Wednesday, February 9, 2011

Cisco IOS content Filtering (Subscription Based)

Hi Guys

Today I wanted to talk about a feature called Cisco IOS Content Filter, this extremely handy feature is available on all ISR routers and some 880 Series routers running At least Advanced Security or Advanced IP Services and with IOS 12.4T.

The feature basically provides a way to do URL filtering. But when doubled with a Trend Micro Subscription available on the router, filters dynamically. So every time you get a HTTP web page, for example, google.com, the site is checked against Trend Micro's URL database and categorized into one of several categories (News, Blog, Social, or pornography, illegal drug use, etc.) It will also categorize the sites "Reputation" (Example: adware site, phising site) and report that back. Based on this info the page can be blocked and a log message produced on your router.

The database is centrally located at trend micro, every time you make a URL request the request is checked against Trend Micro's service and then the category/reputation are returned to your router.

You can even block advertisements with it!

You can manually set sites as part of a white list and a black list too if you so desire, and choose a "failover mode" which basically means if it fails to get the reputation/category because TRPS is down or something else is wrong should it allow or fail.

The whole thing is configured in the IOS router. A 30 day trial is available so you can test it to see how well it is going to work for you.

With all this in mind, Let's talk about how you go ahead and configure it!

First thing, there is a few steps you need to do before you just dive in and do the configuration

DON"T JUST READ MY CONFIG EXAMPLE: READ THIS PART FIRST
--------------------------------------------------------------------------

1. Login to your router and execute show diag

You will find:

Slot 0:
C2801 2FE 4SLOT Mainboard Port adapter, 4 ports
Port adapter is analyzed
Port adapter insertion time 5w0d ago
EEPROM contents at hardware discovery:
MAC Address block size : 34
Product (FRU) Number : CISCO28XX
Version Identifier : VN/A
Processor type : 86
Chassis Serial Number : FXXXXXXX

Take a note of your chassis serial number and product number.

Next, head on over to:

http://www.cisco.com/go/license/

Login with your CCO username and password.

Next, go to:
"Click here for available licenses"

scroll down until you see:

Cisco IOS Content Filtering Service Demo License

Click on the link, fill in your details and the chassis serial and product number you noted down earlier.

You will receive an email, that's all you need to do for the trial license, you don't need to install any license on your router: your router identifies itself to trend when it goes to get the updates and this identity is checked against the chassis serial number and product number trend has registered in it's database.

OK good, now that's done here is the next step.

Is your router directly connected to the internet with a public IP address? Good.

enable IP http server on it with the following command:

ip http server

enable it for secure server too

ip http secure-server

you might also need to enable the http server to use an authentication method, the easiest way is probably local.

ip http authentication local


browse to your router via https:// and make sure a webpage does respond. Be careful that none of your outside access-lists are blocking HTTPS access, you will need it for this step. Make sure you know the username.

Ok, with that done, go to this URL:
http://www.cisco.com/en/US/products/ps5854/products_configuration_example09186a0080816c23.shtml

Scroll down until you see
AV Firewall Device Provisioning

Put in the public IP of your router and click submit, you will be asked for your username and password to the router. What this is doing in this stage is installing the PKI certificate used by the Cisco router to communicate securely to Trend Micro's reputation/category database.

Hopefully you receive a successful message and we are ready to start the configuration!

First, login to your router and ping the following hostname:

ping trps.trendmicro.com

Take the IP address that is returned by this and configure it as a static host entry on your router. Note that if you don't have DNS turned on on your router (so the above command fails to resolve the hostname) pinging from your desktop PC is O.K. too, just execute the following:

config t
ip host trps.trendmicro.com

Once that's done, make sure you can ping trps.trendmicro.com from your router.

Next, ensure the clock on your router is accurate:

PeterCCIE18371#show clock
13:36:46.610 UTC Wed Feb 9 2011

This is important so that the certificate is shown as valid.


Next, enter the following configuration:

conf t
parameter-map type trend-global global-param-map
server trps.trendmicro.com

This configures the site where the router will obtain its updates.

Now the big moment, in command exec mode (not config mode) execute:

trm register


here's an example of a succesful registration:

PeterCCIE18371#trm register
Translating "trps.trendmicro.com"...domain server (192.231.203.132) (192.231.203.3)
Processing registration request
Please run 'show ip trm subscription status' to get more info

PeterCCIE18371#show ip trm subscription status
Package Name: Security & Productivity (Trial)
------------------------------------------------
Status: Active
Status Update Time: 13:38:51 UTC Wed Feb 9 2011
Expiration-Date: Wed Mar 9 08:00:00 2011

Last Req Status: Processed response successfully
Last Req Sent Time: 13:38:49 UTC Wed Feb 9 2011

Woo! it has succesfully registered! Now we begin to do our config for each of the categories/websites.

