Foundation Topics
Filtering ActiveX Objects and Java Applets
ActiveX objects and Java applets are designed to make the browsing experience more interactive. Based on the Component Object Model (COM), ActiveX objects are written for a specific platform of Microsoft Windows. When the user displays a page containing ActiveX or Java, the browser downloads the control dynamically. ActiveX objects are native programs, so they can do all the things that local programs can do. For example, they can read and write to the hard drive, execute programs, perform network administration tasks, and determine which system configuration they are running on. While ActiveX objects and Java applets can perform powerful tasks, they can also be used maliciously to damage systems.
One way to prevent the threats posed by ActiveX objects and Java applets is to disallow them at the browser or user level. Users can configure their web browsers not to run ActiveX objects or Java applets. Although you can disable ActiveX objects and Java applets within the browser, this requires a great deal of effort for a large enterprise network. In these cases, it is easier to prevent the ActiveX objects and Java applets from reaching the browser.
When configured for filtering, the Cisco PIX Firewall filters ActiveX objects and Java applets from web pages before those pages reach the browser. Java applet and ActiveX object filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET> tags and the <OBJECT> and </OBJECT> tags with comments.
Filtering Java Applets
The filter java command filters out Java applets that return to the Cisco PIX Firewall from an outbound connection. The user still receives the web page, but the web page source for the applet is commented out so that the applet cannot execute. The syntax for filter java is
filter java port [ -port ] local-ip mask foreign-ip mask
Note: Table 15-2 lists the parameters for the filter command that appear in this chapter.
Table 15-2. filter Command Parameters
- allow: Filters URL only. When the server is unavailable, lets outbound connections pass through the Cisco PIX Firewall without filtering. If you omit this option, and if the N2H2 or Websense server goes offline, the Cisco PIX Firewall stops outbound port 80 (web) traffic until the N2H2 or Websense server is back online.
- cgi-truncate: Sends a CGI script as a URL.
- except: Filters URL only. Creates an exception to a previous filter condition.
- foreign-ip: The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or, in shortened form, 0) to specify all hosts.
- java: Filters out Java applets returning from an outbound connection.
- local-ip: The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or, in shortened form, 0) to specify all hosts.
- local-mask: Network mask of local-ip. You can use 0.0.0.0 (or, in shortened form, 0) to specify all hosts.
- longurl-deny: Denies the URL request if the URL is over the URL buffer size limit or if the URL buffer is unavailable.
- longurl-truncate: Sends only the originating host name or IP address to the Websense server if the URL is over the URL buffer limit.
- mask: Subnet mask.
- port: The port that receives Internet traffic on the Cisco PIX Firewall. Typically, this is port 80, but other values are accepted. The http or www literal can be used for port 80.
- proxy-block: Prevents users from connecting to an HTTP proxy server.
- url: Filters URLs from data moving through the Cisco PIX Firewall.
- interact-block: Prevents users from connecting to the FTP server through an interactive program.
The following example specifies that Java applet blocking applies to web traffic on port 80 from local subnet 10.10.10.0 and for connections to any foreign host:
filter java http 10.10.10.0 255.255.255.0 0 0
Filtering ActiveX Objects
The filter activex command filters out ActiveX objects and other <OBJECT> usages from inbound packets. These controls include custom forms, calendars, and extensive third-party forms for gathering or displaying information. The syntax for filtering ActiveX objects is as follows:
filter activex port local-ip local-mask foreign-ip foreign-mask
Note that if the <OBJECT> and </OBJECT> HTML tags are split across network packets, or if the code in the tags is longer than the number of bytes in the maximum transmission unit (MTU), the Cisco PIX Firewall cannot block the tag.
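The tag rewriting described above, as an added Python illustration that is not PIX code: it comments out complete <APPLET> and <OBJECT> elements and then shows why an element whose start and end tags fall in different packets, the MTU caveat just mentioned, is not caught when each packet is rewritten on its own. The sample page, the regular expression and all function names are constructed here.

```python
import re

# Added illustration, not PIX code: models the tag-to-comment rewrite the chapter
# describes for <APPLET>...</APPLET> and <OBJECT>...</OBJECT>, and shows why an
# element split across two packets slips through when each packet is rewritten alone.
ELEMENT_RE = re.compile(r"<(applet|object)\b.*?</\1\s*>", re.IGNORECASE | re.DOTALL)


def comment_out_elements(html: str) -> str:
    """Replace each complete applet/object element with an HTML comment."""
    return ELEMENT_RE.sub(
        lambda m: "<!-- %s removed by filter -->" % m.group(1).lower(), html)


def filter_per_packet(packets):
    """Rewrite every packet payload on its own, as a per-packet filter would.
    An element whose start tag and end tag land in different packets is never
    seen as a whole, so it is left untouched (the MTU caveat in the text)."""
    return [comment_out_elements(p) for p in packets]


def has_active_content(html: str) -> bool:
    """True if any applet/object start tag survived."""
    return re.search(r"<(applet|object)\b", html, re.IGNORECASE) is not None


# Constructed sample page with one applet and one object element.
SAMPLE_PAGE = (
    "<html><body><p>hello</p>"
    '<APPLET code="Foo.class" width="100"></APPLET>'
    '<object classid="clsid:0000"><param name="x" value="1"></object>'
    "</body></html>"
)

if __name__ == "__main__":
    whole = comment_out_elements(SAMPLE_PAGE)
    print(whole, has_active_content(whole))
    # Same page, but the <object> element straddles a packet boundary.
    cut = SAMPLE_PAGE.index("<param")
    joined = "".join(filter_per_packet([SAMPLE_PAGE[:cut], SAMPLE_PAGE[cut:]]))
    print(joined, has_active_content(joined))
```

A filter that reassembles the stream before rewriting does not have this gap; a per-packet rewriter does, which is the behaviour the note above describes.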
Filtering URLs
Most organizations today have human resources policies that specify that indecent materials cannot be brought into the workplace. Similarly, most organizations have network security policies that prohibit users from visiting websites that are categorized as indecent or inappropriate to the business mission of the organization.
Using other content-filtering vendor products, the Cisco PIX Firewall enforces network security policy as it relates to URL filtering. When a user issues an HTTP request to a website, the Cisco PIX Firewall sends the request to the web server and to the URL-filtering server at the same time. If the policy on the URL-filtering server permits the connection, the Cisco PIX Firewall allows the reply from the website to reach the user who issued the original request. If the policy on the URL-filtering server denies the connection, the Cisco PIX Firewall redirects the user to a block page, indicating that access was denied.
The PIX Firewall works in conjunction with two types of URL-filtering application servers:
- Websense Enterprise Supported by Cisco PIX Firewall Version 5.3 and later
- N2H2 Sentian Supported by Cisco PIX Firewall Version 6.2
Identifying the URL-Filtering Server
The url-server command designates the server that is running the N2H2 or Websense URL-filtering application. The PIX Firewall allows you to configure a maximum of 16 URL servers (with the first one entered being the primary URL server), and you can use only one vendor's URL-filtering server at a time, either N2H2 or Websense. Configuration is performed both on the PIX Firewall and on the URL-filtering server. You can identify more than one URL-filtering server by entering the url-server command multiple times. The primary URL-filtering server is the first server that you identify. The syntax for identifying an N2H2 URL-filtering server is as follows:
url-server [( if-name )] vendor n2h2 host local-ip [ port number ]
[ timeout seconds ] [ protocol { TCP | UDP }]
The default port used by the N2H2 server to communicate with the Cisco PIX Firewall via TCP or UDP is 4005. The default protocol is TCP. The timeout parameter in the url-server command is the maximum idle time permitted before the PIX Firewall switches to the next URL-filtering server you specified. The default time is 5 seconds.
The following example identifies an N2H2 URL-filtering server with an IP address of 10.10.10.13:
pixfw(config)# url-server (inside) vendor n2h2 host 10.10.10.13
The syntax for identifying a Websense URL-filtering server is as follows:
url-server [( if-name )] vendor websense host local-ip [ timeout seconds ]
[ protocol { TCP | UDP } version {1|4}]
The following example identifies a Websense URL-filtering server with an IP address of 10.10.10.14:
pixfw(config)# url-server (inside) vendor websense host 10.10.10.14
To view the URL-filtering server, use the show url-server command, as shown in Example 15-1.
Example 15-1. Displaying the URL-Filtering Server Information
pixfw# show url-server
url-server (inside) vendor n2h2 host 10.10.10.13 port 4005 timeout 5 protocol TCP
Configuring URL-Filtering Policy
You must identify and enable the URL-filtering server before you use the following filtering commands. If all URL-filtering servers are removed, any associated filtering commands are also removed. The filter url command enables you to prevent outbound users from accessing URLs that you designate as inadmissible. The syntax for filtering URLs is as follows:
filter url port [ except ] local-ip local-mask foreign-ip foreign-mask [ allow ]
[ proxy-block ] [ longurl-truncate | longurl-deny ] [ cgi-truncate ]
With URL filtering enabled, the Cisco PIX Firewall stops outbound HTTP, HTTPS, and FTP traffic until a URL-filtering server permits the connection. If the primary URL-filtering server and the secondary server do not respond, then outbound web traffic (port 80) stops until a URL-filtering server comes back online. However, the allow option causes the Cisco PIX Firewall to forward HTTP traffic without filtering when the URL-filtering server(s) is unavailable.
Note: PIX Firewall Version 6.3 supports filtering of HTTPS and FTP sites for Websense servers. HTTPS and FTP filtering are not supported for the N2H2 URL-filtering server.
The following example filters all HTTP traffic:
filter url http 0 0 0 0
You can make an exception to URL-filtering policies by using the except parameter in the filter url command. For example:
pixfw(config)#filter url http 0 0 0 0
pixfw(config)#filter url except 10.10.10.20 255.255.255.255 0 0
This policy filters all HTTP traffic with the exception of HTTP traffic that originates from host 10.10.10.20.
Websense database version 4 contains the following enhancements:
- URL filtering allows the Cisco PIX Firewall to check outgoing URL requests against the policy defined on the Websense server.
- Username logging tracks the username, group, and domain name on the Websense server.
- Username lookup lets the Cisco PIX Firewall use the user authentication table to map the host's IP address to the username.
There are instances in which the web server replies to a user HTTP request faster than the URL-filtering server does. In these instances, the url-cache command provides a configuration option to buffer the response from a web server if its response is faster than that from the N2H2 or Websense URL-filtering server. This prevents the web server's response from being loaded twice, improving throughput. The syntax of the url-cache command is as follows:
url-cache { dst | src-dst } size kbytes
Table 15-3 describes the parameters for the url-cache command.
Table 15-3. url-cache Command Parameters
Filtering HTTPS and FTP
As mentioned in the previous section, HTTPS and FTP filtering can be configured on the PIX Firewall using Websense servers. These features provide a convenient mechanism for enforcing access policy in your environment. Just as it does with HTTP filtering, the PIX Firewall sends FTP requests to both the destination and the Websense server when a user makes an FTP request. If the Websense server denies the connection, the PIX Firewall alters the FTP return code to show that the connection was denied. If the Websense server permits the connection, the PIX Firewall allows the successful FTP return code to reach the user unchanged.
HTTPS filtering, on the other hand, works by preventing the completion of SSL connection negotiation if the site is not allowed. The browser displays an error message such as "The Page or the content cannot be displayed." The command syntax to enable FTP and HTTPS filtering is as follows:
filter ftp dest-port localIP local-mask foreign-IP foreign-mask
[ allow ] [ interact-block ]
filter https dest-port localIP local-mask foreign-IP foreign-mask [ allow ]
Filtering Long URLs
Cisco PIX Firewall Version 6.1 and earlier versions do not support filtering URLs longer than 1159 bytes. Cisco PIX Firewall Version 6.2 supports filtering URLs up to 6000 bytes for the Websense URL-filtering server. The default is 2000 bytes. In addition, Cisco PIX Firewall Version 6.2 introduces the longurl-truncate and cgi-truncate parameters to allow handling of URL requests longer than the maximum permitted size. The format for these options is as follows:
filter url [ http | port [ -port ]] local-ip local-mask foreign-ip foreign-mask [ allow ]
[ proxy-block ] [ longurl-truncate | longurl-deny | cgi-truncate ]
Table 15-4 identifies the major parameters for the filter url command.
Table 15-4. filter url Command Parameters
- local-ip: Specifies the source IP addresses for which filtering will be applied
- local-mask: Specifies the network mask for local-ip (note: using 0.0.0.0 specifies all hosts)
- foreign-ip: Specifies the destination IP addresses for which filtering will be applied
- foreign-mask: Specifies the network mask for foreign-ip (note: using 0.0.0.0 specifies all hosts)
- allow: Allows the connection to pass through the firewall without filtering if the filtering server is unavailable
- proxy-block: Prevents users from connecting to an HTTP proxy server
- longurl-truncate: Causes the Cisco PIX Firewall to send only the host name or IP address portion of the URL to the URL-filtering server for evaluation when the URL is longer than the maximum length permitted
- longurl-deny: Denies outbound traffic if the URL is longer than the maximum permitted
- cgi-truncate: Sends a CGI script as the URL
Cisco PIX Firewall Version 6.2 supports a maximum URL length of 1159 bytes for the N2H2 URL-filtering server. To increase the maximum length of a single URL (for Websense only), enter the following command:
url-block url-size size
The value of the size variable is 2 to 6 KB.
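A Python model of the filter url decision path covered in the last two sections (the except carve-out, the allow keyword when the filtering server is unreachable, and longurl-deny versus longurl-truncate against the url-block url-size limit), added here as an illustration; it is not part of the chapter or of any PIX code. The class and function names, the hosts blocked.example and ok.example, the destination address 192.0.2.10 and the toy Websense verdict are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Added model, not PIX code: the decision path the chapter describes for
# "filter url ... [allow] [longurl-truncate | longurl-deny]", "filter url except"
# and "url-block url-size". Class, function and host names are constructed.
def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """PIX shorthand: a bare 0 stands for 0.0.0.0 (all hosts)."""
    return ipaddress.IPv4Network(("0.0.0.0" if ip == "0" else ip,
                                  "0.0.0.0" if mask == "0" else mask), strict=False)

@dataclass
class UrlFilterPolicy:
    rules: List[Tuple] = field(default_factory=list)  # (local net, foreign net, is_except)
    allow_if_server_down: bool = False  # the [allow] keyword
    long_url: str = "deny"              # "deny" = longurl-deny, "truncate" = longurl-truncate
    url_size: int = 2000                # url-block url-size in bytes (2000 is the chapter's default)

    def add(self, local_ip, local_mask, foreign_ip, foreign_mask, except_=False):
        # One "filter url http ..." line, or "filter url except ..." when except_ is set.
        self.rules.append((_net(local_ip, local_mask), _net(foreign_ip, foreign_mask), except_))

    def filtered(self, src: str, dst: str) -> bool:
        """A flow is filtered when a rule covers it and no except rule carves it out."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        hits = [exc for local, foreign, exc in self.rules if s in local and d in foreign]
        return bool(hits) and not any(hits)

    def decide(self, src: str, dst: str, url: str, server_up: bool,
               server_permits: Callable[[str], bool]) -> str:
        """Return 'allow' or 'deny' for one outbound HTTP request."""
        if not self.filtered(src, dst):
            return "allow"                          # outside the filter policy
        if not server_up:                           # N2H2/Websense unreachable
            return "allow" if self.allow_if_server_down else "deny"
        query = url
        if len(url.encode()) > self.url_size:       # over the URL buffer limit
            if self.long_url == "deny":
                return "deny"                       # longurl-deny
            query = urlsplit(url).hostname or url   # longurl-truncate: host name only
        return "allow" if server_permits(query) else "deny"

# Constructed sample: the chapter's two-line policy plus a toy Websense-style verdict.
policy = UrlFilterPolicy(allow_if_server_down=True, long_url="truncate")
policy.add("0", "0", "0", "0")                                         # filter url http 0 0 0 0
policy.add("10.10.10.20", "255.255.255.255", "0", "0", except_=True)  # filter url except ...
BLOCKED_HOSTS = {"blocked.example"}

def websense(query: str) -> bool:
    """Permit unless the host is on the constructed block list (URL or bare host name)."""
    host = urlsplit(query).hostname if "://" in query else query
    return host not in BLOCKED_HOSTS
```

Note that with longurl-truncate only the host name reaches the filtering server, so a long URL to a blocked host is still denied, while with the default (longurl-deny) any over-size URL is refused outright.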
Viewing Filtering Statistics and Configuration
The show url-cache command with the stat option displays the URL caching statistics. Example 15-2 demonstrates sample output from this command.
Example 15-2. show url-cache Command Output
PIX# show url-cache stat
URL Filter Cache Stats
----------------------
Size: 128KB
Entries: 1415
In Use: 1
Lookups: 0
Hits: 0
The significant fields in this output are as follows:
- Size: The size of the cache in kilobytes, set with the url-cache size option
- Entries: The maximum number of cache entries based on the cache size
- In Use: The current number of entries in the cache
- Lookups: The number of times the Cisco PIX Firewall has looked for a cache entry
- Hits: The number of times the Cisco PIX Firewall has found an entry in the cache
You can view more statistics about URL filtering and performance with the show url-server stats and show perfmon commands. Example 15-3 shows output from show url-server stats.
Example 15-3. show url-server stats Command Output
PIX(config)# show url-server stats
URL Server Statistics:
----------------------
Vendor Websense
URLs total/allowed/denied 2370/1958/412
URL Server Status:
------------------
10.10.10.13 UP
Example 15-4 shows output from the show perfmon command.
Example 15-4. show perfmon Command Output
PIX# show perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 2/s
TCP Conns 0/s 2/s
UDP Conns 0/s 0/s
URL Access 0/s 2/s
URL Server Req 0/s 3/s
TCP Fixup 0/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 3/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s