Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 5

By  Cisco Press | Sep 27, 2001

URL Filtering
You added URL filtering for monitoring, reporting, and restricting URL access. Cisco Systems and Websense, Inc. have formed a partnership for joint marketing and coordination of technical information on a product called Websense, which is used to control the sites that users are allowed to access. For example, web sites classified as employment or violent can be blocked. Instructions on ordering Websense are included in the documentation of every PIX Firewall.

The PIX Firewall configuration for enabling URL filtering is very simple. The following three lines show the configuration. The first line tells the PIX to allow or block URL access based on the information received from the Websense server on the inside interface at the 10.1.1.51 IP address. Should a response to a request not be received within the timeout parameter of 30 seconds shown on this line, the next Websense server will be queried. The default timeout is 5 seconds. The second line shows the failover Websense server, which is also the Web server on the public interface. The third line defines that all HTTP requests will be watched. Multiple filter commands can be combined to refine what is monitored.
The full syntax of the filter command will be shown after the command lines.

 url-server (inside) host 10.1.1.51 timeout 30
 url-server (public) host 192.168.2.30
 filter url http 0 0 0 0

The full syntax of the filter command is as follows:

 filter [activex http url] | except local_ip local_mask foreign_ip foreign_mask [allow]

The definitions of the parameters can be found in Table 4-1.

Table 4-1

 Command        Description
 -------        -----------
 activex        Blocks outbound ActiveX, Java applets, and other HTML object tags from outbound packets.
 url            Filters URL data from moving through the PIX.
 http           Filters HTTP URLs.
 except         Creates an exception to a previously stated filter condition.
 local_ip       The IP address before NAT (if any) is applied. Use 0 for all IP addresses.
 local_mask     The subnet mask of the local IP. Use 0 if 0 is used for the IP address.
 foreign_ip     The IP address of the lower security level host or network. Use 0 for all foreign IP addresses.
 foreign_mask   The subnet mask of the foreign IP. Use 0 if the foreign IP is 0.
 allow          When a server is unavailable, this lets outbound connections pass through the PIX without filtering.
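
The following Python example is added here and is not from the book or from Cisco. It parses the url-server and filter url lines shown above and reports what a reviewer would check: a fail-open allow keyword, except exemptions, a missing failover server, and the combined timeout. The host 10.1.1.60 and the timing model (each server tried once, in order) are assumptions made for the example.

```python
DEFAULT_TIMEOUT = 5  # seconds; the default stated in the text

def parse(config):
    """Return (servers, filters) from url-server / filter url lines."""
    servers, filters = [], []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["url-server"] and len(tok) >= 4 and tok[2] == "host":
            timeout = DEFAULT_TIMEOUT
            if "timeout" in tok[4:-1]:
                timeout = int(tok[tok.index("timeout", 4) + 1])
            servers.append({"interface": tok[1].strip("()"), "host": tok[3],
                            "timeout": timeout})
        elif tok[:2] == ["filter", "url"] and len(tok) >= 7:
            filters.append({"kind": tok[2],  # "http" or "except"
                            "local": tuple(tok[3:5]), "foreign": tuple(tok[5:7]),
                            "allow": "allow" in tok[7:]})
    return servers, filters

def audit(config):
    """Return review findings for a block of PIX URL-filtering lines."""
    servers, filters = parse(config)
    watched = [f for f in filters if f["kind"] == "http"]
    findings = []
    if watched and not servers:
        findings.append("filter url configured but no url-server defined")
    if len(servers) == 1:
        findings.append("single url-server: no failover")
    if any(f["allow"] for f in watched):
        findings.append("fail-open: 'allow' passes HTTP if no server answers")
    for f in filters:
        if f["kind"] == "except":
            findings.append("exempt from filtering: local %s/%s" % f["local"])
    if servers:
        # Simplification: each server is tried once, in order, for its timeout.
        findings.append("worst-case wait across servers: %ds"
                        % sum(s["timeout"] for s in servers))
    return findings

# Constructed samples: the three lines from the text, then a variant that
# adds 'allow' and an exception for a made-up host, 10.1.1.60.
BOOK = ("url-server (inside) host 10.1.1.51 timeout 30\n"
        "url-server (public) host 192.168.2.30\n"
        "filter url http 0 0 0 0")
VARIANT = BOOK + " allow\nfilter url except 10.1.1.60 255.255.255.255 0 0"

if __name__ == "__main__":
    for name, cfg in (("book", BOOK), ("variant", VARIANT)):
        print(name, audit(cfg))
```

Run against the book's three lines, the only finding is the 35-second combined timeout (30 plus the 5-second default); the variant additionally reports the fail-open rule and the exempted host.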
