Content Filtering

Pages: 4      File type: pdf      Size: 18.60 KB      Views: 15      Downloads: 0
Hoai.2512


Document information:

Content Filtering. Many enterprises are beginning to concern themselves with the use of the corporate Internet connection by their employees.

Content extracted from the document:
Content Filtering

Many enterprises are beginning to concern themselves with the use of the corporate Internet connection by their employees. The unmanaged access to inappropriate or distracting web content can involve significant legal risk and may well jeopardize network security. Additionally, unmanaged access to web content typically results in a significant reduction of employee productivity. These issues cannot be easily ignored by many companies.

One of the newer features being required of firewalls is the capability of filtering the content that passes through them. This filtering typically is defined as URL filtering, whereby the firewall is used either by itself or in conjunction with another appliance or software suite to control which websites users are allowed to visit. However, given that web content can range from the simple to the complex, firewalls typically offload the detailed evaluation and decision making to other devices, which is an excellent example of the limitations of a firewall being a self-contained content-filtering device. Rather, the firewall becomes a control point where the decision made by the evaluation device (whether it is a content engine or a filtering software suite) is applied to user traffic.

Implementing a URL Filter

Implementing URL filters is relatively straightforward. There are two typical ways to implement a URL filter. The first is to maintain a list of URLs that will be blocked on the firewall, typically in the format of an access control list (ACL). This can be a time-consuming process for both the implementation and maintenance of the URL list. Additionally, because ACLs are typically stored in a flat file format, the firewall can be subjected to latency in permitting or denying traffic while a large ACL is being processed.

The second method is to utilize a third-party content-filtering application running on a separate server from the firewall, or on a content engine that is separate from the firewall, to handle the actual building, maintaining, and configuring of the URL filter list. As previously mentioned, this allows the firewall to offload the processing and evaluation of traffic to the content-filtering device, which enables the firewall to do what it does best: serve as a control point for traffic, blocking content as defined by the content-filtering device. Because this is the most efficient and effective way to perform content filtering with most firewalls, this is the situation that we detail in this chapter.

For most firewalls to be able to block specific content, they must have access to a database that contains a list of URLs that are prohibited; whenever a user opens a connection to one of these sites, the firewall blocks the connection. Given that the list can be quite extensive and that the enterprise's management may want to deny access to sites that are considered wasteful in terms of time, many higher-end firewalls provide for the use of an external URL database system that can decide whether the connection should be permitted. Thus a specialized device, for example a content engine or a content-filtering server, performs all the processing of the traffic, which in turn allows the firewall to just provide the necessary enforcement by either permitting or denying the traffic as determined by the content-filtering system.

The Cisco PIX Firewall can work in conjunction with two web-filtering software suites: WebSense and N2H2.

Note: In 2003, Secure Computing acquired N2H2 and integrated the N2H2 filtering software into their SmartFilter product. The Cisco documentation and command syntax still refers to N2H2, however, and for the sake of simplicity this book uses the term N2H2 to refer to both products, because the configuration for either is exactly the same.

To configure the PIX to enforce URL filtering, the administrator needs to first configure the PIX to work with the URL-filtering software suite by configuring the PIX with the IP address of the filtering server. For a WebSense server, the command is as follows:

    gandalf(config)# url-server (inside) vendor websense host 172.28.230.44 protocol TCP version 1

You can specify either TCP or UDP for the protocol (TCP is recommended) as well as Version 1 or Version 4. The default for TCP is Version 1, whereas UDP only supports Version 4. For an N2H2 server, the command is as follows:

    gandalf(config)# url-server (inside) vendor n2h2 host 172.28.230.45 port 4005 protocol tcp

For N2H2, you can define the port and protocol to use. The default values are port 4005 and protocol TCP.

After you have identified the filtering server and defined how the firewall should connect to the filtering server, the next step is to configure the PIX firewall to actually filter URL traffic by running the following command:

    gandalf(config)# filter url http 0 0 0 0

In this case, the PIX firewall will filter all traffic that passes through the firewall. You can also configure the firewall to filter only specific subnets. For example, if you want to filter traffic from network 172.28.238.0/24 to any network, you run the following command:

    gandalf(config)# filter url http 172.28.238.0 255.255.255.0 0.0.0.0 0.0.0.0

When the PIX sees the outbound connection, it does not allow the return traffic from the web server back to the client until it has received a response from the URL-filtering server. When the filtering server approves the connection, the PIX allows the connection to complete back to the client. If the filtering server denies the request, the user is redirected to a block page indicating that access was denied and possibly the reason it was denied. Figure 14-1 shows this filtering.

Figure 14-1. URL Filtering with the Cisco PIX Firewall

The following is a description of the process in Figure 14-1:

1. The client sends the in ...
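As an added illustration (not code from the book or from Cisco), the following Python model simulates the enforcement flow the chapter describes: the scope of the "filter url http" statements decides which connections are subject to filtering, the external server (a stand-in for WebSense/N2H2) owns the prohibited-URL database, and the firewall only applies its verdict while holding the web server's reply. The class names, the block list, and the client and server addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

def _addr(token: str) -> str:
    # The PIX accepts "0" as shorthand for 0.0.0.0 (as in "filter url http 0 0 0 0")
    return "0.0.0.0" if token == "0" else token

@dataclass(frozen=True)
class FilterRule:
    """Scope of one 'filter url http <src> <src-mask> <dst> <dst-mask>' statement."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    @classmethod
    def from_cli(cls, line: str) -> "FilterRule":
        parts = line.split()
        if parts[:3] != ["filter", "url", "http"] or len(parts) != 7:
            raise ValueError(f"unsupported filter statement: {line!r}")
        return cls(ipaddress.IPv4Network((_addr(parts[3]), _addr(parts[4]))),
                   ipaddress.IPv4Network((_addr(parts[5]), _addr(parts[6]))))

    def matches(self, client: str, server: str) -> bool:
        return (ipaddress.IPv4Address(client) in self.src
                and ipaddress.IPv4Address(server) in self.dst)

class UrlFilterServer:
    """Stand-in for WebSense/N2H2: owns the prohibited-URL database (constructed here)."""
    def __init__(self, blocked_domains):
        self.blocked = {d.lower() for d in blocked_domains}

    def permits(self, url: str) -> bool:
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        # A listed domain and all of its subdomains are prohibited
        return not any(host == d or host.endswith("." + d) for d in self.blocked)

class PixUrlFilter:
    """Control point: out-of-scope traffic passes; in-scope traffic waits for the verdict."""
    def __init__(self, filter_lines, server: UrlFilterServer):
        self.rules = [FilterRule.from_cli(line) for line in filter_lines]
        self.server = server

    def handle_request(self, client: str, web_server: str, url: str) -> str:
        if not any(r.matches(client, web_server) for r in self.rules):
            return "passed"        # never sent to the filtering server
        # The PIX holds the web server's reply until the filtering server answers
        if self.server.permits(url):
            return "permitted"     # reply released to the client
        return "denied"            # client gets the block page instead
```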