Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 5

By Cisco Press | Posted Sep 27, 2001
URL Filtering
You added URL filtering for monitoring, reporting, and restricting URL access. Cisco Systems and Websense, Inc. have formed a partnership for joint marketing and coordination of technical information on a product called Websense, which is used to control the sites that users are allowed to access. For example, Web sites in categories such as employment or violence can be blocked. Instructions on ordering Websense are included in the documentation of every PIX Firewall.

The PIX Firewall configuration for enabling URL filtering is very simple; the following three lines are all that is required. The first line tells the PIX to allow or block URL access based on the information received from the Websense server at 10.1.1.51 on the inside interface. If no response to a request arrives within the timeout of 30 seconds given on this line, the next Websense server is queried; the default timeout is 5 seconds. The second line names the failover Websense server, which in this example network is the host that also serves as the Web server on the public interface. The third line specifies that all HTTP requests (port 80) from any inside host to any destination are checked. Multiple filter commands can be combined to refine what is monitored. Note that the PIX fails closed: if no Websense server answers, outbound HTTP is blocked until a server is reachable again, unless the allow keyword described below is used.
The full syntax of the filter command is shown after the command lines.

 url-server (inside) host 10.1.1.51 timeout 30
 url-server (public) host 192.168.2.30
 filter url http 0 0 0 0
The full syntax of the filter command is as follows:
 filter [activex | url] [http | except] local_ip local_mask foreign_ip foreign_mask [allow]

The definitions of the parameters can be found in Table 4-1.

Table 4-1  filter Command Parameters

Parameter     Description
activex       Blocks outbound ActiveX, Java applets, and other HTML <object> tags in outbound packets.
url           Filters URL data passing through the PIX by consulting the configured url-server.
http          Filters HTTP URLs on port 80.
except        Creates an exception to a previously stated filter condition (filter url except ...); traffic matching the exception is not sent to the Websense server.
local_ip      The IP address before NAT (if any) is applied. Use 0 for all IP addresses.
local_mask    The subnet mask of the local IP. Use 0 if 0 is used for the IP address.
foreign_ip    The IP address of the lower security level host or network. Use 0 for all foreign IP addresses.
foreign_mask  The subnet mask of the foreign IP. Use 0 if the foreign IP is 0.
allow         When no Websense server is available, lets outbound connections pass through the PIX without filtering (fail open). Without it, outbound HTTP is blocked while the servers are unreachable (fail closed).
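The following configuration fragment is an added example, not taken from the book or from Cisco's documentation. It builds on the three lines above to show the fail-closed and fail-open forms of the filter url command side by side, a filter url except entry, and an activex filter. The Websense server addresses are the book's; the management host 10.1.1.20 and the user subnet 10.1.1.0/24 are assumed for illustration.

```cisco
! Added example (not from the book). Addresses other than the two url-servers are assumed.
!
! Primary Websense server on the inside interface; wait up to 30 s for an answer
! before querying the next server (default timeout is 5 s).
url-server (inside) host 10.1.1.51 timeout 30
! Secondary Websense server on the public interface.
url-server (public) host 192.168.2.30
!
! Fail-closed policy: every outbound HTTP (port 80) request from any inside host to
! any destination is checked against Websense. If no url-server answers, HTTP is
! blocked until one is reachable again.
filter url http 0 0 0 0
!
! Fail-open alternative (weaker): identical policy, but HTTP passes unfiltered while
! the Websense servers are unreachable. Use only if availability outweighs policy.
! filter url http 0 0 0 0 allow
!
! Exception: the management station (assumed 10.1.1.20) talking to the intranet
! server 192.168.2.30 is never sent to Websense, so a server outage cannot block it.
filter url except 10.1.1.20 255.255.255.255 192.168.2.30 255.255.255.255
!
! Strip ActiveX, Java applet, and other <object> tags from port 80 traffic for the
! user subnet (assumed 10.1.1.0/24) to any destination.
filter activex 80 10.1.1.0 255.255.255.0 0 0
```

Keep exactly one of the two filter url http lines active. The exception is deliberately narrow (a single host to a single server); an except entry of 0 0 0 0 would exempt all traffic and silently disable filtering.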
