PIX Access Control List and content filtering (4)



iv. Malicious code filtering

1. Java applet filtering

Java programs may become a way to intrude into internal systems. Enabling Java filtering prevents internal systems from downloading Java applets. When port 80 (HTTP) is allowed, Java applets may be downloaded, and some applets may contain hidden code that damages data on the internal network. The Java applet filter of the PIX Firewall can block Java applets per client or per IP address. When Java filtering is enabled, the PIX Firewall searches the returned content for the "cafe babe" string (the magic number at the start of a Java class file); once this string is found, the firewall rejects the applet. Typical Java code snippet:

00000000: cafe babe 003 002d 0099 0900 8345 0098

2. ActiveX filtering

ActiveX controls, formerly known as Object Linking and Embedding (OLE) controls (OCX), are small programs that can be embedded in web pages and are often used for animation and other applications. ActiveX controls provide a way to attack the server and bring security problems, so you can use the PIX Firewall to block all ActiveX controls.

Use the filter activex | java command to filter ActiveX controls or Java applets in outbound packets. The syntax of the filter activex | java command is as follows:

filter activex | java port[-port] local_ip mask foreign_ip mask

● activex -- block ActiveX and other HTML <object> tags in outbound packets
● java -- block Java applets returned in response to outbound connections
● port -- port on which the PIX Firewall receives Internet traffic
● local_ip -- IP address of the highest security level interface that can be accessed
● mask -- wildcard mask
● foreign_ip -- IP address of the lowest security level interface that can be accessed

When a user accesses an IP address pointed to by the alias command, ActiveX filtering is not performed.
The filter command enables or disables filtering of outbound URLs or HTML. The following command filters ActiveX controls from internal hosts to external hosts on port 80 for the whole network:

pixfirewall(config)# filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

5. URL filtering

URL filtering applications let the PIX Firewall monitor and control web traffic more effectively. Because the PIX Firewall has no URL filtering function of its own, you must use a URL filtering application to filter specific URLs. The PIX Firewall can work with the WebSense or N2H2 URL filtering applications for this purpose. When the PIX Firewall receives a request from a user to access a URL, it queries the URL filtering server to determine whether to permit the request. The URL filtering server checks its configuration to determine whether the URL should be filtered. If the URL should be filtered out, the URL filtering application displays a blocking message or redirects the user to the URL of a specified web site.

Before using URL filtering, you must specify at least one server that runs the WebSense or N2H2 URL filtering application. Up to 16 URL servers can be specified, and only one of N2H2 or WebSense can be used at a time. Changing the URL filtering configuration on the PIX Firewall does not update the configuration of the application server; the server must be configured separately according to each vendor's instructions.

Use the url-server command to specify the server that runs the URL filtering service, then use the filter url command to enable the URL filtering service. The url-server command syntax for WebSense is as follows:

url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol TCP | UDP version [1 | 4]]

● if_name -- name of the network interface where the server is located. If not specified, the default is inside.
● vendor websense -- specifies that the vendor of the URL filtering service is WebSense
● host local_ip -- the server that runs the URL filtering application
● timeout seconds -- maximum idle time allowed before the PIX Firewall switches to the next specified server. The default is 5 seconds.
● protocol -- protocol, configured with the TCP or UDP keyword. The default is TCP, version 1.
● version -- protocol version, configured with the keyword 1 or 4. The default protocol is TCP with version 1. TCP can use version 1 or 4; UDP can only use version 4.

The url-server command syntax for N2H2 is as follows:

url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol TCP | UDP]

● if_name -- name of the network interface where the server is located. If not specified, the default is inside.
● vendor n2h2 -- specifies that the vendor of the URL filtering service is N2H2
● host local_ip -- the server that runs the URL filtering application
● port number -- N2H2 server port. The PIX Firewall also listens for UDP replies on this port. The default port number is 4005.
● timeout seconds -- maximum idle time allowed before the PIX Firewall switches to the next specified server. The default is 5 seconds.
● protocol -- protocol, configured with the TCP or UDP keyword. The default is TCP.

After specifying the server that runs the URL filtering application, use the filter url | ftp | https command to allow the PIX Firewall to send the appropriate requests to that server. In addition to the URL filtering of older versions, PIX Firewall version 6.3 also supports FTP and HTTPS filtering. The command in the following example makes the PIX Firewall send all URL requests to the URL filtering server. When using URL filtering on the PIX Firewall, the allow option of the filter command is crucial.
When the URL filtering server is offline, the allow option makes the PIX Firewall pass all URL requests without filtering; without the allow option, all URL requests on port 80 are blocked until the server comes back online.

pixfirewall(config)# filter url http 0 0 0 0 allow

The syntax of the filter url | ftp | https command is as follows:

filter url port[-port] | except local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
filter ftp port local_ip local_mask foreign_ip foreign_mask [allow] [interact-block]
filter https port local_ip local_mask foreign_ip foreign_mask [allow]

● url -- filter URLs from data passing through the PIX Firewall
● ftp -- filter FTP addresses from data passing through the PIX Firewall
● https -- filter HTTPS addresses from data passing through the PIX Firewall
● port -- the port on which the PIX Firewall receives Internet traffic. Typically 80, but other values can be used. You can use http or url in place of port 80.
● except -- create an exception to the preceding filter condition
● local_ip -- IP address of the highest security level interface that can be accessed
● local_mask -- network mask of local_ip
● foreign_ip -- IP address of the lowest security level interface that can be accessed
● foreign_mask -- network mask of foreign_ip
● allow -- when the URL filtering server is unavailable, let outbound traffic pass through the PIX Firewall without filtering
● proxy-block -- prevent users from connecting to an HTTP proxy server
● interact-block -- prevent users from connecting to the FTP server through an interactive FTP program
● longurl-truncate -- when the URL exceeds the maximum permitted length, send only the host name or IP address portion of the URL to the filtering server
● longurl-deny -- if the URL exceeds the URL cache size limit or the URL cache is unavailable, deny the URL request
● cgi-truncate -- send only the CGI script name and location as the URL

Long URL filtering

On PIX Firewall version 6.1 or earlier, URLs larger than 1159 bytes cannot be filtered. On PIX Firewall version 6.2 and later, the WebSense filtering server can filter URLs of up to 4096 bytes. You can also use the url-block url-size command to increase the maximum length of a single URL (WebSense only). When a user sends a long URL request, the PIX Firewall reassembles the long URL from multiple IP packets into its cache and then sends the URL to the WebSense server over TCP. Use the url-block url-mempool command to configure the maximum cache for long URLs. The no form of the url-block url-size and url-block url-mempool commands removes them. The PIX Firewall does not support long URLs with WebSense UDP servers.

If the length of a URL exceeds the maximum allowed or the URL cache is unavailable, the other new options of the filter url command control the behavior. When the URL exceeds the maximum permitted length, the longurl-truncate option makes the PIX Firewall send only the host name or IP address portion of the URL to the filtering server as the basis for its decision, while the longurl-deny option blocks the outbound URL traffic.
If a long URL request is a CGI request, the new cgi-truncate option of the filter url command speeds up its processing. When cgi-truncate is enabled, the PIX Firewall sends only the CGI script name and location to the WebSense server as the URL; the long list of parameters is omitted.

On PIX Firewall version 6.2, the url-block command lets the PIX Firewall buffer the response from the web server while it waits for the response from the filtering server, which reduces the time the client waits for the HTTP response. On PIX Firewall version 6.1 or earlier, the response from the web server was discarded until the filtering server responded, so the client had to wait for the web server to resend it. The response buffering feature works with both the WebSense and N2H2 filtering applications; the no form of the url-block command disables it. On PIX Firewall version 6.2, URLs of up to 1159 bytes are supported when the N2H2 filtering server is used.

The url-block command syntax is as follows:

url-block url-mempool memory_pool_size
url-block url-size long_url_size
url-block block block_buffer_limit

● memory_pool_size -- maximum memory that can be allocated, between 2 and 10 MB; value range 2 to 10000
● long_url_size -- maximum allowed URL length; value range 2 to 6 KB
● block_buffer_limit -- maximum number of blocks allowed in the HTTP response buffer

The following configuration enables long URL filtering:

pixfirewall(config)# url-server (inside) vendor websense host 10.0.0.30 timeout 5 protocol TCP version 1
pixfirewall(config)# filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate cgi-truncate
pixfirewall(config)# url-block url-mempool 1500
pixfirewall(config)# url-block url-size 4
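The following is an added model, not PIX code, of the decisions the page describes for the filter url options: the allow keyword when the filtering server is offline, and longurl-truncate, longurl-deny and cgi-truncate when a request exceeds the url-block url-size limit. The FilterUrlPolicy and decide names, the sample URL and the fallback for a long URL with neither long-URL option are assumptions made here.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class FilterUrlPolicy:
    # url-block url-size value in KB (page: 2 to 6 KB); 4 matches the page's example
    url_size_kb: int = 4
    longurl_truncate: bool = False   # filter url ... longurl-truncate
    longurl_deny: bool = False       # filter url ... longurl-deny
    cgi_truncate: bool = False       # filter url ... cgi-truncate
    allow: bool = False              # filter url ... allow


def decide(policy: FilterUrlPolicy, url: str, server_online: bool = True):
    """Model of how the PIX prepares one outbound URL for the filtering server.
    Returns (action, lookup): action is 'lookup', 'permit' or 'deny';
    lookup is the string handed to the WebSense/N2H2 server, or None."""
    if not server_online:
        # allow keyword: pass traffic unfiltered while the server is offline;
        # without it, every port-80 request is blocked until the server returns.
        return ("permit", None) if policy.allow else ("deny", None)
    if len(url.encode("utf-8")) <= policy.url_size_kb * 1024:
        return ("lookup", url)                      # fits the URL buffer: send as-is
    parts = urlsplit(url)
    if policy.cgi_truncate and parts.query:
        # cgi-truncate: only script name and location, the parameter list is dropped
        return ("lookup", f"{parts.scheme}://{parts.netloc}{parts.path}")
    if policy.longurl_deny:
        return ("deny", None)                       # longurl-deny: block the request
    if policy.longurl_truncate:
        return ("lookup", parts.netloc)             # longurl-truncate: host/IP only
    # Assumption (not stated on the page): with neither option the request is denied.
    return ("deny", None)


# Constructed sample: the page's example configuration plus a 5 KB query string
PAGE_POLICY = FilterUrlPolicy(url_size_kb=4, longurl_truncate=True, cgi_truncate=True)
LONG_CGI = "http://www.example.com/cgi-bin/search?q=" + "a" * 5000

if __name__ == "__main__":
    print(decide(PAGE_POLICY, LONG_CGI))
```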
 
