Web page that could Vulnerability - potentially allow remote code execution. CVE-2007-0219

M86 SECURITY, POLICIES 587 POLICIES

Remote Script Description

MS The Microsoft Windows Media Server ActiveX MDSAuth.DLL control is prone to a remote code-execution ActiveX Control vulnerability. Remote Code Successfully exploiting this issue allows Execution remote attackers to execute arbitrary code on Vulnerability an affected system.

MS Shell Object The Shell object used from Microsoft Internet Vulnerability Explorer can be exploited to allow remote code execution.

Multiple IE Script Multiple issues in Microsoft Internet Explorer Execution Vulnerabilities

Multiple Vendor A vulnerability has been identified in multiple URI Protocol products from multiple vendors that may allow Handler a remote attacker to create or modify arbitrary Arbitrary File files. Creation/ Modification Vulnerability

Object tag Crafting an Object tag in a certain manner can vulnerability allow an attacker to execute code from web pages viewed by Internet Explorer.

RDS Cross Zone Blocks Cross-Zone Scripting using RDS Scripting ActiveX Object. Vulnerability

Rediff Bol This vulnerability allows remote code Downloader execution and may compromise affected (ActiveX Control) computers. Remote Code Execution vulnerability

588 M86 SECURITY, POLICIES POLICIES

Remote Script Description

Softwin The AVXSCANONLINE.AvxScanOnlineCtrl.1 BitDefender ActiveX control in BitDefender Scan Online AvxScanOnlineC allows remote attackers to obtain sensitive trl COM Object information or download and execute arbitrary Remote File code Upload and Execution Vulnerability

Sun Java The Java plug-in used to run applets from Runtime within a web page is vulnerable to an attack Environment vector that would allow bypassing the built-in Java Plug-in security mechanisms, and result in code Java Script execution. Security Restriction Bypass Vulnerability

SupportSoft Some vulnerabilities have been reported in ActiveX Remote various SupportSoft ActiveX controls, which Code Execution can be exploited by malicious people to Vulnerability compromise a user's system.

VeriSign A vulnerability has been identified in VeriSign ConfigChk ConfigChk ActiveX control, which could be ActiveX Control exploited by remote attackers to take Buffer Overflow complete control of an affected system. Vulnerability

Windows Media Buffer overflow in the plug-in for Microsoft Player Plugin Windows Media Player 9 and 10 allows Buffer Overflow remote attackers to execute arbitrary code via Vulnerability HTML with an EMBED element containing a long src attribute.

Windows Media Microsoft Windows Media Player is prone to a Player PNG remote code-execution vulnerability. This Vulnerability vulnerability is related to handling of malicious PNG images.

M86 SECURITY, POLICIES 589 POLICIES

Remote Script Description

Windows XP Microsoft Windows XP Explorer allows Explorer Self- attackers to execute arbitrary code via a Executing Folder HTML and script in a self-executing folder that Vulnerability references an executable file within the folder, which is automatically executed when a user accesses the folder.

Windows XP Microsoft Windows XP is vulnerable to cross- HCP URI Handler site scripting, caused by a vulnerability in the Arbitrary helpctr.exe program. Command Execution Vulnerability

Winzip remote WinZip is prone to multiple remote code- code execution execution vulnerabilities in an ActiveX control vulnerability that is installed with the package.

See also: Condition Settings: Vulnerability Anti.dote Crashing Internet Clients Remote ActiveX Cross-Site and Spoofing Buffer Overflows 3rd Parties

590 M86 SECURITY, POLICIES POLICIES

Remote ActiveX

The following table describes the options:

Remove ActiveX Description

DigWebX Prevents initiation of old versions of ActiveX Control DigWebX ActiveX Control. Unspecified Vulnerability

IE Cross Frame Internet Explorer versions 5.5 and 6.0 are security vulnerable to a Cross Frame Scripting attack, vulnerability which may allow execution of arbitrary code.

IE Internet Explorer allows remote attackers to NavigateAndFind bypass zone restrictions by using the Zone Bypass NavigateAndFind method to load a file. Protection

IE RDS ActiveX Microsoft Data Access Components (MDAC) Vulnerability is a collection of components that provide the back-end technology which enables database access for Windows platforms.

IE Self-Executing The WebBrowser ActiveX control, or the HTML Arbitrary Internet Explorer HTML rendering engine, Code Execution allows remote attackers to execute arbitrary Vulnerability code in the Local Security context.

