Configuration of profiles for the Securepoint Cloud Shield

Last adaptation to the version: 2.10

New:
  • External blocklists has become External lists, which additionally supports allowlists
This article refers to a Beta version
Access: portal.securepoint.cloud Cloud Shield Profile



Profile

Overview

Under Cloud Shield Profiles an overview of all current Cloud Shield Profiles is displayed.

Using the  Add profile button, a new profile can be created.
Clicking on a profile allows it to be edited.
Additionally, a profile can be edited, copied, or deleted via the button.

Profile overview
 Managed Devices
The profile has the type Managed devices
 External devices
The profile has the type External devices
 Managed by ICS
New as of: 2.10
The profile has been migrated from the Intelligent Cloud Shield (ICS)
  • This profile can be viewed read-only in Cloud Shield Profiles; it can still be edited in the ICS
  • Automatically receives the profile type External devices
Allowed hosts: 0 Number of hosts explicitly authorized by this profile
Blocked hosts: 0 Number of hosts blocked by this profile
Filter categories: 3 Number of selected categories in this profile
Filtered countries: 3 Number of countries filtered by this profile
Protocols: Deactivated Status of the logs for this profile
MDM profiles:
Only for  Managed devices
Doku MDM profiles that use this Cloud Shield profile
Number of devices:
Only for  External devices
10 Number of devices using this Cloud Shield profile.
  • This value is configured and is not determined automatically.
  • UTM-Profiles: Doku UTM profiles using this Cloud Shield profile
    Configuration:
     show Opens a dialog in which the setup of the Cloud Shield profile is displayed for all possible devices, as well as the data required in each case (e.g. configuration ID).

    For profiles of type  Managed devices, the profile can be added to MDM profiles.

    For profiles of type  External devices, there are explanations for using the Cloud Shield for the following options:

    1. Download the Securepoint Cloud Shield app (PlayStore / AppStore)
    2. Scan the QR code in the portal or alternatively enter the Configuration ID from the portal into the settings of the Cloud Shield App

    New as of: 2.8.x
    1. Download the Cloud Shield app from the Microsoft Store
    2. Open Cloud Shield as an administrative user
    3. Optional: Right-click to exclude adapters that should not be configured
    4. Navigate to the configuration overview
    5. Enter the displayed configuration ID of the Cloud Shield profile
    6. Optional: Specify a name for the device. This makes the device easier to identify in statistics and logs
    7. Save the configuration

    1. Open the settings of the Android Device
    2. Navigate to Network & Internet
    3. Select Private DNS
    4. Tap on Private DNS provider hostname
    5. Enter the address using the configuration ID from the profile

    1. Download the signed mobileconfig from the portal
    2. Install the mobileconfig on the device

    Chrome:
    1. Open Chrome
    2. Click on the menu icon in the upper right corner
    3. Select Settings
    4. Select Privacy and security
    5. Select Security
    6. Activate Use secure DNS under the menu item Advanced
    7. Under Select DNS provider, select the option Add custom DNS service provider
    8. Enter the address with the configuration ID from the portal

    Firefox:

    1. Open Firefox
    2. Click on the menu icon in the upper right corner
    3. Select Settings
    4. Enter DNS in the search field
    5. Select Maximum protection
    6. Under the Select provider menu item, select the Custom option
    7. Enter the address with the configuration ID from the portal

    Edge:

    1. Open Edge
    2. Click on the menu icon in the upper right corner
    3. Select Settings
    4. Click on Privacy, search and services in the left bar
    5. Scroll down to the Security section
    6. Under the menu item Use secure DNS to specify how to look up the network address for websites, select the option Select a service provider
    7. Enter the address with the configuration ID from the portal

    • Cloud Shield can be set up directly on the router. For this you can use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).
    • The corresponding endpoint URLs along with the Configuration ID must be copied from the portal.

    Nothing needs to be changed in existing router configurations.
    • Cloud Shield can be used directly in the network for all connected devices if the router does not support DoH or DoT
    • For this, the IP address of the router must be transmitted to SPDyn via DynDNS
    • Afterwards, the IPv4 and IPv6 address displayed here must be entered as DNS resolver in the router in use
    UDP/TCP before setup
    • After setup, the current configuration is displayed in SPDyn with the hostname and the IPv4/IPv6 address
    UDP/TCP after setup
    New as of: 2.10

    Tile Options

    Using the button at the top right of each profile tile, the following options are available:
     Edit View and edit profile settings. For details, see Create/Edit
     Copy Copies this profile
     Deactivate blocking The blocklist and external lists of the profile are disabled for a configurable period of time
    • The duration can be freely set (default is 5)
    • The time unit can be selected from seconds, minutes (default) and hours
    • Confirm the process by clicking the  save button
    • A label showing the deactivation duration is displayed on the profile tile
    • After the time expires, blocking is automatically re-enabled. Alternatively, you can manually re-enable it via  Enable blocking
     Delete Deletes the profile from the portal. The deletion must be confirmed with OK
    Only for Cloud Shield profiles of the type external devices

    When a Cloud Shield Profile is deleted, a push notification is sent to the device indicating that the Cloud Shield configuration has been removed.
    An appropriate error message is displayed in the Cloud Shield app.

    Create/Edit

    Using the  Create profile button under Cloud Shield Profiles, a new profile can be created. The same configuration options are available during both creation and editing.
    Caption Value Description
    General
    General
    Name Doku-Cloud Shield-Profile The name of the configuration
    Create profiles General tab
    Type Managed Devices Type of the Cloud Shield profile
    External devices
    License
    Only for: External devices
    TTT-Point AG [Mobile Security] (3/5000) License for the Cloud Shield Profile. When this Cloud Shield Profile is saved, the devices are assigned to this license. Depending on the agreed license model, this may incur costs.
    Number of devices
    Only for: External devices
    10 devices / approx. 2 million requests Number of devices using this Cloud Shield Profile. The number of requests is considered a monthly reference value.
    Filter
    Filter
    Allowed categories Updates and important services Selection of permitted categories
    Create profiles General filter
    Blocked categories Threat Intelligence Feed Hacking Spam domains Selection of categories to be blocked. For the selected categories, you can also define which scores (0-23) should trigger blocking.

    Additionally, all available categories can be selected or deselected at once using the corresponding buttons.

     Select all  Deselect all
    Blocked services
    New as of: 2.10
    Name Description
    Name of the blocked service Description of the blocked service
    Using this service list (maintained by Securepoint), the services it contains can be blocked or allowed again
    • Manage services opens a dialog window in which the service list is displayed
    • Block blocks the desired service
    • Allow allows a blocked service again
     Manage services
    Blocked countries Russia China Belarus Selection of countries whose IP addresses should be blocked. Below, an overview of the current selection is also displayed in the form of a map.

    You can select or deselect all countries using the corresponding buttons.

     Select all  Deselect all
    Security
    Security
    DNS rebinding protection    By enabling this feature, attackers are prevented from gaining control over local devices via the internet by automatically blocking DNS responses that contain private IP addresses. Both private IPv4 and private IPv6 addresses are blocked.
    Create profiles Security tab
    Extended DNS Rebinding Protection    When activated   , IPv6 addresses that are reserved for special network purposes such as documentation, tunneling or packet discarding are blocked. These are not typically used on the internet.
    IDN Homograph Attack protection    Activating this option blocks domains that imitate other domains by misusing the large character set made available by Internationalized Domain Names (IDNs). With this option, only domains with ASCII characters are permitted.
    Blocking of disguised third-party trackers    The activation blocks third-party trackers that disguise themselves as first-party providers. This attack is also known as CNAME cloaking.
    Safe Search    Activation filters the results in all major search engines, including images and videos.
    Restricted YouTube mode    By activating this, YouTube content for adults is filtered. All comments will also be hidden.
    AI Filter
    AI Filter  Experimental
    The AI-based filter detects previously unknown threats through real-time risk analysis. Only domains that are not already classified by our content filter are checked.
    Create profiles AI filter tab
    No data transfer: All analyses take place in the Securepoint infrastructure - there is no transmission to third parties!
    Own AI development: The filter is based on Securepoint's own machine learning model - specifically trained on current threat patterns on the web.
    Activate AI Filter    When activated   , malicious domains are blocked with the Securepoint machine learning model, which has been trained with tens of thousands of benign and malicious domains.
    Rating Adjust the threshold individually to your security needs. The lower the threshold, the more potentially harmful pages are blocked, although this can lead to some false positives.
    50% Blocks pages that are classified as threatening with a probability of at least 50%.
    This setting offers the highest possible protection, but increases the likelihood of false positives.

    70% Blocks pages that are classified as threatening with a probability of at least 70%.
    Good balance between security and surfing comfort.

    90% Ideal for users who want maximum freedom on the web while still being protected from clearly malicious pages.
    With this setting, the risk of false positives is low, but potentially more threats remain undetected.

    Allow list
    Allow list
    Allowed IPs     Explicitly allowed IP addresses (even if they are on the block list)
    Create profiles Allow list tab
    Allowed domains     Domains that should be allowed. A subdomain can also be added to allow it even if its parent domain is not allowed.
    Block list
    Block list
    Blocked IPs     IP addresses that are to be blocked
    Create profiles tab block list
    Blocked domains     Domains that are to be blocked. This also blocks all associated subdomains. If certain subdomains are to be allowed, they can be explicitly added to the allow list.
    External Lists
    External Lists
    Custom Blocklists  Add Blocklist Adding custom blocklists. All common formats are supported, e.g. hosts and ABP.
    Create profiles External lists tab
    Custom Blocklists
    Activated    When activated   , the blocklist is activated
    Name     Name of the blocklist
    URL     URL of the blocklist
    Custom Allowlists
    New as of: 2.8
     Add Blocklist Adding custom allowlists. All common formats are supported, e.g. hosts and ABP.
    Custom Allowlists
    Activated    When activated   , the allowlist is activated
    Name     Name of the allowlist
    URL     URL of the allowlist
    DNS-Rewrites
    DNS-Rewrites
    DNS-IP-Rewrites  Add IP-Rewrite Define or overwrite the DNS response for any domain. Any IP address can be used as the response.
    Create profiles tab DNS-Rewrites
    DNS-IP-Rewrites
    Domain printer.lan Domain which is to be overwritten
    Answer 192.168.0.42 IPs that are sent in response to the overwritten domain
    DNS-CNAME-Rewrites  Add CNAME rewrites Define or overwrite the DNS response for any domain. Any other domain can be used as the response.
    DNS-CNAME-Rewrites
    Domain ttt-point.de Domain which is to be overwritten
    Answer intern.ttt-point.de Domain that is sent in response to the overwritten domain
    Protocols
    Protocols
    Activate protocols    Activates the recording of DNS logs. This setting is required for evaluating the statistics.
    Create profiles tab Protocols
    Log domains
    is only displayed if Enable protocols is activated
       If this setting is set, domain names are saved for the statistics and logs. Otherwise, a placeholder is displayed.
    Log device names
    is only displayed if Enable protocols is activated
       If this setting is set, the device names for the statistics and logs are saved independently of the client setting.
    Others
    Others
    Performance
    Create profiles Tab Other
    Cache-Boost    Reduces the number of DNS queries by enforcing a minimum TTL (Time-To-Live) of 5 minutes. Higher TTLs are not overwritten.
    Behavior for blocked domains
    Behaviour Block page Specifies the action for blocked domains
    0.0.0.0 / ::0 Returns an address that cannot be routed
    Block page Displays a block page as soon as a domain is blocked. In some cases an HTTPS warning may be displayed; this can be avoided by downloading and installing the Securepoint Certification Authority.
    User-defined IPs Responds with user-defined IP addresses
    User defined CNAME Responds with a user-defined CNAME
    NXDOMAIN Tells the client that the requested domain does not exist
    REFUSED Tells the client that the DNS server refuses to answer the request
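
The DNS rebinding, extended rebinding and IDN homograph options of the Security tab above, sketched as an added example (not Securepoint's code): the address ranges, the `xn--` rule and all function names are assumptions, and the lookups are constructed. It covers two cases the option descriptions do not spell out: an IPv4-mapped IPv6 answer, and an IDN that arrives already ASCII-encoded on the wire.

```python
import ipaddress

# Private ranges refused by the basic rebinding option (IPv4 and IPv6).
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]
# Assumed set for the extended option: special-purpose IPv6 ranges.
EXTENDED = [ipaddress.ip_network(n) for n in (
    "2001:db8::/32",  # documentation (RFC 3849)
    "2002::/16",      # 6to4 tunneling (RFC 3056)
    "2001::/32",      # Teredo tunneling (RFC 4380)
    "100::/64",       # discard-only (RFC 6666)
)]


def rebinding_hits(answers, extended=False):
    """Return the A/AAAA answer addresses a rebinding filter would refuse."""
    nets = PRIVATE + (EXTENDED if extended else [])
    hits = []
    for text in answers:
        ip = ipaddress.ip_address(text)
        # ::ffff:10.0.0.5 reaches the same host as 10.0.0.5, so unwrap it.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if any(ip.version == n.version and ip in n for n in nets):
            hits.append(text)
    return hits


def is_idn(qname):
    """True if any label is non-ASCII or an ASCII-encoded IDN label (xn--)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(not l.isascii() or l.startswith("xn--") for l in labels)


def security_verdict(qname, answers, extended=False):
    """List the Security-tab reasons for blocking one lookup (empty = pass)."""
    reasons = ["idn-homograph"] if is_idn(qname) else []
    hits = rebinding_hits(answers, extended)
    if hits:
        reasons.append("dns-rebinding:" + ",".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed lookups: (query name, answer addresses)
    samples = [
        ("rebind.example", ["203.0.113.10", "192.168.0.42"]),
        ("rebind.example", ["::ffff:10.0.0.5", "2001:db8::1"]),
        ("xn--pple-43d.com", ["203.0.113.10"]),
    ]
    for name, ips in samples:
        print(name, ips, security_verdict(name, ips, extended=True))
```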

    Assignment

    A Cloud Shield profile can be assigned to an iOS profile under  Mobile Security iOS/iPadOS Profile / Tab Cloud Shield.




    Cloud Shield

    Cloud Shield
    Caption Value Description
    Cloud Shield settings
    Activate Cloud Shield
       Activate Cloud Shield with this profile. This allows the profile to be linked with a Cloud Shield profile
    • If Cloud Shield is active   , enable Security under Security / VPN (link to the wiki article) cannot be activated at the same time
    • If enable Security under Security / VPN is activated, Cloud Shield will automatically be deactivated and cannot be reactivated
    • For profiles created before version 2.3, where both Enable Security and Cloud Shield are active, these buttons will be displayed as inactive
      This can be resolved by removing one of the two apps under Applications

      New as of: 2.8
      If the iOS/iPad device is integrated into a VPN configuration (ASC), Cloud Shield can still be used if split DNS is used in the VPN configuration (ASC).

    Profile TTT-Point DNS Select Cloud Shield profile whose Cloud Shield configuration should be used.


    The profile must be created in advance in the Cloud Shield Profile menu item, see the following Wiki article.

    Name Device Custom name Choose which attribute should be used as the device name to identify the devices in Cloud Shield statistics and logs
    Not specified Do not set a device name. This means the device cannot be identified in the statistics and logs.
    Device Custom name Uses the default device name as device name
    Device alias Uses the device alias as the device name
    Device ID Uses the device ID as the device name
    Username Uses the assigned username as device name
    Install CA for block page    When enabled    the CA certificate for the block page is installed on the device, so that no certificate warnings are shown when a page is blocked.

    A Cloud Shield profile can be assigned to an Android profile under  Mobile Security Android Profile / Tab Cloud Shield.




    Cloud Shield

    Cloud Shield
    Caption Value Description
    Settings Cloud Shield
    Activate Cloud Shield    After enabling    a Cloud Shield Profile can be selected, and the Cloud Shield App for Android will be installed automatically.
    In the Applications tab, the Securepoint Cloud Shield app is automatically added
    • If Cloud Shield is active, Securepoint Mobile Security cannot be activated under Security / VPN (link to wiki article)
    • If Securepoint Mobile Security is activated under Security / VPN, Cloud Shield is automatically deactivated and cannot be activated
    • For profiles that were created before version 2.3 and where Securepoint Mobile Security and Cloud Shield are both active, these buttons are displayed as inactive
      This can be resolved by removing one of the two apps under Applications
      Cloud Shield technically uses the Android VPN service. Only one (1) VPN service (Mobile Security or Cloud Shield) can be active on Android devices at the same time.
    Profile
    Select Profile The Cloud Shield profile to be used for the Cloud Shield configuration.


    The profile must be created in advance in the Cloud Shield Profile menu item, see the following Wiki article.

    Install CA for block page    When activated, the CA certificate for the block page is installed on the device so that certificate warnings are no longer displayed when a page is blocked.
    In the Applications tab, the value Certificate installation is automatically set in the Delegate areas option in the Securepoint Cloud Shield application