Why a Security Policy Might Appear to Be Ineffective - Caching and Multiple Hosts - Internal


  • Description
    In some cases, the security policy on a Finjan system might appear to be ineffective.  This can be noticed after a recent policy change or after first deploying a Finjan solution.

  • Symptoms
    Common symptoms include:
    1. Content that should be blocked is downloadable by a browser.
    2. Images or text content might be missing from an allowed page.
    3. A script error might be indicated in the lower left corner of the browser on an allowed page.
    4. Some menus on an allowed page might not function.

  • Cause
    There are two common causes for this behavior:
    1. Caching
    2. Content received from multiple web hosts

  • Solution
    Caching - Caching is often the reason why a security policy change might appear to be ineffective. 
    For example, if the default policy blocks an applet, the substitute applet might be cached.
    If the administrator changes the policy to allow the applet, the user might continue to receive the cached substitute applet. Therefore, it appears as though the security policy change did not work.

    Using logs, it is possible to determine if cached content is provided to the user. 
    If an object is served from a cache, there will be no record of the request in the logs. 
    In order to see all transactions, it may be necessary to temporarily change the logging settings. 
    Please note that increased logging can reduce performance, so it is important to change the logging settings back to their previous values when troubleshooting is complete.

    The systems administrator should be aware of all caches that might prevent requests from reaching the scanner. 
    The administrator should also know how to manage these caches. 
    Common caches include:

    1. A network caching solution, such as ISA or Blue Coat, that is located between the Finjan system and the browsers.
    2. The browser's own cache - In order to completely clear this cache, it may be necessary to first exit all browser instances.
    3. The JVM's cache - Sun's Java Virtual Machine maintains its own applet cache that is separate from the browser's cache.  This cache can be managed by double-clicking the Java Plug-in icon in Windows' Control Panel and selecting the Cache tab.
    4. Vital Security NG's built-in Security Caching - To disable this, navigate in the Management Console to Settings -> Content Processors -> Security Caching and unselect the Enable Caching checkbox.

    When the Finjan system is implemented in proxy mode, one way to determine if a policy change took effect is to configure a browser to proxy directly through the Finjan proxy. 
    This will eliminate the possibility of interference from any network caching solutions.
    If a browser having a clear cache and configured to proxy directly to the Finjan system continues to receive the wrong policy, then the policy should be inspected once more. 
    In environments that utilize different user policies, please verify that the correct policy is assigned to the test browser.

    Content Received from Multiple Web Hosts
    Even if the URL list entry matches the website shown in the browser's address bar, it is important to note that many web pages are built from content that comes from several websites. 
    For example, on a news site, the initial links on the page might come from one server, while the dynamic content (links to new articles) might come from a different server in a completely different domain. 
    Again, the logs should reveal which sites are involved in the transaction. 
    As with caching, it may be necessary to temporarily increase the logging level to track the transactions associated with the web page. 
    Once all of the involved sites have been identified, the logs can be returned to their former settings and the policy can be modified appropriately to allow the desired page.
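    The two log-based checks described above (spotting objects that never reached the scanner because a cache answered them, and listing every host a single page pulls content from) can be scripted. The following is an added example, not code from the Finjan article or from the Vital Security product. The log line layout it parses (timestamp, client IP, ALLOW/BLOCK action, method, URL, referer) is a constructed, hypothetical format chosen for illustration; a real Vital Security log layout differs, so the regular expression would need adjusting, and the sample log lines and expected-object list are constructed as well.

```python
"""Analyse proxy-style access logs to answer two troubleshooting questions:
   1. Which objects of a page never appeared in the log (likely served from a
      cache, so the scanner and its policy were never consulted)?
   2. Which hosts, and with which policy action, contributed to one page?
Log format is ASSUMED/hypothetical, not the Finjan product's own format."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: one news page that pulls content from several hosts.
SAMPLE_LOG = """\
2010-02-03T10:00:01 10.0.0.5 ALLOW GET http://news.example.com/index.html -
2010-02-03T10:00:01 10.0.0.5 ALLOW GET http://static.example-cdn.net/site.js http://news.example.com/index.html
2010-02-03T10:00:02 10.0.0.5 BLOCK GET http://ads.example-ads.org/banner.swf http://news.example.com/index.html
2010-02-03T10:00:02 10.0.0.5 ALLOW GET http://feeds.example-dyn.io/latest.json http://news.example.com/index.html
this line is malformed and must be skipped
"""

# Constructed list of objects the page is known to need (e.g. from the page
# source). One applet is deliberately absent from the log above.
EXPECTED_OBJECTS = [
    "http://news.example.com/index.html",
    "http://static.example-cdn.net/site.js",
    "http://ads.example-ads.org/banner.swf",
    "http://feeds.example-dyn.io/latest.json",
    "http://news.example.com/widgets/ticker.jar",
]

# Assumed layout: ts client ACTION METHOD URL REFERER ('-' when no referer).
LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|BLOCK) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of dict records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, action, method, url, referer = m.groups()
        records.append({"ts": ts, "client": client, "action": action,
                        "method": method, "url": url, "referer": referer})
    return records


def hosts_per_page(records):
    """Map each top-level page to {host: set(actions)} for every component
    it loaded. A request with no referer is treated as the page itself."""
    pages = defaultdict(dict)
    for r in records:
        page = r["url"] if r["referer"] == "-" else r["referer"]
        host = urlsplit(r["url"]).hostname
        pages[page].setdefault(host, set()).add(r["action"])
    return pages


def blocked_hosts(pages, page):
    """Hosts that served at least one BLOCKed component of the page; these are
    the candidates for a policy adjustment if the page should be allowed."""
    return sorted(h for h, acts in pages.get(page, {}).items() if "BLOCK" in acts)


def unlogged_objects(expected_urls, records):
    """Objects the page needs that never reached the scanner. With no log record
    at all, a cache (browser, JVM, upstream proxy or Security Caching) is the
    likely source, so a policy change cannot have applied to them."""
    seen = {r["url"] for r in records}
    return sorted(u for u in expected_urls if u not in seen)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    pages = hosts_per_page(recs)
    page = "http://news.example.com/index.html"
    print("hosts involved in", page, "->", sorted(pages[page]))
    print("hosts with blocked content ->", blocked_hosts(pages, page))
    print("objects never seen by the scanner ->",
          unlogged_objects(EXPECTED_OBJECTS, recs))
```

    Running the script lists four distinct hosts behind the single address-bar URL, names the one host whose content the policy blocked, and reports the applet that is absent from the log, which is exactly the cached-substitute situation described above: no log entry means the request never reached the scanner, so the cache must be cleared before the policy change can be observed.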

    VSOS
    8.3.x
    8.4.x
    8.5.0


  • This article applies to:
    NG 1000
    NG 5000
    NG 8000
    This article was previously published as:
    Finjan KB 1299

    Last Modified 2/3/2010.
    https://support.trustwave.com/kb/KnowledgebaseArticle13213.aspx