Content filtering features allow administrators to block certain types of web related features or content that may be deemed a threat to the network or inappropriate to the workplace. For example, ActiveX objects and Java applets can represent security vulnerabilities for outside connections because they can contain code intended to attack hosts and servers. You can disable ActiveX objects and remove Java applets with the PIX Firewall configuration mode filter command. The filter command can work with a Websense server to remove URLs that are inappropriate for the organization. These features are similar to some of the PIX IOS firewall features covered in Chapter 6.
You can block ActiveX controls from web pages that return to the PIX Firewall from an outbound connection. ActiveX controls, formerly known as OLE or OCX controls, such as custom forms, buttons, calendars, or any of the extensive third-party objects, can be inserted in a web page or other application for gathering or displaying information. These controls can present potential security problems because they can be created to attack network servers or take over a workstation. The user still receives the HTML page, but the web page source for the object can’t execute. You might recall that the IOS Firewall can’t block ActiveX objects.
Use the filter activex configuration mode command to filter out ActiveX. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts. No ActiveX blocking occurs if users access an IP address referenced by the alias command. The no form of the command turns off the feature. The syntax is the following:
pix(config)# filter activex port local_ip local_mask foreign_ip foreign_mask
pix(config)# no filter activex port local_ip local_mask foreign_ip foreign_mask
port |
Port receiving Internet traffic on the PIX Firewall. Typically, 80, but other values are accepted. The http or url literal can be used for port 80. |
local_ip |
The IP address of the highest security-level interface from which access is sought. Set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. |
local_mask |
Network mask of local_ip. Use 0.0.0.0 (or 0) to specify all hosts. |
foreign_ip |
The IP address of the lowest security-level interface to which access is sought. Use 0.0.0.0 (or in shortened form, 0) to specify all hosts. |
foreign_mask |
Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts. |
The <object> tag, which is blocked by the filter activex command, is also used for Java applets, image files, and multimedia objects.
In the following output, the first example blocks ActiveX for web traffic on port 80 from any local host and for connections to any foreign host. The second example blocks ActiveX for web traffic on port 80 from network 192.168.1.0 to any host.
pix(config)#filter activex 80 0 0 0 0 pix(config)#filter activex http 192.168.1.0 255.255.255.0 0 0
The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out, so the applet can’t execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts. If Java applets are known to be in <object> tags, use the filter activex command to remove them. The syntax is as follows:
pix(config)#filter java port[-port] local_ip local_mask foreign_ip foreign_mask
pix(config)#no filter java port[-port] local_ip local_mask foreign_ip foreign_mask
-port |
Use to define a range of ports. |
In the following output, the first example blocks Java for web traffic on port 80 from any local host and for connections to any foreign host. The second example blocks Java for web traffic on port 80 from network 192.168.1.0 to any host.
pix(config)#filter java 80 0 0 0 0 pix(config)#filter java http 192.168.1.0 255.255.255.0 0 0
Websense and N2H2 are both developers of employee Internet management (EIM) software solution or URL filtering systems. PIX Firewall versions of both companies’ products exist. Figure 19-14 shows a typical Websense solution.
The Cisco PIX Firewall Edition of Websense Enterprise allows transparent analysis, management, and reporting of traffic flowing from the internal networks to the Internet. Websense uses pass-through technology to provide accurate, reliable, and scalable Internet filtering. URL filtering allows the PIX Firewall to check outgoing URL requests against the company security policy defined on the Websense server. Websense Enterprise automatically downloads updates to the Master Database daily, including additions, changes, and deletions, so you can be sure you’re using the freshest database at all times. Figure 19-15 shows an example of a site-blocked screen.
Websense protocol enables group and user name authentication between a host and a PIX Firewall. The PIX Firewall performs a user name lookup, and then the Websense server handles URL filtering and user name logging. User name logging tracks the user name, group, and domain name on the Websense server.
Follow these steps to filter URLs:
Define a N2H2 or Websense server using the appropriate vendor-specific form of the url-server command.
Enable filtering with the filter command.
If needed, improve throughput with the url-cache command. This command doesn’t update Websense logs, however, which might affect Websense’s accounting reports. Accumulate Websense run logs before using the url-cache command.
Use the show url-cache stats and the show perfmon commands to view run information.
To perform URL filtering based on N2H2 or Websense server policies, use the filter url command. Use the no form of the command to turn the feature off. The syntax is as follows:
pix(config)# filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]pix(config)#no filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
To create an exception to a previous filter condition, use the filter url except command. Use the no form of the command to turn off the feature. The syntax is
pix(config)# filter url except local_ip local_mask foreign_ip foreign_maskpix(config)# no filter url except local_ip local_mask foreign_ip foreign_mask
url |
Filters URLs from data passing through the PIX Firewall. |
http |
Specifies port 80. Can also use http or www to indicate port 80. |
except |
Creates an exception to a previous filter condition. |
allow |
Lets outbound connections pass through the PIX Firewall without filtering if the N2H2/Websense server is unavailable. If this option is omitted and the server goes offline, the PIX Firewall stops all outbound port 80 (Web) traffic until the server is back online. |
proxy-block |
Prevents users from connecting to an HTTP proxy server. |
longurl-truncate |
Sends only the originating host name or IP address to the Websense server if the URL is over the URL buffer limit. |
longurl-deny |
Denies the URL request if the URL is over the URL buffer-size limit or the URL buffer is unavailable. |
cgi_truncate |
Sends a CGI script as a URL. |
The url-server command defines the server running the N2H2 or Websense URL application. While it’s possible to define up to 16 URL servers by repeating the command, you can use only one URL filtering application at a time: either N2H2 or Websense. The syntax is as follows:
Pix(config)#url-server [(if_name)] vendor n2h2 host local_ip [port number]
[timeout seconds] [protocol {TCP | UDP}]Pix(config)#url-server [(if_name)] vendor websense host local_ip [timeout seconds]
[protocol{TCP | UDP} version]
timeout seconds |
Maximum idle time permitted before PIX Firewall switches to the next server you specified. The default is five seconds. |
This example specifies a Websense server, and then filters all outbound HTTP connections, except those from the host 192.168.1.149.
pix(config)#url-server (perimeter) vendor websense host 192.168.100.10 ?? ?timeout 15 pix(config)#filter url 80 0 0 0 0 pix(config)#filter url except 192.168.1.149 255.255.255.255 0 0
The next example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:
pix(config)#url-server (perimeter) vendor n2h2 host 192.168.100.10 pix(config)#filter url 8080 0 0 0 0 proxy-block
The following is an example of the show url-server stats command:
pix#show url-server stats URL Server Statistics: ---------------------- URL Server Vendor ?? ? ? ?? ?????websense URLs total/allowed/denied ?? ??? 178/135/43 ? URL Server Status: ------------------ 192.168.100.10 ? ?? ? ?UP 192.168.100.12 ?? ?? DOWN
More information on Websense, including a good tutorial video on the products tab, is available at the following web site: http://www.websense.com.
N2H2 information is available at http://www.n2h2.com.