How to block uploading not downloading to file sharing web sites like sendbigfiles.com or dropbox?

Opendns.com was working perfectly in blocking file sharing, file storage web sites & other categories.
Now we want users to be able to download from all these sites but want to restrict them from uploading any of the company data.

Please suggest any solution; it may include a hardware appliance or a software solution.

Total users are less than 50. Internet connection is 8Mbps only.
Only a few users like to have unrestricted access to all the sites.
Akash Bansal (IT Professional) Asked:
gplana Commented:
I would add a rule and disallow the port that the upload uses, but just for these sites. This way users will be able to download but not upload to these sites.
0
Akash Bansal (IT Professional, Author) Commented:
Is there any standard port common for all these sites, or do we have to make a rule for each site?

Right now we are using: Cisco RVS4000 & RV120W
http://www.cisco.com/c/en/us/products/routers/rvs4000-4-port-gigabit-security-router-vpn/index.html
http://www.cisco.com/c/en/us/products/routers/rv120w-wireless-n-vpn-firewall/index.html

Is this possible with these routers/firewall or do I have to buy some other firewall/UTM?
0
skullnobrains Commented:
no, and extra hardware won't help much

most such sites will allow files to be uploaded and downloaded on the same regular port 80. but you can in some cases identify tokens in the url they use such as "&action=upload" or the like. in other cases the client will perform a file sync which will synchronise both ways in the same tcp session.

additionally, such rules will be overall inefficient as the use of proxies will easily defeat whatever you expect to set up in a local proxy in order to enforce the previous rules.

you'll probably turn to DLP-capable soft/hardware which is overall as inefficient as the above because they rely on identified file types which is absolutely trivial to bypass.
0

Akash Bansal (IT Professional, Author) Commented:
Thanks for such info and the confirmation.

Now we have two options...
1. Select one such site for which we can block uploading from the LAN side, and request the sender to use that site only.

2. Set up our own internal FTP server.
0
skullnobrains Commented:
i can't suggest a site that would be easy to block in a firewall.

nevertheless if you do trust such a site, most of them (including dropbox) feature access control lists that would most certainly let you create download-only profiles

on the local side, setting up a file share or possibly an ftp server is quite trivial, but they might not meet needs such as ability to trace user activities, or version control.
0
Akash Bansal (IT Professional, Author) Commented:
Though there is no solution for my requirement, it is important to know that no solution exists, so that we may start working on a workaround.

The experts at Experts Exchange bring the confidence that if there is a solution, we may get it here.
0
skullnobrains Commented:
feel free to post about your requirements ( automagic synchronisation, offline access, version control... or just be able to access personal files ? ) and possible solutions you are working on if you feel we can help.

note that many existing such sites allow HTTP access. in this case most likely files are uploaded using POST or PUT queries while regular browsing and file downloads are available using GET. if you have an HTTP proxy, allowing GET and HEAD queries only for a series of sites is quite trivial. if the site provides a synchronisation tool that does not work over HTTP, you can block the port altogether. but the users will need to use a browser to retrieve files. one problem of this approach, is you'd probably need to monitor the site for changes since they may change policies in the future without warning.
0
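
The GET/HEAD-only rule from the last comment, combined with the URL-token check mentioned earlier in the thread, written as a proxy policy function. This is an added example, not code from any poster. The site list, function names and sample requests are assumptions; for HTTPS a proxy sees only `CONNECT host:port` unless it decrypts the traffic, so that case is flagged rather than decided.

```python
from urllib.parse import urlsplit

# Assumed policy inputs: the two sites named in the question.
DOWNLOAD_ONLY_SITES = {"dropbox.com", "sendbigfiles.com"}
READ_METHODS = {"GET", "HEAD"}
UPLOAD_URL_TOKENS = ("action=upload",)  # token style quoted in the thread


def site_for(host):
    """Return the listed site that host belongs to, or None."""
    host = host.lower().rstrip(".")
    for site in DOWNLOAD_ONLY_SITES:
        # Match the domain itself or a true subdomain, never a bare suffix
        # (notdropbox.com must not match dropbox.com).
        if host == site or host.endswith("." + site):
            return site
    return None


def decide(method, target):
    """Return (action, reason) for one proxied request."""
    method = method.upper()
    if method == "CONNECT":
        # HTTPS tunnel: target is host:port and the inner method is hidden.
        host = target.rsplit(":", 1)[0]
        if site_for(host):
            return ("inspect", "method hidden inside tunnel")
        return ("allow", "unlisted site")
    parts = urlsplit(target)
    if not site_for(parts.hostname or ""):
        return ("allow", "unlisted site")
    if method not in READ_METHODS:
        return ("deny", "write method")
    if any(tok in parts.query.lower() for tok in UPLOAD_URL_TOKENS):
        return ("deny", "upload token in URL")
    return ("allow", "read-only request")


# Constructed sample requests (method, target), not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "http://www.dropbox.com/s/abc/report.pdf"),
    ("POST", "http://www.dropbox.com/upload"),
    ("GET", "http://sendbigfiles.com/x?id=1&action=upload"),
    ("POST", "http://notdropbox.com/upload"),
    ("CONNECT", "www.dropbox.com:443"),
]


def evaluate(requests):
    """Return the action chosen for each request, in order."""
    return [decide(m, t)[0] for m, t in requests]
```

An `inspect` result means the policy cannot be enforced on that connection as it stands: the proxy has to decrypt it or the tunnel has to be refused, which also stops downloads over HTTPS.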