Академический Документы
Профессиональный Документы
Культура Документы
Additional Resources
By Ivan Pepelnjak
IOS release 12.4(20)T introduced support for web content filtering based on Trend Micro URL
filtering service. This feature allows the routers to intercept HTTP requests, perform deep packet
inspection (DPI) and query the Trend Micro server to determine whether an HTTP request
should be allowed or blocked. A subset of this feature allows a router to perform local content
filtering without contacting an external filtering service.
IOS Content Filtering (or any other DPI technique) cannot examine HTTPS (HTTP over
SSL/TLS) sessions.
Other IOS features, including Modular QoS CLI and Network Based Application Recognition
support HTTP DPI, but these features can only block access to the target server. IOS Content
Filtering can intercept a transit HTTP session and return alternate content to the end-user (see
Figure 1).
This article contains a step-by-step explanation of a working Cisco IOS Content Filtering
configuration implemented on a firewall router connecting a LAN to an FTTB service.
If you’re familiar with the NAT and zone-based firewall configuration, go directly to the content
filtering configuration section.
Contents
[hide]
• 6 Additional Resources
IP addressing configuration
No routing protocols are used; the router gets the default route from the DHCP server:
In the sample configuration, we’ll configure two zones: Inside and Outside. The inter-zone
policy is simple: HTTP, HTTPS, DNS and ICMP can pass from the Inside zone to the Outside
zone. The inspect configuration option configures stateful inspection of these protocols. No
unsolicited traffic is permitted from the Outside zone to the Inside zone.
The zone-based firewall configuration shown in this article is not complete, as it does not protect
the router (the self zone). In-depth information on the zone-based firewall configuration can be
found in the Deploying Zone-Based Firewalls e-book published by Cisco Press.
The zone-based firewall configuration starts with the class-map configurations defining security-
relevant traffic classes:
After the traffic classes have been defined, you can configure a policy-map defining an inter-
zone security policy. The security policy allows outbound HTTP, DNS, ICMP and HTTPS
sessions and drops all other outbound traffic.
Security policy
Security zones
The zone-pair definition ties together a source zone, a destination zone and a security policy
defining the traffic inspection/filtering between the pair of zones. The outside-to-inside zone pair
is not defined; all unsolicited traffic from the Outside zone to the Inside zone is thus dropped.
As the final configuration step, individual interfaces are assigned to the security zones.
interface FastEthernet0/0
description Outside interface
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security Outside
!
interface FastEthernet0/1
description Inside LAN
ip address 10.17.0.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security Inside
1. Define the patterns you want to match using a new parameter-map type urlf-glob
object.
2. Define URL filtering classes with the class-map type urlfilter.
3. Define URL filtering policies with the policy-map type inspect urlfilter. You can allow
or reset individual classes within the policy and (optionally) log their usage.
4. Apply the URL filtering policy as a child policy to the zone-based firewall security
policy.
5. Optionally, change the parameters of the content filtering functionality with the
parameter-map type urlfpolicy local.
The content filtering feature has introduced yet another pattern matching object – the
parameter-map type urlf-glob with the following syntax:
The content filtering patterns are glob patterns, not regular expressions. They have only two
special characters: * matches any number of characters and ? matches a single character.
Numerous patterns can be listed in the same parameter-map; any one of them can match.
The sample configuration matches two social networking sites (LinkedIn and Facebook). It also
contains a wildcard match that will be used to permit all other sites.
Filtering classes
The content filtering feature uses its own class type (type urlfilter). The matching logic is the
same as in other IOS classes: a class can match any (match-any) or all (match-all) match
conditions specified in the class. The URL filter classes support two match conditions:
• match server-domain matches the Host header of HTTP request. All RFC 2616-
compliant browsers (Cisco IOS is not one of them) set the Host header to the server name
(the part of the URL between http:// and the next slash).
The specified pattern has to match the whole server name. For example, pattern facebook.com
will not match www.facebook.com.
• match url-keyword matches the URL passed in the GET or POST request. Unless the
browser is using an HTTP proxy, the server name is not part of the URL.
In IOS release 12.4(24)T, the URL filter classes do not support class hierarchies (a class cannot
be member of another class).
The sample configuration defines two classes: social networking sites (which will be blocked)
and the rest of the internet (permitted sites).
After the URL filtering classes have been defined, you can define a filtering policy. The policy
configuration syntax is very similar to the Modular QoS policy or zone-based firewall policy
configuration with a few minor differences:
• Only the URL filter classes can be used in the URL filtering policy.
• You have to configure allow or reset action in each class.
• You might configure the log action to write the filtering results to the syslog.
