Filtering Outbound Connections


ActiveX objects and Java applets are security risks for outbound connections because they can contain code to attack hosts and servers. You can disable ActiveX objects and remove Java applets with the firewall filter command. In addition, you can use the filter command to work with a Websense server to remove URLs you deem inappropriate for use at the site.


Filtering ActiveX Objects

ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients, including causing workstations to fail, introducing network security problems, or being used to attack servers.

The firewall ActiveX feature blocks HTML <object> tags by commenting them out within the HTML web page. This functionality has been added to the filter command as the activex option.

The <object> tag is also used for Java applets, image files, and multimedia objects, so the activex option blocks those as well.

If the <object> or </object> HTML tags are split across network packets, or if the code in the tags is longer than the number of bytes in the MTU, the firewall cannot block the tag.


Filtering Java Applets

The filter java command filters out Java applets that return to the firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.

If Java applets are known to be in <object> tags, use the filter activex command to remove them.
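The following is an added illustration, not the firewall's own code, of the rewrite that the activex and java options described above perform on a returned page, and of the packet-boundary limitation noted in the ActiveX section. The sample HTML and the classid value are constructed for the example.

```python
import re

# Constructed sample page; the classid is a placeholder, not a real control.
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    '<applet code="Clock.class" width="100" height="50">\n'
    '  <param name="tz" value="UTC">\n'
    "</applet>\n"
    '<object classid="clsid:CONSTRUCTED-EXAMPLE-ID" width="200">\n'
    '  <param name="src" value="movie.avi">\n'
    "</object>\n"
    '<img src="logo.gif"></body></html>\n'
)

# Opening and closing tags handled by "filter java" and "filter activex".
TAG_RE = {
    "java": re.compile(r"<(/?)applet\b[^>]*>", re.IGNORECASE),
    "activex": re.compile(r"<(/?)object\b[^>]*>", re.IGNORECASE),
}


def neutralize(html, options=("java", "activex")):
    """Model the firewall's rewrite: an opening tag becomes '<!--' and the
    closing tag becomes '-->', so the browser treats the element as a
    comment and never executes it. Returns (rewritten_html, tags_rewritten)."""
    total = 0
    for opt in options:
        html, n = TAG_RE[opt].subn(
            lambda m: "-->" if m.group(1) else "<!--", html)
        total += n
    return html, total


def neutralize_per_packet(packets, options=("java", "activex")):
    """Apply the rewrite to each packet on its own, as a packet filter must.
    A tag whose bytes straddle a packet boundary is never seen whole, which
    is why the documentation says such tags cannot be blocked."""
    out, total = [], 0
    for pkt in packets:
        rewritten, n = neutralize(pkt, options)
        out.append(rewritten)
        total += n
    return "".join(out), total
```

Run neutralize on a whole page to see all four tags rewritten; feed the same page to neutralize_per_packet split inside "<applet" and the applet's opening tag survives, which is the reason to pair this option with URL filtering rather than rely on it alone.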


Examples

To specify that all outbound connections have Java applet blocking, use the following command:

filter java 80 0 0 0 0

This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.

filter java http 192.168.3.3 255.255.255.255 0 0

This command prevents host 192.168.3.3 from downloading Java applets.


Filtering URLs with Websense

Filtering URLs

The filter url command allows you to prevent outbound users from accessing World Wide Web URLs that you designate using the Websense filtering application.

The allow option to the filter command determines how the firewall behaves in the event that the Websense server goes offline. If you use the allow option with the filter command and the Websense server goes offline, port 80 traffic passes through the firewall without filtering. Used without the allow option and with the server offline, the firewall stops outbound port 80 (Web) traffic until the server is back online, or, if another URL server is available, passes control to the next URL server.

With the allow option set, the firewall now passes control to an alternate server if the Websense server goes offline.

Perform the following steps to filter URLs:

  1. Designate a Websense server with the url-server command.

  2. Enable filtering with the filter command.

  3. If needed, improve throughput with the url-cache command. However, this command does not update Websense logs, which may affect Websense accounting reports. Accumulate Websense run logs before using the url-cache command.

  4. Use the show url-cache stats and the show perfmon commands to view run information.

The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

url-server (perimeter) host 10.0.1.1
filter url http 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0

Websense Filtering by Username and Group

The Websense Server (UFS) works with the firewall to deny users access to web sites based on the company security policy.

Websense protocol version 4 enables group and username authentication between a host and a firewall. The firewall performs a username lookup, and then the Websense server handles URL filtering and username logging.

Websense protocol version 4 contains the following enhancements:

  • URL filtering allows the firewall to check outgoing URL requests against the policy defined on the Websense server.

  • Username logging tracks username, group, and domain name on the Websense server.

  • Username lookup enables the firewall to use the user authentication table to map the host's IP address to the username.