The first thing we should do is modify a few default parameters:

parameter-map type urlfpolicy trend trend-URLFiltering-Params
max-request 2147483647
max-resp-pak 1000
allow-mode on
block-page message "Blocked Page"

This is my configuration, block-page message chooses your message to be shown on blocked pages. You can also do block-page redirect if you want to send people to a certain webpage should they try and get to a restricted site. Max-request and max-resp-pak are both fine tuning the http request/response parameters and you can safely ignore these and leave them default. I have just modified mine to try and speed thing's up a bit.

allow-mode on or off control's what happens when the trend micro site cannot be contacted, should you just be allowed to browse or not? mode on means you can always browse, mode off obviously means you cannot.

The next step is to configure some class-maps to define what categories/reputations you want to block.
enter:
conf t

class-map type urlfilter trend match-any block_category
match url category ?

when you press the question mark you will be given a list of categories that the trend system can match against. Enter one category per line, then simply enter another match url category command to add more categories.

Once your done with that, set another class-map up for reputation, here's an example of one I have configured:

class-map type urlfilter trend match-any block_reputation
match url reputation ADWARE
match url reputation DIALER
match url reputation PHISHING
match url reputation SPYWARE

Once you have done that, you need to configure a class-map that matches HTTP traffic so we can inspect it later.

class-map type inspect match-all http-class
match protocol http

Next, we need to create our policy-map which contains our class maps for url filtering we just configured above.


policy-map type inspect urlfilter TrendURLFiltering_Policy


parameter type urlfpolicy trend trend-URLFiltering-Params


The command listed above defines your policy and then says that the trend-URLFiltering-Params parameter map we mentioned above should apply to this URL filtering policy. So you could configure diffirent parameters and indeed diffirent policies for diffirent interfaces/VLAN's should you so desire (but because this is policy-based config you could do all sorts of funky things that are beyond the scope of this article. But just as an example you could say never inspect traffic from a particular IP Address no matter what, or for example you could only apply this URL filtering to your guest wireless subnet.)

next we define what we want to do with each of our traffic types:


class type urlfilter trend block_reputation

reset
log
class type urlfilter trend block_category
reset
log


as you can see in this example, we are blocking and resetting any sites that fit into the categories I listed above.

OK, so far so good, next we need to define a normal zone-security policy. Zone-Security is a whole topic in and of itself. In this example I am giving below I am just allowing all traffic through, this is PROBABLY NOT A GOOD IDEA! But zone-security is a totally seperate topic and I know some of you just want to see this content filtering work. So for the sake of this article I have allowed all traffic which is probably not something you would want to do in production.

OK. Here goes:
policy-map type inspect firewall_policy
class type inspect http-class
inspect
service-policy urlfilter TrendURLFiltering_Policy
class class-default
pass

So, in this configuration I am saying match all http traffic and inside that http traffic apply the TrendURLFiltering policy. Then I have a class class-default which allows all traffic.

Next, you need to define some security zone members:

zone security inside
zone security outside


In my example, we have a very simple network of inside and outside.

Next, we define a security policy for when inside zones talk to outside zones:


zone-pair security insideoutside source inside destination outside
service-policy type inspect firewall_policy

I also then created a outsidein zone-pair to allow the return traffic, I will show the config for that here but I am not going to explain it because if you don't get what I am doing here you should not put this on a production network.

policy-map type inspect outside_in
class class-default
pass


zone-pair security outsidein source outside destination inside
service-policy type inspect outside_in

Ugh, let's pretend we did not see that.

Ok, once this is done. you just need to make each of your interfaces members of the zones:

on your outside int

int fa0/0 <(replace fa0/0 with your outside int)
zone-member security outside
!
int fa0/1 <(replace fa0/1 with your inside int)
zone-member security inside
!
Done! You should now have URL filtering. if you have log turned on if you visit a common website like cnn.com you should note advertisements being blocked if you used my reputation map listed above. A great way to test is to add news to your category filter class-map shown above and visit http://news.com.au, it should be blocked.


I hope this helped someone out there! If anyone wants an article on zone-security. Please respond in the comment section below! I will endeavor to write a good one.