Monday, 4 February 2013

Cisco IOS Local Content Filtering

Introduction

The Cisco IOS content filtering feature lets you block, log or allow HTTP requests passing through the router. It is a useful feature: traffic can be categorized (social networking, pornography, etc.) and filtered, which improves employee productivity and strengthens network security by blocking adware, malware, spyware and phishing sites. Cisco introduced this feature in IOS release 12.04(20)T.

Content filtering can be configured in two different ways on an IOS router:

1. Local content filtering: a local database of black and white lists on the router.
2. Subscription-based content filtering: the router communicates with an external content filtering server (Trend Micro, Websense or SmartFilter). You need to purchase a valid license from the vendor to do this.

[Note: Content filtering cannot work on HTTPS traffic.]

This document shows how to configure local content filtering on a Cisco IOS router.

When an end user requests a URL, the router checks the request against the content filtering service configured on it to decide whether to permit or deny the URL. Local content filtering has limited functionality compared with the Trend Micro content filtering service: the local database supports only 100 black- and white-list entries.


Prerequisites
  1. This configuration requires a Zone Based Firewall deployed on your router. For more info visit http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html
  2. Cisco IOS release 12.4(15)XZ or above.
  3. The Cisco IOS Advanced IP Services or Advanced Security image is required.
  4. For more info visit http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/prod_qas0900aecd804abb06.html

Configuration Tasks
  1. Parameter-map configuration to define the URL patterns.
  2. Class-map configuration to define the URL filtering classes.
  3. Policy-map configuration to allow or reset each class.
  4. Apply the policy map as a child policy of the Zone-Based Firewall security policy.

1. Configure parameter maps of type urlf-glob to define the patterns.

parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com

parameter-map type urlf-glob PERMITTEDSITES
 pattern *

2. Class map configuration to define URL filtering classes

class-map type urlfilter match-any BLOCKEDSITES
 match server-domain urlf-glob FACEBOOK
 match server-domain urlf-glob YOUTUBE

class-map type urlfilter match-any PERMITTEDSITES
 match server-domain urlf-glob PERMITTEDSITES

3. Policy map configuration

policy-map type inspect urlfilter CONTENT-FILTERING
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow

4. Apply policy-map configuration in Zone-Based firewall security policy.

You have to apply the URL filtering policy as a child policy (using the service-policy urlfilter command) of the zone-based firewall class that matches HTTP traffic.

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-ACCESS
  inspect
  service-policy urlfilter CONTENT-FILTERING

That completes the local content filtering configuration on a Cisco IOS router. Now try to connect to one of the blocked websites and check the result.
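To see how the objects from steps 1 to 3 combine into a per-request decision, here is an added Python model (not Cisco code and not part of the original post) that parses the parameter-map, class-map and policy-map text above and evaluates sample URLs against it. It assumes the semantics described in this post: a urlf-glob pattern is matched against the whole host name of the request with `*` as a wildcard, the classes in a policy map are tried in configured order and the first match decides, and HTTPS requests are never inspected. The config text embedded in the block is constructed to match this post's configuration; the fallback for a request that matches no class is an assumption and is marked as such.

```python
"""Added teaching model of the IOS local URL-filter decision; not Cisco's code."""
import fnmatch
from urllib.parse import urlsplit

# Constructed config text with the same content as steps 1-3 of the post.
IOS_CONFIG = """
parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com

parameter-map type urlf-glob PERMITTEDSITES
 pattern *

class-map type urlfilter match-any BLOCKEDSITES
 match server-domain urlf-glob FACEBOOK
 match server-domain urlf-glob YOUTUBE

class-map type urlfilter match-any PERMITTEDSITES
 match server-domain urlf-glob PERMITTEDSITES

policy-map type inspect urlfilter CONTENT-FILTERING
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow
"""


def parse_urlfilter_config(text):
    """Parse IOS-style text into (globs, classes, policies).

    globs: name -> [patterns]; classes: name -> {"mode", "globs"};
    policies: name -> ordered [{"class": name, "actions": [...]}].
    """
    globs, classes, policies = {}, {}, {}
    section = None  # (kind, name) of the block whose sub-commands follow
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["parameter-map", "type", "urlf-glob"]:
            section = ("glob", words[3])
            globs[words[3]] = []
        elif words[:3] == ["class-map", "type", "urlfilter"]:
            section = ("class", words[4])
            classes[words[4]] = {"mode": words[3], "globs": []}
        elif words[:4] == ["policy-map", "type", "inspect", "urlfilter"]:
            section = ("policy", words[4])
            policies[words[4]] = []
        elif section is None:
            continue
        elif section[0] == "glob" and words[0] == "pattern":
            globs[section[1]].append(words[1])
        elif section[0] == "class" and words[:3] == ["match", "server-domain", "urlf-glob"]:
            classes[section[1]]["globs"].append(words[3])
        elif section[0] == "policy" and words[:3] == ["class", "type", "urlfilter"]:
            policies[section[1]].append({"class": words[3], "actions": []})
        elif section[0] == "policy" and words[0] in ("allow", "reset", "log"):
            policies[section[1]][-1]["actions"].append(words[0])
    return globs, classes, policies


def host_matches_class(host, cls, globs):
    """Assumed semantics: each pattern is a glob over the whole host name."""
    patterns = [p for name in cls["globs"] for p in globs[name]]
    hits = [fnmatch.fnmatchcase(host, p) for p in patterns]
    return any(hits) if cls["mode"] == "match-any" else bool(hits) and all(hits)


def evaluate(url, globs, classes, policies, policy="CONTENT-FILTERING"):
    """Return (verdict, matching class, logged) for one request URL."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        # The policy hangs off the HTTP inspect class and the post notes that
        # HTTPS cannot be filtered, so the model leaves such requests alone.
        return "not-inspected", None, False
    host = (parts.hostname or "").lower()  # only the host is examined, never the path
    for entry in policies[policy]:         # classes are tried in configured order
        if host_matches_class(host, classes[entry["class"]], globs):
            verdict = "reset" if "reset" in entry["actions"] else "allow"
            return verdict, entry["class"], "log" in entry["actions"]
    # Assumption: with no matching class the request passes; the post's catch-all
    # PERMITTEDSITES class ('pattern *') makes this branch unreachable anyway.
    return "allow", None, False


def pattern_count(globs):
    """Total patterns in the local database; the post says it holds at most 100."""
    return sum(len(p) for p in globs.values())


if __name__ == "__main__":
    g, c, p = parse_urlfilter_config(IOS_CONFIG)
    print("patterns in use:", pattern_count(g), "of 100")
    for u in ("http://www.youtube.com/watch?v=abc", "http://facebook.com/",
              "http://example.com/facebook.com", "https://www.facebook.com/"):
        print(u, "->", evaluate(u, g, c, p))
```

Running it shows why both `facebook.com` and `*.facebook.com` are listed: the wildcard form does not match the bare domain. It also shows that only the host is examined, so `http://example.com/facebook.com` is permitted while any path under `www.youtube.com` is reset and logged, that an HTTPS request never reaches the policy, and that `pattern_count` lets you check the 100-entry limit of the local database before adding more parameter maps.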


Verification and Troubleshooting

You can use the following commands for verification and troubleshooting.
  • show class-map type urlfilter
  • show policy-map type inspect urlfilter
  • show parameter-map type urlf-glob
You can also monitor the blocked sites in your router logs. Below is an example:


For more information about IOS content filtering using Trend Micro services visit http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html 

9 comments:

  1. Hi Tony,

    The post at Cisco Support Community led me here. This is a great post, very useful.

    I have a question though: what if the URL is youtube.com/anythingthatfollows? Is it still filtered?

    Hope to hear from you soon. Thank you.

    Regards,
    Jemel

    Replies
    1. Hi Jemel,

      Thanks for your comment. About your question: no, we can't do that, because the urlf-glob pattern will accept only a top-level domain or child domain (the characters /, { and } are not allowed in a urlf-glob pattern). For example, you can either block 'http://example.com' or 'http://mail.example.com' but can't block the page 'http://example.com/doc/abcd'. Also remember this method cannot examine HTTPS sessions. I would recommend you use a proxy to achieve this task. I hope this helps.

      Regards,
      Tony
  2. Hi.
    This is a great and easy-to-read guide. Question: in your last section, when applying the service policy to the policy, you have class type inspect "http-access" but I don't see this ever defined earlier. Am I missing something? Thanks.

    Replies
    1. Hi,

      You need to have a ZBFW configured on your router in order to do this config. Refer to http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html
  3. Thanks for the information. Permission to keep it on this

    Netgear Router Technical Support
  4. I have a Cisco c881 router; how do I set this up?

  5. These are the settings:
    ----------------------------------------

    no ip source-route
    no ip gratuitous-arps
    !
    !
    !
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    !
    ip dhcp pool LAN FAB1 DHCP
    network 192.168.0.0 255.255.255.0
    default-router 192.168.0.1
    dns-server 1.1.1.1 1.0.0.1
    lease 7
    !
    !
    !
    no ip bootp server
    ip domain name grupoterrasul.local
    ip host www.facebook.com 10.10.10.10
    ip inspect audit-trail
    ip inspect udp idle-time 1800
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect name autosec_inspect ftp timeout 3600
    ip inspect name autosec_inspect http timeout 3600
    ip inspect name autosec_inspect rcmd timeout 3600
    ip inspect name autosec_inspect realaudio timeout 3600
    ip inspect name autosec_inspect smtp timeout 3600
    ip inspect name autosec_inspect tftp timeout 30
    ip inspect name autosec_inspect udp timeout 15
    ip inspect name autosec_inspect tcp timeout 3600
    ip cef
    no ipv6 cef
    !
    !
    license udi pid CISCO881-K9 sn FCZ173691FR
    !
    !
    archive
    log config
    logging enable
    object-group network obj-facebook.com
    !
    !
    !
    !
    class-map match-any url-bloquear-sites
    match protocol http host "*youtube*"
    match protocol http host "*facebook*"
    match protocol http host "*xvideos*"
    match protocol http host "*torrent*"
    match protocol http host "*badoo*"
    match protocol http host "*porn*"
    match protocol http host "*twitter*"
    match protocol http host "*bittorrent*"
    class-map match-all FACEBOOKBLOCK
    match protocol http host "www.facebook.com"
    match protocol secure-http
    !
    policy-map FACEBOOK.COM-POLICY
    class FACEBOOKBLOCK
    drop
    policy-map url-bloquearsites-policy
    class url-bloquear-sites
    drop
    !
    zone security inside
    zone security outside
    zone security dmz
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    service-policy input url-bloquearsites-policy
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    no ip address
    !
    interface FastEthernet3
    no ip address
    spanning-tree portfast
    !
    interface FastEthernet4
    description TVBACO FIBRA 20M
    ip address 192.168.100.77 255.255.255.0
    ip access-group autosec_firewall_acl in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect autosec_inspect out
    ip virtual-reassembly in
    ip verify unicast source reachable-via rx allow-default 100
    duplex auto
    speed auto
    service-policy input url-bloquearsites-policy
    !
    interface Vlan1
    description LAN FAB1
    ip address 192.168.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    no ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip dns server
    ip nat inside source list 1 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 192.168.100.1
    !
    ip access-list extended NAT_FILTERING
    ip access-list extended autosec_firewall_acl
    permit udp any any eq bootpc
    deny ip any any
    !
    logging trap debugging
    logging facility local2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 permit udp any any eq bootpc
    no cdp run
    !
  6. Securium Solutions is a cyber security services company that offers preventive measures to defend systems from cyber crimes and intelligent threats. We offer advanced solutions that can really bring effective results; some of the related technologies are penetration testing, network security, endpoint security and many more. We give intelligent solutions by which you can learn and perform the latest measures to keep your devices and information secure from being infected by different kinds of bugs and errors.