Filtering Web Traffic
Although generally the most attention is paid to the protection of internal servers or
clients from outside malicious attempts (the main purpose of ACLs), it is sometimes
important to monitor and filter outbound traffic generated by users. One
reason for content filtering is if you want to use your firewall to enforce security
policies such as an acceptable use policy, which could specify that internal
users may not use the company's Internet connection to browse certain categories
of Web sites. There are many solutions for accomplishing this goal, but the most
general one is URL filtering, in which the firewall passes each request for HTTP
content to a filtering server, which can approve the request or deny access to it.
The firewall then acts accordingly: If the request is approved, it is forwarded to
the outside server and the requestor receives the asked-for content; if not, either the
request is silently dropped or the user is redirected to a page telling him or her
that the request breaches corporate policy.
www.syngress.com
166 Chapter 4 • Advanced PIX Configurations
Another reason for filtering is to deal with "active content" such as ActiveX
or Java applets. This could be important in order to protect internal users from
malicious Web servers that embed these executable applets in their Web pages,
because such executable content can contain viruses or Trojan horses. The most
general solution is content filtering, which scans incoming applets for viruses and
denies them when something wrong is found. Unfortunately, the PIX does not
support this general solution, and the only thing you can do with it is to filter all
active content from incoming Web pages.
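
Both mechanisms described above, as a PIX configuration sketch. This is an added example, not configuration taken from the book. The filtering-server address 192.168.1.10, the interface name inside, and the 5-second timeout are assumptions chosen for illustration.

```cisco
: --- URL filtering: hand each outbound HTTP request to a filtering server ---
: Assumed: the filtering server sits on the inside interface at 192.168.1.10
: and the PIX waits 5 seconds for its verdict.
url-server (inside) host 192.168.1.10 timeout 5

: Filter HTTP from any inside host (0 0) to any outside host (0 0).
: Without the trailing "allow" keyword, requests are denied when the
: filtering server is unreachable (fail closed). Appending "allow" lets
: traffic through unfiltered during an outage (fail open), which trades
: policy enforcement for availability.
filter url http 0 0 0 0

: --- Active content: the PIX cannot scan applets, only remove them ---
: Strip ActiveX objects and Java applets from HTTP responses on port 80
: for all inside hosts talking to all outside hosts.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
```

The `filter activex` and `filter java` lines remove all such content on the stated port regardless of whether it is malicious, so sites that depend on applets will break for the covered hosts.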