- Cisco Employee,
- Different Filtering Methods and Order of Operations
- URL Blocking
- URL Filtering
- Web Reputation
- How to know what feature is blocking a page
This guide covers the basics of how URL filtering and URL blocking works on the CSC module and also how and where to whitelist sites so that they may be allowed through the CSC module.
NOTE: This document was written based on CSC version 6.3.1172.4. Features and functions that are part of this document largely apply to any build of code 6.3.1172.x or later, but may not apply to earlier versions.
Different Filtering Methods and Order of Operations
On the CSC module, there are 3 different URL/Content checks that are done on all HTTP traffic aside from antivirus filtering:
- URL Blocking
- URL Filtering
- Web Reputation
These checks are run in the order shown above and if any of those checks determines that the site should be blocked, the process is stopped and an appropriate notification is displayed to the user. Each method above blocks traffic for varying reasons that will be outlined in more detail below.
The "URL Blocking" functionality is effectively an adminstrator defined list of sites that should be blocked regardless of the category or content of the site.
The Local List
Take a look at the following screen shot of the URL Blocking configuration page:
You will notice that the page is broken into three logical sections. The first section details how to add entries to either of the two lists (Block List or Block List Exceptions). The second section is a list of Keywords or portions of URLs that should be blocked. The third section is a list of patterns that should be allowed through if they were blocked above. Adding a pattern or to the Exception list does not 'white-list' URLs that match it from other other filtering checks, it only white-lists it from the URL Blocking check. We will go into more detail about whitelisting below.
When to use 'Web Site', 'URL Keyword', or 'String'
URL Blocking is simply matching a pattern to the URL of the page. When a user browses to a web page, the URL they are accessing is matched against the patterns in the Block and Exception lists.
This will match URLs that start with the pattern. So adding 'webex.com' as a Website will adds the pattern webex.com/* and will match:
But it will not match the following becuase they do not start with 'webex.com'
This will match URLs that have the pattern anywhere in the URL. Adding 'cisco.com' as a keyword adds *cisco.com* and will match:
- Any url with 'cisco.com' in it...
The String option is a very specific match. It will only match that exact string. If you add 'google.com/' it will match:
- Thats it. Yup.
It will not match:
When the module processes a URL, the module first checks that URL against the Block List. If it matches an entry in the Block List then checks that same URL against the Exceptions List. If the URL matches the Block List but does not match the Exception List, then access to the page is blocked. If the the URL matches both the Block List and the Exception List, then the site is allowed through.
Lets look at the example output above. You can see I have blocked keyword 'cisco.com'. As a result, users that are evaluated against this policy cannot get to sites like cisco.com, www.cisco.com or any page with cisco.com in the URL. Now lets say I want to allow users to get to pages that are hosted on supportforums.cisco.com. You would then add 'supportforums.cisco.com' as a Website. That way people are allowed to go to:
But they cannot go to:
But if we had added 'supportforums.cisco.com' as a Keyword and not a Website, then users could have gotten to the last two pages listed above, which might not be your intent.
URL Filtering is a process by which each URL processed by the CSC module is categorized into one of many different groups ranging from 'Internet Radio and TV' to 'Adult'. Once a website is classified into a category, the page is either permitted or blocked based upon your policy.
Lets take a look at the first tab of the URL Filtering configuration page:
The categories are broken into groups based. Each category can be set to be blocked during work time or during liesure time. For example, above we have blocked Internet radio during work time, but allowed it during liesure time. If you want to know what a categorey a site falls into, click the link at the bottom of the screen (http://reclassify.url.trendmicro.com/). For example 'cisco.com' is part of "Computers / Internet".
When a URL request is sent through the CSC module, for example a user goes to http://cisco.com/index.html, the module grabs the URL and sends an obfuscated version of the URL to TrendMicro's URL classification servers. The Servers then reply with two biits of information:
- The Category of the URL (Adult/Gambling/Etc)
- The Web Reputation of the URL (we'll cover that in a moment)
The CSC then takes this Category info and checks your policy to see if that Category is blocked at the current time (Work/Liesure). If the site should be blocked, when then check against the Exceptions list to see if this specific URL should be excluded from filtering. If the URL does not match the Exceptions list and its Category is blocked, the user is notified and the page is blocked.
The format of the Exceptions Tab should look familar since it shares many of the same concepts/functions as the URL Blocking page:
In the above example, I set the Social Network category to be blocked both during Work and Liesure times but I want to allow Facebook through. As a result I added two Exception Keywords: facebook.com and fbcdn (facebook's content delivery network). As a result the follow sample results are achieved:
- http://www.myspace.com (blocked by Filtering Category)
- http://www.orkut.com (blocked by Filtering Category)
- http://www.facebook.com/ (Blocked by Category but allowed by Exception)
- http://fbcdn-profile-a.akamaihd.net/hprofile-ak-snc4/7_q.jpg (blocked by Category but allowed by Exception)
The Third tab of the URL filtering sections allows you to define what Work and Liesure time constitute:
The Time Allotment sections allows you to specify what portions of the day the Work or Liesure columns of the URL filtering rules should be evaluated.
Web Reputation filtering blocks or allows sites based on the 'reputation' of the page. While a page may not be related to a categorey that you are blocking, if the page is known for distributing malware, its reputation will be listed as Ricky and Web Reputation will block and protect your network. As noted above, the reputation information is obtained during URL filtering request sent earlier.
Below is an example of the WRS Settings page. There is not much to configure here aside from the level of filtering (sensitivity level). The Higher the sensitivity, the more sites will be blocked (this can also lead to more false positives):
Same as the prior exceptions tabs. See above examples for more information:
How to know what feature is blocking a page
When a page is blocked it will list one of a few reasons for being blocked:
|Blocking Reason||Feature blocking the page|
|"Administrator Defined block site"||URL Blocking|
|"High Risk" / "Medium Risk" / "Low Risk"||Web Reputation|
|Categorey like "Network Bandwith" or "Business"||URL Filtering|
Once you identify the feature that is blocking the content, if the content should be allowed, add an Execption for that specific section.
Exceptions in one section have absolutely no impact on other sections. Adding a site to one exception list does not exempt that site from other filtering steps.