11-4. HTTP, Java, and URL Filtering An IOS firewall can inspect HTTP connections, just as it can with many other application protocols. In addition, the IOS firewall can block or allow Java applets based on the applet server's source address. Finally, you can filter or control web content through cooperation between the firewall and a third-party content-filtering server. Follow these steps to configure an IOS firewall for web protocol inspection and content filtering: 1. | Enable HTTP inspection:
IOSFirewall(config)# ip inspect name inspection-name http [urlfilter] [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
HTTP inspection is added to the CBAC inspection policy named inspection-name. If you use the urlfilter keyword, URL filtering is performed.
For Java inspection, use the java-list keyword, and reference a standard IP access list numbered access-list. In the access list, define permit statements with source addresses of sites that offer trusted Java applets. Untrusted sites (perhaps all others) are blocked by deny statements.
Inspected HTTP connections are tracked until they either close or have been idle for a timeout period. By default, they must be idle for 3,600 seconds. You can use the timeout keyword to adjust the idle period to seconds (5 to 43,200 seconds).
| 2. | Apply inspection on an interface:
IOSFirewall(config)# interface type mod/num IOSFirewall(config-if)# ip inspect inspection-name {in | out}
CBAC inspection can be performed for traffic going into (in) or out of (out) the interface. You can also apply the same inspection policy in both directions by repeating the command, or you can apply two different policies, each in a different direction.
| 3. | Identify a URL filter server:
IOSFirewall(config)# ip urlfilter server vendor {websense | n2h2} ip-address [outside] [port port-number] [timeout seconds] [retransmit number]
The filtering server is located at the IP address ip-address. For best security practices, you should not locate the server on the outside or on a public interface, relative to the IOS firewall. However, if you do, you should use the outside keyword when applying this command. The firewall also translates the client's IP address when it sends requests to the URL filter server.
By default, the IOS firewall uses TCP port 15868 for Websense and TCP port 4005 for N2H2 server requests. You can specify a nondefault port number with the port keyword.
You can repeat the ip urlfilter server vendor command to define multiple servers only if they use the same filtering server vendor. The firewall waits until a timeout period of seconds (the default is 5 seconds) expires if a filtering server doesn't respond. In that case, the same request is sent to the next server configured.
If the filtering server doesn't answer within the timeout period, the IOS firewall retransmits the request number of times (the default is 2) before declaring the server inactive.
| 4. | (Optional) Define a last-resort action if all servers are down:
IOSFirewall(config)# ip urlfilter allowmode [on | off]
By default, if every configured URL filtering server is unreachable, the IOS firewall denies a URL request. This behavior continues until at least one filtering server is available again.
Although this provides complete control over web activity, it can be inconvenient for users who need to access URLs for legitimate reasons. This becomes a bigger issue if you have only one URL filtering server and it goes down during business hours.
Using the on keyword turns on allow mode, causing the IOS firewall to allow URL requests itself while all filtering servers are down.
| 5. | (Optional) Define URL filter reporting.
- a. (Optional) Generate alerts based on URL filter activity:
IOSFirewall(config)# ip urlfilter alert
The IOS firewall generates logging messages when it detects any change in how it communicates with the URL filtering servers. Table 11-6 lists the logging messages used for URL filtering alerts.
Table 11-6. URL Filtering Alert Logging MessagesMessage Prefix | Message Description |
|---|
%URLF-3-ALLOW_MODE | Connection to all the URL filter servers is down, and allow mode is enabled. | %URLF-3-MAX_REQ | The number of pending requests exceeds the maximum limit. | %URLF-3-RESOURCE_ALLOC_FAILED | The URL filtering process can't allocate enough memory. | %URLF-3-SERVER_DOWN | The URL filter can't be contacted. | %URLF-5-SERVER_UP | The URL filter has returned to service, and allow mode is no longer being used. | %URLF-3-URL_TOO_LONG | A requested URL was longer than the URL filtering server allows. |
- b. (Optional) Generate a log of URL request activity:
IOSFirewall(config)# ip urlfilter audit-trail
The IOS firewall generates logging messages as each user request for a URL is permitted or denied. This audit trail can be used as an activity log for the users who are being inspected. Table 11-7 lists the logging messages used for URL filtering audits.
