Data Filtering - Reverse possible?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Data Filtering - Reverse possible?

L4 Transporter

For a client, we are working on a regulatory need where we need to block any administrator attempts to login to a web application sitting behind the firewall. I created a data filtering rule which looks for the admin names and it DOES block it, however, this is an explicit deny and is the opposite of best practices. What would work best is if we could only ALLOW the 4-5 standard user logins and block anything else.

Is there a way to make the data filtering work in reverse?

1 accepted solution

Accepted Solutions

L3 Networker

Hello mackwage.

Your best bet for this would be a custom application.  You will need to:

1.) Do a packet capture and get the login string.  For example, if your web application uses cookies, a good way would be to look for the cookie string in the HTTP request header, which would look something like: Cookie: username=administrator.

2.) Create a custom application which looks for this string:

Objects->Applications->Add,

     Configuration->(fill out to your needs)

     Advanced->(choose "port" and add: tcp/80 and tcp/443)

     Signatures->Add->(add "OR" conditions with pattern-match (as many as you need): example: context: http-req-headers, patthern: username=admin)

3.) Create a security policy which matches your login traffic:

example:

zones: trust->dmz, destination ip: <web application server ip>, application: Your new custom application, action: deny.

Commit and test it out.  If you have your  "Application Block Page" enabled in Device->Response Pages, you should get the block pages when you login as administrator (or whatever the login name was).  All other users should not get the page.

*** Remember if you use the string that is in the Cookie, the users will need to clear their cookies if they try with the admin user and get blocked, then want to try again with another user.

Good luck,

-chadd.

View solution in original post

1 REPLY 1

L3 Networker

Hello mackwage.

Your best bet for this would be a custom application.  You will need to:

1.) Do a packet capture and get the login string.  For example, if your web application uses cookies, a good way would be to look for the cookie string in the HTTP request header, which would look something like: Cookie: username=administrator.

2.) Create a custom application which looks for this string:

Objects->Applications->Add,

     Configuration->(fill out to your needs)

     Advanced->(choose "port" and add: tcp/80 and tcp/443)

     Signatures->Add->(add "OR" conditions with pattern-match (as many as you need): example: context: http-req-headers, patthern: username=admin)

3.) Create a security policy which matches your login traffic:

example:

zones: trust->dmz, destination ip: <web application server ip>, application: Your new custom application, action: deny.

Commit and test it out.  If you have your  "Application Block Page" enabled in Device->Response Pages, you should get the block pages when you login as administrator (or whatever the login name was).  All other users should not get the page.

*** Remember if you use the string that is in the Cookie, the users will need to clear their cookies if they try with the admin user and get blocked, then want to try again with another user.

Good luck,

-chadd.

  • 1 accepted solution
  • 2227 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!