URL filtering lets you control access to Internet websites by permitting or denying specific sites based on the contents of a URL list. You can maintain a local URL list on the router, and you can also use URL lists held on Websense or Secure Computing URL filter list servers.
ip urlfilter allow-mode on/off
This sets the filter's fail-open / fail-closed behaviour. With allow-mode on, any HTTP request the router cannot get a verdict for (the URL filter server is unreachable, or no server is configured and the domain is not in the exclusive-domain list) is allowed through; with allow-mode off, which is the default, those requests are blocked. Domains listed with exclusive-domain are decided locally either way.
ip urlfilter exclusive-domain deny www.yahoo.com
ip urlfilter exclusive-domain deny www.cisco.com
ip inspect name WEBFILTER http urlfilter
interface FastEthernet1/1
ip address 172.20.1.2 255.255.255.0
ip inspect WEBFILTER out
Verification:
R1#show ip urlfilter cache
Maximum number of cache entries: 5000
Number of entries cached: 2
--------------------------------------------------------
IP address        Age (in seconds)    Time since last hit (in seconds)
--------------------------------------------------------
87.248.122.122 117 106
95.100.64.170 146 144
R1#show ip urlfilter statistics
URL filtering statistics
=========================
Current requests count: 0
Current packet buffer count(in use): 0
Current cache entry count: 2
Maxever request count: 1
Maxever packet buffer count: 0
Maxever cache entry count: 1
Total requests sent to URL Filter Server :0
Total responses received from URL Filter Server :0
Total requests allowed: 0
Total requests blocked: 0
ACLs match on addresses and ports rather than on hostnames or URLs, so they are typically not used to implement these kinds of policies. Instead, a content-filtering server is used. Cisco currently supports server products from N2H2 (Sentian) and Websense to perform this filtering process.
ip urlfilter server vendor websense 10.1.1.100
R1#show ip urlfilter config
Websense URL Filtering is DISABLED
Primary Websense server configurations
=========================================
Websense server IP address Or Host Name: 10.0.0.100
Websense server port: 15868
Websense retransmission time out: 6 (in seconds)
Websense number of retransmission: 2
Secondary Websense servers configurations
============================================
Other configurations
=====================
Allow Mode: ON
System Alert: ENABLED
Audit Trail: DISABLED
Log message on Websense server: DISABLED
Truncate Hostname: DISABLED
Truncate Script-parameters: DISABLED
Maximum number of cache entries: 5000
Maximum number of packet buffers: 200
Maximum outstanding requests: 1000
- ZFW URL Filtering
ZFW offers URL filtering that limits web access either to what a white- or black-list defined on the router permits, or by forwarding domain names to a URL filtering server that verifies whether access to a specific domain is allowed.
For server-based URL filtering, you must define a parameter-map that describes the URL filter server configuration:
parameter-map type urlfilter websense-parmap
server vendor websense 10.1.1.2
If static white- or black-lists are preferred, define a list of domains or subdomains that are specifically allowed or denied; the opposite action is applied to traffic that does not match the list:
parameter-map type urlfilter websense-parmap
exclusive-domain deny .disallowed.com
exclusive-domain permit .cisco.com
If a URL black-list is defined using only deny entries in the exclusive-domain definitions, all other domains will be allowed. As soon as any permit entry is defined, every domain that is to be allowed must be listed explicitly, much like the implicit deny at the end of an IP access-control list.
Set up a class-map that will match HTTP traffic:
class-map type inspect match-any http-cmap
match protocol http
Define a policy-map that associates your class-map with inspect and urlfilter actions:
policy-map type inspect http-filter-pmap
class type inspect http-cmap
inspect
urlfilter websense-parmap
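The post stops at the policy-map, but nothing is filtered until that policy is bound to a zone-pair. The following is an added example, not configuration from the original post or from Cisco's design guide, that carries the same three objects through to working zones and a zone-pair. The zone names INSIDE/OUTSIDE, the interface roles, the extra class for DNS/HTTPS, the 10.1.1.2 server address and the timeout/retransmit values are assumptions chosen for the illustration.

```cisco
! Added example (not from the original post): complete ZFW URL filtering,
! from parameter-map through zone-pair. Zone names, interface roles and the
! 10.1.1.2 server address are assumptions for this illustration.
!
! 1. URL-filter parameters. Domains on the exclusive-domain deny list are
!    blocked locally; anything not listed is sent to the Websense server.
!    allow-mode on makes the policy fail open when the server stops
!    answering; leave it off (the default) to fail closed.
!    Adding an "exclusive-domain permit" entry turns the list into a
!    whitelist, so only deny entries are used alongside the server here.
parameter-map type urlfilter websense-parmap
 server vendor websense 10.1.1.2 timeout 6 retransmit 2
 exclusive-domain deny .disallowed.com
 allow-mode on
 alert on
 audit-trail on
!
! 2. Classes: HTTP gets URL filtering; DNS and HTTPS are only inspected,
!    since the filter can see neither the hostname in a DNS query nor the
!    encrypted HTTP request (assumed set of extra protocols).
class-map type inspect match-any http-cmap
 match protocol http
class-map type inspect match-any other-cmap
 match protocol dns
 match protocol https
!
! 3. Policy: inspect + urlfilter for HTTP, plain inspect for the rest.
!    Everything else lands in class-default and is dropped and logged.
policy-map type inspect http-filter-pmap
 class type inspect http-cmap
  inspect
  urlfilter websense-parmap
 class type inspect other-cmap
  inspect
 class class-default
  drop log
!
! 4. Zones, interface membership, and the inside->outside zone-pair that
!    activates the policy. Without the zone-pair nothing is filtered.
zone security INSIDE
zone security OUTSIDE
interface FastEthernet1/0
 description LAN (assumed inside interface)
 zone-member security INSIDE
interface FastEthernet1/1
 description Internet (assumed outside interface)
 zone-member security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect http-filter-pmap
```

Two checks before deploying this: an interface cannot both carry a classic "ip inspect" rule, as in the CBAC section above, and be a zone member, so remove the ip inspect WEBFILTER line from FastEthernet1/1 first; and confirm with show policy-map type inspect zone-pair IN-OUT that the http-cmap class is actually seeing sessions, otherwise the URL filter never gets consulted.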