topic Re: Allow Corporate Dropbox access while blocking the Personal Dropbox Account in Firewall and Security Management

Allow Corporate Dropbox access while blocking the Personal Dropbox Account

chethan_m — Thu, 18 Jan 2024 02:45:05 GMT

Hi,

One of our customers have a use case of allowing only business / corporate Dropbox accounts and block the personal ones via Checkpoint firewall.

I request your suggestions on how we can achieve this.

One possibility is to use HTTPS Inspection and leverage HTTP Header insertion and create restriction based on Dropbox team IDs.

HTTP header insertion for Application Parameters (Office 365 Tenant Restrictions / Gmail Allowed-Domains / YouTube Restrict Mode) (checkpoint.com)

(
	:appi_parameters (
		: (
			:app_id (10050988)
			:parameters (
				: (
					:parameter_type ("Header Injection")
					:parameter_values (
						: (
							:type ("Header Name")
							:value ("X-Dropbox-allowed-Team-Ids")
						)
						: (
							:type ("Header Value")
							:value ("**This will be replaced with TeamID**")
						)
					)
				)
			)
		)				
	)
)

Where 10050988 is the application ID of Dropbox and the gateway intercepts requests related to Dropbox and adds the HTTP header X-Dropbox-allowed-Team-Ids (Values of the Dropbox Team ID field). This header's value is the business account's team ID.

The above approach must block access to personal accounts and allow access to only specified teams, but the challenge here is that if there are 100s or 1000s of teams this is not a feasible / scalable approach as collection of team IDs and configuring the application parameter file is a tedious task.

I wanted to know, does checkpoint provide any out-of-the-box solution for this problem via app control? or there are any other ways that can fulfil this business requirement. For ex. restrict the access if the user is trying to login from personal mail account.

Regards,

Chethan

CCSM R80

Re: Allow Corporate Dropbox access while blocking the Personal Dropbox Account

PhoneBoy — Wed, 17 Jan 2024 06:34:22 GMT

In order to use the header injection bits, you need to use HTTPS Inspection.
Problem is, Dropbox uses Certificate Pinning and will not work with HTTPS Inspection.

Re: Allow Corporate Dropbox access while blocking the Personal Dropbox Account

chethan_m — Wed, 17 Jan 2024 09:24:30 GMT

This is how others are doing it too.

Is there any other way to block personal Dropbox accounts?

Re: Allow Corporate Dropbox access while blocking the Personal Dropbox Account

chethan_m — Wed, 17 Jan 2024 09:57:16 GMT

So, in that case bypass HTTPS inspection for Dropbox or block it entirely?

Re: Allow Corporate Dropbox access while blocking the Personal Dropbox Account

the_rock — Wed, 17 Jan 2024 12:26:15 GMT

I got private message you sent me about this, will respond there.

Best,

Andy

Re: Allow Corporate Dropbox access while blocking the Personal Dropbox Account

chethan_m — Thu, 18 Jan 2024 02:46:34 GMT

Thank you, I've replied to it.

Re: Allow Corporate Dropbox access while blocking the Personal Dropbox Account

the_rock — Thu, 18 Jan 2024 02:47:47 GMT

Same here...Im still working at 10 pm at night, never expected CP upgrade to take 4 hours LOL

Best,

Andy