https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811107#M492561 <HTML><HEAD></HEAD><BODY><P>Inspection can only be on for non -default applictions Frist it should understand the protocol then only it can open the packet and see the content.</P><P></P><P>Thanks</P><P>Ajay</P></BODY></HTML> Fri, 25 Nov 2011 07:19:04 GMT ajay chauhan 2011-11-25T07:19:04Z https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811101#M492554 <P>Hi experts,</P><P></P><P>My company uses a pair of 5510 ASAs as the gateway to Internet. I once configured policy-map to filter certain webpages (facebook, twitter, ...etc) and they work fine. However nowdays those websites all support HTTPS. In the https the URL seems encrypted so can't do regex match... Is there anyway that I can still block those webpages?</P><P></P><P>Another two ways I can think of are</P><P>1. Block IPs (don't really want do this unless absolutely necessary)</P><P>2. Block DNS for the URL (however they can work around by setting static DNS entries)</P><P></P><P>Thanks!</P><P>Difan</P> Mon, 11 Mar 2019 21:54:42 GMT https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811101#M492554 Difan Zhao 2019-03-11T21:54:42Z https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811102#M492556 <HTML><HEAD></HEAD><BODY><P>You are absolutely correct .</P><P></P><P>1. Blocking IP really wont help much since its not fixed for these kind of sites.</P><P>2. DNS Entries wise you can do if you want to block few.</P><P></P><P>Basically websense is used with ASA to these kind of filtering thats 3rd party request get redirected to server and based on policy traffic is allowed/deny.</P><P></P><P>Thanks</P><P>Ajay</P></BODY></HTML> Thu, 24 Nov 2011 07:06:34 GMT https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811102#M492556 ajay chauhan 2011-11-24T07:06:34Z https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811103#M492557 <HTML><HEAD></HEAD><BODY><P>Hello Difan Zhao,</P><P></P><P>Adding to what Ajay just said, you can also implement the Content Security and Control (CSC) module into the ASA, this module running version 6 is able to block the https sites.</P><P></P><P>Here is one link you can take a look:</P><P><A href="http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc4.html#wp1098125">http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc4.html#wp1098125</A></P><P></P><P>This is another option just in case.</P><P></P><P>Have a great day,</P><P></P><P>Julio</P></BODY></HTML> Thu, 24 Nov 2011 07:15:24 GMT https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811103#M492557 Julio Carvajal 2011-11-24T07:15:24Z https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811104#M492558 <HTML><HEAD></HEAD><BODY><P>Hey guys thanks so much for your replies.</P><P></P><P>Ajay, with websense, does it filter based on the IPs? Just being curious how it works... Technically even with websense it can't look into the HTTPS packets, correct? So I guess the websense just keeps updated IPs for certain websites and filter by IPs?</P><P></P><P>Julio, I read your link very carefully and I see how CSC filters URLs based on the TLS extension SNI in the client request. I did wireshark capture and I see "www.facebook.com" in the extension. I'm wondering: since this is in clear text, maybe ASA without CSC can still check the specific field in the TLS packet and drop the TLS packet which in turn destroy the web traffic. I will give it a try.</P><P></P><P>Thanks!</P><P>Difan</P></BODY></HTML> Thu, 24 Nov 2011 19:34:48 GMT https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811104#M492558 Difan Zhao 2011-11-24T19:34:48Z https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811105#M492559 <HTML><HEAD></HEAD><BODY><P>Basically, mirrored traffic is directed to Websense's monitoring card.&nbsp; Network Agent sniffs that traffic, and then sends spoofed packets to block the traffic, while at the same time redirecting the user to a block page hosted on the Websense server.</P><P>you can specify an IP Address Range, a specific host name (www.yourhost.com), it can use regular expressions ([Yy][Oo][Uu][Rr][Hh][Oo][Ss][Tt]\.[Cc][… which will match Yourhost.com, yourHost.com, YoUrHoSt.CoM, or any case of yourhost.com, etc. Finally, it can do a keyword match so that if you request a web site that contains ReallBadSwearWord in any of it's content, headers, etc, the page will be blocked. There's probably more that I didn't mention, but Websense does things in a very intelligent manner and gives users control over what they can block. Furthermore, they have already pre-classified sites into different categories (sex, proxy-avoidance, illegal, gambling, etc) and it lets you recategorize these sites to different categories. So, you can make <A href="https://community.cisco.com/www.playboy.com" target="_blank">www.playboy.com</A> appear as a gaming site versus a sex site.</P></BODY></HTML> Thu, 24 Nov 2011 19:45:12 GMT https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811105#M492559 ajay chauhan 2011-11-24T19:45:12Z https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811106#M492560 <HTML><HEAD></HEAD><BODY><P>Thanks Ajay. Last question. Can ASA do packet inspection on protocols it doesn't support? For example, you want to drop a packet which contains ASCII value of "facebook". In this case it doesn't matter if ASA understands the protocol or not. It drops the packet as long as the packet contains the specified string. Possible??</P><P></P><P>Thanks!</P></BODY></HTML> Fri, 25 Nov 2011 01:54:20 GMT https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811106#M492560 Difan Zhao 2011-11-25T01:54:20Z https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811107#M492561 <HTML><HEAD></HEAD><BODY><P>Inspection can only be on for non -default applictions Frist it should understand the protocol then only it can open the packet and see the content.</P><P></P><P>Thanks</P><P>Ajay</P></BODY></HTML> Fri, 25 Nov 2011 07:19:04 GMT https://community.cisco.com/t5/network-security/asa-filters-urls-in-https/m-p/1811107#M492561 ajay chauhan 2011-11-25T07:19:04Z