Welcome to the fifth article in the series on UserGate’s products… This article covers the “Security Policies” section, specifically “SSL Inspection”, “Content Filtering” and “Web Security”.
Let’s start with “SSL Inspection”. The inspection technology works by having the gateway perform a man-in-the-middle on TLS connections: it terminates the client’s TLS session itself and opens its own connection to the server. To do this it needs a CA certificate (a subordinate CA, in the product’s terms), which it uses to issue certificates for Internet hosts on the fly. UserGate ships with a set of certificates, among them CA (Default), a self-signed certificate intended for SSL inspection. It can be downloaded directly from the gateway at http://UserGate_IP:8002/cps/ca… Clients must trust this CA (install it in the OS or browser trust store), otherwise every inspected site will produce a certificate warning.
In the SSL Inspection section the administrator configures inspection of data transmitted over TLS/SSL (HTTPS, SMTPS and POP3S).
Let’s go straight to configuring inspection. Create a new rule and, on the “General” tab, define what to do when all the conditions on the other tabs match. The action is either decrypt or do not decrypt. At the bottom of the tab you can set additional conditions for the rule:
Block sites with invalid certificates
Check against CRL
Block expired certificates
Block self-signed certificates
Next come the “Users”, “Source” (we use the “Trusted” zone) and “Destination” tabs (the latter holds lists of traffic destination IP addresses). These tabs are configured the same way as in the previous articles. The “Service” tab selects the protocols the rule applies to: HTTPS, SMTPS or POP3S. On the “Categories” tab you can specify a site category rather than a specific host; categories come from the UserGate database (UserGate URL filtering 4.0), in which sites are classified. On the same tab you can look up which category a given site belongs to.
Domains – here you can specify a list of sites. Only domain names can be used (www.example.com, not http://www.example.com/home/).
Often, for banking websites to work correctly (client certificates and certificate pinning break under interception, and the data is confidential in any case), they should be excluded from SSL inspection, so let’s create the following rule:
Give the rule the name “bypassbank” and the action “Do not decrypt”. It must sit above the rules that decrypt traffic, so we insert it “At the beginning of the list of rules”. On the “Source” tab set the “Trusted” zone, then go to the “Services” tab and select “HTTPS”. On the “Categories” tab we look up several banks’ sites, see that they fall into the “Finance” category, and add that category. The final rule looks like this:
The first rule passes traffic to sites in the “Finance” category without inspection; the second rule decrypts the rest of the traffic. If the SSL inspection policy contains no rules at all, TLS is not intercepted or decrypted, and consequently content carried over TLS is not filtered either.
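The decision the policy makes for a single flow is worth seeing end to end. Below is an added example of my own (not UserGate’s code) that models the top-down, first-match evaluation described above for the two rules just created. The exact conditions of the second, decrypt-everything rule are my assumption, as are the flow fields and the addresses used.

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    """What the gateway knows about a TLS flow before deciding whether to decrypt."""
    zone: str        # source zone, e.g. "Trusted"
    service: str     # "HTTPS", "SMTPS" or "POP3S"
    dst_ip: str
    category: str    # URL-filtering category of the destination host
    domain: str      # host name taken from SNI


@dataclass
class SslRule:
    name: str
    decrypt: bool                                  # the General-tab action
    zones: set = field(default_factory=set)
    services: set = field(default_factory=set)
    dst_ips: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def rule_matches(rule: SslRule, flow: Flow) -> bool:
    """Every condition that is set on a rule must match; an empty condition means 'any'."""
    conditions = (
        (rule.zones, flow.zone),
        (rule.services, flow.service),
        (rule.dst_ips, flow.dst_ip),
        (rule.categories, flow.category),
        (rule.domains, flow.domain),
    )
    return all(not allowed or value in allowed for allowed, value in conditions)


def decide(rules, flow: Flow):
    """Top-down, first match wins; with no matching rule TLS is left alone (not decrypted)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.decrypt
    return None, False


# The policy from the article: bypass Finance first, decrypt everything else (second rule constructed).
POLICY = [
    SslRule("bypassbank", decrypt=False, zones={"Trusted"}, services={"HTTPS"}, categories={"Finance"}),
    SslRule("decrypt all", decrypt=True, zones={"Trusted"}, services={"HTTPS", "SMTPS", "POP3S"}),
]

# Constructed flows.
BANK_HTTPS = Flow("Trusted", "HTTPS", "203.0.113.10", "Finance", "online.examplebank.ru")
NEWS_HTTPS = Flow("Trusted", "HTTPS", "203.0.113.20", "News", "news.example")
BANK_SMTPS = Flow("Trusted", "SMTPS", "203.0.113.30", "Finance", "mail.examplebank.ru")
DMZ_HTTPS = Flow("DMZ", "HTTPS", "203.0.113.20", "News", "news.example")

if __name__ == "__main__":
    for flow in (BANK_HTTPS, NEWS_HTTPS, BANK_SMTPS, DMZ_HTTPS):
        print(flow.zone, flow.service, flow.domain, "->", decide(POLICY, flow))
    # Put the decrypt-all rule first and the bank bypass is shadowed.
    print("reversed order:", decide(list(reversed(POLICY)), BANK_HTTPS))
```

Two things the run makes visible: the bypass rule is limited to HTTPS, so the same bank’s SMTPS traffic is still decrypted by the second rule; and swapping the order makes “decrypt all” shadow the bypass, which is exactly why the article inserts it “At the beginning of the list of rules”.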
Content filtering rules let the administrator allow or deny specific content sent over HTTP, and over HTTPS when HTTPS inspection is configured.
As with the other policies, rules are applied from top to bottom until the first rule that matches. At the very bottom of the policy is the “Allow all” rule; it cannot be deleted, moved or changed. As the name says, it allows any HTTP and HTTPS content, so traffic that did not match any other rule is allowed.
Content filtering rules have tabs we have not yet seen in other policies.

On the “Content Type” tab (formerly called “MIME Content Types”) you select which content types the rule applies to. UserGate ships with predefined lists of content types; these lists cannot be edited, but they can be referenced in content filtering rules. You can also create your own lists containing the required MIME types.

The “Morphology” tab lets you attach a morphological dictionary for recognizing individual words and phrases on a web page. If the text contains enough of the listed words and phrases to reach the blocking threshold, access to the page is blocked. Morphological analysis is performed both on the user’s request and on the response from the web server, before it is delivered to the user.

On the “Useragent” tab you can allow or deny users working with particular browsers. The “HTTP Method” tab specifies which HTTP request method the rule applies to, usually POST or GET. On the “Referrers” tab you can deny or allow content for certain referrers, i.e. the rule fires if the referrer of the requested page matches the list of specified URLs.

On the “General” tab you select the action, “Deny”, “Warn” or “Allow”, and whether to log when the rule fires. If the action is “Deny”, two more settings become available: “Scan with UserGate streaming antivirus” and “Heuristic scan”. If both are selected in one rule, the rule fires only when both checks trigger at the same time. Note that “Heuristic scan” affects system performance.
Let’s look at the rules that are present in the policy right after UserGate is installed. The first two rules in the screenshot regulate access to various sites from UserGate’s built-in lists.
The first rule allows access to the websites of educational institutions, while the second blocks access to sites listed in the Roskomnadzor register of prohibited websites.
The third rule checks whether the site belongs to the “Productivity” category group, which in turn consists of several categories (for example, “Social networks”).
If a site falls under this rule (for example the social network facebook), a warning page is shown:
The next rule sends content from sites in the “Recommended for virus check” category to the UserGate streaming antivirus.
There are a few more rules that work with the built-in category and URL lists, but I won’t cover them. Let’s create some rules of our own.
The first rule blocks content such as zip archives. Press the “Add” button and on the “General” tab fill in the fields we need: “On”, “Name”, “Action”. Then on the “Source” tab select the “Trusted” zone.
After that, go to the “Content Types” tab. When we press “Add”, we see that there is no zip entry in the predefined lists, so we create our own content list with one entry. The MIME type for zip is application/zip.
Now, when a user tries to download a zip file, a blocking page appears showing the name of the rule and the blocked content.
The second rule blocks browsing with Internet Explorer. To create it, select Internet Explorer from the list on the “Useragent” tab. Now, opening any page on the Internet in Internet Explorer should produce a blocking page. Keep in mind that the User-Agent header is set by the client and is trivial to change, so this is a policy control, not a security boundary.
Let’s create the next rule, which blocks by morphological dictionary. There are already dictionaries on the “Morphology” tab, but I will create my own dictionary and block pages on which the word bank occurs. First I disable the rule that passes “Finance” traffic through the gateway without inspection: morphology only sees the page text when the HTTPS session is decrypted. I’ll create a simple dictionary that blocks a page on a single mention of any word from it:
After this rule is created, pages containing the word bank should be blocked; for example, when we type bank into the Yandex search box we get:
Let’s move on to the rule that works with HTTP referrers. Take a website, for example tssolution.ru: like most sites today it uses a CDN (Content Delivery Network). If we block the CDN with UserGate, we get a broken site.
To solve this, add the URL tssolution.ru on the “Referrers” tab of a new allowing rule placed above the CDN-blocking rule; after that the site works again.
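To see the rules from this section interact, here is an added example of my own (not UserGate’s code) that evaluates a content filtering policy top-down with the built-in “Allow all” at the end. The rule set, the transactions and the “CDN” category name are constructed; the morphology here is a crude stem match (bank also matches banks and bankrupt), standing in for UserGate’s real dictionaries, and the Internet Explorer user-agent patterns are my assumption about what the “Useragent” entry matches.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Transaction:
    """One HTTP(S) request/response pair as the content filter sees it. For https URLs the
    content_type and body are only available when an SSL inspection rule decrypts the flow."""
    method: str
    url: str
    user_agent: str
    referer: str = ""
    category: str = ""        # URL-filtering category of the requested host
    content_type: str = ""    # response Content-Type header
    body: str = ""            # decoded response text


@dataclass
class Rule:
    name: str
    action: str                                      # "Deny", "Warn" or "Allow"
    content_types: set = field(default_factory=set)  # MIME types, e.g. {"application/zip"}
    user_agents: tuple = ()                          # substrings looked for in User-Agent
    methods: set = field(default_factory=set)
    referrers: set = field(default_factory=set)      # referrer hosts
    categories: set = field(default_factory=set)
    morphology: set = field(default_factory=set)     # dictionary stems
    morph_threshold: int = 1                         # hits needed for the rule to fire


def morphology_hits(text: str, stems) -> int:
    """Count words that begin with any dictionary stem (a crude stand-in for real morphology)."""
    words = re.findall(r"[^\W\d_]+", text.lower())
    return sum(1 for w in words if any(w.startswith(s) for s in stems))


def matches(rule: Rule, tx: Transaction) -> bool:
    """Every condition set on the rule must hold; unset conditions match anything."""
    if rule.content_types:
        mime = tx.content_type.split(";")[0].strip().lower()     # drop charset and other parameters
        if mime not in rule.content_types:
            return False
    if rule.user_agents and not any(s in tx.user_agent for s in rule.user_agents):
        return False
    if rule.methods and tx.method.upper() not in rule.methods:
        return False
    if rule.referrers and urlsplit(tx.referer).hostname not in rule.referrers:
        return False
    if rule.categories and tx.category not in rule.categories:
        return False
    if rule.morphology:
        # checked on the request (URL) and on the response body, as the article describes
        if morphology_hits(tx.url + " " + tx.body, rule.morphology) < rule.morph_threshold:
            return False
    return True


def filter_content(rules, tx: Transaction):
    """First matching rule wins; the built-in 'Allow all' sits below everything else."""
    for rule in rules:
        if matches(rule, tx):
            return rule.name, rule.action
    return "Allow all", "Allow"


POLICY = [
    Rule("allow tssolution referrers", "Allow", referrers={"tssolution.ru"}),
    Rule("block CDN", "Deny", categories={"CDN"}),
    Rule("block zip", "Deny", content_types={"application/zip"}),
    Rule("block IE", "Deny", user_agents=("MSIE", "Trident/")),
    Rule("bank words", "Deny", morphology={"bank"}, morph_threshold=1),
    Rule("warn social", "Warn", categories={"Social networks"}),
]

CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
IE11 = "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"

# Constructed transactions.
ZIP_DOWNLOAD = Transaction("GET", "https://files.example/tools.zip", CHROME,
                           content_type="application/zip; charset=binary")
IE_PAGE = Transaction("GET", "https://news.example/", IE11, content_type="text/html")
CDN_ASSET = Transaction("GET", "https://cdn.example/app.js", CHROME, referer="https://tssolution.ru/",
                        category="CDN", content_type="text/javascript")
CDN_DIRECT = Transaction("GET", "https://cdn.example/app.js", CHROME, category="CDN",
                         content_type="text/javascript")
BANK_SEARCH = Transaction("GET", "https://yandex.ru/search/?text=bank", CHROME, content_type="text/html",
                          body="<p>Results about banks and bankruptcy</p>")
SOCIAL = Transaction("GET", "https://social.example/feed", CHROME, category="Social networks",
                     content_type="text/html", body="<p>hello</p>")
PLAIN = Transaction("GET", "https://docs.example/", CHROME, content_type="text/html", body="<p>manual</p>")

if __name__ == "__main__":
    for tx in (ZIP_DOWNLOAD, IE_PAGE, CDN_ASSET, CDN_DIRECT, BANK_SEARCH, SOCIAL, PLAIN):
        print(tx.url, "->", filter_content(POLICY, tx))
```

One caveat the run makes visible: the referrer rule sits above every deny rule, so anything carrying a Referer of tssolution.ru is allowed, zip archives included. Because the Referer header is set by the client, an allow-by-referrer rule should be as narrow as possible, for instance by adding the CDN category to it as a second condition.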
To close this section: the examples above show how individual rules are configured. For the whole “Content Filtering” policy to work as intended, the rules must be prioritized correctly: because rules carry many conditions, a rule may never fire simply because a rule above it matched first.
In the Web Security section the administrator can enable additional web security settings for HTTP, and for HTTPS when HTTPS inspection is configured.
The following options are available:
“Block ads”. UserGate has a built-in engine that strips advertising from pages, so users do not need to install browser plugins for the same purpose.
“Inject script” lets you insert the required code into every web page a user views. The injected script is inserted into the page before the tag. Since that code runs in the context of every site the user visits, it should be treated with the same care as any code that has access to all of the user’s web sessions.
“Safe search” forcibly enables the safe search mode of search engines that support it (for example Google, Yandex, YouTube).
The “Search history” checkbox enables logging of users’ search queries.
“Block social networking applications” blocks applications such as games inside social networks without affecting the networks’ normal functionality.
In this article we covered the “Content Filtering”, “Web Security” and “SSL Inspection” sections. From a security point of view these areas are indispensable components of modern network protection.