Outbound/Upload - One Way Quota

Hi Guys,

Is it possible to implement a one way type quota?

We have come across an issue with data exfiltration through a legitimate site using a legitimate HTTPS service and want to know if uploads could be quoted?

In this instance we don't care about their downloads, but if they are sending away bulk data its raising red flags.

Trying to minimize potential false positives while also minimizing any calls to helpdesk due to quotas kicking in for the wrong metric.

Thanks,

Dave

Comments

  • edited November 2021

    I'm not seeing how to do this for just uploads currently.

    From the docs on Quotas:
    "Bandwidth — The bandwidth quota is set in MB per day, and is enforced for all TCP and UDP traffic in both directions."

    About Quotas
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/quota_about_c.html

  • Yeah I know. That's the problem I would like enhanced. Ideally if we can quota traffic for a specific direction we have a much better chance of catching suspect traffic or at the very least be able to leverage a slowing tactic.

    I admit that this is something that I hadn't even thought of doing until we had the situation we just experienced.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @DaveDave
    At this time quotas sum up traffic in both directions. I created a feature request (FBX-22392) with that issue -- if you'd like to follow that request please create a support case and mention FBX-22392 in the comments somewhere.

    At this current point in time, the best suggestion I have would be to monitor the Dimension top clients report for any large bandwidth users. Clicking down into their details should give a better idea of what they're doing.

    -James Carson
    WatchGuard Customer Support

  • edited March 10

    You mean like this?

    I would also advise throttling your bandwidth (download/upload) to 95 % on your Inbound (Download speed, internal interface) and outbound (Upload speed, Outgoing interface) interfaces. This will allow you to use QoS markings to prioritize specific traffic like VOIP and such.

    Have used this trick for years and it's fixed all kinds of bandwidth utilization problems!

    ~T

  • I think the issue, as stated , is to have a max size (quota) to limit large uploads.
    This is not a bandwidth concern.

  • Hi Tristan, thanks for your input, but as Bruce highlighted the issue isn't related to bandwidth constraints.

    The instance that we had, a user was compromised, and then their AD account was used to then upload significant data using a combination of Mega Upload, FTP and AnyDesk services.

    While I can block these from an application layer, this could just be circumvented through other means e.g. OneDrive/DropBox some other HTTPS service etc.

    I'm trying to raise a metric, so that I can raise alerts/red flags when i see that User A has uploaded 5GB of data in a day, which doesn't fit within their job description.

    As it currently stands the bidirectional quota is a bit archaic and has limited use cases these days, but by being a bit more flexible in terms of data flow direction, this could have the potential to alert and minimise data leakage events which is significantly more prevalent with new ransomware groups e.g Conti

  • edited March 21

    Sounds like something that you’d want an endpoint solution to do (especially as OneDrive and such don’t need vpn to sync )… but I’d be fascinated to see if WG can do this from a security edge appliance.

    EPDR can kind of do this… but it has a focus on Cybersecurity not productivity monitoring…
    but if it’s productivity monitoring/alerting you are after than “ActivTrak” (https://www.activtrak.com/) is a really nice tool. Integrates with AD and is agent based (doesn’t need VPN to work). Has been a godsend for remote work monitoring. Even does the upload alerts you are looking for:
    https://www.activtrak.com/product/alarms/

Sign In to comment.