Monday, March 10, 2014

Cisco IOS URL filter

A URL filter is a mechanism that restricts or controls access to websites. The URL filter determines which content is available or, more often, which content is blocked.

Cisco IOS provides many different ways to implement a URL filter. I'll discuss various techniques and present example configurations.

The first three methods classify the HTTP traffic with Cisco's Modular QoS CLI (MQC) feature, after which different mechanisms can be applied to drop or redirect the MQC-marked traffic.

With both the Context-Based Access Control (CBAC) and the Zone Based Firewall (ZBF) method, the decision which URLs to filter can be made by the router itself or by an external content filtering server. In this post I will only show examples of locally configured URL filtering.


Access Control List content filter

This method uses an ACL on the output interface to drop the packets marked by MQC. The packets containing the website requests are marked on the interface from which the websites are requested (the LAN interface).


!
class-map match-any URL_BLOCK
 match protocol http host "example.com"
!
policy-map MARK_URL
 class URL_BLOCK
  set ip dscp 1
!
interface FastEthernet0/0
 description WAN interface
 ip access-group 100 out
!
access-list 100 deny   ip any any dscp 1 log
access-list 100 permit ip any any
!
interface FastEthernet0/1
 description LAN interface
 service-policy input MARK_URL

considerations

  • Disable sending IP unreachable messages with the no ip unreachables interface-level command, to avoid causing the router to expend excessive resources.
  • Does NOT inform users that the website is blocked and why.
  • IOS allows only one ACL per direction, per protocol, per interface, so this method may not be practical if an ACL is already applied there.

Class-Based Policy content filter

The class-based method requires even less configuration: it uses the policy-map itself to drop the marked packets containing the website requests.

!
class-map match-any URL_BLOCK
 match protocol http host "example.com"
!
policy-map MARK_URL
 class URL_BLOCK
  drop
!
interface FastEthernet0/0
 description WAN interface
!
interface FastEthernet0/1
 description LAN interface
 service-policy input MARK_URL

considerations

  • Disable sending IP unreachable messages with the no ip unreachables interface-level command, to avoid causing the router to expend excessive resources.
  • Does NOT inform users that the website is blocked and why.

Policy-Based Routing (PBR) content filter

This method actually gives us two options: either route the marked packets to the Null0 interface, which simply drops the website requests for the blocked URLs, or route them to a local web server that is configured to reply with a standard page informing users that their web request was blocked.

!
class-map match-any URL_BLOCK
 match protocol http host "example.com"
!
policy-map MARK_URL
 class URL_BLOCK
  set ip dscp 1
!
! PBR only acts on packets matched by ACL permit entries, so the ACL permits the marked traffic
access-list 100 permit ip any any dscp 1
!
route-map URL_REDIRECT permit 10
 match ip address 100
 set ip next-hop 192.168.100.100
! to silently drop the requests instead, replace the next-hop with: set interface Null0
!
interface FastEthernet0/0
 description WAN interface
!
interface FastEthernet0/1
 description LAN interface
 service-policy input MARK_URL
! PBR is evaluated on the ingress interface, after the input service-policy has marked the packet
 ip policy route-map URL_REDIRECT


considerations

  • If the route-map forwards the filtered traffic to interface Null0, disable sending IP unreachable messages with the no ip unreachables interface-level command, to avoid causing the router to expend excessive resources.
  • If the route-map forwards the filtered traffic to interface Null0, users are NOT informed that the website is blocked and why.
  • If the route-map forwards the filtered traffic to a web server that presents an information page to the users, the server must be configured as a catch-all server. This means that a default virtual host needs to be configured, and it requires that the destination IP address of the HTTP requests is rewritten to the IP address of the server (i.e. destination NAT).
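The catch-all behaviour described in the last point, as an added example that is not part of the original post: a minimal block-page server in Python that answers every request, whatever Host header or path the browser sends, with a 403 and an explanatory page. The page text, the listening port and the audit line format are assumptions of this example; the router-side PBR and destination NAT are taken as already in place.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical block page shown for every redirected request (constructed example text).
BLOCK_PAGE = """<!DOCTYPE html>
<html><head><title>Access blocked</title></head>
<body>
<h1>Access to {host} is blocked</h1>
<p>Your request for http://{host}{path} was blocked by the company URL filter.</p>
</body></html>
"""


def build_block_response(host, path):
    """Build the (status, headers, body) for any request.

    The server is a catch-all: it never checks whether the Host header names
    this machine, because the router's destination NAT rewrote only the IP
    address while the browser still sends the original site's Host header.
    Host and path are HTML-escaped before being echoed back into the page.
    """
    safe_host = html.escape(host or "unknown host", quote=True)
    safe_path = html.escape(path or "/", quote=True)
    body = BLOCK_PAGE.format(host=safe_host, path=safe_path).encode("utf-8")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": str(len(body)),
        "Cache-Control": "no-store",  # don't let the browser cache the block page under the blocked host
        "Connection": "close",
    }
    return 403, headers, body


class BlockPageHandler(BaseHTTPRequestHandler):
    """Answers GET, POST and HEAD on every path with the same 403 block page."""

    def _serve_block_page(self):
        status, headers, body = build_block_response(self.headers.get("Host"), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_POST = do_HEAD = _serve_block_page

    def log_message(self, fmt, *args):
        # One audit line per blocked request: client address, Host header and request line.
        print("blocked %s host=%s %s" % (self.address_string(), self.headers.get("Host"), fmt % args))


if __name__ == "__main__":
    # Port 80 (needs privileges) because browsers connect to the original site's port.
    HTTPServer(("0.0.0.0", 80), BlockPageHandler).serve_forever()
```

The server deliberately has no virtual-host logic at all, which is what "default virtual host" amounts to here: whichever site the user asked for, the answer is the same page, and the audit line preserves which host and path were requested.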

Context-Based Access Control (CBAC) content filter

This method relies on CBAC Deep Packet Inspection (DPI) to decide which web requests are allowed or denied. The configuration is only a couple of lines.

!
ip inspect name URL_FILTER http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny example.com
ip urlfilter audit-trail
!
interface FastEthernet0/0
 description WAN interface
!
interface FastEthernet0/1
 description LAN interface
 ip inspect URL_FILTER in

considerations

  • Users are informed that their website request was denied via an 'HTTP 403 - Forbidden' error page.
  • Only provides the ability to filter on domain names. It does NOT provide the ability to filter on other criteria, like file names or particular directories of the allowed or denied domains.

Zone Based Firewall (ZBF) content filter

With this method DPI analyses the traffic between security zones, and the ZBF decides based on a policy map whether the traffic is allowed.

!
parameter-map type urlfpolicy local URL_FILTER
 block-page message "You do NOT have permission to view this page"
!
parameter-map type urlf-glob EXAMPLE
 pattern example.com
parameter-map type urlf-glob ALLOW
 pattern *
!
class-map type urlfilter match-any BLOCK
 match  server-domain urlf-glob EXAMPLE
class-map type urlfilter match-any ALLOW
 match  server-domain urlf-glob ALLOW
!
class-map type inspect match-any HTTP
 match protocol http
class-map type inspect match-any HTTPS
 match protocol https
class-map type inspect match-any DNS
 match protocol dns
!
policy-map type inspect urlfilter URL_FILTER
 parameter type urlfpolicy local URL_FILTER
 class type urlfilter BLOCK
  log
  reset
 class type urlfilter ALLOW
  allow
!
policy-map type inspect URLs
 class type inspect HTTP
  inspect
  service-policy urlfilter URL_FILTER
 class type inspect HTTPS
  inspect
 class type inspect DNS
  inspect
 class class-default
  drop
!
zone security LAN
zone security WAN
!
zone-pair security LAN_OUT source LAN destination WAN
 service-policy type inspect URLs
!
interface FastEthernet0/0
 description WAN interface
 zone-member security WAN
!
interface FastEthernet0/1
 description LAN interface
 zone-member security LAN

considerations

  • Users are informed that their website request was denied via a customizable error page.
  • Requires a complete Zone Based Firewall configuration, covering all security policies between the zones.
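How the urlfilter policy above reaches its decision, and why both it and the CBAC method (see its considerations) only see the domain and not the path, as an added example that is not IOS code: a small Python model of the urlf-glob classes evaluated in policy-map order. Its semantics are assumptions: patterns are treated as shell-style globs on the server-domain, so `*` matches anything and a pattern without wildcards matches only that exact domain (whether IOS's `pattern example.com` also covers subdomains is not stated in the post); the `*.example.com` pattern in the test is a hypothetical variant, not part of the configuration above.

```python
from fnmatch import fnmatchcase

# parameter-map type urlf-glob NAME / pattern ..., copied from the ZBF configuration above.
URLF_GLOBS = {
    "EXAMPLE": ["example.com"],
    "ALLOW": ["*"],
}

# policy-map type inspect urlfilter URL_FILTER: (class name, urlf-glob it matches, actions),
# listed in the order the classes appear in the policy-map.
URL_FILTER_POLICY = [
    ("BLOCK", "EXAMPLE", ["log", "reset"]),
    ("ALLOW", "ALLOW", ["allow"]),
]


def server_domain(host_header):
    """Reduce a Host header to the server-domain the class-maps match on: the port,
    surrounding whitespace, a trailing dot and letter case are not part of the domain."""
    return host_header.split(":", 1)[0].strip().lower().rstrip(".")


def classify(host_header, policy=URL_FILTER_POLICY, globs=URLF_GLOBS):
    """Return (class name, actions) for the first class whose urlf-glob matches.

    Assumed semantics, modelled with shell-style globbing: '*' matches any run of
    characters and a pattern without wildcards matches only that exact domain.
    The request path is deliberately not an input: server-domain matching sees
    the domain only, which is why a whole site is allowed or blocked at once.
    """
    domain = server_domain(host_header)
    for class_name, glob_name, actions in policy:
        if any(fnmatchcase(domain, pattern.lower()) for pattern in globs[glob_name]):
            return class_name, actions
    return "class-default", []  # never reached while the ALLOW '*' catch-all class is present


if __name__ == "__main__":
    # Constructed sample Host headers, as a browser would send them.
    for host in ["example.com", "EXAMPLE.COM:8080", "www.example.com", "example.org"]:
        print("%-20s -> %s %s" % (host, *classify(host)))
```

The ordering matters: because ALLOW matches every domain, it only works as the last class. Swapping the two classes in URL_FILTER_POLICY would allow everything, including example.com, before BLOCK is ever consulted.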

Conclusion

As we have seen, there are many different ways to configure a URL filter, also known as a content filter, on a router. Some considerations should be made before choosing a method. Do you want to inform users that they are violating company policy? What other security measures are in place, or are planned in the near future? Besides domain names, on what other criteria do you want to filter?