IE ShowHelp Microsoft Internet Explorer versions 5.01, Arbitrary 5.5, and 6.0 could allow a remote attacker to Command bypass the cross-domain security model, Execution caused by a vulnerability in the Windows Vulnerability showHelp() method.

Office Web A vulnerability in an Microsoft Office Web Components Components (OWC) Spreadsheet Active Script component makes it possible to execute Execution arbitrary Active Script code, even when Vulnerability Active Scripting has been disabled by the client.

M86 SECURITY, POLICIES 591 POLICIES

Remove ActiveX Description

Office Web A vulnerability in OWC Spreadsheet Components component makes it possible to gain control Clipboard of the clipboard operations, even when the Information “Allow paste operations via script” security Disclosure feature in IE is disabled. Vulnerability

Outlook Web An interaction between the Outlook Web Access HTML Access (OWA) and Internet Explorer allows Attachment attackers to execute malicious script code Script Execution against a user's mailbox via a message Vulnerability attachment that contains HTML code.

Spyware object This rule was created in order to avoid false detected positives in top sites.

Windows HTML The windows Help Control is used to display Help Control Help information when using the PC. When Cross-Zone exploiting this vulnerability from a web page, Scripting the permissions of the malicious script could Vulnerability be elevated to those of the Help object and bypass security mechanisms.

Windows Media Vulnerability in Windows Media Player which Player Automatic allows remote attackers to execute arbitrary File Download code via a skins file with a URL containing and Execution hex-encoded backslash characters. Vulnerability

Windows Media A method for evading the Zone based Player IE Zone access control model used by Microsoft Access Control Internet Explorer which relies on a flaw in Bypass Windows Media Player that allows for Vulnerability untrusted content to access the Local Zone.

See also: Condition Settings: Vulnerability Anti.dote Crashing Internet Clients Remote Script

592 M86 SECURITY, POLICIES POLICIES

Cross-Site and Spoofing Buffer Overflows 3rd Parties Cross-Site and Spoofing

The following table describes the options:

Cross-Site and Description Spoofing

Bookmark URL-check Prevents security validations bypass Bypass Vulnerability vulnerability on URIs saved on favorites

Cross Site Scripting Scripts in HTML attributes such as style in HTML Script can be used for malicious actions. Sections

HTTP Request Protecting proxy from HTTP request splitting protection splitting which could be used to "smuggle" malicious sites by tricking the Proxy into unintentionally associating a URL to another URL page (content).

IE CDROM Ejection Prevents a remote attacker from Vulnerability via WMP opening the CDROM tray using WMPlayer ActiveX Object.

IE DHTML Script A remote code execution vulnerability Function Memory exists in the way Internet Explorer Corruption interprets certain DHTML script function Vulnerability calls.

IE FTP Commands Prevents command injections using Injection Vulnerability FTP protocols as part of a URL.

IE Java Script It is possible for a user to create a Desktop Spoofing webpage containing JavaScript, which Vulnerability will consume the entire screen of an unknowing Internet Explorer user.

M86 SECURITY, POLICIES 593 POLICIES

Cross-Site and Description Spoofing

IE Java Script Method Assigning methods from within a Assignment Cross- malicious script in a certain manner Domain Scripting could allow the privilege escalation of Vulnerability the script and execute arbitrary code on the attacked machine.

IE mailto URI Handler Blocks information disclosure Arbitrary File vulnerability in Microsoft Outlook Attachment caused by injection of command line Vulnerability argument.

IE Meta Data Foreign In Internet Explorer enables someone Domain Spoofing to use an ssl certificate in a website Vulnerability which belongs to someone else. This vulnerability can be used in Phishing scams.

IE MSXML XML File Cross-site scripting (XSS) in Internet Parsing Cross-Site Explorer allows remote attackers to Scripting insert arbitrary web script via an XML Vulnerability file that contains a parse error.

IE Popup.show A vulnerability exists in Microsoft Mouse Event Internet Explorer that may permit a Hijacking malicious Web page to hijack mouse Vulnerability events. This could potentially be exploited to trick an unsuspecting user into performing unintended actions such as approving pop-up dialogs.

IE showModalDialog The WebBrowser ActiveX control, or Cross-Site Scripting the Internet Explorer HTML rendering Vulnerability engine, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method.

