Configuring NAP to access Certain Websites,
Website Contents and User Actions
1. Configuring web applications in a Network Access Policy to control
user actions and access to certain contents on websites
2. Configuring a URL category in a Network Access Policy to control
access to certain websites
Vishal Tangadkar and Shweta Joshi
Level 2 Technical Support Engineer
© 2015 IBM Corporation
Use case scenario - 1
1. Configuring web applications in a Network Access Policy to control
user actions and access to certain contents on websites
2. Configuring a URL category in a Network Access Policy to control
access to certain websites
Web Application Object
1. Use web application objects to control access to categorized types of web-based
applications and to control how people use them on your network.
2. The Network Protection database provides an indexed list of web application
categories that you can block or limit access to on your network. These categories
include news, search engines, web mail, social networking, gaming sites, and many
more.
3. You can prohibit users from performing specific actions on many of these sites.
For example:
- You can allow customers to access the sites but block streaming on the sites.
- You can allow users to view social media sites such as YouTube or Flickr, but not
allow users to post to them.
- You can allow users to view and to post to networking sites, such as Myspace, but
not to upload photos or to play games.
Network Configuration
Configuring NAP Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Click the New button to open the Add Network Access Rule window.
Configuring NAP Policy
Configuring Response Tab
Configuring Source Tab
Configuring Destination Tab
Configuring Application Tab
Configuring Web Application Object...
Configuring Web Application Object
Configuring Inspection Tab
Configuring Schedule Tab
Deploying NAP Policy
Accessing Web Application...
Accessing Web Application
Reading Access Event
Use case Scenario - 2
Configuring a URL category in a Network Access Policy to control
access to certain websites
Use case Scenario - 2
- You can configure a Network Access Policy to control the user’s access to a specific URL
Category.
- In this example, XGS blocks the user’s access to Vehicles sites using a URL Category.
Configuring NAP Policy…
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Click the New button to open the Add Network Access Rule window.
Configuring NAP Policy
On the General Configuration tab, enter 1 in the Order field. Select the Enable check box.
Set the Action to Reject.
Configuring Response Tab…
You can attach response objects to Network Access Policy rules to trigger responses when
specified events occur on your network.

This adds a record to the event log file when a rule is triggered or when a system event
occurs.

Configuring Response Tab
- In the Response tab, add an Event Log Object.
Configuring Source Tab
In the Source tab, click Any (meaning any source).
Configuring Destination Tab
In the Destination tab, click Any (meaning any destination).
Configuring Application Object…
Application objects are used to control the types of applications and websites that can
communicate across your network.
- For the use case requirement, we are using URL Category.
- URL category objects are used to control access to certain types of websites and to
non-categorized web-based applications on your network.
Configuring Application Object…
- Click New to create a new Application Object.
Configuring Application Object…
Configuring Application Object
Configuring Inspection Tab...
Use inspection objects to identify network events or types of web pages that you want
to control.
You can attach inspection objects to network access policy rules in conjunction with other
network objects to filter certain traffic or events.
Configuring Inspection Tab
- In the Inspection tab, add the Inspection Object "Default IPS".
- The Default IPS object contains all security events that the IBM X-Force® research and
development team configures with specific settings and responses to protect against
a wide range of threats.
Configuring Schedule Tab...
- By using Schedule Objects, you can restrict network access policy rules so that they apply
only at specified times.
- Use schedule objects to quickly add time parameters to multiple network access policy
rules.
Configuring Schedule Tab
Deploying NAP Policy
Once the rule has been configured, click Save Configuration and deploy the NAP policy.
Accessing the URL
View NAP Events...
To view the NAP events, go to Secure Policy Configuration and, under Logs, select Network
Access Events.

Under Network Access Events, click Start Live Streaming to resume live updating of the
event log.

View NAP Events
Select the event and click View Details to view more details.