How to Prevent Policy Avoidance Using Direct IP of Website within Local database on ProxySG
Last Updated June 26, 2018
A customer wants to use a local database rather than BCWF but is concerned that users will be able to bypass the policy by accessing the website directly via its IP address.
To prevent this, RDNS restrictions should be set to None. If the ProxySG does not perform an RDNS lookup and relate the IP address to the host domain, it cannot match the rule within the policy, because the local database does not contain the IP address like the BCWF does.
During testing this was found to be correct for some websites, such as BBC.co.uk, but on other websites, such as www.speedhunters.com (ns: lookup 220.127.116.11), access to the frame of the website was possible using the IP address, although clicking on any related URLs resulted in an exception page.
This was because the IP address resolved to a content server rather than to the website's hostname.
To prevent this, block the content server (ec2-52-87-84-8.compute-1.amazonaws.com).
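An added example (not part of the original article): a Python audit that, for each hostname in the local database, looks up its IP addresses and their reverse DNS names and reports any reverse name that no database entry covers, which is the gap found with www.speedhunters.com above. The function names, the suffix-matching rule and the sample lookup tables are assumptions made for illustration; 192.0.2.10 and its reverse name are constructed values.

```python
import socket

def covered(hostname, blocked):
    """True if hostname equals a blocked entry or is a subdomain of one (assumed matching rule)."""
    host = hostname.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)

def live_forward(name):
    """Forward lookup: every address the name currently resolves to."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def live_reverse(ip):
    """Reverse (PTR) lookup: the name the proxy would see for a bare-IP request."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def audit(blocked, forward=live_forward, reverse=live_reverse):
    """Return (entry, ip, ptr) for each IP whose reverse name no blocked entry covers."""
    blocked = [b.lower().rstrip(".") for b in blocked]
    gaps = []
    for entry in blocked:
        for ip in forward(entry):
            ptr = reverse(ip)
            if ptr is None or not covered(ptr, blocked):
                gaps.append((entry, ip, ptr))
    return gaps

# Constructed lookup tables so the example runs offline; the speedhunters
# values are the ones quoted in the article, the bbc.co.uk ones are made up.
SAMPLE_A = {"bbc.co.uk": ["192.0.2.10"],
            "www.speedhunters.com": ["220.127.116.11"]}
SAMPLE_PTR = {"192.0.2.10": "www.bbc.co.uk",
              "220.127.116.11": "ec2-52-87-84-8.compute-1.amazonaws.com"}

def sample_forward(name):
    return SAMPLE_A.get(name, [])

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    entries = ["bbc.co.uk", "www.speedhunters.com"]
    for entry, ip, ptr in audit(entries, sample_forward, sample_reverse):
        print(f"{entry}: {ip} reverse-resolves to {ptr}, not covered by the database")
```

Calling audit() without the sample resolvers performs live DNS lookups. Reverse names of cloud-hosted sites change when the site moves to a new address, so the check is worth repeating after any change to the database.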
Imported Document ID: 000032456