The File Control feature in cOS Core performs checks on files passing through the firewall. The transfer could be done using any of the following protocols:
File Control Setup
The recommended way of performing file control is using an IP Policy object. The steps are the following:
1. Create a new File Control Profile object and adjust its properties accordingly.
2. Associate the profile with an IP Policy that triggers on the target traffic. The Service property of the IP policy must be set to a service object which has its Protocol property set to the targeted traffic type (for example, HTTP).
A File Control Policy can be used in combination with one or more other types of processing that are enabled on an IP policy. For example, an Anti-Virus Policy could be assigned and enabled on the same IP policy so that files are also scanned for malware.
File Control Profile Object Properties
A File Control Profile object has the following properties:
Name
A suitable logical name for the profile.
File Type Action
This property can be set to Allow or Block (the default) in order to block or allow specific file types specified by the File Types property.
File Types
This property lists the filetypes which are to be blocked or allowed. The block/allow feature operates independently of the Validate File Extension property but is based on the predefined filetypes listed in Appendix C, Verified MIME filetypes. These two modes function as follows:
i. Block
The filetypes marked in the list will be dropped as downloads. To make sure that this is not circumvented by renaming a file, cOS Core looks at the file's contents (in a way similar to MIME checking) to confirm the file is what it claims to be.
If, for example, .exe files are blocked and a file with a filetype of .jpg (which is not blocked) is found to contain .exe data then it will be blocked. If blocking is selected but nothing in the list is marked, no blocking is done.
ii. Allow
Only those filetypes in the list will be allowed in downloads and others will be dropped. As with blocking, file contents are also examined to verify the file's contents. If, for example, .jpg files are allowed and a file with a filetype of .jpg is found to contain .exe data then the download will be dropped. If nothing is marked in this mode then no files can be downloaded.
Additional filetypes not included by default can be added to the Allow/Block list. However, these cannot be subject to content checking. This means that the file extension will be trusted as being correct for the contents of the file.
Validate File Extension
This option enables MIME verification that the filetype of a file download agrees with the contents of the file (the term filetype here is also known as the filename extension).
All filetypes that are checked in this way by cOS Core are listed in Appendix C, Verified MIME filetypes. When enabled, any file download that fails MIME verification, in other words its filetype does not match its contents, is dropped by cOS Core on the assumption that it can be a security threat.
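The Block/Allow modes and the Validate File Extension check described above, modelled as a decision function. This is an added illustration, not Clavister code: the content-signature table is a small constructed subset standing in for the verified MIME filetypes of Appendix C, and the behaviour (content checked where a signature is known, extension trusted for added types, empty Allow list drops everything) follows the text rather than cOS Core internals.

```python
from typing import Optional, Set, Tuple

# Constructed subset of content signatures for "verified" filetypes: type -> magic bytes.
# Stands in for the Appendix C list; not the real cOS Core table.
VERIFIED = {
    "exe": b"MZ",
    "msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF",
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the verified filetype whose signature the content matches, else None."""
    for ftype, magic in VERIFIED.items():
        if data.startswith(magic):
            return ftype
    return None


def file_control(filename: str, data: bytes, action: str, file_types: Set[str],
                 validate_extension: bool) -> Tuple[str, str]:
    """Decide ("allow" | "drop", reason) for one download.

    action is the File Type Action ("Block" or "Allow"), file_types the marked
    File Types list, validate_extension the Validate File Extension option.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    content = detect_type(data)
    # A file is judged by its content when a signature is recognised; an added
    # type with no signature cannot be content-checked, so its extension is trusted.
    effective = content if content is not None else ext
    # MIME verification: a verified extension must agree with the content.
    if validate_extension and ext in VERIFIED and content != ext:
        return "drop", f"MIME verification failed: .{ext} but content is {content}"
    if action == "Block":
        # Empty block list: nothing is blocked.
        if effective in file_types:
            return "drop", f"blocked type {effective}"
        return "allow", "not in block list"
    # Allow mode: only marked types pass, so an empty list allows nothing.
    if effective in file_types:
        return "allow", f"allowed type {effective}"
    return "drop", "not in allow list"
```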
Example 6.49. File Control Setup with an IP Policy
In this example, internal HTTP clients will be downloading files from the Internet which will be checked using a File Control Policy so that files of the type .exe or .msi will be blocked. In addition, the MIME type of any downloaded files will be verified.
Command-Line Interface
A. Create a new Service object for inbound HTTP traffic:
Device:/> add Service ServiceTCPUDP my_http_service
    Type=TCP
    DestinationPorts=80
    Protocol=HTTP
B. Create a FileControlPolicy object:
Device:/> add Policy FileControlPolicy my_fc_policy
    FileListType=Block
    File=exe,msi
    VerifyContentMimeType=Yes
C. Create an IP Policy for HTTP traffic:
Device:/> add IPPolicy Name=my_http_policy
    SourceInterface=lan
    SourceNetwork=lannet
    DestinationInterface=wan
    DestinationNetwork=all-nets
    Service=my_http_service
    Action=Allow
    SourceAddressTranslation=NAT
    NATSourceAddressAction=OutgoingInterfaceIP
    FileControl=Yes
    FC_Mode=UsePolicy
    FC_Policy=my_fc_policy
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
A. Create a new Service object for inbound SMTP:
B. Create a File Control Profile object:
C. Create an IP Policy for HTTP traffic: