Deny Rules

In an environment where Network Security is enabled and uses Deny Rules, Workspace Control allows all connections by default. The connections that could be harmful need to be blocked for all users. Furthermore, connections that must be available but only to specific users need to be blocked for everybody, and then specific users must be excepted using an Authorized Connection.

For example:

  • Nobody should be able to transfer information over ports 21 and 22: port 21 is the FTP control port, and port 22 is SSH, which carries SFTP and SCP file transfers.

  • Connection to the SQL server holding financial data should be blocked for everyone except staff of the Finance department, provided they are logging on from a computer located in the office, not from home.

  • Connection to the Linux servers is blocked for everyone, but authorized for the administrators who manage those servers.

This setup can be achieved with:

  • Blocked Connections that apply to all users for:

    • the database server holding the financial data

    • the Linux servers

  • Authorized Connections configured for:

    • connection to database server holding the financial data with Access Control set to the members of the Finance department and Workspace Control set to the office computers.

    • connection to the Linux servers, with Access Control set to the administrators.

  • An additional blocked connection for monitoring purposes so that the connections that are actually established are logged.

  • With Deny Rules, an authorized connection is only useful if it narrows down a blocked connection. For example, there is no point in blocking all traffic over port 22 and then specifically authorizing TCP/IP traffic over port 23: port 23 was never blocked, so the authorization changes nothing.

  • With Deny Rules, it is also possible to grant access to a specific connection for a specific group. To do so, create a blocked connection for the specific connection. Set Access Control for this connection to the specific group and select Exclude members of Selected group. Now this connection is blocked for everyone not in the designated group.
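The following is an added example, not code from Ivanti or from this documentation: a small Python model of the Deny Rules semantics described above, used to check a policy before it goes into production. It encodes the finance-database and Linux-server setup from the list, the monitoring-only block, the "narrowing" rule (an Authorized Connection that overlaps no Blocked Connection is flagged as ineffective), and the Exclude-members variant. Hosts, subnets, ports, group and workspace names, and the assumption that one matching Authorized Connection lifts every Blocked Connection that matched, are all assumptions of the model, not facts about the product.

```python
"""Toy evaluator for Deny Rules: allow by default, deny on a matching Blocked
Connection, unless a matching Authorized Connection carves out an exception.
Illustrative model only, not Workspace Control's own engine."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # "no restriction" for ports, groups and workspaces


@dataclass(frozen=True)
class Blocked:
    name: str
    dest: str                              # CIDR; "0.0.0.0/0" = every host
    ports: Optional[frozenset]             # TCP ports; ANY = every port
    groups: Optional[frozenset] = ANY      # Access Control; ANY = all users
    exclude_groups: bool = False           # "Exclude members of selected group"
    monitor_only: bool = False             # log instead of block


@dataclass(frozen=True)
class Authorized:
    name: str
    dest: str
    ports: Optional[frozenset]
    groups: Optional[frozenset] = ANY
    workspaces: Optional[frozenset] = ANY  # Workspace Control; ANY = anywhere


@dataclass(frozen=True)
class Request:
    user_groups: frozenset
    workspace: str
    dest_ip: str
    port: int


def _target_matches(rule, req):
    return (ip_address(req.dest_ip) in ip_network(rule.dest)
            and (rule.ports is ANY or req.port in rule.ports))


def _user_matches(groups, exclude, req):
    if groups is ANY:
        return True
    member = bool(groups & req.user_groups)
    return (not member) if exclude else member


def _blocked_applies(rule, req):
    return _target_matches(rule, req) and _user_matches(rule.groups, rule.exclude_groups, req)


def _authorized_applies(rule, req):
    return (_target_matches(rule, req)
            and _user_matches(rule.groups, False, req)
            and (rule.workspaces is ANY or req.workspace in rule.workspaces))


def evaluate(blocked, authorized, req, log=None):
    """Return "allow" or "deny". Monitor-only blocks never deny; they record
    the connections that are actually established (appended to `log`)."""
    hits = [b for b in blocked if _blocked_applies(b, req)]
    enforcing = [b for b in hits if not b.monitor_only]
    # Model assumption: one matching Authorized Connection lifts every Blocked
    # Connection that matched (admins reach Linux on 22 although 22 is blocked).
    if enforcing and not any(_authorized_applies(a, req) for a in authorized):
        return "deny"
    if log is not None:
        log.extend(f"{b.name}: {req.dest_ip}:{req.port} from {req.workspace}"
                   for b in hits if b.monitor_only)
    return "allow"


def _overlaps(a, b):
    nets = ip_network(a.dest).overlaps(ip_network(b.dest))
    ports = a.ports is ANY or b.ports is ANY or bool(a.ports & b.ports)
    return nets and ports


def ineffective_authorizations(blocked, authorized):
    """Authorized Connections that overlap no enforcing Blocked Connection
    (like authorizing port 23 when only 21/22 are blocked) change nothing."""
    return [a.name for a in authorized
            if not any(_overlaps(a, b) for b in blocked if not b.monitor_only)]


# Constructed sample policy mirroring the example setup (addresses assumed).
FINANCE_DB, LINUX, ALL = "10.1.5.10/32", "10.1.20.0/24", "0.0.0.0/0"
BLOCKED = [
    Blocked("ftp/ssh everywhere", ALL, frozenset({21, 22})),
    Blocked("finance db", FINANCE_DB, frozenset({1433})),
    Blocked("linux servers", LINUX, ANY),
    Blocked("monitor", ALL, ANY, monitor_only=True),
]
AUTHORIZED = [
    Authorized("finance from office", FINANCE_DB, frozenset({1433}),
               groups=frozenset({"Finance"}), workspaces=frozenset({"office"})),
    Authorized("linux admins", LINUX, ANY, groups=frozenset({"LinuxAdmins"})),
    Authorized("telnet to finance db (pointless)", FINANCE_DB, frozenset({23})),
]
# Exclude-members variant: same effect as block + authorize, in one rule.
BLOCKED_EXCLUDE = [Blocked("linux, not for admins", LINUX, ANY,
                           groups=frozenset({"LinuxAdmins"}), exclude_groups=True)]

if __name__ == "__main__":
    log = []
    for groups, ws, ip, port in [({"Finance"}, "office", "10.1.5.10", 1433),
                                 ({"Finance"}, "home", "10.1.5.10", 1433),
                                 ({"LinuxAdmins"}, "office", "10.1.20.7", 22),
                                 ({"Sales"}, "office", "93.184.216.34", 443)]:
        r = Request(frozenset(groups), ws, ip, port)
        print(sorted(groups), ws, f"{ip}:{port}", evaluate(BLOCKED, AUTHORIZED, r, log))
    print("logged:", log)
    print("ineffective:", ineffective_authorizations(BLOCKED, AUTHORIZED))
```

Running the policy through the model before deploying it catches two classes of mistake the rule editor will not flag for you: an Authorized Connection that narrows nothing (reported by `ineffective_authorizations`), and a broad authorization that silently punches through a block you added later (visible as an unexpected "allow" for a test request).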