Example: Restricting Access to Sensitive Data

The following example demonstrates how to use an access control rule, together with a Matching URL resource and End Point Control zone, to prevent a Web-based application from displaying restricted data to untrusted devices.

• For an overview of access control, see Access Control Rules.
• The example assumes that you have an EPC zone configured (named Untrusted in this example) into which devices that are not IT-managed are classified; see Managing EPC with Zones and Device Profiles for information about configuring and using zones.

Prevent a Web-based application from retrieving data using a Matching URL resource

1. In the AMC, navigate to Security Administration > Access Control.

2. Click the + (New) icon.

   The Add Access Rule page displays.

3. In the Position field, type a number to specify the rule’s position in the access rule list.

4. Use the Action buttons to specify Deny.

   This will deny users access to any resource that matches the pattern you specify in the next step.

5. Complete the information under Basic settings:

   1. Leave User selected (so that the rule applies to users trying to access a resource).

   2. The From field specifies the users to whom the rule applies. For this example, leave the value as Any user.

   3. In the To field, click Edit to specify the target resource for this rule.

      A Resources page displays.

   4. Click the + (New) icon.

   5. Select Matching URL. The Add Resource - Matching URL page displays.

   6. Type a name for the resource. For example, Patient Records.

   7. In the URL field, type the URL address of your Web-based application. For example, www.patient-records.com.

   8. In the Path and query string matching area, select Custom from the Type of match list.

   9. Click the + (New) icon.

   10. Select Path element. Type reports.aspx. (The path is not case-sensitive.)

   11. Click OK.

   12. Click the + (New) icon.

   13. Select Query string. Type last_name=. (The query string is case-sensitive.)

   14. Click OK

   15. Click Save.

       The Add Resource - Matching URL closes.

6. In the End Point Control zones section, click Edit to select the zone from which you will deny access to the resource (Untrusted).
7. When you create a rule that specifies a Matching URL resource type, the user must be allowed to use a browser as an access method. On the Advanced tab, in the Access method restrictions area, make sure that the Client software agents are either set to Any, or that Web browser is among the selected agents.

8. Click Finish.

After you save and apply your changes, users who attempt to open the Patient Records resource (using a URL that matches http://www.patient-records.com/reports.aspx?last_name=) and who are classified into the Untrusted zone will be denied access.

 

• Some Web-based applications automatically redirect users to other Web pages. Be certain to use the target URL address (the Web page to which users are redirected) when configuring the appliance to block email attachments. See Example: Working with a URL Redirect for more information.
• You cannot configure a Matching URL resource to restrict access to sensitive data for users who connect to the appliance using OnDemand Tunnel or Connect Tunnel.