594 M86 SECURITY, POLICIES POLICIES

Cross-Site and Description Spoofing

IE Unauthorized Internet Explorer 4 allows remote Clipboard Contents attackers (malicious web site operators) Disclosure to read the contents of the clipboard via Vulnerability the Internet WebBrowser ActiveX object.

IE Internet Explorer allows remote window.createPopup attackers to create chromeless windows Interface Spoofing using the Javascript Vulnerability window.createPopup method, which (chromeless) could allow attackers to simulate a victim's display, conduct unauthorized activities or steal sensitive data.

IE Window.MoveBy/ Internet Explorer allows remote Method Caching attackers to direct drag and drop Mouse Click Event behaviors, as well as other mouse click Hijacking actions to other windows. Vulnerability

Internet Explorer and Internet Explorer and Mozilla Firefox Mozilla Firefox Local are vulnerable to a JavaScript bug that File Disclosure could allow an attacker to trick users Vulnerability into giving up sensitive personal information (for version 8.4.x and above).

Internet Explorer CSS Microsoft Internet Explorer allows Cross-Domain remote attackers to bypass cross- Vulnerability domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files.

Microsoft Agent Prevents loading Microsoft Agent Spoofing ActiveX Control in order to avoid Vulnerability spoofing.

M86 SECURITY, POLICIES 595 POLICIES

Cross-Site and Description Spoofing

Mozilla FireFox about Mozilla Firefox might allow remote blank phishing attackers to conduct spoofing and vulnerability phishing attacks by writing to an about:blank tab and overlaying the location bar.

Mozilla Firefox Block attempt to use Java.net.socket Java.net.Socket API in a malicious manner. Information disclosure vulnerability

Mozilla Firefox Mozilla Firefox is vulnerable to data location.hostname theft. Remote attackers can steal Cross-Domain cookies and other information by writing Vulnerability CVE- a URI with a null byte to the hostname 2007-0981 (location.hostname) DOM property, due to interactions with DNS resolver code.

Multiple Browser URI A weakness has been reported in Display Obfuscation multiple browsers that may allow Vulnerability attackers to obfuscate the URI for a visited page.

Multiple Vendor Web In Internet Explorer and Opera Browser Java Script malicious JavaScript may subvert some Modifier Keypress keypress events, with consequences Event Subversion including the disclosure of arbitrary Vulnerability local files to a remote server.

Onunload Multiple The vulnerability is caused due to an Browser Entrapment error in multiple browsers' handling of Vulnerability "on-unload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar.

596 M86 SECURITY, POLICIES POLICIES

Cross-Site and Description Spoofing

Opera Web Browser A condition in Opera web browser IFrame OnLoad causes Opera to fill in the address bar Address Bar URL before the page has been loaded, which Obfuscation allows remote attackers to spoof the Vulnerability URL in the address bar.

Outblaze Webmail Outblaze Webmail is reported prone to HTML Injection an-HTML injection vulnerability Vulnerability because the application fails to properly sanitize user-supplied HTML email content.

See also: Condition Settings: Vulnerability Anti.dote Crashing Internet Clients Remote Script Remote ActiveX Buffer Overflows 3rd Parties

M86 SECURITY, POLICIES 597 POLICIES

Buffer Overflows

The following table describes the options:

Buffer Overflows Description

IE Shell: IFrame The Windows Shell application allows remote Cross-Zone attackers to execute arbitrary code by Scripting spoofing the type of a file via a CLSID Vulnerability specifier in the filename.

Internet Explorer This new rule blocks attempts to exploit the Input- createTextRange() function vulnerability. createTextRange Memory Corruption Vulnerability

Macrovision Multiple buffer overflows in an ActiveX control FLEXnet (boisweb.dll) in Macrovision FLEXnet boisweb.dll Connect could allow remote code execution ActiveX Control of malicious code. Buffer Overflow Vulnerability

Microsoft An exploitable buffer overflow in Microsoft Windows Windows DirectSpeechSynthesis and XVoice.dll and DirectSpeechRecognition which may allow Xlisten.dll Buffer remote code execution. Overflow Vulnerability

Mozilla A Remote Code Execution vulnerability exists InstallVersion- in the way Mozilla compares installation compareTo versions. It is possible to control the EIP and Remote Code therefore construct a Remote Code Execution Execution. Vulnerability

598 M86 SECURITY, POLICIES POLICIES

Buffer Overflows Description

MS Office Buffer overflow in the Microsoft Office DeleteRecordSo MSODataSourceControl ActiveX object urceIfUnused allows remote attackers to cause a denial of vulnerability service (crash) and possibly execute arbitrary code.

