Table Of Contents
Configuring Filter Rules
Filtering Overview
ActiveX Filtering Overview
Java Filtering Overview
URL Filtering Overview
FTP Filtering Overview
Filtering Configuration Summary
Configuring Filtering Rules
URL Filtering Servers
Add/Edit Parameters for Websense URL Filtering
Add/Edit Parameters for Secure Computing SmartFilter URL Filtering
Advanced URL Filtering
Filter Rules
Add/Edit Filter Rule
Filtering the Rule Table
Define Query
Browse Source/Destination/Service
Configuring Filter Rules
This chapter describes how to configure filtering rules, and contains the following sections:
• Filtering Overview
• Configuring Filtering Rules
Filtering Overview
This section describes how filtering can provide greater control over traffic passing through the FWSM. Filtering can be used in two ways:
• Filtering ActiveX objects or Java applets
• Filtering URLs with an external filtering server
Instead of blocking access altogether, you can remove specific undesirable objects from HTTP traffic, such as ActiveX objects or Java applets, that may pose a security threat in certain situations.
You can also use URL filtering to direct specific traffic to an external filtering server, such as a Secure Computing SmartFilter (formerly N2H2) or Websense filtering server. Filtering servers can block traffic to specific sites or types of sites, as specified by the security policy.
Because URL filtering is CPU-intensive, using an external filtering server ensures that the throughput of other traffic is not affected. However, depending on the speed of your network and the capacity of your URL filtering server, the time required for the initial connection may be noticeably slower when filtering traffic with an external filtering server.
This section includes the following topics:
• ActiveX Filtering Overview
• Java Filtering Overview
• URL Filtering Overview
• FTP Filtering Overview
• Filtering Configuration Summary
ActiveX Filtering Overview
ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.
The ActiveX filter rule blocks the HTML <object> commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.
Caution 
This command also blocks any Java applets, image files, or multimedia objects that are embedded in object tags.
If the <object> or </object> HTML tags are split across network packets, or if the code in the tags is longer than the number of bytes in the MTU, the FWSM cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command.
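The following Python model of the tag filter described above is an added example, not Cisco code: it comments out top-level <applet> (Java) and <object> (ActiveX) blocks, handles nested tags by commenting only the outermost pair, and contrasts per-packet filtering with filtering over the reassembled stream to show why the split-packet limitation matters. The sample HTML and the clsid value are constructed placeholders.

```python
import re

# Added example: a model of the FWSM ActiveX/Java tag filter, not Cisco code.
# <applet> covers the Java filter; <object> covers the ActiveX filter.
TAG_RE = re.compile(r"</?(applet|object)\b[^>]*>", re.IGNORECASE)


def comment_out_objects(html):
    """Wrap each top-level <applet>/<object> ... </...> block in an HTML comment.

    Nested applet/object tags are handled by commenting only the outermost
    pair: HTML comments do not nest, and the browser skips the whole region.
    Everything embedded inside the block (images, media, inner applets) is
    blocked too, which is the Caution given in the section above.
    """
    out, depth, pos = [], 0, 0
    for m in TAG_RE.finditer(html):
        if not m.group(0).startswith("</"):      # opening tag
            if depth == 0:
                out.append(html[pos:m.start()])
                out.append("<!-- ")
                pos = m.start()
            depth += 1
        elif depth > 0:                           # closing tag of an open block
            depth -= 1
            if depth == 0:
                out.append(html[pos:m.end()])
                out.append(" -->")
                pos = m.end()
    out.append(html[pos:])
    return "".join(out)


def filter_per_packet(packets):
    """Filter each packet on its own, as a device that does not reassemble
    the stream does. A tag split across two packets is never seen whole and
    survives; this is the limitation stated in the section above."""
    return "".join(comment_out_objects(p) for p in packets)


def filter_reassembled(packets):
    """Reassemble the stream first, then filter. A proxy or any inspector
    that buffers the full response can close the split-tag gap this way."""
    return comment_out_objects("".join(packets))


# Constructed sample page; the clsid is a placeholder, not a real control.
SAMPLE_HTML = (
    "<html><body><p>hello</p>"
    "<object classid='clsid:PLACEHOLDER'><param name='x' value='1'>"
    "<object data='inner.swf'></object></object>"
    "<applet code='Demo.class'></applet></body></html>"
)

if __name__ == "__main__":
    print(comment_out_objects(SAMPLE_HTML))
```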
Java Filtering Overview
Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network.
A Java filter rule filters out Java applets that return to the FWSM from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute.
URL Filtering Overview
You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use access lists to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve FWSM performance by using a separate server running one of the following Internet filtering products:
• Websense Enterprise for filtering HTTP, HTTPS, and FTP.
• Secure Computing SmartFilter (formerly N2H2) for filtering HTTP and long URL filtering.
Although FWSM performance is less affected when using an external server, users may notice longer access times to websites or FTP servers when the filtering server is remote from the FWSM.
When filtering is enabled and a request for content is directed through the FWSM, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the FWSM forwards the response from the content server to the originating client. If the filtering server denies the connection, the FWSM drops the response and sends a message or return code indicating that the connection was not successful.
If user authentication is enabled on the FWSM, then the FWSM also sends the username to the filtering server. The filtering server can use username filtering settings or provide enhanced reporting regarding usage.
FTP Filtering Overview
When the filtering server approves an FTP connection request, the FWSM allows the successful FTP return code to reach the originating client. For example, a successful return code is "250: CWD command successful." If the filtering server denies the request, the FWSM alters the FTP return code to show that the connection was denied. For example, the FWSM changes code 250 to "550 Requested file is prohibited by URL filtering policy."
Filtering Configuration Summary
The following summarizes the procedure for enabling filtering with an external filtering server.
Step 1: Go to Configuration > Firewall > URL Filter Servers to specify an external filtering server. See URL Filtering Servers.
Step 2: (Optional) Buffer responses from the content server. See Advanced URL Filtering.
Step 3: (Optional) Cache content server addresses to improve performance. See Advanced URL Filtering.
Step 4: Go to Configuration > Firewall > Filter Rules to configure filter rules. See Filter Rules.
Step 5: Configure the external filtering server. For more information, refer to the following websites:
• http://www.websense.com
• http://www.securecomputing.com
Configuring Filtering Rules
This section describes all the windows associated with filter rules, and includes the following topics:
• URL Filtering Servers
• Advanced URL Filtering
• Filter Rules
• Filtering the Rule Table
• Define Query
• Browse Source/Destination/Service
URL Filtering Servers
The URL Filtering Servers pane lets you specify the external filter server to use. You can identify up to four of the same type of filtering servers per context. In single mode a maximum of 16 of the same type of filtering servers are allowed. The FWSM uses the servers in order until a server responds. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.
Note
You must add the filtering server before you can configure filtering for HTTP, HTTPS, or FTP filtering rules.
Fields
The URL Filtering Server Type area contains the following fields:
• Websense—Enables the Websense URL filtering servers.
• Secure Computing SmartFilter—Enables the Secure Computing SmartFilter URL filtering server.
• Secure Computing SmartFilter Port—Specifies the Secure Computing SmartFilter port. The default is 4005.
The URL Filtering Servers area contains the following fields:
• Interface—Displays the interface connected to the filtering server.
• IP Address—Displays the IP address of the filtering server.
• Timeout—Displays the number of seconds after which the request to the filtering server times out.
• Protocol—Displays the protocol used to communicate with the filtering server.
• TCP Connections—Displays the maximum number of TCP connections allowed for communicating with the URL filtering server.
• Add—Adds a new filtering server, depending on whether you have selected Websense or Secure Computing SmartFilter. See the following topics for more information:
  – Add/Edit Parameters for Websense URL Filtering
  – Add/Edit Parameters for Secure Computing SmartFilter URL Filtering
• Insert Before—Adds a new filtering server in a higher priority position than the currently selected server.
• Insert After—Adds a new filtering server in a lower priority position than the currently selected server.
• Edit—Lets you modify parameters for the selected filtering server.
• Delete—Deletes the selected filtering server.
You can perform the following actions on this pane:
• Advanced—Displays advanced filtering parameters, including buffering, caching, and long URL support.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
For More Information
Advanced URL Filtering
Filter Rules
Add/Edit Parameters for Websense URL Filtering
• Interface—Specifies the interface on which the URL filtering server is connected.
• IP Address—Specifies the IP address of the URL filtering server.
• Timeout—Specifies the number of seconds after which the request to the filtering server times out.
• Protocol area
  – TCP 1—Uses TCP Version 1 for communicating with the Websense URL filtering server.
  – TCP 4—Uses TCP Version 4 for communicating with the Websense URL filtering server.
  – UDP 4—Uses UDP Version 4 for communicating with the Websense URL filtering server.
• TCP Connections—Specifies the maximum number of TCP connections allowed for communicating with the URL filtering server.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
Add/Edit Parameters for Secure Computing SmartFilter URL Filtering
• Interface—Specifies the interface on which the URL filtering server is connected.
• IP Address—Specifies the IP address of the URL filtering server.
• Timeout—Specifies the number of seconds after which the request to the filtering server times out.
• Protocol area
  – TCP—Uses TCP for communicating with the Secure Computing SmartFilter URL filtering server.
  – UDP—Uses UDP for communicating with the Secure Computing SmartFilter URL filtering server.
• TCP Connections—Specifies the maximum number of TCP connections allowed for communicating with the URL filtering server.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
Advanced URL Filtering
Fields
URL Cache Size area
After a user accesses a site, the filtering server can allow the FWSM to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the FWSM does not need to consult the filtering server again.
Note
Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports.
• Enable caching based on—Enables caching based on the specified criteria.
  – Destination Address—Caches entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.
  – Source/Destination Address—Caches entries based on both the source address initiating the URL request and the URL destination address. Select this mode if users do not share the same URL filtering policy on the server.
  – Cache size—Specifies the size of the cache.
URL Buffer Size area
When a user issues a request to connect to a content server, the FWSM sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This delays the web server response from the point of view of the web client because the client must reissue the request.
By enabling the HTTP response buffer, replies from web content servers are buffered and the responses are forwarded to the requesting client if the filtering server allows the connection. This prevents the delay that might otherwise occur.
• Enable buffering—Enables request buffering.
  – Number of 1550-byte buffers—Specifies the number of 1550-byte buffers. Valid values are from 1 to 128.
Long URL Support area
By default, the FWSM considers an HTTP URL to be a long URL if it is greater than 1159 characters. For Websense servers, you can increase the maximum length allowed.
• Use Long URL—Enables long URLs for Websense filtering servers.
• Maximum Long URL Size—Specifies the maximum URL length allowed, up to a maximum of 4 KB.
• Memory Allocated for Long URL—Specifies the memory allocated for long URLs.
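The following Python model is an added example (not Cisco code) of the URL-filtering flow from the Filtering Overview together with the cache and buffer behaviour described in this section: the request goes to the content server and the filtering server at once, a content reply that beats the verdict is held in 1550-byte buffers or dropped, and permitted destinations may be cached per destination or per source/destination, in which case no lookup and no log entry occurs. The policy function, addresses and class name are constructed for the example.

```python
from collections import OrderedDict

BUFFER_BYTES = 1550   # size of one response buffer, as in the URL Buffer Size area


class UrlFilterPipeline:
    """Model of the FWSM URL-filtering flow (added example, not Cisco code).

    verdict_fn(src, dst, url) stands in for the Websense/SmartFilter server and
    returns (allowed, cacheable); cacheable means the server lets the FWSM cache
    the address because every site hosted there is permitted at all times.
    cache_mode is None, "dst" (Destination Address) or "src_dst"
    (Source/Destination Address); buffers is the number of 1550-byte buffers,
    0 meaning the HTTP response buffer is disabled.
    """

    def __init__(self, verdict_fn, cache_mode=None, cache_size=0, buffers=0):
        self.verdict_fn = verdict_fn
        self.cache_mode = cache_mode
        self.cache_size = cache_size
        self.cache = OrderedDict()      # LRU of permitted destinations
        self.buffers = buffers
        self.filter_log = []            # lookups the filtering server saw (reportable)

    def _cache_key(self, src, dst):
        if self.cache_mode == "dst":
            return dst
        if self.cache_mode == "src_dst":
            return (src, dst)
        return None

    def handle(self, src, dst, url, reply, verdict_first):
        """Process one request. reply is the content server's response body;
        verdict_first tells whether the filtering server answered before it.
        Returns ("forward", reply) or ("drop", reason)."""
        key = self._cache_key(src, dst)
        if key is not None and key in self.cache:
            # Cached address: the filtering server is not consulted, so this
            # request never appears in its logs or reports (see the Note above).
            self.cache.move_to_end(key)
            return ("forward", reply)

        # Request goes to the content server and filtering server in parallel.
        self.filter_log.append((src, dst, url))
        allowed, cacheable = self.verdict_fn(src, dst, url)

        if not verdict_first:
            # Content reply arrived first. Hold it if enough buffers exist;
            # otherwise it is dropped and the client has to reissue the request.
            needed = -(-len(reply) // BUFFER_BYTES)     # ceiling division
            if needed > self.buffers:
                return ("drop", "reply arrived before verdict and could not be buffered")

        if not allowed:
            return ("drop", "denied by URL filtering policy")

        if key is not None and cacheable and self.cache_size > 0:
            self.cache[key] = True
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)          # evict least recently used
        return ("forward", reply)


def sample_policy(src, dst, url):
    """Constructed stand-in for the external filtering server's policy."""
    if dst == "203.0.113.9":
        return (False, False)     # blocked category, never cacheable
    return (True, True)           # permitted at all times, so cacheable


if __name__ == "__main__":
    p = UrlFilterPipeline(sample_policy, cache_mode="dst", cache_size=2, buffers=4)
    print(p.handle("10.1.1.5", "198.51.100.7", "http://198.51.100.7/", b"x" * 3000, False))
    print(p.handle("10.1.1.6", "198.51.100.7", "http://198.51.100.7/a", b"y" * 10, True))
    print(len(p.filter_log), "lookup(s) logged")
```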
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
Filter Rules
The Filter Rules pane displays configured filter rules and provides options for adding new filter rules or modifying existing rules. A filter rule specifies the type of filtering to apply and the kind of traffic to which it should be applied.
Note
Before you can add an HTTP, HTTPS, or FTP filter rule, you must enable a URL filtering server. To enable a URL filtering server, use the Configuration > Firewall > URL Filtering Servers pane. For more information see Filtering Overview.
Fields
• No—Numeric identifier of the rule. Rules are applied in numeric order.
• Source—Source host or network to which the filtering action applies.
• Destination—Destination host or network to which the filtering action applies.
• Service—Identifies the protocol or service to which the filtering action applies.
• Action—Type of filtering action to apply.
• Options—Indicates the options that have been enabled for the specific action.
• Add—Displays the types of filter rules you can add. Clicking the rule type opens the Add Filter Rule dialog box for the specified filter rule type.
  – Add Filter ActiveX Rule
  – Add Filter Java Rule
  – Add Filter HTTP Rule
  – Add Filter HTTPS Rule
  – Add Filter FTP Rule
• Edit—Displays the Edit Filter Rule dialog box for editing the selected filtering rule.
• Delete—Deletes the selected filtering rule.
• Cut—Lets you cut a filter rule and place it elsewhere.
• Copy—Lets you copy a filter rule.
• Paste—Lets you paste a filter rule elsewhere.
• Find—Lets you search for a filter rule. Clicking this button brings up an extended toolbar. See Filtering the Rule Table for more information.
• Rule Diagram—Toggles the display of the Rule Diagram.
• Packet Trace—Launches the Packet Tracer utility.
• Use the Addresses tab to select the source of the filter rule you are defining.
  – Type—Lets you select a source from the drop-down menu, choosing from All, IP Address Objects, IP Names, or Network Object groups.
  – Name—Lists the name(s) of the filter rule.
  – Add—Lets you add a filter rule.
  – Edit—Lets you edit a filter rule.
  – Delete—Lets you delete a filter rule.
  – Find—Lets you find a filter rule.
• Use the Services tab to select a predefined filter rule.
  – Type—Lets you select a source from the drop-down menu, choosing from All, IP Address Objects, IP Names, or Network Object groups.
  – Name—Lists the name(s) of the filter rule.
  – Edit—Lets you edit a filter rule.
  – Delete—Lets you delete a filter rule.
  – Find—Lets you find a filter rule.
• Use the Time Ranges tab to select a time range for the filter rule.
  – Add—Lets you add a time range for the filter rule.
  – Edit—Lets you edit a time range for the filter rule.
  – Delete—Lets you delete a time range for a filter rule.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
Add/Edit Filter Rule
Use the Add Filter Rule dialog box to specify the interface on which the rule applies, to identify the traffic to which it applies, or to configure a specific type of filtering action.
Note
Before you can add an HTTP, HTTPS, or FTP filter rule, you must enable a URL filtering server. To enable a URL filtering server, use the Features > Configuration > Properties > URL Filtering screen. For more information see Filtering Overview.
Fields
• Action—Provides the following drop-down list of different filtering actions to apply (the actions displayed depend upon the type of filter rule being created or edited):
  – Filter ActiveX
  – Do not filter ActiveX
  – Filter Java Applet
  – Do not filter Java Applet
  – Filter HTTP (URL)
  – Do not filter HTTP (URL)
  – Filter HTTPS
  – Do not filter HTTPS
  – Filter FTP
  – Do not filter FTP
• Source—Enter the source of the traffic to which the filtering action applies. You can enter the source in one of the following ways:
  – any—Enter "any" (without quotation marks) to indicate any source address.
  – name—Enter a hostname.
  – address/mask—Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
  – ...—Opens the Browse Source dialog box. You can select a host or address from the list.
• Destination—Identifies the destination of the traffic to which the filtering action applies. You can enter the destination in one of the following ways:
  – any—Enter "any" (without quotation marks) to indicate any destination address.
  – name—Enter a hostname.
  – address/mask—Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
  – ...—Opens the Browse Destination dialog box. You can select a host or address from the list.
• Service—Identifies the service of the traffic to which the filtering action applies. You can enter the service in one of the following ways:
  – tcp/port—The port number can be from 1 to 65535. Additionally, you can use the following modifiers with the TCP service:
    !=—Not equal to. For example, !=tcp/443.
    <—Less than. For example, <tcp/2000.
    >—Greater than. For example, >tcp/2000.
    - —Range. For example, tcp/2000-3000.
  – name—Enter a well-known service name, such as http or ftp.
  – ...—Opens the Browse Service dialog box. You can select a service from the list.
• HTTP Options—This area appears only for HTTP filter rules.
  – When URL exceeds maximum permitted size—Select the action to take when the URL exceeds the specified size. You can choose to truncate the URL or block the traffic.
  – Allow outbound traffic if URL server is not available—When enabled, if the URL filtering server is down or connectivity is interrupted to the FWSM, users will be able to connect without URL filtering being performed. If this is disabled, users will not be able to connect to Internet websites when the URL server is unavailable.
  – Block users from connecting to an HTTP proxy server—Prevent HTTP requests made through a proxy server.
  – Truncate CGI parameters from URL sent to URL server—The FWSM forwards only the CGI script location and the script name, without any parameters, to the filtering server.
• HTTPS Options—This area appears only when you select the Filter HTTPS option from the drop-down list.
  – Allow outbound traffic if URL server is not available—When enabled, if the URL filtering server is down or connectivity is interrupted to the FWSM, users will be able to connect without URL filtering being performed. If this is disabled, users will not be able to connect to Internet websites when the URL server is unavailable.
• FTP Options—This area appears only when you select the Filter FTP option from the drop-down list.
  – Allow outbound traffic if URL server is not available—When enabled, if the URL filtering server is down or connectivity is interrupted to the FWSM, users will be able to connect without URL filtering being performed. If this is disabled, users will not be able to connect to Internet websites when the URL server is unavailable.
  – Block interactive FTP sessions (block if absolute FTP path is not provided)—When enabled, FTP requests are dropped if they use a relative path name to the FTP directory.
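As an added example (not Cisco code), this Python parser and matcher implements the Source, Destination and Service syntax described above: any, a name, address/mask in CIDR or dotted-decimal form, well-known service names, and tcp/port with the !=, <, > and range modifiers; rules are then applied in numeric order as the No field states. The IP name table, the well-known service table and the sample rules are constructed for the example.

```python
import ipaddress
import re

# Constructed stand-ins for the dialog's object tables (not from the document).
WELL_KNOWN_SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ftp": ("tcp", 21)}
IP_NAMES = {"webproxy": "10.1.1.50"}   # hypothetical IP Names entry

# Service syntax: optional modifier, tcp|udp, port, optional -port range.
SERVICE_RE = re.compile(r"^(?P<op>!=|<|>)?(?P<proto>tcp|udp)/(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


def parse_address(text):
    """'any', an IP name, or address/mask in CIDR or dotted-decimal form."""
    text = text.strip()
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text in IP_NAMES:
        return ipaddress.ip_network(IP_NAMES[text])   # single host, /32
    # ip_network accepts 10.1.1.0/24 and 10.1.1.0/255.255.255.0 alike;
    # strict=False tolerates host bits set in the address part.
    return ipaddress.ip_network(text, strict=False)


def parse_service(text):
    """Return (proto, port_predicate) for a well-known name or the tcp/port
    form with the !=, <, > and range modifiers the Service field accepts."""
    text = text.strip().lower()
    if text in WELL_KNOWN_SERVICES:
        proto, port = WELL_KNOWN_SERVICES[text]
        return proto, lambda p: p == port
    m = SERVICE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported service syntax: {text}")
    proto, op, lo = m["proto"], m["op"], int(m["lo"])
    hi = int(m["hi"]) if m["hi"] else None
    for v in (lo, hi):
        if v is not None and not 1 <= v <= 65535:
            raise ValueError(f"port out of range 1-65535: {v}")
    if hi is not None:
        if op:
            raise ValueError("a modifier cannot be combined with a range")
        return proto, lambda p: lo <= p <= hi
    ops = {"!=": lambda p: p != lo, "<": lambda p: p < lo,
           ">": lambda p: p > lo, None: lambda p: p == lo}
    return proto, ops[op]


class FilterRule:
    """One row of the Filter Rules table: No, Action, Source, Destination, Service."""

    def __init__(self, no, action, source, destination, service):
        self.no, self.action = no, action
        self.src, self.dst = parse_address(source), parse_address(destination)
        self.proto, self.port_ok = parse_service(service)

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and proto == self.proto and self.port_ok(dport))


def lookup(rules, src_ip, dst_ip, proto, dport):
    """Rules are applied in numeric order (the No field); the first match
    decides the action. None means no filter rule covers the flow."""
    for rule in sorted(rules, key=lambda r: r.no):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return None


# Constructed sample rule table (not from the document).
SAMPLE_RULES = [
    FilterRule(1, "Do not filter HTTP (URL)", "10.1.1.0/24", "webproxy", "http"),
    FilterRule(2, "Filter HTTP (URL)", "10.1.1.0/255.255.255.0", "any", "tcp/80"),
    FilterRule(3, "Filter HTTPS", "any", "any", "tcp/443"),
]
```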
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
Filtering the Rule Table
It can be difficult to find a specific rule if your rule table contains a lot of entries. You can apply a filter to the rule table to show only the rules specified by the filter. To filter the rule table, perform the following steps:
Step 1: Click Find in the toolbar. The Filter toolbar appears.
Step 2: Select the type of filter from the filter list:
• Source—Displays rules based on the specified source address or hostname.
• Destination—Displays rules based on the specified destination address or hostname.
• Source or Destination—Displays rules based on the specified source or destination address or hostname.
• Service—Displays rules based on the specified service.
• Rule Type—Displays rules based on the specified rule type.
• Query—Displays rules based on a complex query comprising source, destination, service, and rule type information.
Step 3: For Source, Destination, Source or Destination, and Service filters, perform the following steps:
  a. Select the match criteria from the list. Select "is" (without the quotes) for exact string matches or select "contains" for partial string matches.
  b. Enter the string to match using one of the following methods:
    – Type the source, destination, or service name into the condition field.
    – Click ... to open a browse dialog from which you can select existing services, IP addresses, or host names.
Step 4: For the Rule Type filter, select the rule type from the list.
Step 5: For Query filters, click Define Query and configure the complex query. For more information about configuring the complex query, see Browse Source/Destination/Service.
Step 6: To apply the filter to the rule table, click Filter.
Step 7: To clear the filter from the rule table and display all rule entries, click Clear.
Define Query
The Define Query dialog box lets you define a rule table filter based on multiple criteria, such as source, destination, service, and rule type.
Once you create the query and click OK, the filter is immediately applied to the rule table. You can clear the filter by clicking Clear.
Fields
• Source—IP address or host name of the source. Choose "is" for an exact match or choose "contains" for a partial match. Click ... to open up a selection dialog. You can specify a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them by commas (,).
• Destination—IP address or host name of the destination. Choose "is" for an exact match or choose "contains" for a partial match. Click ... to open up a selection dialog. You can specify a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them by commas (,).
• Source or Destination—IP address or host name of the source or destination. Choose "is" for an exact match or choose "contains" for a partial match. Click ... to open up a selection dialog. You can specify a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them by commas (,).
• Service—The protocol/port or name of a service. Choose "is" for an exact match or choose "contains" for a partial match. Click ... to open up a selection dialog. You can specify multiple services by separating them by commas (,).
• Rule Type—Select the rule type from the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
For More Information
Filtering the Rule Table
Browse Source/Destination/Service
The Browse Source/Destination/Service dialog box lets you select from existing IP address, name, or service objects.
Fields
• Add—Click to add a new IP address, name, or service object.
• Edit—Click to edit an existing IP address, name, or service object.
• Filter/Clear—Enter a string by which to filter the information shown in the dialog box. Click Filter to apply the filter to the information shown in the dialog box. Click Clear to remove the filter and display all objects.
• Type—Organizes the objects shown into types, such as IP Names, IP Address Objects, and so on.
• Name—The name of the object. For services, it is the service name; for IP Address objects, it is the IP address; for IP name objects, it is the host name.
• IP Address—The IP address of the address object.
• Netmask—The network mask of the address object.
• Protocol—The network protocol used by the service (such as tcp, udp, or icmp).
• Source Ports—The source port used by the service.
• Destination Ports—The destination port used by the service.
• ICMP Type—The ICMP type (for example 9, which is a router advertisement).
• Description (optional)—Specifies a description for the object.
• Source/Destination/Service button—Click this to add the address or service object to the filter rule or query.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | • | • | • | —
For More Information
Filter Rules
Filtering Overview