Hello,
We are having a security breach in our environment; we are using an SD-WAN solution based on MX.
We have an L3 FW rule that permits TCP/80 and TCP/443 for web surfing, and we are limiting websites by configuring a whitelist.
We discovered that some non-HTTPS traffic can pass through the MX bypassing the web filtering, probably because the web filtering is acting only on HTTP/HTTPS.
We are now trying to find a way to block that traffic and only allow HTTP/HTTPS protocols.
Is there a way to achieve this?
Thanks
What is the URL category?
Isn't it easier to block everything by default and only allow what you need?
Agree with @alemabrahao, if you're dealing with a breach, restrict everything and only allow through what's required.
This is what we do: the port tcp/443 is open for any destination and we are only allowing domains on the web filtering, but some tools that are not allowed, like TeamViewer, are bypassing the web filtering.
I don't see TeamViewer in the L7 firewall.
You could try adding a deny in the L3 and/or L7 firewall to
*.teamviewer.com
Not sure that will work @ww @as TeamViewer is also available as an App
TeamViewer advises blocking that.
I think it could work in some cases (assuming apps also use some DNS lookup).
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support
But with DoH and other encryptions I'm not too sure.
OK, we just did a test by adding an L3 FW rule to deny tcp/443 to *.teamviewer and it works, but this way it will only block TeamViewer and not other tools that work the same way.
Difficult to imagine that a solution like Meraki cannot block specific apps or threats.
There are some apps that the L7 firewall can block. You could take a look at those options. (But the list could be bigger...)
Threats (should) be blocked by the IPS.
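As an added illustration of the trade-off discussed in this thread (not code from the original posts, and not Meraki's implementation), here is a small Python model of first-match L3 rules with wildcard FQDN destinations. It compares the "tcp/443 open to any destination plus a deny for *.teamviewer.com" approach against a default-deny allowlist, and includes a flow for which the firewall never saw a DNS answer (hard-coded IP or DNS over HTTPS), since an FQDN rule has no name to match in that case. Hostnames, flows and the rule semantics are constructed assumptions for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample flows as a firewall would see them:
# (destination name if a DNS answer was observed for the destination IP, else None; destination port)
FLOWS = {
    "browser to allowed intranet site": ("portal.corp-intranet.test", 443),
    "teamviewer client":                ("router1.teamviewer.com", 443),
    "other remote-access tool":         ("relay.other-remote-tool.test", 443),
    "direct-to-IP tunnel, no DNS seen": (None, 443),  # name resolved over DoH, or IP hard-coded
    "plain http to allowed site":       ("www.corp-intranet.test", 80),
    "ssh attempt":                      ("portal.corp-intranet.test", 22),
}

# Flows the business actually needs; everything else that gets through is a leak.
WANTED = ("browser to allowed intranet site", "plain http to allowed site")


def fqdn_matches(pattern, fqdn):
    """Wildcard FQDN match (assumed semantics for this example).

    A bare '*' matches any destination, named or not. A pattern such as
    '*.teamviewer.com' needs a resolved name below teamviewer.com, so a flow
    for which no DNS answer was seen can never match it.
    """
    if pattern == "*":
        return True
    if fqdn is None:
        return False
    return fnmatchcase(fqdn.lower(), pattern.lower())


def evaluate(policy, flow):
    """First-match evaluation of (action, fqdn_pattern, port) rules, then the default action."""
    rules, default = policy
    fqdn, port = flow
    for action, pattern, rule_port in rules:
        if (rule_port == "any" or rule_port == port) and fqdn_matches(pattern, fqdn):
            return action
    return default


# Approach 1 (what the thread tested): tcp/443 and tcp/80 open to any destination,
# with a deny for TeamViewer evaluated first.
DENYLIST_POLICY = (
    [("deny", "*.teamviewer.com", 443),
     ("allow", "*", 443),
     ("allow", "*", 80)],
    "deny",
)

# Approach 2 (the advice in the thread): default deny, allow only the names that are needed.
ALLOWLIST_POLICY = (
    [("allow", "*.corp-intranet.test", 443),
     ("allow", "*.corp-intranet.test", 80)],
    "deny",
)


def compare_policies(flows=FLOWS):
    """Verdict of both policies for every sample flow."""
    return {
        name: {"denylist": evaluate(DENYLIST_POLICY, flow),
               "allowlist": evaluate(ALLOWLIST_POLICY, flow)}
        for name, flow in flows.items()
    }


def leaks(policy, flows=FLOWS, wanted=WANTED):
    """Flows a policy allows even though they are not business traffic."""
    return sorted(name for name, flow in flows.items()
                  if evaluate(policy, flow) == "allow" and name not in wanted)


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:36s} denylist={verdicts['denylist']:5s} allowlist={verdicts['allowlist']}")
    print("leaks with denylist :", leaks(DENYLIST_POLICY))
    print("leaks with allowlist:", leaks(ALLOWLIST_POLICY))
```

The deny-only approach stops the one tool it names but still passes the other remote-access tool and the direct-to-IP flow, because `("allow", "*", 443)` matches anything on 443, including flows with no resolvable name. The allowlist blocks both by default, which is the point made earlier in the thread; the remaining gap is that anything legitimately needed has to be added to the list before it works.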