MS Office Buffer overflow in the HelpPopup method in OUACTRL.OCX the Microsoft Office ActiveX control HelpPopup (OUACTRL.OCX) allows remote attackers to method Remote cause a denial of service through a specially Buffer Overflow crafted web page.

Office XP RTF A buffer overflow in Office XP RTF file format Buffer Overflow can allow Remote Code Execution. Vulnerability

Several COM Prevents memory corruption vulnerability Objects Memory remote code execution exploitation of several Corruption COM objects. Remote Code Execution Vulnerability

See also: Condition Settings: Vulnerability Anti.dote Crashing Internet Clients Remote Script Remote ActiveX Cross-Site and Spoofing 3rd Parties

M86 SECURITY, POLICIES 599 POLICIES

3rd Parties

The following table describes the options:

3rd Parties Description

Acrobat reader Vulnerability Anti.dote Multiple cross-site XSS vulnerability scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin allows remote attackers to inject malicious JavaScript.

Akamai Download Stack-based buffer overflow vulnerability Manager ActiveX was detected in Akamai Download Stack Buffer Manager ActiveX Control. Successful Overflow exploitation allows execution of arbitrary Vulnerability code.

AOL SuperBuddy A vulnerability in America Online (AOL) ActiveX Control SuperBuddy ActiveX control was detected, Code Execution which can be exploited to compromise a Vulnerability user's system.

Baofeng Storm Multiple vulnerabilities in the Baofeng ActiveX Remote Storm application's ActiveX control may Heap Overflow enable an attacker to allow execution of vulnerability arbitrary code on the attacked system.

BlueSkychat Heap-based buffer overflow in the ActiveX Remote BlueSkychat ActiveX control allows remote Heap Overflow attackers to execute arbitrary code. vulnerability

CA caller dll RCE A vulnerability exists in eTrust Intrusion vulnerability Detection, that can allow a remote attacker to execute arbitrary code.

EnjoySAP ActiveX A vulnerability has been discovered in Controls Memory EnjoySAP ActiveX control which could Corruption allow remote attackers to execute arbitrary Vulnerabilities code.

600 M86 SECURITY, POLICIES POLICIES

3rd Parties Description

Hewlett Packard Hewlett Packard 'hpqvwocx.dll' ActiveX hpqvwocx.dll control library is prone to a stack-based Stack Overflow buffer-overflow vulnerability. Successfully vulnerability exploiting this issue allows remote attackers to execute arbitrary code.

HP Digital Imaging A vulnerability has been discovered in HP ActiveX Arbitrary Digital Imaging ActiveX control, which can Data Write be exploited by attackers to overwrite arbitrary files or compromise a user's system.

HP Mercury Quality The HP Mercury Interactive Quality Center Center ActiveX Spider Module ActiveX control contains a Control ProgColor stack buffer overflow. Successful Buffer Overflow exploitation allows execution of arbitrary Vulnerability code when visiting a malicious website.

IBM Access eEye Digital Security has discovered a Support security vulnerability in IBM's signed (eGatherer) "eGatherer" activex. ActiveX Dangerous Methods Vulnerability

IBM acpRunner acpRunner ActiveX allow remote attackers ActiveX Dangerous to execute arbitrary code via the (1) Methods DownLoadURL, (2) SaveFilePath, and (3) Vulnerability Download ActiveX methods.

IBM and Lenovo The IBM and Lenovo Access Support Access Support acpRunner ActiveX control could allow a acpRunner ActiveX remote attacker to execute arbitrary commands on the system.

IE Heartbeat An unspecified vulnerability exists in the ActiveX Control Microsoft Internet Explorer Heartbeat MSN Unspecified gaming ActiveX control (heartbeat.ocx). Vulnerability

M86 SECURITY, POLICIES 601 POLICIES

3rd Parties Description

Image ActiveX Prevents remote code execution using unspecified Image ActiveX. Vulnerability

jetAudio 7.x A vulnerability in jetAudio can be exploited ActiveX to overwrite files on the local system by DownloadFomMusi using specially crafted code on a web cStore RCE page. vulnerability

LinkedIn ActiveX Critical vulnerability exists in LinkedIn RCE vulnerability ActiveX control which can allow a remote attacker to execute arbitrary code.

