Introduction
This document describes the steps to block less-known or the latest web browsers using Cisco Cloud Web Security.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Prerequisites
- Active Cisco Cloud Web Security service
- Redirection of traffic to Cisco Cloud Web Security (any deployment methodology or connector)
- User account with "Full Access" or "Admin (No forensic)" role permissions to create rules stated in the steps below on the ScanCenter Portal
Question
How to block less-known or the latest web browsers using Cisco Cloud Web Security?
Answer
On many occasions business needs and audit requirements require us to only allow certain web browsers on corporate end points. The biggest challenge with this requirement is blocking uncommon or less known or at times latest version of popular browsers. We have pre-defined filter options for browsers like FireFox, IE and Chrome. But, in order to block browsers like Opera, Safari, SeaMonkey, NetSurf, Lunascape, etc we need to create a filter using the Custom User Agent field.
Steps
- Firstly, we need to create a Filter to be used in a Policy/Rule. Go to,
Web Filtering >> Management >> Filter >> "Create Filter" >> Custom User Agents
- In order to block browsers, we need to identity the User-Agent String of the browser we wish to block.
- The same can be identified by running a packet analyzer tool like WireShark or Ethereal. Request a URL in the browser while we capturing traffic, in the HTTP GET Request, we can get the user-string for this browser.
For Example
GET / HTTP/1.1 Host: www.cisco.com Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: de,en;q=0.7,en-us;q=0.3 Accept-Encoding: gzip Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
We can also use inbuilt "http.user_agent" filter in WireShark to filter out the relevant packet.
- The User-Agent string can also be retrieved using public online tools like UserAgentString.com, WhatsMyUserAgent.com
- Once we have the User-Agent, we can use the same in the Custom User Agents field while creating the filter. We need to ensure that user-agent string are added in separate lines for multiple browsers. Refer to the snapshot below :
- Next step would be to use this filter as a part of every policy (multiple filters) or just the first policy. This will again depend on allowed rules (if any), rule structure and desired results.
If we use the PolicyTrace Utility from the same browser when traffic is going via Cisco Cloud Web Security service, the following will be seen:
<snip> Evaluating rule 'Block_Unknown_browser_policy'. Taking block action because of userAgent 'Mozilla/5.0 (Macintosh; <snip> 10.9; rv:29.0) Gecko/20100101 <snip>/29.0;' <snip>
Example/Use Case :
With each release or update patch for web browsers, the user-agent string is often changed. Recently, Microsoft made quite a few changes to the user-agent string structure for Internet Explorer 11. Hence, blocking browsers with short development cycles and update intervals would be difficult to accomplish using pre-defined filters. The procedure outlined above would be hence useful to achieve desired results.
Common User-Agent String to block internet explorer 11 :
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.3; Win64, x64; Trident/7.0; Touch; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko