Cisco Support Community

How to block less-known or the latest browsers using Cisco Cloud Web Security?

Introduction

This document describes the steps to block less-known or the latest web browsers using Cisco Cloud Web Security.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Prerequisites

  1. Active Cisco Cloud Web Security service
  2. Redirection of traffic to Cisco Cloud Web Security (any deployment methodology or connector)
  3. User account with "Full Access" or "Admin (No forensic)" role permissions to create rules stated in the steps below on the ScanCenter Portal

Question

How to block less-known or the latest web browsers using Cisco Cloud Web Security?

Answer

Business needs and audit requirements often require us to allow only certain web browsers on corporate endpoints. The biggest challenge with this requirement is blocking uncommon or less-known browsers, or at times the latest version of a popular browser. We have pre-defined filter options for browsers like Firefox, IE and Chrome. But in order to block browsers like Opera, Safari, SeaMonkey, NetSurf, Lunascape, etc., we need to create a filter using the Custom User Agent field.

Steps

  • First, we need to create a Filter to be used in a Policy/Rule. Go to:

      Web Filtering >> Management >> Filter >> "Create Filter"  >> Custom User Agents

  • In order to block browsers, we need to identify the User-Agent string of the browser we wish to block.
  • This can be identified by running a packet analyzer tool like Wireshark or Ethereal. Request a URL in the browser while capturing traffic; the HTTP GET request contains the User-Agent string for this browser.

      For example:

GET / HTTP/1.1
Host: www.cisco.com
User-Agent: Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de,en;q=0.7,en-us;q=0.3
Accept-Encoding: gzip
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

    We can also use the built-in "http.user_agent" filter in Wireshark to isolate the relevant packets.

  • The User-Agent string can also be retrieved using public online tools like UserAgentString.com or WhatsMyUserAgent.com.
  • Once we have the User-Agent string, we can enter it in the Custom User Agents field while creating the filter. For multiple browsers, each User-Agent string must be added on a separate line. Refer to the snapshot below:

Screen Shot 2014-05-21 at 5.28.46 PM.png

 

  • The next step is to use this filter as part of every policy (multiple filters) or just the first policy. This depends on the allowed rules (if any), the rule structure and the desired results.

Screen Shot 2014-05-21 at 5.36.19 PM.png

 

If we use the PolicyTrace Utility from the same browser when traffic is going via Cisco Cloud Web Security service, the following will be seen:

<snip>

Evaluating rule 'Block_Unknown_browser_policy'.
Taking block action because of userAgent 'Mozilla/5.0 (Macintosh; <snip> 10.9; rv:29.0) Gecko/20100101 <snip>/29.0;'

<snip>

Example/Use Case:

With each release or update patch for web browsers, the user-agent string is often changed. Recently, Microsoft made quite a few changes to the user-agent string structure for Internet Explorer 11. Hence, blocking browsers with short development cycles and update intervals is difficult to accomplish using pre-defined filters. The procedure outlined above is useful for achieving the desired results in such cases.

   Common User-Agent strings to block Internet Explorer 11:

Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; Win64, x64; Trident/7.0; Touch; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
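
The collection step in the procedure above can be scripted once captured requests are available as text. The following is an added example, not part of the original document or any Cisco tool: it extracts the User-Agent header from raw HTTP requests, classifies each browser, and emits the strings of non-approved browsers one per line for the Custom User Agents field. The approved set, the token patterns, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
# Checked in order: browsers embed each other's tokens (Opera adds "Chrome/" and
# "Safari/", Chrome adds "Safari/"; IE 11 dropped "MSIE" and kept "Trident/").
FAMILIES = [
    ("SeaMonkey", re.compile(r"SeaMonkey/")),
    ("Opera", re.compile(r"OPR/|Opera")),
    ("Internet Explorer", re.compile(r"MSIE |Trident/")),
    ("Chrome", re.compile(r"Chrome/")),
    ("Safari", re.compile(r"Safari/")),
    ("Firefox", re.compile(r"Firefox/")),
]
APPROVED = {"Firefox", "Chrome"}  # assumed corporate allow-list

def user_agent_of(raw_request):
    """Return the User-Agent header value of one raw HTTP request, or None."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None

def browser_family(ua):
    """Map a User-Agent string to the first matching family, else "Unknown"."""
    return next((f for f, rx in FAMILIES if rx.search(ua)), "Unknown")

def custom_user_agent_lines(raw_requests, approved=APPROVED):
    """Distinct User-Agent strings of non-approved or unknown browsers, one per line."""
    lines = []
    for raw in raw_requests:
        ua = user_agent_of(raw)
        if ua and browser_family(ua) not in approved and ua not in lines:
            lines.append(ua)
    return "\n".join(lines)

def build_request(ua):
    """Build a constructed GET request; ua=None omits the header."""
    header = f"User-Agent: {ua}\r\n" if ua else ""
    return f"GET / HTTP/1.1\r\nHost: www.cisco.com\r\n{header}Accept-Encoding: gzip\r\n\r\n"

# Constructed sample capture: two strings from this page, two made-up approved ones.
SEAMONKEY = "Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre"
IE11 = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"
SAMPLE = [build_request(u) for u in (SEAMONKEY, CHROME, IE11, None, FIREFOX, SEAMONKEY)]
if __name__ == "__main__":
    print(custom_user_agent_lines(SAMPLE))
```

Because the User-Agent header is set by the client, the resulting filter enforces policy for standard browser builds; it does not stop a user who deliberately changes the header.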

Version history
Revision #: 1 of 1
Last update: 07-24-2014 02:03 PM