McAfee Security Remote exploitation of a buffer overflow in Center an ActiveX control distributed with McAfee IsOldAppInstalled Security Center could allow for the ActiveX Buffer execution of arbitrary code. Overflow Vulnerability

Microsoft DXMedia A vulnerability was reported in Microsoft SDK 6 Remote DirectX in an ActiveX control. A remote Code Execution user can cause arbitrary code to be Vulnerability executed on the target user's system.

Microsoft Outlook A vulnerability in Microsoft Outlook which Mailto: Parameter causes insufficient filtering of parameters Quoting Zone of mailto: URLs which allow remote Bypass attackers to execute arbitrary programs. Vulnerability

Microsoft Visual Microsoft Visual FoxPro ActiveX control is FoxPro 6.0 prone to a stack-based buffer-overflow FPOLE.OCX vulnerability because it fails to perform Remote Stack adequate boundary checks on user- Overflow supplied data. vulnerability

602 M86 SECURITY, POLICIES POLICIES

3rd Parties Description

Microsoft Visual This vulnerability in Microsoft Visual Studio Studio 6.0 can be exploited to execute arbitrary PDWizard RCE commands on your computer. vulnerability

Microsoft Visual Absolute directory traversal vulnerability in Studio 6.0 a certain ActiveX control in the VB To VSI VBTOVSI.DLL Support Library (VBTOVSI.DLL) in Arbitrary Data Microsoft Visual Studio 6.0 allows remote Write vulnerability attackers to create or overwrite arbitrary files on the system.

MS Office RCE A remote code execution vulnerability vulnerability exists in Microsoft Office

NCTAudioEditor Multiple vulnerabilities have been identified ActiveX DLL in NCTAudioEditor and NCTAudioStudio, Arbitrary Data which could be exploited by attackers to Write vulnerability bypass security restrictions and manipulate arbitrary files

NCTAudioFile2.Au Stack-based buffer overflow in the dioFile ActiveX NCTAudioFile2.AudioFile ActiveX control Remote Stack (NCTAudioFile2.dll), as used by multiple Overflow products, allows remote attackers to execute arbitrary code.

Nesus ActiveX Directory traversal vulnerability in a certain Remote Code ActiveX control in Nessus Vulnerability Execution Scanner 3.0.6 allows remote attackers to Vulnerability create or overwrite arbitrary files

Norton Anti-Virus Multiple unspecified "input validation error" 2006 ActiveX vulnerabilities in multiple ActiveX controls Remote Code in Norton Antivirus, Internet Security, and Execution System Works products for 2006, allows remote attackers to execute arbitrary code

PPStream Buffer overflow in PPStream allows remote (PowerPlayer.dll) attackers to execute arbitrary code via a ActiveX Remote long Logo parameter. Overflow Exploit

M86 SECURITY, POLICIES 603 POLICIES

3rd Parties Description

Real Player Denial A vulnerability in RealPlayer may allow an of Service attacker to perform a denial of service by vulnerability using specially crafted web page content.

Sony Network A vulnerability has been discovered in Camera SNCP5 Sony Network Camera viewer ActiveX v1.0 ActiveX control which could allow remote code viewer Heap execution. Overflow

Sony/First4Internet The CodeSupport ActiveX contains CodeSupport methods which allow remote code ActiveX Remote execution and remote denial of service. Code Execution Vulnerability

Sony/SunnComm This ActiveX contains some methods MediaMax which allow remote code execution and AxWebRemoveCtrl remote denial of service. ActiveX Remote Code Execution Vulnerability

Symantec COM A vulnerability has been reported in various Object Security Symantec products, which can be ByPass exploited by malicious people to bypass Vulnerability (CVE- certain security restrictions. 2006-3456)

Symantec Two vulnerabilities in various Symantec NavComUI ActiveX products allow remote attackers to execute Control RCE code and to compromise affected Vulnerability computers.

604 M86 SECURITY, POLICIES POLICIES

3rd Parties Description

Symantec Norton Buffer overflow in the ISAlertDataCOM Internet Security ActiveX control for Norton Personal 2004 Firewall and Internet Security, may allow ISAlertDataCOM remote code execution. ActiveX control stack buffer overflow vulnerability

VMware multiple Some vulnerabilities have been reported in vulnerabilities several VMware products, which can be exploited by malicious users to cause a DoS (Denial of Service) or bypass certain security restrictions

Windows Media A remote code execution vulnerability Player RCE exists in windows media player that can be Vulnerability exploited by a web page containing specially crafted malicious code.

