Websense and N2H2
The PIX can work with two types of filtering servers: Websense (www.websense.com) and N2H2 (www.n2h2.com). Websense is supported in PIX version 5.3 and later, and N2H2 support was added in version 6.2. PIX URL filtering is applied only to HTTP requests; for example, it does not perform any inspection of FTP links. (Although a URL of the form ftp://ftp.somedomain.com can be entered in a Web browser, it uses the FTP protocol, not HTTP.) The PIX also does not inspect HTTPS connections.
The steps to configure URL filtering are:
1. Specify the server to use for URL processing.
2. Tell the firewall the traffic to inspect—ports and IP addresses.
3. Optionally configure some server-specific parameters.
4. Configure filtering rules on the filtering server.
The command for specifying a filtering server for Websense is:
url-server (
www.syngress.com
[Figure 4.9 Interaction Among a Client, a Web Server, PIX, and a Filtering Server: the client's request "GET /goodpage.html HTTP/1.1 / Host: www.company.com" reaches the PIX; the PIX asks the filtering server "Permit?", the server answers "Yes", and the PIX forwards the same GET request to the Web server. The figure also labels a host www.mycompany.com.]
168 Chapter 4 • Advanced PIX Configurations
For example, the following command specifies that the PIX should use a server with IP address 10.0.0.1, which is located on the interface "inside," and connect to it using TCP Websense protocol version 4:
PIX1(config)# url-server (inside) host 10.0.0.1 protocol tcp version 4
Here, if_name is the interface on which the server is located; the default is the inside interface. local_ip is the IP address of the filtering server. The PIX uses timeout (default is 5 seconds) to decide how long it has to wait for a reply from the server until it gives up and switches to the next configured server, or takes the default action if there are no other servers available. It is possible to configure up to 16 servers, but they all must be of the same type; it is not possible to use both Websense and N2H2 filtering servers in the same configuration. The first server configured is the primary filtering server and is contacted first. The protocol type and version parameters specify the Websense protocol that should be used for communication with the server. It can be either TCP protocol version 1 (default) or 4, or UDP protocol version 4.
The N2H2 server is specified by the command:
url-server (if_name) vendor n2h2 host
[port
The meaning of the parameters is the same. The parameter vendor n2h2 states that the server is an N2H2 filtering server. It is possible to add the parameter vendor websense to the Websense server configuration, but it is assumed by default. N2H2 servers have only one communication protocol version available, so it is not specified. It is possible to configure the port to use for communication with the N2H2 server using the port_number parameter.
NOTE
If you switch the server type (that is, change from an N2H2 server to Websense or vice versa), all configuration of URL filtering is lost and will need to be re-entered.
The next task is to configure the filtering policy itself. The relevant command is:
filter url
This command specifies the port numbers on which HTTP connections should be inspected (with the default of port 80). local_ip and local_mask specify which local clients are subject to monitoring (that is, the requests by the machines from this network will be checked with the URL filtering server). The foreign_ip and foreign_mask parameters specify that only requests to a specific set of servers be checked. The allow parameter defines that the PIX should permit traffic through if it is unable to contact the primary URL filtering server. Finally, the proxy-block parameter specifies that all requests from any clients to proxy servers will be denied. For example, the following command defines that all HTTP requests to port 80 will be inspected:
PIX1(config)# filter url http 0 0 0 0
The following command configures inspection of all HTTP requests to port 8080 from clients on network 10.100.1.0/24 to any server and allows the requests to pass through in case a filtering server is unavailable:
PIX1(config)# filter url 8080 10.100.1.0 255.255.255.0 0 0 allow
Another variant of the filter command allows specifying that some traffic should be exempted from filtering. The syntax in this case is:
filter url except
When entered after the filter command, this command excludes the specified traffic from the policy. For example, the following sequence of commands means that all HTTP traffic to port 8080 will be inspected, excluding traffic from network 10.100.1.0/24:
PIX1(config)# filter url 8080 0 0 0 0
PIX1(config)# filter url except 10.100.1.0 255.255.255.0 0 0 allow
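The four steps above combined into one policy, as an added example that is not from the book: the backup server 10.0.0.2, the 10-second timeout, the client range 10.100.0.0/16 and the exempt subnet 10.100.2.0/24 are assumed values.

```text
! Steps 1 and 3: two Websense servers on the inside interface, primary first.
! Both must be the same vendor; timeout 10 (default 5) is how long the PIX
! waits for the primary before trying the second server (assumed addresses).
url-server (inside) vendor websense host 10.0.0.1 timeout 10 protocol tcp version 4
url-server (inside) vendor websense host 10.0.0.2 timeout 10 protocol tcp version 4
! Step 2: inspect HTTP on port 80 from every client in 10.100.0.0/16 to any
! destination. No "allow" keyword: if no server can be contacted, requests
! are not permitted through (fail closed) instead of passing unfiltered.
! proxy-block also denies requests sent to proxy servers, which would
! otherwise leave the PIX with only the proxy's address to check.
filter url http 10.100.0.0 255.255.0.0 0 0 proxy-block
! The default covers only port 80, so a second rule is needed for 8080.
filter url 8080 10.100.0.0 255.255.0.0 0 0 proxy-block
! Exemption entered after the filter url rules it narrows: the assumed
! monitoring subnet is not sent to the filtering server at all.
filter url except 10.100.2.0 255.255.255.0 0 0
! Step 4 (the category rules) is done on the Websense server, not here.
! FTP and HTTPS traffic is never inspected by this policy.
```

After entering the url-server lines, `show url-server` reports whether each configured server is reachable; check it before relying on a fail-closed policy, since an unreachable primary and backup will block all matching HTTP requests.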