Table 11-7. URL Filtering Audit Logging MessagesMessage Prefix | Message Description |
|---|
%URLF-6-SITE_ALLOWED | The IOS firewall has permitted access to an entire site (and all URLs within it). | %URLF-4-SITE_BLOCKED | The IOS firewall has denied access to an entire site (and all URLs within it). | %URLF-6-URL_ALLOWED | The URL filtering server has allowed a user to access a specific URL. | %URLF-4-URL_BLOCKED | The URL filtering server has denied a request to access a specific URL. |
For example, suppose a URL filtering server has allowed an inside user to access the URL, www.cisco.com, but has denied access to the URL, www.watchmoviesatwork.com. The IOS firewall has denied access to the entire youcantgothere.com site without contacting the URL filtering server:
Mar 14 23:53:04.958: %URLF-6-URL_ALLOWED: Access allowed for URL 'http://www.cisco.com', client 192.168.199.21:3073 server 172.17.17.17:80 Mar 14 23:53:04.958: %URLF-4-URL_BLOCKED: Access denied URL 'http://www.watchmoviesatwork.com', client 192.168.199.21:3073 server 172.18.18.18:80 Mar 15 00:01:23.330: %URLF-4-SITE_BLOCKED: Access denied for the site 'youcantgothere.com', client 192.168.199.21:3082 server 172.19.19.19:80
- c. (Optional) Send activity logging messages to the URL filtering server:
IOSFirewall(config)# ip urlfilter urlf-server-log
In addition to generating normal logging messages to the IOS firewall sessions, buffer, or Syslog servers, you can use this command to send activity logs to the URL filtering server itself. You do this by sending Websense or N2H2 messages containing the log information separately from the actual URL requests.
| 6. | Tune the URL filtering process.
- a. (Optional) Define an implicit access policy for certain websites:
IOSFirewall(config)# ip urlfilter exclusive-domain {permit | deny} domain-name
By default, all URL access is permitted unless a URL filtering server denies it. You can override any other policy by granting or revoking permission with this command. Any domain listed here is "exclusive" because it is excluded from any other URL filtering policy.
The permit keyword allows anyone to access any site within the domain domain-name. The deny keyword denies access to domain-name.
The exclusive policy applies to any directory or service under the domain-name given. In other words, the domain named www.cisco.com permits or denies access to the default page http://www.cisco.com, as well as URLs such as www.cisco.com/go/firewall or www.cisco.com/networkers (and the URLs within www.cisco.com where you are redirected from those sites).
You can also give a partial domain-name by using less-specific domains, beginning with a dot. This means that you can use domains such as .gov to permit or deny any URLs from any other domain name ending in .gov.
- b. (Optional) Adjust the URL filter cache size:
IOSFirewall(config)# ip urlfilter cache number
An IOS firewall keeps the results of URL filtering in a cache as requests are permitted or denied. By default, it keeps up to 5,000 entries. You can change the maximum size by specifying the number of entries (0 to 2,147,483,647). Idle entries are flushed after 10 minutes or when the cache begins to get full. Every 12 hours, the entire cache is emptied.
- c. (Optional) Adjust the URL request buffer size:
IOSFirewall(config)# ip urlfilter max-request number
If URL requests are arriving on the inspected interface faster than the URL filtering server can respond, the requests are buffered. By default, up to 1,000 requests are held before being sent to the server. You can adjust this to number (to 2,147,483,647) requests.
- d. (Optional) Adjust the URL response buffer size:
IOSFirewall(config)# ip urlfilter max-resp-pak number
When a web client requests web content from a site, the IOS firewall relays the request toward the website and sends a request to the filtering serverall in parallel. If the filtering server responds first with its permission data, the web content is allowed through when it arrives.
If the web server responds with its content first, the IOS firewall buffers up to 200 packets by default, waiting on the filtering server's response. As soon as the server approves the URL for the web client, the buffered contents are read and relayed to the client. You can adjust the response buffer size to number (0 to 20,000) packets.
|
TIP Before you adjust the URL request or response buffers, you should verify that a need exists. You can use the show ip urlfilter statistics command to see the maximum values that have been recorded. If the Maxever request count value is equal to the default of 1,000, you should use the ip urlfilter max-request command to increase the number of requests that can be queued. If the Maxever packet buffer count value is equal to the default value of 200, you should use the ip urlfilter max-resp-pak command to increase the size of the URL response buffer.
Monitoring URL Filtering You can monitor the URL filtering configuration with the show ip urlfilter config command. This shows every URL filtering server that has been configured, along with all filtering parameters. In the following example, one Websense server has been configured. URL filtering is configured to keep an audit trail, generate alerts, and send logging information to the Websense server: IOSFirewall# show ip urlfilter config URL filter is ENABLED Primary Websense server configurations =========================== Websense server IP address: 10.0.0.3 Websense server port: 15868 Websense retransmit time out: 5 (seconds) Websense number of retransmit:2 Secondary Websense server configurations: ============================== None. Other configurations =============== Allow Mode: ON System Alert: ENABLED Audit Trail: ENABLED Log message on Websense server:ON Maximum number of cache entries :5000 Maximum number of packet buffers:200 Maximum outstanding requests:1000
You can monitor the URL filtering cache with the show ip urlfilter cache command. Any URL requests that have been returned by the filtering server are kept in the cache and are listed. You can also monitor the age and idle time of each cached entry, as in the following example: IOSFirewall# show ip urlfilter cache Maximum number of entries allowed: 5000 Number of entries cached: 5 IP addresses cached .... -------------------------------------------------------- IP address Age Time since last hit (In seconds) (In seconds) -------------------------------------------------------- 10.64.128.54 3923 3906 172.28.139.21 617 511 10.76.82.25 1984 173 192.168.0.1 2773 2770 10.0.1.2 3910 3901
|