Xunlei Web Some vulnerabilities have been reported in Thunder several VMware products, which can be ThunderServer.we exploited by malicious users to cause a bThunder ActiveX DoS (Denial of Service) or bypass certain multiple security restrictions Vulnerabilities

Yahoo Messenger A vulnerability was reported in Yahoo! ActiveX Control Messenger where a remote user can Buffer Overflows create specially crafted HTML.When Vulnerability loaded by the target user, the HTML will trigger a buffer overflow and execute arbitrary code on the target system.

Yahoo Messenger Yahoo! Messenger is vulnerable to a stack- AudioConf ActiveX based buffer overflow, caused by improper Control Buffer bounds checking by the Yahoo.AudioConf Overflow ActiveX control.

M86 SECURITY, POLICIES 605 POLICIES

3rd Parties Description

Yahoo Messenger This vulnerability in a certain ActiveX CYFT Object control in Yahoo! Messenger allows remote Arbitrary File attackers to force download of arbitrary Download files, and create or overwrite arbitrary files. vulnerability

Yahoo Widget dll Stack-based buffer overflow in Yahoo! Remote Code Widgets allows remote attackers to Execution execute arbitrary code Vulnerability

Yahoo! Messenger Buffer overflow in the Yahoo! Webcam ywcupl.dll ActiveX Upload ActiveX control in ywcupl.dll 2.0.1.4 Control Buffer for Yahoo! Messenger 8.1.0.249 could Overflow allow remote code execution of malicious code.

Yahoo! Messenger Buffer overflow in the Yahoo! Webcam ywcvwr.dll ActiveX Viewer ActiveX control in ywcvwr.dll Control Buffer 2.0.1.4 for Yahoo! Messenger 8.1.0.249 Overflow could allow remote code execution of malicious code.

See also: Condition Settings: Vulnerability Anti.dote Crashing Internet Clients Remote Script Remote ActiveX Cross-Site and Spoofing Buffer Overflows Condition Settings Tree Options

The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.

606 M86 SECURITY, POLICIES POLICIES

Â To access the Used In data

Navigate in the Management Console to Policies Æ Condition Settings - and select the specific condition component. For example: 1. Policies Æ Condition Settings Æ Vulnerability Anti.dote. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears: 4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen will open for viewing. Return to the Used In screen by navigating through Policies Æ Condition Settings Æ to the specific Component

Caching Policy

The SWG Appliance can be used as a caching device. This means that the content is stored in the appliance for future use - thereby speeding up performance time. Caching policies consist of both an Action and a Condition and are configured by system administrators. • Action: The administrator can set the Action to bypass caching according to specific URL or file extension lists, ensuring that specific, non-cacheable URLs or specific file extensions are not cached. System administrators can also cache only specific sites or file extensions. • Condition: Once an action is set, the administrator can select the criteria to which the rule will or will not match. The condition

M86 SECURITY, POLICIES 607 POLICIES

can be a specific URL list, multiple URL lists, or all lists excluding selected URL lists. Administrators can also select file extensions that M86 SWG caches or bypasses.

NOTES: M86 provides two predefined Caching Policies.

The Caching policy is a global policy that applies to all users who browse using the system. By default, when caching is enabled, all content is cached. The default policy also contains the Bypass Caching rule and has two conditions: • Bypass Cache based on URL list • Bypass Cache based on file extension lists

NOTES: The URL list and the file extension lists are empty. Should you want to bypass a specific type of traffic, these lists should first be edited. See Condition Settings: File Extensions and Condition Settings: URL Lists for more information For related information see:

Condition Settings: Active Content List To enable Secured Caching on a global basis using a specific policy, see Cache. See also: Policies

Security Policies - Simplified

Assigned User Groups

Security Policies - Advanced

Master Security Policy

HTTPS Policies

Logging Policies

608 M86 SECURITY, POLICIES POLICIES

Identification Policies

Device Logging Policies

Default Policy Settings

Condition Settings

End User Messages

Caching Policy Details

Caching Policy Rule Details

Caching Policy Rule Condition Details

Caching Policy Details Click on any Cache Policy to display the Details screen in the right pane.

Figure 6-101: Caching Policy Details Screen The Caching Policy Details screen contains the following information with the option to make changes using the Edit >

M86 SECURITY, POLICIES 609 POLICIES

Save/Cancel options:

Field Description

Policy Name Name of the specific policy

Description Contains a description of the policy.

