Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 5

 By Cisco Press

URL Filtering
You added URL filtering for monitoring, reporting, and restricting URL access. Cisco Systems and Websense, Inc. have formed a partnership for joint marketing and coordination of technical information on a product called Websense, which is used to control the sites that users are allowed to access. For example, Web sites classified as employment-related or violent can be blocked. Instructions on ordering Websense are included in the documentation of every PIX Firewall.

The PIX Firewall configuration for enabling URL filtering is very simple; the following three lines show it. The first line tells the PIX to allow or block URL access based on the information received from the Websense server on the inside interface at the IP address. Should a response to a request not be received within the timeout of 30 seconds set on this line, the next Websense server is queried. The default timeout is 5 seconds. The second line shows the failover Websense server, which is also the Web server on the public interface. The third line specifies that all HTTP requests will be watched. Multiple filter commands can be combined to refine what is monitored. The full syntax of the filter command is shown after the command lines.

url-server (inside) host timeout 30
url-server (public) host
filter url http 0 0 0 0

The full syntax of the filter command is as follows:

filter [activex http url] | except local_ip local_mask foreign_ip foreign_mask [allow]

The definitions of the parameters can be found in Table 4-1.

Table 4-1

Parameter     Description
------------  ------------------------------------------------------------------------
activex       Blocks ActiveX, Java applets, and other HTML object tags in outbound packets.
url           Filters URL data moving through the PIX.
http          Filters HTTP URLs.
except        Creates an exception to a previously stated filter condition.
local_ip      The IP address before NAT (if any) is applied. Use 0 for all IP addresses.
local_mask    The subnet mask of the local IP. Use 0 if 0 is used for the IP address.
foreign_ip    The IP address of the lower-security-level host or network. Use 0 for all foreign IP addresses.
foreign_mask  The subnet mask of the foreign IP. Use 0 if the foreign IP is 0.
allow         When a server is unavailable, lets outbound connections pass through the PIX without filtering.
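The semantics above (the 5-second default timeout, the failover order of url-server lines, and the fail-open behaviour of the allow keyword) are the things an administrator most often gets wrong when reviewing a PIX configuration. The following Python script is an added example, not code from the Cisco Press book or from Cisco; it parses url-server and filter lines in the forms the excerpt documents and reports the pitfalls a reviewer would look for: a filter url rule with no url-server to consult, a single url-server with nothing to fail over to, the allow keyword (traffic passes unfiltered whenever every Websense server is unreachable), and an except rule that covers every host. The sample configuration and its IP addresses are constructed placeholders, not values from the book, and the regular expressions accept only the command forms shown on this page.

```python
"""Audit PIX 'url-server' / 'filter' lines for URL-filtering pitfalls.

Added example, not part of the Cisco Press excerpt. It understands the
command forms documented there:
    url-server (<interface>) host <ip> [timeout <seconds>]
    filter url http|except local_ip local_mask foreign_ip foreign_mask [allow]
"""
import re
from typing import Dict, List, Tuple

# Default applied when a url-server line omits 'timeout', per the excerpt.
DEFAULT_TIMEOUT_SECONDS = 5

# Constructed sample configuration for this example; the server addresses
# are documentation placeholders, not values from the book.
SAMPLE_CONFIG = """\
url-server (inside) host 192.0.2.10 timeout 30
url-server (public) host 192.0.2.20
filter url http 0 0 0 0 allow
filter url except 10.0.0.5 255.255.255.255 0 0
"""

# Same configuration with the fail-open 'allow' keyword removed.
SAMPLE_CONFIG_HARDENED = SAMPLE_CONFIG.replace(" allow", "")

URL_SERVER_RE = re.compile(
    r"^url-server\s+\((?P<iface>\w+)\)\s+host\s+(?P<host>\S+)"
    r"(?:\s+timeout\s+(?P<timeout>\d+))?\s*$"
)
FILTER_RE = re.compile(
    r"^filter\s+(?P<kind>activex|url|http)(?:\s+(?P<mode>http|except))?"
    r"\s+(?P<lip>\S+)\s+(?P<lmask>\S+)\s+(?P<fip>\S+)\s+(?P<fmask>\S+)"
    r"(?:\s+(?P<allow>allow))?\s*$"
)


def parse_config(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Return (url_servers, filter_rules) parsed from PIX-style config text.

    Servers are kept in file order, which is also the order the PIX tries
    them when one does not answer within its timeout.
    """
    servers: List[Dict] = []
    rules: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and comments
            continue
        m = URL_SERVER_RE.match(line)
        if m:
            timeout = int(m["timeout"]) if m["timeout"] else DEFAULT_TIMEOUT_SECONDS
            servers.append({"interface": m["iface"], "host": m["host"], "timeout": timeout})
            continue
        m = FILTER_RE.match(line)
        if m:
            rules.append({
                "line": line,
                "kind": m["kind"],
                "mode": m["mode"] or "",
                "local_ip": m["lip"], "local_mask": m["lmask"],
                "foreign_ip": m["fip"], "foreign_mask": m["fmask"],
                "allow": m["allow"] is not None,
            })
    return servers, rules


def audit(text: str) -> List[str]:
    """Return human-readable findings for the pitfalls described in the lead-in."""
    servers, rules = parse_config(text)
    findings: List[str] = []
    needs_server = any(r["kind"] == "url" and r["mode"] != "except" for r in rules)
    if needs_server and not servers:
        findings.append("filter url rule present but no url-server defined; nothing can be consulted")
    if len(servers) == 1:
        findings.append("only one url-server defined; no failover if it stops answering")
    for r in rules:
        if r["allow"]:
            findings.append(f"fail-open: '{r['line']}' passes traffic unfiltered when all url-servers are down")
        if r["mode"] == "except" and r["local_ip"] == "0" and r["foreign_ip"] == "0":
            findings.append(f"exception covers every host: '{r['line']}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_CONFIG), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(f"[{label}] findings: {audit(cfg) or 'none'}")
```

Whether allow is right for a given site is a policy decision (availability versus enforcement); the point of the check is that the decision is visible in the review rather than buried in one trailing keyword.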
This article was originally published on Sep 27, 2001