Friday, August 17, 2007

PIX URL filtering

PIX/ASA firewalls can perform advanced (application-layer) protocol inspection for all the commonly used protocols. In this post I give an example of URL filtering that uses advanced HTTP inspection together with regular expressions.

Though the ASA can also do this with the optional CSC module, the CSC module has no provision for creating multiple profiles for different sets of users. The only differences between the ASA/PIX method and the CSC method (as far as HTTP functionality goes) are that the CSC module blocks websites based on site-content classifications, which are updated regularly from the internet, and that it can show a custom message to the user when it blocks a website.

Below is an example in which all users in the 'INSIDE' network can access only Google and all its services, but no other website. (Note that it can also be done the other way round, i.e., by blocking certain websites and allowing all others.)

! Regular expression that is matched against the HTTP Host header.
! Note: ".*google.*" matches any hostname that merely contains the string "google".
regex allow_google ".*google.*"
!
! Layer 3/4 class that selects all traffic on the interface.
class-map inside
 match any
!
! HTTP inspection class: matches requests whose Host header does NOT match the regex.
class-map type inspect http match-all url_filter
 match not request header host regex allow_google
!
! HTTP inspection policy: drop and log every connection matched by the class above.
policy-map type inspect http url_filter
 class url_filter
  drop-connection log
!
! Layer 3/4 policy that applies the HTTP inspection policy to all traffic.
policy-map inside
 class inside
  inspect http url_filter
!
! Activate the policy on the inside interface.
service-policy inside interface inside
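To see what the policy above actually permits and drops, here is an added example that is not part of the original post or any Cisco code: a small Python model of the inspection rule ("match not request header host regex" followed by "drop-connection") run over a few constructed HTTP requests. It assumes Python's re module is a fair stand-in for the ASA regex engine for these simple patterns, treats a request without a Host header as a non-match (and so a drop), and contrasts the post's ".*google.*" with an anchored pattern built by the hypothetical helper allow_regex_for(), which only accepts the listed domain and its subdomains.

```python
import re
from typing import Dict, List, Optional

# Added example, not from the post. Python's re module stands in for the ASA
# regex engine (assumption); the patterns below only use features both support
# (., *, ^, $, [], (), |, \.).
POST_REGEX = r".*google.*"   # the regex from the post


def allow_regex_for(domains: List[str]) -> str:
    """Build an anchored regex matching each listed domain and its subdomains.

    Unlike ".*google.*", the result does not match an unrelated hostname that
    merely contains the word "google" somewhere in its labels.
    """
    alternatives = "|".join(re.escape(d.lower()) for d in domains)
    return rf"^([a-z0-9-]+\.)*({alternatives})$"


def host_header(request: str) -> Optional[str]:
    """Return the Host header of a raw HTTP request, lower-cased, port removed."""
    for line in request.split("\r\n")[1:]:
        if line == "":                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]
    return None


def policy_action(request: str, allow_regex: str) -> str:
    """Return what the post's inspection policy would do with this request.

    The class-map matches when the Host header does NOT match the allow regex,
    and the policy-map then drops the connection. A missing Host header is
    treated as a non-match and therefore dropped (assumption).
    """
    host = host_header(request)
    if host is None or re.search(allow_regex, host) is None:
        return "drop-connection"
    return "permit"


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS: Dict[str, str] = {
    "www.google.com": "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "mail.google.com": "GET /mail/ HTTP/1.1\r\nHost: mail.google.com:443\r\n\r\n",
    "google.example.net": "GET / HTTP/1.1\r\nHost: google.example.net\r\n\r\n",
    "www.google.com.example.net": "GET / HTTP/1.1\r\nHost: www.google.com.example.net\r\n\r\n",
    "example.net": "GET / HTTP/1.1\r\nHost: example.net\r\n\r\n",
    "no-host-header": "GET / HTTP/1.0\r\n\r\n",
}


def evaluate(allow_regex: str) -> Dict[str, str]:
    """Run every sample request through the policy with the given allow regex."""
    return {name: policy_action(req, allow_regex) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    anchored = allow_regex_for(["google.com"])
    print('regex line for the ASA: regex allow_google "%s"' % anchored)
    for label, pattern in (("post's regex", POST_REGEX), ("anchored regex", anchored)):
        print(f"\n{label}: {pattern}")
        for name, action in evaluate(pattern).items():
            print(f"  {name:30} {action}")
```

Running it shows the difference that matters for a whitelist: with the post's regex, google.example.net and www.google.com.example.net are permitted because the Host header contains "google", while the anchored regex permits only google.com and its subdomains and drops everything else, including requests with no Host header at all. Google's services span more than one domain in practice, so the list passed to allow_regex_for() would need to be extended accordingly.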

I feel it should be possible to port Snort rules to PIX/ASA using regular expressions. The next post will probably have an example.

happy tweaking....