Monday, 4 February 2013

Cisco IOS Local Content Filtering

Introduction

The Cisco IOS content filtering feature lets the router block, log or allow HTTP requests passing through it. Used with a subscription service it can filter traffic by category (social networking, pornography, etc.); used locally it filters against an explicit list of domains. Either way the goal is to raise employee productivity and improve network security by blocking adware, malware, spyware and phishing sites. Cisco introduced this feature in IOS release 12.4(20)T.

Content filtering can be configured in two different ways on an IOS router:

1. Local content filtering: a local blacklist and whitelist stored on the router.
2. Subscription-based content filtering: the router queries an external content filtering service (Trend Micro, Websense or SmartFilter). A valid license from the vendor is required.

[Note: Content filtering cannot inspect HTTPS traffic. The filter reads the host name from the cleartext HTTP request, which is encrypted inside a TLS session, so HTTPS requests to a blocked site pass through unfiltered.]

This document shows how to configure local content filtering on a Cisco IOS router. When an end user requests a URL, the router checks the request against the content filtering policy configured on it and decides whether to permit or deny the URL. Local content filtering offers limited functionality compared with the Trend Micro service: the local database supports only 100 blacklist and whitelist entries.


Prerequisites
  1. This configuration requires a Zone Based Firewall deployed on your router. For more info visit http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html
  2. Cisco IOS release 12.4(15)XZ or above.
  3. The Cisco IOS Advanced IP Services or Advanced Security image is required.
  4. For more info visit http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/prod_qas0900aecd804abb06.html 
Configuration Tasks
  1. Parameter-map configuration (type urlf-glob) to define the domain patterns.
  2. Class-map configuration (type urlfilter) to define the URL filtering classes.
  3. Policy-map configuration (type inspect urlfilter) to allow, log or reset each class.
  4. Apply the URL filtering policy map as a child policy of the zone-based firewall inspect policy.
1. Configuring parameter maps of type urlf-glob to define the patterns.

! Both the bare domain and its subdomains are listed for each site
parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com

! Catch-all pattern used for the permit class
parameter-map type urlf-glob PERMITTEDSITES
 pattern *

2. Class map configuration to define URL filtering classes

class-map type urlfilter match-any BLOCKEDSITES
 match server-domain urlf-glob FACEBOOK
 match server-domain urlf-glob YOUTUBE

class-map type urlfilter match-any PERMITTEDSITES
 match server-domain urlf-glob PERMITTEDSITES

3. Policy map configuration

Classes are evaluated top-down and the first match wins, so the blocked classes must come before the catch-all PERMITTEDSITES class.

policy-map type inspect urlfilter CONTENT-FILTERING
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow

4. Apply policy-map configuration in Zone-Based firewall security policy.

The URL filtering policy must be applied as a child policy (with the service-policy urlfilter command) under a zone-based firewall class that matches HTTP traffic; in the example below that class is HTTP-ACCESS, which is part of the zone-based firewall configuration from the prerequisites.

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-ACCESS
  inspect
  service-policy urlfilter CONTENT-FILTERING

That completes the local content filtering configuration on a Cisco IOS router. Now try to browse to one of the blocked websites and check the result.
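As an added example (not part of the original post), here is the whole configuration in one place, including the zone-based firewall pieces the steps above rely on but do not show, in particular the HTTP-ACCESS class. The interface names, the zone names INSIDE and OUTSIDE, the zone-pair name and the OTHER-TRAFFIC class are assumptions for illustration; adapt them to your router.

```cisco
! Assumed topology (example only): LAN on GigabitEthernet0/0, Internet on GigabitEthernet0/1
!
! 1. Security zones and interface membership
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! 2. Domain patterns: bare domain and subdomains listed for each site
parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com
!
parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com
!
parameter-map type urlf-glob PERMITTEDSITES
 pattern *
!
! 3. URL filtering classes
class-map type urlfilter match-any BLOCKEDSITES
 match server-domain urlf-glob FACEBOOK
 match server-domain urlf-glob YOUTUBE
!
class-map type urlfilter match-any PERMITTEDSITES
 match server-domain urlf-glob PERMITTEDSITES
!
! 4. URL filtering policy: first match wins, so the catch-all class goes last
policy-map type inspect urlfilter CONTENT-FILTERING
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow
!
! 5. Zone-based firewall classes. Only HTTP gets the URL filter as a child
!    policy. HTTPS is inspected as a plain TCP session and is NOT URL filtered
!    (the host name is inside the TLS session), so blocked sites remain
!    reachable over HTTPS with this configuration.
class-map type inspect match-any HTTP-ACCESS
 match protocol http
!
class-map type inspect match-any OTHER-TRAFFIC
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-ACCESS
  inspect
  service-policy urlfilter CONTENT-FILTERING
 class type inspect OTHER-TRAFFIC
  inspect
 class class-default
  drop log
!
! 6. Bind the inspect policy to the inside-to-outside zone pair
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
```

The class-default drop at the end is the usual zone-based firewall default; add further protocols to OTHER-TRAFFIC as your environment needs. Because the URL filter only sees the HTTP class, anything you allow through OTHER-TRAFFIC (HTTPS in particular) bypasses the blacklist entirely.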


Verification and Troubleshooting

You can use the commands below for verification and troubleshooting:
  • show parameter-map type urlf-glob
  • show class-map type urlfilter
  • show policy-map type inspect urlfilter
  • show policy-map type inspect zone-pair (per zone-pair session and packet counters, to confirm HTTP traffic is actually hitting the class that carries the URL filter)
Because the BLOCKEDSITES class has the log action, each blocked request also generates a syslog message, so you can monitor blocked sites in the router logs. Below is an example of such a log entry:


For more information about IOS content filtering using Trend Micro services visit http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html 

5 comments:

1. Hi Tony,

    The post at Cisco Support Community led me here. This is a great post, very useful.

    I have a question though: what if the URL is youtube.com/anythingthatfollows? Is it still filtered?

    Hope to hear from you soon. Thank you.

    Regards,
    Jemel

1. Hi Jemel,

      Thanks for your comment. About your question: no, we can't do that, because the urlf-glob pattern accepts only a top-level domain or a child domain (the characters /, { and } are not allowed in a urlf-glob pattern). For example, you can block either 'http://example.com' or 'http://mail.example.com', but you can't block the page 'http://example.com/doc/abcd'. Also remember that this method cannot examine HTTPS sessions. I would recommend using a proxy to achieve this task. I hope this helps.

      Regards,
      Tony

2. Hi.
    This is a great and easy to read guide. Question: in your last section, when applying the service policy to the policy, you have class type inspect "http-access", but I don't see this defined anywhere earlier. Am I missing something? Thanks.

    1. Hi,

      You need to have a ZBFW configured on your router in order to do this config. Refer http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html

3. Thanks for the information. Permission to keep it on this?

    Netgear Router Technical Support