
Dropbox activities Web Cloud App but don't block Desktop App

  • 21 October 2022

 

Hello good afternoon, as always, thank you very much for your time and your collaboration.

 

I am performing a test with Dropbox. I generated a policy that blocks the following activities for the Dropbox cloud app:

Activity = Create, Delete, Edit, Invite, Login Attempt, Login Failed, Login Successful, Logout, Post, Rename, Share, Unshare, Upload, View, View All.
The exception is "Download": I do not have the Download checkbox checked, so I am allowing it, and the download works correctly, which is the desired behavior.

 

Now I installed the Dropbox application on the Windows workstation where I have the Netskope Client installed and where I have been doing the tests, and it turns out that when I upload a file through the app, the upload is completely successful. I thought it would stay forever trying to synchronize, but test files 2 and 3, uploaded via the Dropbox desktop application, work perfectly.

 

Now, according to this, I understand that Netskope can limit activities and block access via Dropbox web access, but not via the desktop app. Can you confirm whether this behavior is expected, or should Netskope block these connections from the Dropbox desktop app as well? Or does this happen because the application is a Certificate Pinned Application, and this is why Netskope can't stop usage from the Dropbox desktop app?

 

Ports used by the Dropbox app are 80 and 443, among others:
https://help.dropbox.com/es-la/installs/configuring-firewall#:~:text=Permite%20que%20Dropbox%20acceda%20a%20los%20puertos%C2%A080%C2%A0(HTTP)%20y%20443%C2%A0(HTTPS)%2C%20y%2017600%20y%2017603%20(para%20abrir%20archivos%20en%20aplicaciones%20de%20terceros).

 

Thank you very much for your cooperation and your time

 

I remain attentive

 

Best regards


Best answer by qyost 24 October 2022, 15:59


You'll want to take a very close look at the default steering configuration exceptions, paying special attention to the entries listed as "Certificate Pinned Applications".


Anything that has "Bypass" listed as the Action is not even sent to Netskope. Instead, it will follow the normal path for web egress from your device.

 


Hi @MetgatzNK, hope you're doing well. If @qyost's answer helps you with what you're looking for, please feel free to click "Accept as Solution" on qyost's comment. 🙂


@MetgatzNK During deployment it's recommended to review the default exceptions that are deployed with a new tenant. They are crowdsourced and updated to provide the best compatibility with a myriad of native (Windows/Mac) vs. web-based applications. In many cases the desired behavior is to force users to use the web browser, because it affords the IT security team the ability to monitor the behavior and apply Netskope controls through the SSL interaction. In that scenario it would be easy enough to convert the Dropbox bypass to a Dropbox Block for the native app/Dropbox sync client; then only the browser (protected by Netskope's network) would be allowed, with the appropriate policy.
