Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Feb 24th, 2009

Dear All,


We are having problems as end users have a lot of spyware/malware and have illegal proxies installed in the LAN.


One idea is to deny HTTPS or "CONNECT"-type HTTP at the "inside" FWSM/ASA to any IP-based URL destination. Since the IP-based URLs are random, maybe a regex could help.


Please advise us how to do it. Thanks.

vikram_anumukonda Wed, 02/25/2009 - 03:57

Hi, could you explain what you mean by an IP-based URL? (Does it mean users typing IP addresses in the browser instead of domain names?)

hasmurizal Wed, 02/25/2009 - 16:01

Hi Vikram,


Yes, that's what I meant (users typing IP addresses instead of name addresses).

vikram_anumukonda Wed, 02/25/2009 - 21:17

Hi,


You can try this:


#####################################
regex ipurl "\.[0-255]\.[0-255]\.[0-255]\.[0-255]"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################


But if you are looking to filter HTTPS, you will have to go for an external URL filtering server.


Hoping this is what you are looking for.



-vikram

hasmurizal Wed, 02/25/2009 - 21:39

nice...


~~~~~~~~~~~~~~~~~~~~~
!
class-map web
 match port tcp eq www
!
~~~~~~~~~~~~~~~~~~~~~


For this portion, can we replace www with 443?


vikram_anumukonda Wed, 02/25/2009 - 21:44

It wouldn't work if you replace "www" with "443" because the traffic is encrypted; for this very reason you will have to opt for an external URL filtering server.


I tried it once with 443 and it didn't work. You can give it a shot though.



Vikram

vikram_anumukonda Thu, 02/26/2009 - 01:42

The regex in my earlier reply is horribly wrong;


I will post a reply as soon as I have an accurate one.


-Vikram

vikram_anumukonda Thu, 02/26/2009 - 02:57

Hi,


The below regex will match anything but numbers in the host header (http://<>/index.html, basically the address typed in by the user),


and the below code would drop the HTTP connection as long as there is no a-z or A-Z in the host header (which is basically only numbers in the host header).


#########################################
regex ipurl "[a-zA-Z]+"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
##########################################



I really hope this is helpful to you.



-Vikram
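
As an added illustration (not code from the thread), the two regexes posted above applied in Python to constructed Host header values: it shows why `[0-255]` is a character class matching only the digits 0, 1, 2 and 5 rather than a numeric range, so the first policy misses ordinary IPv4 hosts, and what the corrected `match not` policy drops. Only plain-HTTP Host headers on port 80 are modelled, since the inspector never sees a Host header inside an encrypted HTTPS session.

```python
import re

# First regex posted in the thread (later retracted): "[0-255]" is a character
# class (0,1,2,5), and four "\." groups are required, so a normal IPv4 host with
# three dots can never match.
FIRST_REGEX = re.compile(r"\.[0-255]\.[0-255]\.[0-255]\.[0-255]")
# Corrected regex: any run of letters. Combined with "match not", the policy
# drops requests whose Host header contains no letter at all.
SECOND_REGEX = re.compile(r"[a-zA-Z]+")


def first_policy_drops(host: str) -> bool:
    """'match request header host regex' -> drop when the regex matches."""
    return FIRST_REGEX.search(host) is not None


def second_policy_drops(host: str) -> bool:
    """'match not request header host regex' -> drop when no letter appears."""
    return SECOND_REGEX.search(host) is None


# Constructed sample Host header values (not real traffic).
SAMPLE_HOSTS = [
    "www.example.com",      # name-based host: both policies pass it
    "10.20.30.40",          # bare IPv4 literal: only the second policy drops it
    "192.168.1.5:8080",     # IPv4 literal with port: only the second policy drops it
    "1.2.5.0.1",            # four dots, digits all in {0,1,2,5}: first policy matches
]


def classify(hosts):
    """Return {host: (dropped_by_first, dropped_by_second)} for each sample host."""
    return {h: (first_policy_drops(h), second_policy_drops(h)) for h in hosts}


if __name__ == "__main__":
    for host, (first, second) in classify(SAMPLE_HOSTS).items():
        print(f"{host:20s} first drops: {first!s:5s} corrected drops: {second}")
```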

hasmurizal Thu, 02/26/2009 - 04:07

Hi.


Thanks for the info. I appreciate the help that I received.


Anyway, the real problem is due to this software, which can bypass content filtering and firewall configuration: http://www.ultrareach.net/


On the content filtering server, we have managed it by applying a deny "connect" regex for IP address URLs. So I was thinking whether there is any way we can eliminate it on the FWSM in case the LAN does not have content filtering servers.


I will check in the near future as I don't have any spare ASA for now, and I will respond with any update later. Thank you.
