This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ED
Advisor
‎2018-09-30 04:52 AM

School exam

Hi,

For school exam we get several ranges of IP-addresses that is on the list for technical specs required to pass the firewall. The students log in and start their exam and when they are finished, uploads their finished documents. White-list approach is used to allow only port 80 and 443 destined for the specified IP-addresses. Everything else is blocked. 

What is new this year is that they are allowed to access additional online based help, like dictionaries. The problem is the white-list approach where you allow only specified IP-address(es) for that domain. You end up with a web page that is not completely loaded since todays web sites are dynamic and gets their content from several places. Forexample images hosted somewhere else. 

The question is really general, how do you allow a specified site/domain to pass through in a white-list approach when you have the problem explained above? Let's imagine you don't have time to test all functionality on that site to see that everything is working and loaded. 

6 Replies
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2018-09-30 05:51 AM

What about to create the policy based on: ?

User-awareness

Application-awareness

Content awareness 

Time-Object

In short:

Identity awareness will ensure the SRC of the users

Application control + URLF filtering / dynamic object  will ensure to application type + DST

Content awareness will ensure upload documents 

Time object will ensure the time that rule/s be active 

Of course, you can add Sandblast security solution to ensure documents are not malicious 

HTH,

Ofir S

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-09-30 06:30 AM

Why so complicated approach ?

Just download all needed stuffs to the all workstations to be available offline (even without internet).

Kind regards,
Jozko Mrkvicka
0 Kudos
ED
Advisor
‎2018-09-30 09:42 AM
In response to JozkoMrkvicka

Hi Jozko,

It's stated in the technical requirements that it should be online based help. It can be minimum 2 and up to maximum 15 different online resources. Not just dictionaries.

School owners, in cooperation with school leaders, shall ensure that pupils and adult participants have access to a limited number of online resources during a centrally-conducted exam in primary school.

PhoneBoy
Admin
Admin
‎2018-09-30 11:17 AM

Application Control, URL Filtering, and HTTPS Inspection will probably make your life easier here in terms of building and enforcing that whitelist (versus using IP addresses that can change), but you still need to test periodically to ensure only the resources you want to allow actually are.

0 Kudos
ED
Advisor
‎2018-09-30 01:27 PM
In response to PhoneBoy

There has been no need to do it more complicated than needed. You get each year around 7 IP-addresses that need to be allowed (barely change). The IP-addresses ranges are for check of CRL of SSL-certificates. So it has not been difficult to enable a disabled rule each year when needed Smiley Happy 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-30 05:14 PM
In response to ED

If you can achieve your desired result by whitelisting specific IPs only, then by all means.

It's just a lot harder when you're accessing resources that are hosted in, say, AWS.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top