Access Control Using Content Restriction

The following topics describe how to configure access control policies to use content restriction features:

About Content Restriction

Major search engines and content delivery services provide features that allow you to restrict search results and website content. For example, schools use content restriction features to comply with the Children's Internet Protection Act (CIPA).

When implemented by search engines and content delivery services, you can enforce content restriction features only for individual browsers or users. The Firepower System allows you to extend these features to your entire network.

The system allows you to enforce:

  • Safe Search—Supported in many major search engines, this service filters out explicit and adult-oriented content that business, government, and education environments classify as objectionable. The system does not restrict a user's ability to access the home pages for supported search engines.

  • YouTube EDU—This service filters YouTube content for an educational environment. It allows schools to set access for educational content while limiting access to noneducational content. YouTube EDU is a different feature than YouTube Restricted Mode, which enforces restrictions on YouTube searches as part of Google's Safe Search feature. YouTube Restricted Mode is a subfeature of Safe Search. With YouTube EDU, users access the YouTube EDU home page, rather than the standard YouTube home page.

You can use two methods to configure the system to enforce these features:

Method: Access Control Rules
Content restriction features communicate the restricted status of a search or content query via an element in the request URI, an associated cookie, or a custom HTTP header element. You can configure access control rules to modify these elements as the system processes traffic.
Method: DNS Sinkhole
For Google searches, you can configure the system to redirect traffic to the Google SafeSearch Virtual IP Address (VIP), which imposes filters for Safe Search (including YouTube Restricted Mode).

The table below describes the differences between these enforcement methods.

Table 1. Comparison of Content Restriction Methods

Attribute

Method: Access Control Rules

Method: DNS Sinkhole

Supported devices Any Firepower Threat Defense only

Search engines supported

Any tagged safesearch supported in the Applications tab of the rule editor

Google only

YouTube Restricted Mode supported Yes Yes

YouTube EDU supported

Yes

No

SSL policy required

Yes

No

Hosts must be using IPv4

No

Yes

Connection event logging

Yes

Yes

When determining which method to use, consider the following limitations:

  • The access control rules method requires an SSL policy, which impacts performance.

  • The Google SafeSearch VIP supports IPv4 traffic only. If you configure a DNS sinkhole to manage Google searches, any hosts on the affected network must be using IPv4.

The system logs different values for the Reason field in connection events, depending on the method:

  • Access Control Rules—Content Restriction

  • DNS Sinkhole—DNS Block

Requirements and Prerequisites for Content Restriction

Model Support

Any, or as indicated in the procedure.

Supported Domains

Any

User Roles

  • Admin

  • Access Admin

  • Network Admin

Using Access Control Rules to Enforce Content Restriction


Caution


To avoid rule preemption, position rules governing YouTube EDU above rules governing Safe Search in both SSL and access control policies; see Content Restriction Rule Order.



Note


When safe search or YouTube EDU is enabled in an access control rule, inline normalization is enabled automatically. For more information, see The Inline Normalization Preprocessor.


Before you begin

For Classic devices, you must have the Control license.

Procedure


Step 1

Create an SSL policy; see Create Basic SSL Policies.

Step 2

Add SSL rules for handling Safe Search and YouTube EDU traffic:

  • Choose Decrypt - Resign as the Action for the rules. The system does not support any other action for content restriction handling.

  • In Applications, add selections to the Selected Applications and Filters list:

    • YouTube EDU—Add the YouTube and YouTube Upload applications.

    • Safe Search—Add the Category: search engine filter.

For more information, see Adding an Application Condition to a TLS/SSL Rule.

Step 3

Set rule positions for the SSL rules you added. Click and drag, or use the right-click menu to cut and paste.

To avoid preemption, position the Safe Search rule after the YouTube EDU rule.

Step 4

Create or edit an access control policy, and associate the SSL policy with the access control policy.

For more information, see Associating Other Policies with Access Control.

Step 5

In the access control policy, add rules for handling Safe Search and YouTube EDU traffic:

  • Choose Allow as the Action for the rules. The system does not allow any other action for content restriction handling.

  • In Applications, click dimmed for either Safe search (safe search icon) or YouTube EDU (YouTube EDU icon), and set related options; see Safe Search Options for Access Control Rules and YouTube EDU Options for Access Control Rules.

    These options are disabled, rather than dimmed, if you choose any Action other than Allow for the rule.

    You cannot enable Safe Search and YouTube EDU restrictions for the same access control rule.

  • In Applications, refine application selections in the Selected Applications and Filters list.

