Thursday, December 2, 2010

Web Filtering with Regular Expressions

I posted something similar to this a while back, but the intent of that post was to show how you could specify certain URLs and then drop everything else. That is sort of an odd setup, so I thought I would document something a little more common.

• In this design we turn on HTTP inspection, call out a few web sites with regular expressions, and drop any connection whose request matches - simple. Because the match statements in class-maps and policy-maps are so nested and a little confusing to decipher, I have laid out exactly what is being done to make all this work.



• Step 1 - The first thing we do is define the regular expressions. You give each one a name and add in the FQDN. Keep in mind that a bare dot in a regex matches any character, so write it as \. when you want the literal dot in the domain name.


• Step 2 - Next, create a regular expression class map called blacklist and add a match statement that points back at the regular expressions you defined a step ago. If later on you decide to add more sites to this "forbidden list", create them as you did in step 1 and then add them under the class map you created here in step 2.

• Step 3 - Now we're ready to put some intelligence into this setup. The key to this step is the "match request header" portion. This tells the ASA that you want to match the HTTP Host header against the regular expressions you defined - they're referenced as class "blacklist" from step 2. Note that only clear-text HTTP is inspected; the Host header of an HTTPS request is inside the TLS session, so this filter never sees it.


• Step 4 - Here we create a policy-map called black-regex. This is simply the action you want to take once all the criteria are met; in this case it's drop-connection.


• Step 5 - Now we define the global policy (if one does not already exist on the ASA). The statement class inspection_default brings in a bunch of other inspections that you may or may not want; the one we care about is defined as inspect http, where we reference black-regex.


• Step 6 - This is the most important step in the process. Here we put all of this into action by applying it on an interface. Since we are attempting to stop people on the inside from going to these sites, we apply it there.

This could be seen as the poor network engineer's web filter, or a way to kill YouTube the next time a celebrity dies and the entire office decides to suck up every last bit of available bandwidth...

Here are the commands in the illustration laid out for you to copy:


! xxy.com is a placeholder - use one regex per site you want to block.
! A bare dot matches any character; write a literal dot as \. (e.g. "xxy\.com").
regex forbid1 "xxy.com"
regex forbid2 "xxy.com"
!
class-map type regex match-any BLACKLIST
 match regex forbid1
 match regex forbid2
!
class-map type inspect http match-all BLACKMAP
 match request header host regex class BLACKLIST
!
policy-map type inspect http BLACK-REGEX
 parameters
 class BLACKMAP
  drop-connection
!
policy-map global_policy
 class inspection_default
  inspect http BLACK-REGEX
!
! Apply the policy either to one interface (step 6 applies it on the inside interface)
! or globally with: service-policy global_policy global
service-policy global_policy interface inside
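As an added example that is not part of the original post, the Python helper below generates the six-step configuration above for a list of FQDNs and simulates the match-any class-map against sample Host headers. It assumes the ASA regex engine honours the \. escape and the ^ and $ anchors listed in Cisco's regex documentation, and it uses Python's re module as a stand-in for that engine on these basic metacharacters; the site list is constructed sample data.

```python
import re

# Constructed sample block list; the post's own config uses the placeholder "xxy.com".
BLOCKED_SITES = ["xxy.com", "example.net"]


def asa_host_regex(fqdn: str) -> str:
    """Pattern for one ASA 'regex' entry matched against the Host header.

    Dots are escaped so they match literally, the pattern is anchored so it
    matches the site and its subdomains but not unrelated names that merely
    contain the string, and an optional :port suffix is tolerated.
    """
    literal = fqdn.replace(".", r"\.")
    return rf"(^|\.){literal}(:[0-9]+)?$"


def naive_pattern_matches(host_header: str, fqdn: str) -> bool:
    """The post's bare pattern (e.g. "xxy.com"): unescaped dot, no anchors."""
    return re.search(fqdn, host_header) is not None


def host_is_blocked(host_header: str, sites=BLOCKED_SITES) -> bool:
    """Simulate the match-any BLACKLIST class-map: drop if any regex matches."""
    return any(re.search(asa_host_regex(s), host_header) for s in sites)


def render_asa_config(sites=BLOCKED_SITES, interface="inside") -> str:
    """Emit the six-step configuration from the post for a list of FQDNs."""
    names = [f"forbid{i}" for i in range(1, len(sites) + 1)]
    lines = [f'regex {n} "{asa_host_regex(s)}"' for n, s in zip(names, sites)]
    lines += ["!", "class-map type regex match-any BLACKLIST"]
    lines += [f"match regex {n}" for n in names]
    lines += [
        "!",
        "class-map type inspect http match-all BLACKMAP",
        "match request header host regex class BLACKLIST",
        "!",
        "policy-map type inspect http BLACK-REGEX",
        "parameters",
        "class BLACKMAP",
        "drop-connection",
        "!",
        "policy-map global_policy",
        "class inspection_default",
        "inspect http BLACK-REGEX",
        "!",
        f"service-policy global_policy interface {interface}",  # step 6: inside interface
    ]
    return "\n".join(lines)
```

When typing a generated regex at the ASA prompt, press Ctrl+V before the ? so the CLI does not treat it as a help request; pasting the whole block from a file avoids the issue.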

Happy filtering!