Need a "Whitelist Only" solution

Unanswered Question
Apr 15th, 2010

Looking for a Cisco Router for 75 users.

The Number 1 solution we need is a "Whitelist only" URL filtering.  A call to Cisco sales didn't help.

Is this possible with any Cisco router?

Federico Coto F... Thu, 04/15/2010 - 13:46

Hi,

I don't think there's a Cisco router specialized in web filtering.

You can however use FPM to match and filter URLs on the router.

www.cisco.com/go/fpm

Normally, Cisco routers can work with a websense device for example to redirect URL requests.

Federico.

Panos Kampanakis Fri, 04/16/2010 - 15:40

You can use NBAR to "not block" a URL and block everything else. An example (Method A) that does it for various Nimda virus URLs is here: http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml But you will do the same using your URLs. Whenever you match a good whitelisted website, you will set the DSCP value to something, say x. And then for whatever else website you will set DSCP to something else, say y. Then you will drop the packets with DSCP value y, as is done in the example.

Another way of doing it is to use the IOS URL filtering feature. It is licensable, but very efficient. It can blacklist, whitelist and URL filter based on reputation and categories. Here is the link for your reference: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html

I hope it helps.

PK
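A worked configuration for the NBAR method PK describes (allow-listed hosts marked with one DSCP value, all other HTTP marked with another, the second value dropped on the ISP side). This is an added illustration, not from the post or the linked tech note; the hostnames, interface names, ACL number and DSCP values are placeholders.

```ios
! Constructed example of the NBAR "allow-list only" method. Placeholder names throughout.
!
! 1. Classify HTTP requests to allow-listed hosts (NBAR reads the HTTP Host header).
class-map match-any HTTP-ALLOWED
 match protocol http host "*.example.com"
 match protocol http host "*.example.org"
!
! 2. Everything else that NBAR recognises as HTTP.
class-map match-all HTTP-OTHER
 match protocol http
!
! 3. Mark: allowed -> DSCP 1 ("x"), other HTTP -> DSCP 2 ("y").
!    Classes are evaluated in order, so the allow-list is tested first.
!    Non-HTTP traffic (DNS, mail, VPN) falls into class-default and is left untouched.
policy-map MARK-HTTP
 class HTTP-ALLOWED
  set ip dscp 1
 class HTTP-OTHER
  set ip dscp 2
!
! 4. Apply the marking inbound on the LAN-facing interface, where user traffic enters.
interface GigabitEthernet0/0
 description LAN (users)
 service-policy input MARK-HTTP
!
! 5. Drop DSCP 2 before it leaves toward the ISP; "log" gives an audit trail of blocked requests.
access-list 150 deny   ip any any dscp 2 log
access-list 150 permit ip any any
!
interface GigabitEthernet0/1
 description Public internet facing ISP
 ip access-group 150 out
```

NBAR only sees the Host header of plaintext HTTP on the ports it classifies as HTTP, so HTTPS and non-standard ports are not covered by this marking; a complete allow-list still needs the URL-filtering feature or a proxy in front of those flows.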

Kureli Sankar Fri, 04/16/2010 - 18:07
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0e.html

ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http java-list 1 urlfilter
!
! Just configure some random IP for the Websense server.
ip urlfilter server vendor websense 192.168.100.16 timeout 2 retransmit 3
ip urlfilter allow-mode on
!
! Will only allow yahoo.com and google.com and deny all other sites.
ip urlfilter exclusive-domain permit .yahoo.com
ip urlfilter exclusive-domain permit .google.com
!
! Java filter required for URL filtering.
access-list 1 permit any
!
! This ACL will allow all inbound traffic.
! (Assumed body: access-list 111 itself was not shown in the original post.)
access-list 111 permit ip any any
!
interface GigabitEthernet0/1
 description Public internet facing ISP
 ip address 1.1.1.1 255.255.255.0
 ip access-group 111 in
 ip inspect FW out

It is an old CBAC-style config. With no additional expense or license you can just allow a few domain names and deny every other domain.
That Websense server IP address can be anything. I believe the config would work even without that line.

-KS