• You might configure a parameter map in the filtering policy.
The sample filtering policy blocks access to social networking sites and allows access to all
permitted sites.
If you’re using local content filtering with no external server, any requests not explicitly matched
by a class with the allow action will be blocked. If you want to block a few sites, you have to
have an explicit permit all at the end of the policy-map.
You have to apply the URL filtering policy as a child policy (with the service-policy urlfilter
configuration command) of a zone-based firewall class which matches HTTP traffic (no other
traffic can be matched by that class).
In the sample configuration, the SocialNetworking URL filtering policy is applied within the
Web class of the InsideToOutside security policy.
The URL filtering policy accepts a few parameters that have to be configured in yet another
object: the parameter-map type urlfpolicy. For local content filtering, you have to use the
parameter-map type urlfpolicy local (you could also specify parameters for N2H2 and
Websense servers). The only meaningful parameter in the purely-local scenario is the block-
page parameter which can specify an URL to which the blocked requests are redirected or a text
message to be included in the “content is blocked” web page generated by the router.
The URL filtering policy parameters are applied to the URL filtering policy with the parameter
type urlfpolicy policy map configuration command.
Each URL filtering policy could have its own set of parameters. To customize the filtering
behavior, you might have multiple HTTP-based classes in the same policy-map or use different
URL filtering policies in individual inter-zone security policies.
The local pattern matching parameter maps and URL filtering policy parameter maps can be
display with the show parameter-map type urlf-glob|urlfpolicy command.
The show policy-map type inspect zone-pair urlfilter command displays the operational
parameters and counters of the IOS content filtering. Its outputs are very similar to the show
policy-map type inspect zone-pair command; the only addition are the server-based filtering
counters and statistics (highlighted below).
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [51:4054]
To monitor the blocked or allowed HTTP requests, use the log action in the URL filtering policy.
Whenever a HTTP request matching a class with the log action is processed, the router generates
a syslog message. Sample allow and block messages are included below:
%URLF-6-SITE_ALLOWED: (target:class)-(Inside_to_Outside:Web): →
Client 10.17.0.2:46598 accessed server 88.221.36.170:80
%URLF-4-SITE_BLOCKED: (target:class)-(Inside_to_Outside:Web): →
Access denied for the site 'www.linkedin.com', client 10.17.0.2:46600
server 88.221.36.170:80
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rtr
!
logging message-counter syslog
enable secret 5 $1$l./Y$D2OnN1MW/M3UzJQjHmAcK/
!
no aaa new-model
no ip source-route
ip cef
!
!
!
!
ip domain name example.com
!
parameter-map type urlfpolicy local URLFilter
alert off
block-page message "Don't even try to go there"
!
parameter-map type urlf-glob Facebook
pattern facebook.com
pattern *.facebook.com
!
parameter-map type urlf-glob LinkedIn
pattern *.linkedin.com
pattern linkedin.com
!
parameter-map type urlf-glob PermittedSites
pattern *
!
file prompt quiet
archive
log config
hidekeys
path disk0:configs
!
ip ssh logging events
ip ssh version 2
!
class-map type urlfilter match-any SocialNetworking
match server-domain urlf-glob Facebook
match server-domain urlf-glob LinkedIn
class-map type urlfilter match-any PermittedSites
match server-domain urlf-glob PermittedSites
!
class-map type inspect match-any Control
match protocol dns
match protocol icmp
class-map type inspect match-any Web
match protocol http
class-map match-all SecureWeb
match protocol secure-http
class-map type inspect match-all WebSecure
match protocol https
!
!
policy-map type inspect urlfilter SocialNetworking
parameter type urlfpolicy local URLFilter
class type urlfilter SocialNetworking
log
reset
class type urlfilter PermittedSites
allow
log
!
policy-map type inspect InsideToOutside
class type inspect Web
inspect
service-policy urlfilter SocialNetworking
class type inspect Control
inspect
class type inspect WebSecure
inspect
class class-default
drop
!
zone security Inside
zone security Outside
!
zone-pair security Inside_to_Outside source Inside destination Outside
service-policy type inspect InsideToOutside
!
!
interface Loopback0
ip address 10.17.0.20 255.255.255.255
!
interface FastEthernet0/0
description Outside interface
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security Outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Inside LAN
ip address 10.17.0.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security Inside
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list Inside interface FastEthernet0/0 overload
!
ip access-list standard Inside
permit 10.17.0.0 0.0.0.255
!
snmp-server community Test RO
snmp-server ifindex persist
snmp mib persist cbqos
!
control-plane
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
privilege level 15
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
login local
!
end