Can I block uploading of confidential data via SafeSquid-SWG ( Client Discussion #1 )


Post by aashish97 » Thu Apr 23, 2020 11:26 am

Hello All,

I have received questions from users about blocking confidential data. In one scenario, the client wants to block all kinds of confidential data upload, such as uploading PDF, Word, Excel, PPT and similar documents, and also text files containing confidential data.

After some detailed discussion with the client, I have added that discussion below, which might also answer your questions.

-----------------
Questions
-----------------

------------------------1------------------------
1) Can we block all kinds of confidential data upload, such as uploading PDF, Word, Excel, PPT and similar documents, and also text files containing confidential data?

Solution:
The Answer is YES with a small drawback which will be explained in the solution below.

Yes, we can block uploading of PDF, Word, Excel, PPT and similar documents, and we are not limited to blocking only these documents. We can also very easily block uploading of content like executable files, image files, audio files, video files and other file content.

Note: SafeSquid can detect whether the user has uploaded a textual file, an image, and so on.

The detailed description of how to block this content easily via the SafeSquid-SWG DLP section is given in the forum post below.

Post: Smart way to block Uploading of Confidential Files ( Using SafeSquid's Granular DLP Module )

Link: viewtopic.php?f=61&t=183&sid=80f7d833d1 ... a09ebd8bef

The other part of the answer revolves around content like textual files.
Let me first explain why we will face difficulty blocking textual content.

SafeSquid provides full flexibility in creating policies; users can create policies as per their requirements.

The current requirement is to block all kinds of confidential data without any confidential data pattern, so to best suit the requirement we can block all kinds of upload using the SafeSquid-SWG DLP section.
This will block all kinds of upload.
It will block everything that is uploaded, regardless of it being text, image, multimedia, data files, compressed files, software applications and many more.
This is the quickest and easiest block policy.


BUT,

Here is the problem with this: whenever we visit a site, there will be files downloaded by our browser, like the HTML, CSS, JavaScript, images and other stuff.
The website will also upload some content which is required for synchronisation, getting new content, sending your user details, and for other purposes like fetching ads depending upon user interaction.
With this block policy, these things will also get blocked,
resulting in websites not loading properly, websites not being displayed, and websites breaking so that they don't serve the purpose.

This will result in a total mess and a bad user experience.

We can create a policy to block all content and only allow textual content (which is detected as text/plain by SafeSquid-SWG).

--------- IMPORTANT --------

Note:

Content detection done by SafeSquid-SWG is based on the true content type, which means that whether the data is some small data used to sync a web application or an upload of a textual file, the Content-Type detected is text/plain. With this policy, if a user uploads a textual file, it will be uploaded.

According to the policy and content type detection, SafeSquid will not block this textual file, which might be carrying confidential data.
----------------------------------------

------------------------2------------------------
2) Does this mean we cannot block textual data, and if any user uploads confidential PDF data in a TXT file then it cannot be blocked by SafeSquid-SWG?

Solution:

The solution is to first understand the problem and then make smart policies to limit such upload risk.

As per your problem, we need to block uploading of confidential data, and it might be uploaded in any format,
maybe in a plain textual file.

Let me first explain how file upload works.

There are a few ways files are uploaded.

A) MULTIPART

In most cases, and by most web applications, files are uploaded in MULTIPART form,
which means it will have multiple layers of data:

-> One is the file.
-> One is the data related to the file, like the filename.
-> One is the upload description.
-> One is the section holding the folder where the file will be uploaded.
-> And a few more descriptions depending upon the web application.

Example:
Google Drive File Upload
One drive File Upload

B) URL ENCODED

-> They can be used by web applications to sync data

Web applications use this way to upload data in scenarios like

Web Login Form
New Account Creation Form
Email Subscription

and many more.
This data is "&" separated.

Example:
Google SignUp & Login
LinkedIn SignUp & Login
Twitter SignUp & Login

C) DIRECT CONTENT TYPE SPECIFYING

-> They can be used by web applications to sync data

Web applications send data like

XML
JSON
Plain Textual Data

and other data formats, by directly specifying the content type.

Example:
Sending Email with Gmail
Google Ads Service Synchronisation
Error Message Sent by Server

And many REST API based web applications communicate in XML or JSON.

Now, when web applications send data, they will specify the content type while sending the data.

In SafeSquid we can create rules to identify the Content-Type and apply restrictions on that.

As we have now analysed, when a web application uploads a file it will provide a multipart content type in most cases.
And to sync data, the web application will either directly provide the content type or will send it URL encoded.

Therefore, if we create a policy to block multipart content and only allow textual upload of data using the DLP section, then we can achieve much better restrictions.

Not Every Solution is 100% Perfect.

I have tested this kind of configuration and found an 80% success rate.

It can create problems in scenarios where:


A) There is no content type provided by the web application while doing the upload.
This is a very rare scenario, because most web applications will provide the content type while uploading, and it is as per the RFC to provide the content type.

B) A wrong content type is provided by the web application.
This is also one of the rare scenarios which will occur, and the content will get uploaded.

C) Sometimes a web application might upload a file in a smarter way,
like uploading the file directly using the direct content type specifying way.
In this case, when a textual file is uploaded,
it will be uploaded directly without MULTIPART,
and data like the file name, folder and other details required by the web application will be added to the request URL.

This will actually break our policy definition and upload a textual file which might hold textual content.

Example:
Web applications like WeTransfer use this way of uploading content,
and for textual file uploads this will create a problem.

But the best way to understand such scenarios and take the necessary action is by doing analysis on the network and understanding the traffic using the report.


Re: Can I block uploading of confidential data via SafeSquid-SWG ( Client Discussion #1 )

Post by aashish97 » Fri Apr 24, 2020 9:33 am

NOTE: SafeSquid will only process data which can be buffered in SafeSquid's memory, i.e. the buffering specified by the SafeSquid configuration.
This means that if the uploaded data is more than the buffering limit, it will not be processed, and if it is not processed then the DLP section restrictions will not work.

The default buffering policy of SafeSquid specifies 50MB as the maximum limit for buffering uploaded content.

----------------3-----------

3) What if the user uploads a file of size 200MB, or any file of size more than 50MB?

SOLUTION:
------------------
As specified previously, if the uploaded content is more than 50MB it will not be processed, no DLP restriction policy will work, and the content will be uploaded, leading to a security breach.


To actually solve this problem,
the best way is to create smart policies or more stringent policies.

The best policy is to block all such content which has a size greater than the buffering specified.

-------------------------
Note: Increasing the buffering size means first storing the uploaded content in SafeSquid's memory and then processing it.

If we increase it to, suppose, 200MB, then when the user uploads a 200MB file, SafeSquid will first accept the 200MB file, which will require a lot of time, resulting in a bad user experience.
-----------------------------

We can actually specify a limit on the upload content, and if the user uploads a file of size more than that limit then it will directly be blocked.
And for websites where the user should be able to upload such big files, this policy can be easily overridden.

SafeSquid's granular policies help you to create such policies very easily.

This best practice of SafeSquid policy creation will help you design the most effective solutions for your organization.
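
The policy discussed in the two posts above (block multipart uploads, allow textual data, block anything larger than the buffering limit), modelled as an added Python example; it is not SafeSquid code or configuration. The function names, the `filename` query parameter, the placeholder hosts and the handling of a missing Content-Type are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

BUFFER_LIMIT = 50 * 1024 * 1024   # 50MB default buffering limit quoted in the thread
TEXTUAL = {"application/x-www-form-urlencoded", "application/json",
           "application/xml", "text/xml", "text/plain"}

def classify(headers):
    """Map the declared Content-Type to the upload styles listed in the thread."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if not ctype:
        return "missing"       # failure case A: no content type declared
    if ctype.startswith("multipart/"):
        return "multipart"     # style A: typical file upload
    if ctype in TEXTUAL:
        return "textual"       # styles B and C: form posts, JSON, XML, plain text
    return "other"

def decide(method, url, headers):
    """Return (action, reason) for one request; 'review' marks report follow-up."""
    if method not in ("POST", "PUT"):
        return ("allow", "not an upload")
    if int(headers.get("Content-Length", "0")) > BUFFER_LIMIT:
        return ("block", "exceeds buffer, body cannot be inspected")
    kind = classify(headers)
    if kind == "multipart":
        return ("block", "multipart file upload")
    if kind == "textual":
        # Failure case C: a file sent directly with its name in the URL looks
        # like sync traffic. The 'filename' parameter name is an assumption.
        if "filename" in parse_qs(urlsplit(url).query):
            return ("allow", "review: direct upload with filename in URL")
        return ("allow", "textual or sync data")
    if kind == "missing":
        return ("allow", "review: no Content-Type declared")  # assumed behaviour
    return ("block", "non-textual content")

# Constructed sample requests (hosts and paths are placeholders).
SAMPLES = [
    ("POST", "https://drive.example/upload",
     {"Content-Type": "multipart/form-data; boundary=x", "Content-Length": "120000"}),
    ("POST", "https://login.example/signin",
     {"Content-Type": "application/x-www-form-urlencoded", "Content-Length": "64"}),
    ("PUT", "https://transfer.example/put?filename=plan.txt",
     {"Content-Type": "text/plain", "Content-Length": "2048"}),
    ("POST", "https://app.example/sync", {"Content-Length": "512"}),
    ("POST", "https://drive.example/upload",
     {"Content-Type": "multipart/form-data; boundary=x", "Content-Length": "209715200"}),
]

if __name__ == "__main__":
    for method, url, headers in SAMPLES:
        print(method, url, "->", decide(method, url, headers))
```

The third and fourth samples are allowed but carry a "review" reason: they are the requests a Content-Type rule alone cannot separate from ordinary sync traffic, and the ones to look for in the traffic report.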