See also:

620 M86 SECURITY, POLICIES POLICIES

End User Messages

Block/Warn Messages

Creating a Block/Warn Message

Message Template

Creating a Block/Warn Message

Â To create a new Block/Warn message: 1. Right-click on the top level heading and select Add Message.

Figure 6-107: Add End User Message 2. Type in the Message Name. 3. In the Message section, enter the required message text. Use the Place-Holders to provide the end-user with more information. 4. Click Save. The new message can now be selected from the Rule Details screen, in the End-User Message drop-down list.

M86 SECURITY, POLICIES 621 POLICIES

5. If you need to modify this message in the future, click Edit and make your changes.

NOTES: For a full list of the pre-defined Block/Warn Messages that will appear in the Page Blocked/Coach/User Approval messages and their corresponding Security Rule (where applicable), please refer to Appendix B: Block/ Warn Messages. The end result of this message page is either a Coach/User Approval (Warning) message or a Page Blocked message sent to the end-user as in the following example.

Figure 6-108: Page Blocked Message to End-User See also: End User Messages

Block/Warn Messages

Block/Warn Message Details

Message Template

622 M86 SECURITY, POLICIES POLICIES

Message Template In this screen, you can edit the template for the End-User Message.

Â To edit a Message page: 1. In the Select Action to Edit drop-down list, select either the Block Page or one of the Warning message pages. 2. Click Preview Window to see the actual message that is displayed on the end-user’s computer. 3. Select Back button on the right-hand side of the screen to reveal the code for the Back button. Next, select Preview in pane to see the actual look of the Back button. 4. Select the Redirect button to reveal the code for the Redirect button. Next, select Preview in pane to see the actual look of the Redirect button.

5. Click Save to apply changes. Next, click to commit them. See also: End User Messages

Block/Warn Messages

Block/Warn Message Details

Creating a Block/Warn Message

M86 SECURITY, POLICIES 623 POLICIES

624 M86 SECURITY, POLICIES LOGS AND REPORTS

Chapter 7: Logs and Reports The Log Server logs all transactions according to a defined logging policy. The Logs windows incorporates a number of viewing and configuration options, all of which can be used to help you view the logging data in line with your requirements.

Figure 7-1: Logs and Reporting Tool The log types are described in the following table:

Log Type Description

Web Logs Displays all web-surfing transactions of users in your network depending on your logging policy.

System Logs View events that have taken place in the system, for example, updates that have been installed, a module that is not responding and so on.

Audit Logs Displays all changes made or actions taken from the Management Console, including tracking the creation of and changes to, policies, as well as system configuration.

See also: Transaction Entry Details

Details: User

Details: Policy Enforcement

Details: Content

Details: Scanning Server

Transaction Entry: Request and Response Phases Details: User

Figure 7-8: User Tab

638 M86 SECURITY, LOGS AND REPORTS LOGS AND REPORTS

The User tab contains the following fields:

Field Description

User Name Name of the user defined in the Users tab who requested the transaction.

Client IP Address IP address of the end-user.

Authenticated User User Name as provided by NTLM or basic Name authentication.

Authenticated User Domain as provided by NTLM or basic Domain authentication.

See also: Transaction Entry Details

Details: Transaction

Details: Policy Enforcement

Details: Content

Details: Scanning Server

Transaction Entry: Request and Response Phases

M86 SECURITY, LOGS AND REPORTS 639 LOGS AND REPORTS

Details: Policy Enforcement

Figure 7-9: Policy Enforcement Tab The Policy Enforcement tab contains the following fields:

Field Description

Action Rule Action (Block, Allow, Coach or Block HTTPS, Bypass, Inspect or User Approval).

X-Ray Mode Defines whether or not the transaction was processed in X-Ray mode. If X-Ray mode is enabled, the log view shows what would have happened to the transaction had the rule/policy been active.

Master Policy Name Name of the master policy used to process the transaction.

Security Policy Name of the Security Policy used to process the Name transaction.

HTTPS Policy Name Name of the HTTPS Policy used to process the transaction.

Identification Policy Name of the Identification Policy used to process Name the transaction.

640 M86 SECURITY, LOGS AND REPORTS LOGS AND REPORTS

Field Description

Upstream Proxy Name of the Upstream Proxy Policy used to Policy Name process the transaction

Block Reason Message sent to the end-user explaining the reason the content was blocked.

Master Rule Name Name of the master rule used to process the transaction.

