My company uses a pair of 5510 ASAs as the gateway to the Internet. I once configured a policy-map to filter certain webpages (facebook, twitter, ...etc) and they work fine. However, nowadays those websites all support HTTPS. In HTTPS the URL seems encrypted, so I can't do a regex match... Is there any way that I can still block those webpages?
Two other ways I can think of are
1. Block IPs (don't really want to do this unless absolutely necessary)
2. Block DNS for the URL (however they can work around this by setting static DNS entries)
Ajay, with Websense, does it filter based on the IPs? Just being curious how it works... Technically even with Websense it can't look into the HTTPS packets, correct? So I guess Websense just keeps updated IPs for certain websites and filters by IPs?
Julio, I read your link very carefully and I see how CSC filters URLs based on the TLS extension SNI in the client request. I did a Wireshark capture and I see "www.facebook.com" in the extension. I'm wondering: since this is in clear text, maybe ASA without CSC can still check the specific field in the TLS packet and drop the TLS packet, which in turn destroys the web traffic. I will give it a try.
Basically, mirrored traffic is directed to Websense's monitoring card. Network Agent sniffs that traffic, and then sends spoofed packets to block the traffic, while at the same time redirecting the user to a block page hosted on the Websense server.
You can specify an IP address range, a specific host name (www.yourhost.com), or it can use regular expressions ([Yy][Oo][Uu][Rr][Hh][Oo][Ss][Tt]\.[Cc][… which will match Yourhost.com, yourHost.com, YoUrHoSt.CoM, or any case of yourhost.com, etc. Finally, it can do a keyword match so that if you request a web site that contains ReallBadSwearWord in any of its content, headers, etc., the page will be blocked. There's probably more that I didn't mention, but Websense does things in a very intelligent manner and gives users control over what they can block. Furthermore, they have already pre-classified sites into different categories (sex, proxy-avoidance, illegal, gambling, etc.) and it lets you recategorize these sites to different categories. So, you can make www.playboy.com appear as a gaming site versus a sex site.
Thanks Ajay. Last question. Can ASA do packet inspection on protocols it doesn't support? For example, you want to drop a packet which contains the ASCII value of "facebook". In this case it doesn't matter if ASA understands the protocol or not. It drops the packet as long as the packet contains the specified string. Possible??
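The cleartext SNI field seen in the Wireshark capture above, and the "match the string anywhere in the packet" idea from the last question, as an added Python example that is not part of this thread or of any Cisco or Websense product: it builds a constructed TLS ClientHello, reads the host_name out of the server_name extension, and applies a domain-suffix blocklist (the BLOCKED tuple is an assumption) instead of a raw substring match, so that a name like notfacebook.com is not caught by accident.

```python
import struct

BLOCKED = ("facebook.com", "twitter.com")  # constructed blocklist for the example

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension (sample input)."""
    host = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type host_name(0), length, name
    sni_body = struct.pack("!H", len(sni_list)) + sni_list
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                      # client_version, 32-byte random (zeros)
            + b"\x00"                                     # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header

def extract_sni(record: bytes):
    """Walk a TLS record and return the cleartext host_name from the SNI extension, else None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a TLS ClientHello (e.g. plain HTTP)
    hs = record[5:]
    pos = 4 + 2 + 32                                 # handshake header, version, random
    pos += 1 + hs[pos]                               # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                               # compression_methods
    if pos + 2 > len(hs):
        return None                                  # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                       # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def should_block(record: bytes) -> bool:
    """Block when the SNI equals, or is a subdomain of, a blocked name (not a substring match)."""
    try:
        sni = extract_sni(record)
    except (IndexError, struct.error):
        return False                                 # truncated or malformed record: no SNI decision
    if sni is None:
        return False
    sni = sni.lower().rstrip(".")
    return any(sni == d or sni.endswith("." + d) for d in BLOCKED)
```

Only the ClientHello carries the name in clear; once the handshake completes, the rest of the session is encrypted, which is why the decision has to be made on this first record.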