Friday, August 17, 2007

PIX URL filtering

PIX/ASA firewalls can perform advanced protocol inspection, and this applies to all popular protocols. In this post, I give an example of URL filtering using advanced HTTP inspection with regular expressions.

Though the ASA has the option of a CSC module to do the same, there is no provision for creating multiple profiles for different sets of users. The only differences between the ASA/PIX method and the CSC method (as far as HTTP functionality goes) are that the CSC module blocks websites based on site content classifications, which are updated regularly from the internet, and that it can show a custom message to the user when it blocks a website.

Below is an example in which all users in the 'INSIDE' network can access only 'GOOGLE' and all its services, but no other website. (Note that it can be done the other way around, i.e., by blocking certain websites and allowing all others.)
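*************************************
! Host header values that contain "google"
regex allow_google ".*google.*"

! Layer 3/4 class: all traffic
class-map inside
 match any

! HTTP class: requests whose Host header does NOT match the regex
class-map type inspect http match-all url_filter
 match not request header host regex allow_google

! Drop and log every request that falls into that class
policy-map type inspect http url_filter
 parameters
 class url_filter
  drop-connection log

policy-map inside
 class inside
  inspect http url_filter

! Apply the policy on the inside interface
service-policy inside interface inside
************************************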
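
An added example, not part of the original post: a Python check of which Host header values the post's `allow_google` pattern would let through, next to a tighter pattern for comparison. The sample hosts, the stricter pattern and the function names are assumptions made for illustration, and Python's `re` engine stands in for the ASA's regex engine.

```python
import re

# Pattern copied from the post's "regex allow_google" line.
PAGE_PATTERN = re.compile(r".*google.*")

# Assumption: a tighter allow-list in Python regex syntax (not ASA syntax).
# It accepts google.com and its subdomains, with an optional port.
STRICT_PATTERN = re.compile(r"^(?:[a-z0-9-]+\.)*google\.com(?::\d+)?$")

# Constructed Host header values, not taken from real traffic.
SAMPLE_HOSTS = [
    "www.google.com",
    "mail.google.com",
    "google.com",
    "google.example.net",   # "google" used as a label under another domain
    "notgoogle.example",    # "google" embedded inside another name
    "www.example.org",
    "WWW.GOOGLE.COM",       # upper case: both patterns here are case-sensitive
]


def action(host, pattern):
    """Mirror 'match not request header host regex ...' + 'drop-connection':
    a Host value that does not match the pattern is dropped."""
    return "permit" if pattern.search(host) else "drop"


def audit(hosts):
    """Return hosts that the post's pattern permits but the strict one drops."""
    return [
        h for h in hosts
        if action(h, PAGE_PATTERN) == "permit"
        and action(h, STRICT_PATTERN) == "drop"
    ]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:22} page={action(h, PAGE_PATTERN):6} "
              f"strict={action(h, STRICT_PATTERN)}")
    print("over-matched by the post's pattern:", audit(SAMPLE_HOSTS))
```

Running a candidate allow-list pattern over known-good and known-bad host names like this, before it goes onto the firewall, shows how much wider than intended a substring match is.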

I feel it should be possible to port Snort rules into PIX/ASA using regular expressions. The next post may have an example.

happy tweaking....