Security Rule Name Name of the Security rule used to process the transaction.

Security Rule Text that appears in the Rule Description field. Description

HTTPS Rule Name Name of the HTTPS rule used to process the transaction.

Identification Rule Name of the Identification rule used to process the Name transaction.

Identification Status If identification succeeded or not.

Upstream Proxy Name of the Upstream Proxy rule used to process Rule Name the transaction

Upstream Proxy If the connection to the Upstream Proxy was a Status success or failure.

See also: Transaction Entry Details

Details: Transaction

Details: User

Details: Content

Details: Scanning Server

Transaction Entry: Request and Response Phases

M86 SECURITY, LOGS AND REPORTS 641 LOGS AND REPORTS

Details: Content

Figure 7-10: Content Tab The Content tab contains the following fields.

Field Description

File Name Name of the file specified in the requested URL.

Behavior Profile Behavior profile (binary) that matched the content (Binary) in the transaction.

True Content Type True Content Type that matched the content in the transaction.

Behavior Profile Behavior profile (script) that matched the content in (Script) the transaction.

Parent Archive Type Parent Archive Type that matched the content in the transaction.

Active Content List Active Content List that matched the content in this Found transaction.

642 M86 SECURITY, LOGS AND REPORTS LOGS AND REPORTS

Field Description

File Extension File extension (including Multiple Extension) that matched the content in this transaction.

Header Field Header Field that matched the content in this transaction.

URL Category URL Category that matched the content in this transaction

URL Category URL Category that matched the Websense content (Websense) in this transaction.

URL Category (IBM) URL Category that matched the IBM content in this transaction.

Advanced Binary Scanning

Anti-Virus (Sophos) Virus detected by the Sophos Anti-Virus engine. Scan Result

Anti-Virus (McAfee) Virus detected by the Mcafee Anti-Virus engine. Scan Result

Anti-Virus Virus detected by the Kaspersky Anti-Virus engine. (Kaspersky) Scan Result

Cache Hits Lists how many times the cache was used instead of the original site.

See also: Transaction Entry Details

Details: Transaction

Details: User

Details: Policy Enforcement

Details: Scanning Server

Transaction Entry: Request and Response Phases

M86 SECURITY, LOGS AND REPORTS 643 LOGS AND REPORTS

Details: Scanning Server

Figure 7-11: Scanning Server Tab The Scanning Server tab contains the following fields:

Field Description

Scanning Server IP IP address of the Scanning Server that scanned this transaction.

Scanning Server Type Type of Scanning Server that scanned this transaction. (Cloud or otherwise)

See also: Transaction Entry Details

Details: Transaction

Details: User

Details: Policy Enforcement

Details: Content

Transaction Entry: Request and Response Phases Transaction Entry: Request and Response Phases

For each transaction, the content is scanned on both the request

644 M86 SECURITY, LOGS AND REPORTS LOGS AND REPORTS

and/or the response phase depending on the nature of the content and the nature of the rule that it triggered.

Figure 7-12: Request Phase

Figure 7-13: Response Phase

M86 SECURITY, LOGS AND REPORTS 645 LOGS AND REPORTS

The information displayed in these panes depends on the nature of the transaction and is useful in determining why the transaction was blocked. See also: Transaction Entry Details

Details: Transaction

Details: User

Details: Policy Enforcement

Details: Content

Details: Scanning Server

View System Logs

The System Logs view displays information relevant to the components of the M86 Secure Web Gateway Appliance.

Figure 7-14: System Logs View The View System Logs screen provides the following settings:

646 M86 SECURITY, LOGS AND REPORTS LOGS AND REPORTS

• Profile: Choose the profile from the drop-down list. The Profile includes the columns for display in the System Log ID view as well as filtering specifications for each log entry. These can be set via the Edit Profile tab at the bottom right of the screen. • Find Log ID: Search for the transaction using the unique item ID (Log ID) number field. The and buttons apply to the Find Log ID filter only. • Manage Profiles: Clicking this button directs you to the System Log Profiles screen in which you can create and/or manage current profile settings. To return to the View System Logs page, navigate in the console to Logs and Reports Æ View System Logs. • Edit Profile: Clicking this button directs you to the System Log screen in which System logs are defined by determining which columns and filters are used and the number of entries to be displayed. The Default View has no specified filters, but filters can be defined in the appropriate tab. Please refer to System Logs Profile Settings for more information. Click the OK button to return to the View System Logs page.