I had been using normal ACLs for blocking web-browsing (HTTPS/HTTP) access for my company users. But recently we started using DHCP to provide automatic IP addresses for users. This means I am no longer able to block/allow specific users' web access based on their IP addresses, because they have automatically assigned IPs.
Can anyone advise me what other option, apart from ACLs, I can use to block users' web access?
2. Second question: How can I block Tor Browser on my network? I tried using NBAR2, tried using (class-map match protocol attribute sub-category client-server) options... but none of them gave me any positive result. Any advice please?
If you're using a router, it knows about IP addresses, not user identities.
If you're using an ASA firewall, you can use the identity firewall features.
Otherwise you'd have to do a web proxy that has hooks to authenticate the end users, either actively or passively. You could also do this with a Cloud Web Security (the former ScanSafe product) connector in your router.
I've not tried to do anything with blocking TOR so I don't know about that one.
Here are different ways you can block TOR traffic:
* Requiring NTLM auth in explicit proxy mode stops it cold - this is just a missing feature in TOR.
* If you disable auth, or use Basic auth, then requiring that SSL destinations have server certs signed by known CAs will stop it. (This works regardless of the decryption reputation, as the WSA always appears to check this in explicit mode when configured.)
* If you disable the above two methods, the "filter avoidance" URL category is only effective against the initial "find directory servers" boot-up. If we miss one, or the client has this info cached from before, the URL category is not effective.
* Another method that would be effective would be to block all browsing by IP address; however, this has a pretty good chance of false positives.
Notice that the above will only work if all egress ports which are not proxied are blocked. TOR will attempt to go outbound on higher ports; if the customer is not blocking these (e.g. on the firewall), it becomes nearly impossible to effectively block TOR.
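As an added example (not from this thread or any Cisco product), the following Python audit applies two of the controls above to constructed log lines: it flags browsing to literal IP destinations, exempting RFC 1918 ranges to reduce the false positives the answer warns about, and it flags outbound connections on egress ports that bypass the proxy. The log layout, the allowed-port set and the internal ranges are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in an assumed "timestamp client method url dst_port"
# layout; this is not a real WSA/ASA log format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.15 GET http://www.example.com/ 80
2024-01-01T10:00:02 10.0.0.15 CONNECT https://203.0.113.7:443/ 443
2024-01-01T10:00:03 10.0.0.22 CONNECT https://198.51.100.9:9001/ 9001
2024-01-01T10:00:04 10.0.0.22 GET http://intranet.example.com/ 80
2024-01-01T10:00:05 10.0.0.31 CONNECT https://[2001:db8::1]:443/ 443
2024-01-01T10:00:06 10.0.0.40 GET http://10.0.0.5/ 80
"""

# Assumptions: only the proxied HTTP/HTTPS ports may leave the network, and
# RFC 1918 destinations are internal services rather than "browsing by IP".
ALLOWED_EGRESS_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external_ip_host(url):
    """True when the URL host is a literal IP (v4 or v6) outside the internal ranges."""
    host = urlsplit(url).hostname  # strips the port and any IPv6 brackets
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address
    return not any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return (client_ip, reasons) for one log line; an empty list means no control hit."""
    _ts, client, _method, url, port = line.split()
    reasons = []
    if is_external_ip_host(url):
        reasons.append("literal-ip-destination")
    if int(port) not in ALLOWED_EGRESS_PORTS:
        reasons.append("non-proxied-egress-port")
    return client, reasons

def audit(log_text):
    """Map each client that hit a control to the sorted list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            client, reasons = classify(line)
            if reasons:
                findings.setdefault(client, set()).update(reasons)
    return {client: sorted(reasons) for client, reasons in findings.items()}
```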