Configuring Filtering Services
This chapter describes how to use filtering services to provide greater control over traffic passing through the ASA and includes the following sections:
- Information About Web Traffic Filtering
- Configuring ActiveX Filtering
- Configuring Java Applet Filtering
- Filtering URLs and FTP Requests with an External Server
Information About Web Traffic Filtering
You can use web traffic filtering in two distinct ways:
- Instead of blocking access altogether, you can remove specific undesirable objects from web traffic, such as ActiveX objects or Java applets, that may pose a security threat in certain situations.
- You can use web traffic filtering to direct specific traffic to an external filtering server, such as the Secure Computing SmartFilter (formerly N2H2) or the Websense filtering server. You can enable long URL, HTTPS, and FTP filtering using either Websense or Secure Computing SmartFilter for web traffic filtering. Filtering servers can block traffic to specific sites or types of sites, as specified by the security policy.
Note URL caching will only work if the version of the URL server software from the URL server vendor supports it.
Because web traffic filtering is CPU-intensive, using an external filtering server ensures that the throughput of other traffic is not affected. However, depending on the speed of your network and the capacity of your web traffic filtering server, the time required for the initial connection may be noticeably slower when filtering traffic with an external filtering server.
Configuring ActiveX Filtering
This section includes the following topics:
- Information About ActiveX Filtering
- Licensing Requirements for ActiveX Filtering
- Guidelines and Limitations for ActiveX Filtering
- Configuring ActiveX Filtering
- Configuration Examples for ActiveX Filtering
- Feature History for ActiveX Filtering
Information About ActiveX Filtering
ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components that you can insert in a web page or another application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.
The filter activex command blocks the HTML object commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET>, and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.
If the <object> or </object> HTML tags are split across network packets, or if the code in the tags is longer than the number of bytes in the MTU, the ASA cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command or for clientless SSL VPN traffic.
Licensing Requirements for ActiveX Filtering
The following table shows the licensing requirements for this feature:
Guidelines and Limitations for ActiveX Filtering
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Configuring ActiveX Filtering
To remove ActiveX objects in HTTP traffic that is passing through the ASA, enter the following command:
Configuration Examples for ActiveX Filtering
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0 for either mask (or in shortened form, 0) to specify all masks. This command specifies that the ActiveX object blocking applies to HTTP traffic on port 80 from any local host and for connections to any foreign host.
The following example shows how to configure ActiveX filtering to block all outbound connections:
The following example shows how to remove ActiveX filtering:
Feature History for ActiveX Filtering
Table 29-1 lists the release history for ActiveX Filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Filters specific undesirable objects from HTTP traffic, such as ActiveX objects, which may pose a security threat in certain situations.
Configuring Java Applet Filtering
This section includes the following topics:
- Information About Java Applet Filtering
- Licensing Requirements for Java Applet Filtering
- Guidelines and Limitations for Java Applet Filtering
- Configuring Java Applet Filtering
- Configuration Examples for Java Applet Filtering
- Feature History for Java Applet Filtering
Information About Java Applet Filtering
Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command.
Note Use the filter activex command to remove Java applets that are embedded in <object> tags.
The filter java command filters out Java applets that return to the ASA from an outbound connection. You still receive the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. The filter java command does not filter clientless SSL VPN traffic.
Licensing Requirements for Java Applet Filtering
The following table shows the licensing requirements for Java applet filtering:
Guidelines and Limitations for Java Applet Filtering
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Configuring Java Applet Filtering
To apply filtering to remove Java applets from HTTP traffic passing through the ASA, enter the following command:
Configuration Examples for Java Applet Filtering
The following example specifies that Java applets are blocked on all outbound connections:
This command specifies that the Java applet blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
The following example blocks downloading of Java applets to a host on a protected network:
This command prevents host 192.168.3.3 from downloading Java applets.
The following example removes the configuration for downloading Java applets to a host on a protected network:
This command allows host 192.168.3.3 to download Java applets.
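The following configuration is added here as an illustration and is not taken from the guide; it puts the filter activex and filter java commands from the two preceding sections side by side. The command syntax follows the ASA command reference as the editor recalls it; 192.168.3.3 is the host from the Java example above, and every other value is constructed.

```cisco
! Added example, not part of the guide. Syntax as recalled from the ASA command reference:
!   filter {activex | java} port[-port] local_ip local_mask foreign_ip foreign_mask
! A 0 in an address or mask position is shorthand for 0.0.0.0 (any host / any mask).
!
! Comment out <OBJECT CLASSID>...</OBJECT> and <APPLET>...</APPLET> in HTTP replies
! on port 80 for every local host talking to any foreign server.
filter activex 80 0 0 0 0
!
! Comment out Java applets on port 80 for all outbound connections
! (applets carried in <object> tags are handled by filter activex, above).
filter java 80 0 0 0 0
!
! Narrower rule: block applets only for the single protected host 192.168.3.3
! (the host used in the guide's own Java example).
filter java 80 192.168.3.3 255.255.255.255 0 0
!
! Web traffic on a non-standard port is not inspected unless it is listed;
! 8080 here is a constructed example of such a port.
filter activex 8080 0 0 0 0
filter java 8080 0 0 0 0
!
! A rule is removed by repeating the exact line with the "no" prefix.
no filter java 80 192.168.3.3 255.255.255.255 0 0
!
! Confirm which filter statements are active.
show filter
```

Remember the caveat from the ActiveX section: a tag split across packets, or larger than the MTU, passes through unmodified, so these rules reduce exposure rather than guarantee removal.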
Feature History for Java Applet Filtering
Table 29-1 lists the release history for Java applet filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Filters specific undesirable objects from HTTP traffic, such as Java applets, which may pose a security threat in certain situations.
Filtering URLs and FTP Requests with an External Server
This section describes how to filter URLs and FTP requests with an external server and includes the following topics:
- Information About URL Filtering
- Licensing Requirements for URL Filtering
- Guidelines and Limitations for URL Filtering
- Identifying the Filtering Server
- Configuring Additional URL Filtering Settings
- Feature History for URL Filtering
Information About URL Filtering
You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve ASA performance by using a separate server running one of the following Internet filtering products:
- Websense Enterprise for filtering HTTP, HTTPS, and FTP.
- McAfee SmartFilter (formerly N2H2) for filtering HTTP, HTTPS, FTP, and long URL filtering.
In long URLs, the URL in the Referer field might contain a “host:” text string, which could cause the HTTP GET header to be incorrectly parsed as containing the HTTP Host parameter. The ASA, however, correctly parses the Referer field even when it contains a “host:” text string and forwards the header to the McAfee SmartFilter server with the correct Referer URL.
Note URL caching will only work if the version of the URL server software from the URL server vendor supports it.
Although ASA performance is less affected when using an external server, you might notice longer access times to websites or FTP servers when the filtering server is remote from the ASA.
When filtering is enabled and a request for content is directed through the ASA, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the ASA forwards the response from the content server to the originating client. If the filtering server denies the connection, the ASA drops the response and sends a message or return code indicating that the connection was not successful.
If user authentication is enabled on the ASA, then the ASA also sends the username to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting about usage.
Licensing Requirements for URL Filtering
The following table shows the licensing requirements for URL filtering:
Guidelines and Limitations for URL Filtering
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Identifying the Filtering Server
You can identify up to four filtering servers per context. The ASA uses the servers in order until a server responds. In single mode, a maximum of 16 of the same type of filtering servers are allowed. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.
Note You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter command. If you remove the filtering servers from the configuration, then all filter commands are also removed.
To specify the external filtering server, enter the following command:
Configuring Additional URL Filtering Settings
After you have accessed a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times. When you access the server again, or if another user accesses the server, the ASA does not need to consult the filtering server again to obtain the server address.
Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports.
This section describes how to configure additional URL filtering settings and includes the following topics:
- Buffering the Content Server Response
- Caching Server Addresses
- Filtering HTTP URLs
- Filtering HTTPS URLs
- Filtering FTP Requests
- Monitoring Filtering Statistics
Buffering the Content Server Response
When you issue a request to connect to a content server, the ASA sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This behavior delays the web server response for the web client, because the web client must reissue the request.
By enabling the HTTP response buffer, replies from web content servers are buffered, and the responses are forwarded to the requesting client if the filtering server allows the connection. This behavior prevents the delay that might otherwise occur.
To configure buffering for responses to HTTP or FTP requests, enter the following command:
Caching Server Addresses
After you access a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times. When you access the server again, or if another user accesses the server, the ASA does not need to consult the filtering server again.
Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports. You can accumulate Websense run logs before using the url-cache command.
To improve throughput, enter the following command:
Filtering HTTP URLs
This section describes how to configure HTTP filtering with an external filtering server and includes the following topics:
- Enabling HTTP Filtering
- Enabling Filtering of Long HTTP URLs
- Truncating Long HTTP URLs
- Exempting Traffic from Filtering
Enabling HTTP Filtering
You must identify and enable the URL filtering server before enabling HTTP filtering. When the filtering server approves an HTTP connection request, the ASA allows the reply from the web server to reach the originating client. If the filtering server denies the request, the ASA redirects you to a block page, indicating that access was denied.
To enable HTTP filtering, enter the following command:
Enabling Filtering of Long HTTP URLs
By default, the ASA considers an HTTP URL to be a long URL if it is greater than 1159 characters. You can increase the maximum length allowed.
To configure the maximum size of a single URL, enter the following command:
Truncating Long HTTP URLs
By default, if a URL exceeds the maximum permitted size, then it is dropped. To avoid this occurrence, truncate a long URL by entering the following command:
Exempting Traffic from Filtering
To exempt traffic from filtering, enter the following command:
Filtering HTTPS URLs
You must identify and enable the URL filtering server before enabling HTTPS filtering.
Note Websense and Secure Computing SmartFilter currently support HTTPS; older versions of the Secure Computing SmartFilter (formerly N2H2) do not support HTTPS filtering.
Because HTTPS content is encrypted, the ASA sends the URL lookup without directory and filename information. When the filtering server approves an HTTPS connection request, the ASA allows the completion of SSL connection negotiation and allows the reply from the web server to reach the originating client. If the filtering server denies the request, the ASA prevents the completion of SSL connection negotiation. The browser displays an error message, such as “The Page or the content cannot be displayed.”
Note The ASA does not provide an authentication prompt for HTTPS, so you must authenticate with the ASA using HTTP or FTP before accessing HTTPS servers.
To enable HTTPS filtering, enter the following command:
Filtering FTP Requests
You must identify and enable the URL filtering server before enabling FTP filtering.
Note Websense and Secure Computing SmartFilter currently support FTP; older versions of Secure Computing SmartFilter (formerly known as N2H2) did not support FTP filtering.
When the filtering server approves an FTP connection request, the ASA allows the successful FTP return code to reach the originating client. For example, a successful return code is “250: CWD command successful.” If the filtering server denies the request, the FTP return code is changed to show that the connection was denied. For example, the ASA changes code 250 to “550 Requested file is prohibited by URL filtering policy.”
To enable FTP filtering, enter the following command:
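The following configuration is an added example, not part of the guide, that walks through the external-server filtering steps above in the order the ASA requires, from identifying the server to verifying the result. The interface name, server address, buffer and cache sizes, and the exempted subnet are constructed; the command syntax follows the ASA command reference as the editor recalls it.

```cisco
! Added example, not part of the guide. All addresses, names and sizes are constructed.
!
! 1. Identify the filtering server first. filter url/https/ftp are rejected until a
!    url-server exists, and removing the last url-server removes every filter command.
url-server (dmz) vendor websense host 10.1.1.50 timeout 30 protocol TCP version 4 connections 5
!
! 2. Buffer up to 64 web-server replies so a verdict that arrives after the content
!    does not force the client to reissue the request.
url-block block 64
!
! 3. Allow URLs longer than the 1159-character default: memory pool in KB, then the
!    per-URL limit in KB (4 KB is the largest accepted value).
url-block url-mempool 1500
url-block url-size 4
!
! 4. Cache permitted destination addresses (16 KB). Hits served from this cache are
!    never sent to the filtering server, so they are absent from its logs and reports.
url-cache dst 16
!
! 5. HTTP from any local host to any foreign host; over-long URLs are truncated instead
!    of dropped. Without the optional "allow" keyword, traffic is dropped when the
!    filtering server is unreachable (fail closed), which is the safer default.
filter url http 0 0 0 0 longurl-truncate
!
! 6. Exempt connections to the internal 192.168.10.0/24 servers from the lookup.
filter url except 0 0 192.168.10.0 255.255.255.0
!
! 7. HTTPS lookups carry only the host portion; FTP denials rewrite the 250 reply to 550.
filter https 443 0 0 0 0
filter ftp 21 0 0 0 0
!
! Verification: server reachability, lookup counts, buffer and cache effectiveness.
show url-server
show url-server statistics
show url-block block statistics
show url-cache stats
show filter
```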
Monitoring Filtering Statistics
To monitor filtering statistics, enter one of the following commands:
- show url-server
- show url-server statistics
- show url-block
- show url-block block statistics
- show url-cache stats
- show perfmon
- show filter
Feature History for URL Filtering
Table 29-5 lists the release history for URL filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Filters URLs based on an established set of filtering criteria.