    In most cases, enabling Safe Search or YouTube EDU populates the Selected Applications and Filters list with the appropriate values. The system does not automatically populate the list if a Safe Search or YouTube application is already present in the list when you enable the feature. If applications do not populate as expected, manually add them as follows:

    • YouTube EDU—Add the YouTube and YouTube Upload applications.

    • Safe Search—Add the Category: search engine filter.

For more information, see Configuring Application Conditions and Filters.

Step 6

Set rule positions for the access control rules you added. Click and drag, or use the right-click menu to cut and paste.

To avoid preemption, position the Safe Search rule after the YouTube EDU rule.

Step 7

Configure the HTTP response page that the system displays when it blocks restricted content; see Choosing HTTP Response Pages.

Step 8

Deploy configuration changes; see Deploy Configuration Changes.


Safe Search Options for Access Control Rules

The Firepower System supports Safe Search filtering for specific search engines only. For a list of supported search engines, see applications tagged safesearch supported in the Applications tab of the access control rule editor. For a list of unsupported search engines, see applications tagged safesearch unsupported.

When enabling Safe Search for an access control rule, set the following parameters:

Enable Safe Search
Enables Safe Search filtering for traffic that matches this rule.
Unsupported Search Traffic
Specifies the action you want the system to take when it processes traffic from unsupported search engines. If you choose Block or Block with Reset, you must also configure the HTTP response page that the system displays when it blocks restricted content; see Choosing HTTP Response Pages.

YouTube EDU Options for Access Control Rules

When enabling YouTube EDU for an access control rule, set the following parameters:

Enable YouTube EDU
Enables YouTube EDU filtering for traffic that matches this rule.
Custom ID
Specifies the value that uniquely identifies a school or district network in the YouTube EDU initiative. YouTube provides this ID when a school or district registers for a YouTube EDU account.

Note


If you check Enable YouTube EDU, you must enter a Custom ID. This ID is defined externally by YouTube. The system does not validate what you enter against the YouTube system. If you enter an invalid ID, YouTube EDU restrictions may not perform as expected.


Using a DNS Sinkhole to Enforce Content Restriction

Typically, a DNS sinkhole directs traffic away from a particular target. This procedure describes how to configure a DNS sinkhole to redirect traffic to the Google SafeSearch Virtual IP Address (VIP), which imposes content filters on Google and YouTube search results.

Because Google SafeSearch uses a single IPv4 address for the VIP, hosts must use IPv4 addressing.


Caution


If your network includes proxy servers, this content restriction method is not effective unless you position your Firepower Threat Defense devices between the proxy servers and the Internet.


This procedure describes enforcing content restriction for Google searches only. To enforce content restriction for other search engines, see Using Access Control Rules to Enforce Content Restriction.

Before you begin

This procedure applies to Firepower Threat Defense only, and requires the Threat license.

Procedure


Step 1

Obtain a list of supported Google domains via the following URL: https://www.google.com/supported_domains.

Step 2

Create a custom DNS list on your local computer, and add the following entries:

  • To enforce Google SafeSearch, add an entry for each supported Google domain.
  • To enforce YouTube Restricted Mode, add a "youtube.com" entry.

The custom DNS list must be in text file (.txt) format. Each line of the text file must specify an individual domain name, stripped of any leading periods. For example, the supported domain ".google.com" must appear as "google.com".

Step 3

Upload the custom DNS list to the Firepower Management Center; see Uploading New Security Intelligence Lists to the Firepower Management Center.

Step 4

Determine the IPv4 address for the Google SafeSearch VIP. For example, run nslookup on forcesafesearch.google.com.

Step 5

Create a sinkhole object for the SafeSearch VIP; see Creating Sinkhole Objects.

Use the following values for this object:

  • IPv4 Address—Enter the SafeSearch VIP address.

  • IPv6 Address—Enter the IPv6 loopback address (::1).

  • Log Connections to Sinkhole—Click Log Connections.

  • Type—Choose None.

Step 6

Create a basic DNS policy; see Creating Basic DNS Policies.

Step 7

Add a DNS rule for the sinkhole; see Creating and Editing DNS Rules.

For this rule:

  • Check the Enabled check box.

  • Choose Sinkhole from the Action drop-down list.

  • Choose the sinkhole object you created from the Sinkhole drop-down list.

  • Add the custom DNS list you created to the Selected Items list on DNS.

  • (Optional) Choose a network in Networks to limit content restriction to specific users. For example, if you want to limit content restriction to student users, assign students to a different subnet than faculty, and specify that subnet in this rule.

Step 8

Associate the DNS policy with an access control policy; see Associating Other Policies with Access Control.

Step 9

Deploy configuration changes; see Deploy Configuration Changes.